What We Know About the FBI's CIPAV Spyware

StonyandCher writes "What is CIPAV? CIPAV stands for 'Computer and Internet Protocol Address Verifier'; a lengthy term for powerful spyware the Federal Bureau of Investigation can bring to bear on web-based crime. It was used last month in a case where someone was emailing bomb threats regularly to a Washington high school. An affidavit by an FBI agent revealed some of the workings of CIPAV. 'According to the court filing, this is [some of] what the CIPAV collects from the infected computer: IP address, Media Access Control address for the network card, List of open TCP and UDP ports, List of running programs ... Last visited URL. Once that initial inventory is conducted, the CIPAV slips into the background and silently monitors all outbound communication, logging every IP address to which the computer connects, and time and date stamping each.' In a Computerworld article, the author attempts to dissect CIPAV's purpose and raises a number of questions such as: What happens to the data the CIPAV collects? Does the CIPAV capture keystrokes? Can the CIPAV spread on its own to other computers, either purposefully or by accident? Does it erase itself after its job is done?"

does it...

[russ1337]

What happens to the data the CIPAV collects? Does the CIPAV capture keystrokes? Can the CIPAV spread on its own to other computers, either purposefully or by accident? Does it erase itself after its job is done?"

Does it run on Linux?

sorry, couldn't help myself.... but seriously..... does it?

Re:does it...

[TWX]

Does it run on Linux?

Even if it does, if you find one of those last-generation Motorola 68000 machines and compile your entire OS from scratch I doubt that they'll have a binary-compatible version to install on it...

Of course, be prepared to have one SETI@Home packet take about four weeks to process, and to have a bogomips rating of something like 16.9...

How to identify?

[redshirt1111]

I did read the article, but did not see anything about identification. Other than ensuring there is no spyware running on your machine, anyone have an idea how to detect this particular program?

Re:How to identify?

[Opportunist]

Well, there are some ways. Some of them used by trojans, some used by AV kits, some by both.

You can go ahead and force every program you run to load a DLL of yours, which hooks the relevant calls and alerts you should an application that's not supposed to tries to access things it has no business in. At least that's how I did it.

It does slow the system down considerably, though, so you might want to use it on a separate machine (real or VM) that you use to do your internet stuff.

The real threat of "government spyware"

[Opportunist]

The core problem is, surprisingly, its correlation with antivirus tools.

Either the feds don't give AV vendors a heads-up when they plan to use a trojan, i.e. they risk being found. Now, this would double as the "hey stoopid, the feds are onto you" warning.

So it's likely they do require AV vendors to avoid finding them. This, in turn, would mean, though, that all a potential virus writer has to do is to get his program to match the fed trojan in behaviour and shape, possibly in signature.

I needn't write more, I guess? Why bother coming up with a rootkit if there are governmental-assisted ways to create undetectable malware?

Re:The real threat of "government spyware"

match the fed trojan in behaviour and shape, possibly in signature.

That's difficult considering that all cia and fed software are signed with a public crypto key that is hidden deep in windows, and used to verify that the binary is indeed a signed goverment trojan.

The same method is used to send windows trojans to foreign military windows computers as well - that's why many european states does not trust windows to run their battleships or other critical military systems. I was assigned to disassembling the windows core logic when I did my mil svc.

Re:What about zombies?

[toleraen]

I think the obvious question would be "How does it get installed?"

Do they still get spam?

[192939495969798999]

If they have this amazing tool for tracking people down, do they still get spam at HQ? If so, why not use this to catch the spammers and make them stop? Is it because they're all beyond jurisdiction now?

But how do they install it?!?!

[Daneboy]

How, exactly, do the Men In Black install this uber-spyware on a target system?

Do they get a warrant, sneak into your home in the dead of night, and install software on your computer?

Do they mail it to you as a virus, perhaps cleverly disguised as a Nigerian spam scam?

Do they use the back door that Microsoft agreed to put in all their software in return for being granted Most-Favored Monopoly status by the government?

Or something else? "You are a suspected pedophile. To clear your name, please click here to install the FBI's internet spyware on your computer"?

Anyone know?

Re:But how do they install it?!?!

[Opportunist]

Maybe it's just a variant of the way MPack infects. Slipping code into inconspicuous pages, redirecting you to an iframe containing an exploit, suitable for your browser, and presto.

Re:What about zombies?

One would hope that, "because of the war against terrorism", being infected becomes a legal offense.
That would certainly increase the awareness.

Better question

[grasshoppa]

What happens to the first person to get a hold of this software and fully analyze it?

5 bucks says they get a visit from big men in serious black suits and then are never seen again.

Is this really a reliable tool for the FBI?

[Vokkyt]

There are many programs out there, such as LittleSnitch for Mac, which are rather adamant about making sure you know everything that is phoning home on your computer. Does the CIPAV have a method of circumventing these road blocks or would the FBI be stumped by the same software that is intended to keep computers safe from malicious software? While I could certainly understand them working with larger developers like Symantec and Microsoft to ensure that their anti-spyware and virus protection software dutifully ignores a product like CIPAV, what about machines running protection applications from smaller developers, or even open source protection, like the ClamAV project?

Better yet, if programs like CIPAV become more common as a tool for Federal Investigations, does it become a requirement that said programs allow CIPAV and its successors to do their work?

Re:Is this really a reliable tool for the FBI?

[Vokkyt]

Also (sorry to double post, but this just came to mind), what happens if it is blockable. Does using the software to prevent CIPAV from calling home constitute a felony for disrupting a Federal investigation? Or, what happens in the case of a rebuild? Is that also considered to be messing with a Federal Investigation if the target is unaware that they are being monitored?

What if Crackers modify it for themselves?

[denis-The-menace]

If AV companies do let the FBI version go through unchecked,
what if the virus and worm writers of today get a hold of this and modify it for their own purposes?

Some More Speculation on Installation Methods

[Dreamland]

Some more speculation on installation methods of CIPAV can be found here:

http://blog.misec.net/2007/07/31/3/

Specifically, it looks like the FBI may have several ready-made exploits, each targeting a different OS/web browser combination. An interesting question, then, is what they would do if they encountered a system that is fully patched and running a more secure browser such as Firefox. Does the FBI have access to their own zero-day exploits that they can whip out to install this trojan? If so, is it possible they have their own team of hackers set out to find such exploits?

Re:What about zombies?

[toleraen]

I was referring more to the question of how the FBI installs the software on your machine. For some reason picturing a guy in a black suit wearing dark sunglasses sending "OMG Pony Screensaver Inside!!1" emails doesn't cut it. If they're going for computer evidence, it seems likely that their targets would be a bit more computer literate: more up to date on patches, firewalls, etc.

Otherwise, who knows. Maybe their software has to wipe out other possible malware to be effective (wouldn't want that data they're collecting, or even the software they installed going overseas, right?). You'd hope that they would have to show that it was someone typing out the emails locally vs. remotely. But then, who's to say it wasn't the person's little brother writing the email? It doesn't seem like they'd have a lot to stand on...there should be a lot of supporting evidence going with what they collect with that software.

But in the end, don't they pretty much just have to say "We're the FBI. That's what happened." anyway?

Zombie or not, one specimen WILL be found.

[arth1]

Another worry is if someone finds it, how good precautions are there that it's immune to subversion, in multiple ways:

• Sending false data to the feds. With my knowledge of the bureau, I doubt they would ever question the data they receive. (The healthy paranoid people who might ask questions either get fired, or end up in different government branches).
  
• Using the app or information in it to launch an attack to the fed's own clandestine systems. This could include modifying the data sent to try to trigger a buffer over/underflow, or simply brute force DoS the target destination through a botnet.
  
• If it contains backdoor functionality, replace it with a honeypot and gain access to passwords and client info of the feds trying to access it.
  
• Modifying the app too send data not to the feds but to somewhere else. This would be the holy grail of trojans, as it's likely that most AV software have specific exceptions for ignoring software from the government.
  

Re:So, if you're a criminal....

[vertinox]

Thats why I have always disagreed with the current policy, not because I support the vile people that create such images, but I fear that it would be too easy to frame some one who is innocent.

There is this Japanese urban legend that when a corporation or Yakuza wants to off someone, they have the sucker win a trip to Indonesia. Then at the airport they slip some drugs in his bag and then give an anonymous tip to the Indonesian authorities.

The thing is... The penalty for drug possession in Indonesia is death.

You just got a government to carry out a mob hit for you.

That said, if you didn't like someone in particular and had a vendetta, putting these images on their machine would be a good way to get rid of them for a long time... Or at least ruin their career and family life.

I'm surprised the same Russian mob types behind spamming haven't created a scheme to put images on peoples computer and threaten to report them to the FBI if they didn't pay up.