Slashdot Mirror


What We Know About the FBI's CIPAV Spyware

StonyandCher writes "What is CIPAV? CIPAV stands for 'Computer and Internet Protocol Address Verifier'; a lengthy term for powerful spyware the Federal Bureau of Investigation can bring to bear on web-based crime. It was used last month in a case where someone was emailing bomb threats regularly to a Washington high school. An affidavit by an FBI agent revealed some of the workings of CIPAV. 'According to the court filing, this is [some of] what the CIPAV collects from the infected computer: IP address, Media Access Control address for the network card, List of open TCP and UDP ports, List of running programs ... Last visited URL. Once that initial inventory is conducted, the CIPAV slips into the background and silently monitors all outbound communication, logging every IP address to which the computer connects, and time and date stamping each.' In a Computerworld article, the author attempts to dissect CIPAV's purpose and raises a number of questions such as: What happens to the data the CIPAV collects? Does the CIPAV capture keystrokes? Can the CIPAV spread on its own to other computers, either purposefully or by accident? Does it erase itself after its job is done?"

14 of 207 comments

  1. does it... by russ1337 · · Score: 5, Interesting

    What happens to the data the CIPAV collects? Does the CIPAV capture keystrokes? Can the CIPAV spread on its own to other computers, either purposefully or by accident? Does it erase itself after its job is done?

    Does it run on Linux?

    sorry, couldn't help myself.... but seriously..... does it?
    1. Re:does it... by HaeMaker · · Score: 4, Funny

      Let's find out...

      "Mr. Gman from Quantico, VA has sent you an eGreetingCard from Flowers By Irene! Just open this P.D.F. file to view..."

    2. Re:does it... by dgatwood · · Score: 4, Insightful

      Mod parent down. SELinux is support for more fine-grained rights management in Linux. It's a mandatory access control policy system, basically. Unless parent has proof that there is a back door in there somewhere, I'm pretty sure parent is full of it.

      Just because the software is partially paid for by the government, it does not necessarily follow that it's a back door. Take off the tinfoil hat.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

  2. What about zombies? by Reziac · · Score: 4, Insightful

    What happens when zombied computers are used to email such threats? Who gets the blame in that case? How do you distinguish the innocent zombied user from the trojan or virus? Would being infected constitute a defense? If so, how do you prove intent?

    So many questions raised by this... I'm sure others can think of many more.

    --
    ~REZ~ #43301. Who'd fake being me anyway?
    1. Re:What about zombies? by toleraen · · Score: 5, Interesting

      I think the obvious question would be "How does it get installed?"

  3. The real threat of "government spyware" by Opportunist · · Score: 5, Interesting

    The core problem is, surprisingly, its correlation with antivirus tools.

    Either the feds don't give AV vendors a heads-up when they plan to use a trojan, i.e. they risk being found. Now, this would double as the "hey stoopid, the feds are onto you" warning.

    So it's likely they do require AV vendors to avoid finding them. This, in turn, would mean, though, that all a potential virus writer has to do is to get his program to match the fed trojan in behaviour and shape, possibly in signature.

    I needn't write more, I guess? Why bother coming up with a rootkit if there are governmental-assisted ways to create undetectable malware?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:The real threat of "government spyware" by querist · · Score: 4, Informative

      Discretion is the better part of valor.

      One of the differences between the virus that your bog-standard AV will detect and this critter from the FBI is the number of instances out there in the wild. Keep in mind that this FBI thing is intentionally sent to specific targets, and I suspect that it is used sparingly in order to prevent it from being found easily.

      Nearly all AV programs rely on signatures. The way they obtain the signatures is first to obtain samples, and then determine how they can identify the program accurately (Hashes, etc). I've discovered new malware and forwarded it to the proper channels, as have others that I know.

      Therefore, the following (simplified) steps must occur:

      1. become infected with the malware
      2. suspect that the machine is infected
      3. correctly isolate the malware (find its parts, etc)

      Then, once those happen one must also do the following in order to hope that protection will be offered to others:

      4. send the sample to one or more anti-malware application support teams for inclusion
      5. wait until the AV/AM team can create a signature
      5. wait until the AV/AM team distributes the signature
      7. wait until people update their AV/AM signature databases.

      As you can see, there are several places where this process can fail. Think of it like phishing, but sort of in reverse. Phishers send out a large number of messages in hope that even if only a very small percentage of recipients (1/100th of one percent, for example) fall for it, they will be able to profit.

      That works just fine if you send out a few hundred thousand messages.

      If you send out only one message, or ten, or twenty, your odds are very close to zero that even one person will "bite".

      This is the critical difference. I doubt that this program is out there on thousands of machines, or hundreds of thousands of machines all over the place. It is "placed" (I know - some victim effort is required) on specific machines.

      Therefore you have a very small victim base. The odds of this being discovered are quite small, even without collusion from the AV vendors.

      This is more like "spearphishing" (who dreams up these phrases?), being specially targeted for one individual. This increases the odds of that one individual falling for the ruse, and since only one person was the target, this works well.

      Things like this make the lives of us who work in security full time much more complicated.

      -Q

  4. Nice acronym but... by Statecraftsman · · Score: 4, Funny

    can't we just continue calling this Vista?

  5. But how do they install it?!?! by Daneboy · · Score: 5, Interesting

    How, exactly, do the Men In Black install this uber-spyware on a target system?

    Do they get a warrant, sneak into your home in the dead of night, and install software on your computer?

    Do they mail it to you as a virus, perhaps cleverly disguised as a Nigerian spam scam?

    Do they use the back door that Microsoft agreed to put in all their software in return for being granted Most-Favored Monopoly status by the government?

    Or something else? "You are a suspected pedophile. To clear your name, please click here to install the FBI's internet spyware on your computer"?

    Anyone know?

    --
    /* "Specialization is for insects." -Heinlein */

  6. Is this really a reliable tool for the FBI? by Vokkyt · · Score: 4, Interesting

    There are many programs out there, such as LittleSnitch for Mac, which are rather adamant about making sure you know everything that is phoning home on your computer. Does the CIPAV have a method of circumventing these road blocks or would the FBI be stumped by the same software that is intended to keep computers safe from malicious software? While I could certainly understand them working with larger developers like Symantec and Microsoft to ensure that their anti-spyware and virus protection software dutifully ignores a product like CIPAV, what about machines running protection applications from smaller developers, or even open source protection, like the ClamAV project?

    Better yet, if programs like CIPAV become more common as a tool for Federal Investigations, does it become a requirement that said programs allow CIPAV and its successors to do their work?
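    The comment above asks whether an outbound-connection monitor would catch a phone-home. As an added example, not from the original thread, here is the core of such a check in Python: constructed connection records are compared against a hypothetical per-process egress baseline, and anything from an unknown process, or on an unexpected port to a non-local address, is flagged. The process names, addresses and baseline are all made up for illustration.

```python
import ipaddress
from collections import namedtuple

# One outbound connection record; fields chosen for this example
# (a real tool would take them from the host firewall or `ss -tnp`).
Conn = namedtuple("Conn", "proto proc dst_ip dst_port")

# Constructed sample records; not real CIPAV or FBI traffic.
SAMPLE = [
    Conn("tcp", "firefox", "93.184.216.34", 443),
    Conn("tcp", "apt-get", "91.189.91.39", 80),
    Conn("tcp", "svchost.exe", "203.0.113.7", 443),   # process not in baseline
    Conn("udp", "firefox", "192.168.0.1", 53),         # local resolver, fine
    Conn("tcp", "firefox", "198.51.100.9", 8443),      # odd port for a browser
]

# Hypothetical per-host baseline: which processes may talk out, and on what ports.
BASELINE = {"firefox": {53, 80, 443}, "apt-get": {80, 443}}
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_local(ip):
    """True when the destination is on a private or loopback range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def classify(conn):
    """Return the reasons a connection deserves a look (empty list = expected)."""
    reasons = []
    if conn.proc not in BASELINE:
        reasons.append("process not in egress baseline")
    elif conn.dst_port not in BASELINE[conn.proc] and not is_local(conn.dst_ip):
        reasons.append("port not expected for this process")
    return reasons


def suspicious(conns):
    """All connections with at least one reason, as (conn, reasons) pairs."""
    flagged = []
    for c in conns:
        reasons = classify(c)
        if reasons:
            flagged.append((c, reasons))
    return flagged


if __name__ == "__main__":
    for c, why in suspicious(SAMPLE):
        print(f"{c.proc} -> {c.dst_ip}:{c.dst_port}/{c.proto}: {', '.join(why)}")
```

    A baseline like this catches a new process talking out, which is the part an unexpected phone-home cannot avoid; it does nothing against a component that hides inside a process already on the allowlist.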

  7. Let's check... by Jeff+Carr · · Score: 5, Funny

    $ sudo apt-get remove cipav
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    E: Couldn't find package cipav

    Whew, safe!

    --
    The television will not be revolutionized.

  8. Some More Speculation on Installation Methods by Dreamland · · Score: 5, Interesting

    Some more speculation on installation methods of CIPAV can be found here:

    http://blog.misec.net/2007/07/31/3/

    Specifically, it looks like the FBI may have several ready-made exploits, each targeting a different OS/web browser combination. An interesting question, then, is what they would do if they encountered a system that is fully patched and running a more secure browser such as Firefox. Does the FBI have access to their own zero-day exploits that they can whip out to install this trojan? If so, is it possible they have their own team of hackers set out to find such exploits?

  9. Re:address is 192.168.0.100 by ArcherB · · Score: 4, Funny

    Just look for the guy with that address!

    It must do a trace route/phone home or something to actually get a useful address

    As opposed to the guy at 127.0.0.1! I hacked into his machine once, but that bastard had some sort of active defense daemon running that wiped my drive at the same time I was trying to wipe his!

    Fortunately, I was able to see the porno pics of his wife before I was hit. Man! That bitch was FUGLY!

    --
    There is no "I disagree" mod for a reason. Flamebait, Troll, and Overrated are not substitutes.

  10. Zombie or not, one specimen WILL be found. by arth1 · · Score: 4, Interesting

    Another worry is, if someone finds it, what precautions there are that make it immune to subversion, in multiple ways:
    • Sending false data to the feds. With my knowledge of the bureau, I doubt they would ever question the data they receive. (The healthy paranoid people who might ask questions either get fired, or end up in different government branches).
    • Using the app or information in it to launch an attack to the fed's own clandestine systems. This could include modifying the data sent to try to trigger a buffer over/underflow, or simply brute force DoS the target destination through a botnet.
    • If it contains backdoor functionality, replace it with a honeypot and gain access to passwords and client info of the feds trying to access it.
    • Modifying the app to send data not to the feds but to somewhere else. This would be the holy grail of trojans, as it's likely that most AV software has specific exceptions for ignoring software from the government.