FBI remotely installs spyware to trace bomb threat
The FBI used a novel type of remotely installed spyware last month to investigate who was e-mailing bomb threats to a high school near Olympia, Wash.
Federal agents obtained a court order on June 12 to send spyware called CIPAV to a MySpace account suspected of being used by the bomb threat hoaxster. Once implanted, the software was designed to report back to the FBI with the Internet Protocol address of the suspect's computer, other information found on the PC and, notably, an ongoing log of the user's outbound connections.
Screen snapshot of 'timberlinebombinfo' MySpace account
The suspect, former Timberline High School student Josh Glazebrook, was sentenced this week to 90 days in juvenile detention after pleading guilty to making bomb threats and other charges.
While there's been plenty of speculation about how the FBI might deliver spyware electronically, this case appears to be the first to reveal how the technique is used in practice. The FBI did confirm in 2001 that it was working on a virus called Magic Lantern but hasn't said much about it since. The two other cases in which federal investigators were known to have used spyware--the Scarfo and Forrester cases--involved agents actually sneaking into offices to implant key loggers.
An 18-page affidavit filed in federal court by FBI Agent Norm Sanders last month and obtained by CNET News.com claims details about the governmental spyware are confidential. The FBI calls its spyware a Computer and Internet Protocol Address Verifier, or CIPAV.
"The exact nature of these commands, processes, capabilities, and their configuration is classified as a law enforcement sensitive investigative technique, the disclosure of which would likely jeopardize other ongoing investigations and/or future use of the technique," Sanders wrote. A reference to the operating system's registry indicates that CIPAV can target, as you might expect given its market share, Microsoft Windows. Other data sent back to the FBI include the operating system type and serial number, the logged-in user name, and the Web URL that the computer was "previously connected to."
News.com has posted Sanders' affidavit and a summary of the CIPAV results that the FBI submitted to U.S. Magistrate Judge James Donohue.
There have been hints in the past that the FBI has employed this technique. In 2004, an article in the Minneapolis Star Tribune reported that the bureau had used an "Internet Protocol Address Verifier" that was sent to a suspect via e-mail.
But bloggers at the time dismissed it--in hindsight, perhaps erroneously--as the FBI merely using an embedded image in an HTML-formatted e-mail message, also known as a Web bug.
Finding out who's behind a MySpace account
An interesting twist in the current case is that the county sheriff's office learned about the MySpace profile -- timberlinebombinfo -- when the creator tried to persuade other students to link to it and at least one of their parents called the police. The sheriff's office reported that 33 students received a request to post the link to "timberlinebombinfo" on their own MySpace pages.
In addition, the bomb hoaxster was sending a series of taunting messages from Google Gmail accounts (including dougbrigs@gmail.com) the week of June 4. A representative excerpt: "There are 4 bombs planted throughout Timberline High School. One in the math hall, library hall, and one portable. The bombs will go off in 5 minute intervals at 9:15 am."
The FBI replied by obtaining account logs from Google and MySpace. Both pointed to the Internet Protocol address of 80.76.80.103, which turned out to be a compromised computer in Italy.
That's when the FBI decided to roll out the heavy artillery: CIPAV. "I have concluded that using a CIPAV on the target MySpace 'Timberlinebombinfo' account may assist the FBI to determine the identities of the individual(s) using the activating computer," Sanders' affidavit says.
CIPAV was going to be installed "through an electronic messaging program from an account controlled by the FBI," which probably means e-mail. (Either e-mail or instant messaging could be used to deliver an infected file with CIPAV hidden in it, but the wording of that portion of the affidavit makes e-mail more likely.)
After CIPAV is installed, the FBI said, it will immediately report back to the government the computer's Internet Protocol address, Ethernet MAC address, "other variables, and certain registry-type information." And then, for the next 60 days, it will record Internet Protocol addresses visited but not the contents of the communications.
Putting the legal issues aside for the moment, one key question remains a mystery: Assuming the FBI delivered the CIPAV spyware via e-mail, how did the the program bypass antispyware defenses and install itself as malicious software? (There's no mention of antivirus defenses in the court documents, true, but the bomb-hoaxster also performed a denial of service attack against the school district computers -- which, coupled with compromising the server in Italy, points to some modicum of technical knowledge.)
One possibility is that the FBI has persuaded security software makers to overlook CIPAV and not alert their users to its presence.
Another is that the FBI has found (or paid someone to uncover) unknown vulnerabilities in Windows or Windows-based security software that would permit CIPAV to be installed. From the FBI's perspective, this would be the most desirable: for one thing, it would also obviate the need to strong-arm dozens of different security vendors, some with headquarters in other countries, into whitelisting CIPAV.
Earlier this week, News.com surveyed 13 security vendors and all said it was their general policy to detect police spyware. Some, however, indicated they would obey a court order to ignore policeware, and neither McAfee nor Microsoft would say whether they had received such a court order.
The verbatim results of our survey are here.
Declan McCullagh, CNET News' chief political correspondent, chronicles the intersection of politics and technology. He has covered politics, technology, and Washington, D.C., for more than a decade, which has turned him into an iconoclast and a skeptic of anyone who says, "We oughta have a new federal law against this." E-mail Declan. 
Pretty clever but easily discovered.
It is going to get harder and harder to really use a traditional EXE virus program like once known. Not to mention a person can track all there programs and checksum their drive if they are clever enough. This is in addition to their virus protection. This guy was using a proxy of some type possibly so this isn't your average criminal. He had done other crimes(according to the story) and just got too brazen.
I wonder what liability Myspace or other providers have if whatever method is used causes issues???
You would think the FBI with all their resources could do this same thing without the need for spyware. How hard can it be?
A 1x1 pixel GIF isn't going to be able to report back to the FBI the IP address, MAC address, open communications ports, list of running programs, OS type and serial number, Internet browser and version, language encoding, registered computer name, registered company name, current logged-in user name, URL connected to, and a list of IP addresses subsequently visited.
It's on page 6 of the first PDF as well.
The "are you sure you want to do this" message(they need to have this popup during install) is quite often shut off because people get sick of it.
It is still possible to install software with a user account.
If you think you are any safer in Vista then in XP, well there isn't much to say about such stupidity.
making it OS independent. Just a thought....
My guess is that you would use an image to get the IP address of the target, then have an application running server side punch a hole through the router. If I had my guess, Magic Lantern is a server side application. Think of something on the lines of Steve Gibson's "Shields up".
Before anyone asks, yes, you could do this if the person was running a proxy server, but it would be a bit harder. The tricky part would be getting past the firewalls that the ISP uses.
"Another is that the FBI has found (or paid someone to uncover)
unknown vulnerabilities in Windows or Windows-based security
software that would permit CIPAV to be installed."
I've never heard of an OS called Linux-Windows, Unix-Windows
or Mac-Windows so I'm going to go out on a limb and say I
believe YES.. the article refers to MS-Windows..
(next time READ the article)
If, to solve one case, the security of millions of internet users is put at risk, then this is unconscienable. There is no difference between this and the actions of a hacker breaking into any given computer system, and in fact, should a hacker gain access to the information deemed "classified" by the FBI, they could exploit it to do any amount of damage they wanted to. A reverse engineered CIPAV in the hand of hackers or terrorists could be lethal.
The predators have one advantage, avatar icons...
Another question...if someone ads that a site is for families...should they be required to make it safe for children...or are children no longer a part of family?