FBI remotely installs spyware to trace bomb threat
Posted on 07/25/2007 1:09:16 PM PDT by Leo Carpathian
The FBI used a novel type of remotely installed spyware last month to investigate who was e-mailing bomb threats to a high school near Olympia, Wash.
Federal agents obtained a court order on June 12 to send spyware called CIPAV to a MySpace account suspected of being used by the bomb threat hoaxster. Once implanted, the software was designed to report back to the FBI with the Internet Protocol address of the suspect's computer, other information found on the PC and, notably, an ongoing log of the user's outbound connections.
[Image: screen snapshot of the 'timberlinebombinfo' MySpace account]
The suspect, former Timberline High School student Josh Glazebrook, was sentenced this week to 90 days in juvenile detention after pleading guilty to making bomb threats and other charges.
While there's been plenty of speculation about how the FBI might deliver spyware electronically, this case appears to be the first to reveal how the technique is used in practice. The FBI did confirm in 2001 that it was working on a virus called Magic Lantern but hasn't said much about it since. The two other cases in which federal investigators were known to have used spyware--the Scarfo and Forrester cases--involved agents actually sneaking into offices to implant key loggers.
An 18-page affidavit filed in federal court by FBI Agent Norm Sanders last month and obtained by CNET News.com claims details about the governmental spyware are confidential. The FBI calls its spyware a Computer and Internet Protocol Address Verifier, or CIPAV.
"The exact nature of these commands, processes, capabilities, and their configuration is classified as a law enforcement sensitive investigative technique, the disclosure of which would likely jeopardize other ongoing investigations and/or future use of the technique," Sanders wrote. A reference to the operating system's registry indicates that CIPAV can target, as you might expect given its market share, Microsoft Windows. Other data sent back to the FBI include the operating system type and serial number, the logged-in user name, and the Web URL that the computer was "previously connected to."
News.com has posted Sanders' affidavit and a summary of the CIPAV results that the FBI submitted to U.S. Magistrate Judge James Donohue.
There have been hints in the past that the FBI has employed this technique. In 2004, an article in the Minneapolis Star Tribune reported that the bureau had used an "Internet Protocol Address Verifier" that was sent to a suspect via e-mail.
But bloggers at the time dismissed it--in hindsight, perhaps erroneously--as the FBI merely using an embedded image in an HTML-formatted e-mail message, also known as a Web bug.
Finding out who's behind a MySpace account
An interesting twist in the current case is that the county sheriff's office learned about the MySpace profile--timberlinebombinfo--when the creator tried to persuade other students to link to it and at least one of their parents called the police. The sheriff's office reported that 33 students received a request to post the link to "timberlinebombinfo" on their own MySpace pages.
In addition, the bomb hoaxster was sending a series of taunting messages from Google Gmail accounts (including email@example.com) the week of June 4. A representative excerpt: "There are 4 bombs planted throughout Timberline High School. One in the math hall, library hall, and one portable. The bombs will go off in 5 minute intervals at 9:15 am."
The FBI replied by obtaining account logs from Google and MySpace. Both pointed to the Internet Protocol address of 220.127.116.11, which turned out to be a compromised computer in Italy.
That's when the FBI decided to roll out the heavy artillery: CIPAV. "I have concluded that using a CIPAV on the target MySpace 'Timberlinebombinfo' account may assist the FBI to determine the identities of the individual(s) using the activating computer," Sanders' affidavit says.
CIPAV was going to be installed "through an electronic messaging program from an account controlled by the FBI," which probably means e-mail. (Either e-mail or instant messaging could be used to deliver an infected file with CIPAV hidden in it, but the wording of that portion of the affidavit makes e-mail more likely.)
After CIPAV is installed, the FBI said, it will immediately report back to the government the computer's Internet Protocol address, Ethernet MAC address, "other variables, and certain registry-type information." And then, for the next 60 days, it will record Internet Protocol addresses visited but not the contents of the communications.
Putting the legal issues aside for the moment, one key question remains a mystery: Assuming the FBI delivered the CIPAV spyware via e-mail, how did the program bypass antispyware defenses and install itself as malicious software? (There's no mention of antivirus defenses in the court documents, true, but the bomb hoaxster also performed a denial of service attack against the school district computers -- which, coupled with compromising the server in Italy, points to some modicum of technical knowledge.)
One possibility is that the FBI has persuaded security software makers to overlook CIPAV and not alert their users to its presence.
Another is that the FBI has found (or paid someone to uncover) unknown vulnerabilities in Windows or Windows-based security software that would permit CIPAV to be installed. From the FBI's perspective, this would be the most desirable: for one thing, it would also obviate the need to strong-arm dozens of different security vendors, some with headquarters in other countries, into whitelisting CIPAV. Earlier this week, News.com surveyed 13 security vendors and all said it was their general policy to detect police spyware. Some, however, indicated they would obey a court order to ignore policeware, and neither McAfee nor Microsoft would say whether they had received such a court order.
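The simplest address-verifier the article mentions is the "Web bug" of the 2004 reports: a remote image in an HTML message whose fetch discloses the reader's IP address. As an added illustration that is not part of the article, the following script shows how a mail client or gateway can flag that pattern before any remote content is rendered; the HTML body and host names are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample HTML mail body (not from the article or any real message).
SAMPLE_HTML = """<html><body>
<p>Hi, see the attached link.</p>
<img src="cid:logo@local" width="120" height="40">
<img src="https://tracker.example/open/7f3a9c1e2b4d6f8a1c3e5b7d9f0a2c4e.gif" width="1" height="1">
<img src="https://cdn.example/banner.png" width="300" height="80">
<link rel="stylesheet" href="https://cdn.example/style.css">
</body></html>"""


class RemoteContentFinder(HTMLParser):
    """Collects every remote resource a mail client would fetch when rendering the HTML."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        url = a.get("src") if tag in ("img", "iframe", "embed") else a.get("href") if tag == "link" else ""
        if not url:
            return
        parsed = urlparse(url)
        if parsed.scheme not in ("http", "https"):
            return  # cid:, data: and relative references do not contact any server
        # Classic beacon traits: an image the reader cannot see ...
        tiny = tag == "img" and a.get("width", "").strip() in ("0", "1") and a.get("height", "").strip() in ("0", "1")
        hidden = "display:none" in a.get("style", "").replace(" ", "").lower()
        # ... plus a long opaque token that ties the single fetch to one recipient.
        tokenised = re.search(r"[A-Za-z0-9_-]{16,}", parsed.path + parsed.query) is not None
        self.findings.append({"tag": tag, "host": parsed.hostname, "url": url,
                              "beacon": (tiny or hidden) and tokenised})


def find_remote_content(html):
    """Return every remote fetch the message would trigger, in document order."""
    p = RemoteContentFinder()
    p.feed(html)
    p.close()
    return p.findings


def beacon_hosts(html):
    """Hosts that would learn the reader's IP address from a hidden, per-recipient fetch."""
    return sorted({f["host"] for f in find_remote_content(html) if f["beacon"]})


if __name__ == "__main__":
    for f in find_remote_content(SAMPLE_HTML):
        print(("BEACON " if f["beacon"] else "remote ") + f["url"])
```

A client that blocks remote content by default defeats the beacon regardless of the scan; the scan is useful for telling the user which host would have been contacted.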
Note to self: Be sure to add to spyware blocker.
All it would take is for one corrupt cop to disclose how to get malware to pass itself off as policeware...
If the FBI is so smart at such stuff, why don’t they nab a few virus makers, spammers, etc.?
Spyware blockers may not work...
~snip~ One possibility is that the FBI has persuaded security software makers to overlook CIPAV and not alert their users to its presence.
Another is that the FBI has found (or paid someone to uncover) unknown vulnerabilities in Windows or Windows-based security software that would permit CIPAV to be installed.~snip~
I've always wondered if MS agreed to put "backdoors" in its OS for the Feds to use when needed.
So how long you think that took? 15 minutes or so?
I would assume more than a few Feds work for MS also.
Not a possibility, but a reality.
Eric Chien, chief researcher at Symantec's antivirus research lab, said that provided a hypothetical keystroke logging tool was used only by the FBI, then Symantec would avoid updating its antivirus tools to detect such a Trojan.
Symantec is yet to hear back from the FBI on its enquiries about Magic Lantern.
"If it was under the control of the FBI, with appropriate technical safeguards in place to prevent possible misuse, and nobody else used it - we wouldn't detect it," said Chien. "However we would detect modified versions that might be used by hackers."
Symantec mouthpiece Eric Chien said his firm would work with FBI agents to infect their paying customers. He clarified Symantec's patriotism in a story published in The Register. "If it was under the control of the FBI, with appropriate technical safeguards in place to prevent possible misuse, and nobody else used it we wouldn't detect it," Chien explained.
Symantec didn't stand alone in its patriotism back then. Associated Press reporter Ted Bridis claimed an unnamed McAfee expert "contacted the FBI on [21 Nov 01] to ensure its software wouldn't inadvertently detect the bureau's snooping software."
Unfortunately, this rush of patriotism caused a serious publicity snafu for the U.S. antivirus industry. Customers threatened to switch to non-patriotic products to achieve the protection they desired. Symantec quickly backed away from Chien's patriotic statements. McAfee went so far as to contest the accuracy of the AP story to assuage their client base. "Network Associates/McAfee.com Corporation has not contacted the FBI, nor has the FBI contacted NAI/McAfee.com Corp., regarding Magic Lantern."
(Longtime Vmyths readers will recall AP reporter Ted Bridis exposed "The China Syndrome" while working for the Wall Street Journal. I don't take his reporting lightly and I independently narrowed the identity of the McAfee expert to two individuals. One regularly advises the White House on national cyber-security doctrine; the other departed on an apparently no-notice business trip to Europe when the brouhaha surfaced.)
Ah! But McAfee admitted to an intriguing exemption for the FBI's Magic Lantern trojan. The firm "does and will continue to comply with any and all U.S. laws and legislation." Think about this for a moment.
Where is the NY Times when you really need them?
The last time this country, the entire country, was really at war (WWII) government censors were reading private letters and deleting sensitive information.
Some day all you progressives & libertarians will have to choose between those who want to “spy” (via the Patriot Act) on folks in order to locate terrorist bombers and those who want to impose Sharia.
(flameproof suit cleaned & pressed and ready to wear) :-)
I remember hearing about this some time ago wrt keylog malware.
Makes sense- if I’m running antispyware stuff that CAN catch FBI spybots, it will! So the antispyware and virus protection people must be agreeing to not include the signatures in their product.
Does that make the product defective?
If ACLU knew that fbi was colluding with spyware vendors (so that terrorists can be dimed out) I bet they’ll sue.
“Spyware blockers may not work...”
Didn’t it mention using e-mails to install it? I got blockers for that too and no matter what kind of Porno they tempt me with, I will not open the attachment. LOL!
And those are my only two choices?
Depending on who gets into office, I don't see much choice.
I am a charter member of above!
Hillary will just love all these new powers! You think that we had it bad under bubba? Blackbird.
As George Washington said in 1774, “The crisis is arrived when we must assert our rights or submit to every imposition which can be heaped upon us, till custom and use shall make us . . . slaves.”
The contempt felt for those who would not fight for their own liberty was expressed by Samuel Adams: “If ye love wealth better than liberty, the tranquillity of servitude better than the animating contest of freedom, go home from us in peace. We ask not your counsels or arms. Crouch down and lick the hands which feed you. May your chains set lightly upon you, and may posterity forget that ye were our countrymen.”
Imagine that men from that era were observing us today. They would see that we send up to 50% of our income to different levels of government, and we are told that this is not sufficient that our duty is to sacrifice more. (Consider this shocking fact: the colonists paid approximately 1% of their incomes in taxes!) They would see an incredible number of regulations on all types of domestic and foreign commerce. They would see an immense army of bureaucrats to enforce the regulations and another army of real soldiers residing more or less permanently in other countries. It would be clear to them that Jefferson’s statement is unfortunately still true that “even under the best forms [of government] those entrusted with power have, in time and by slow operation, perverted it into tyranny.”
The biggest surprise to our observers would not be that those in power seek to expand their power. They would have expected that. The biggest surprise would be the degraded state of many Americans who have lost the stature that comes from taking responsibility for one’s own life. They would see millions of dependent creatures, comfortable in their dependency, crouching and licking the hands that feed them, and begging for more, asking only that the benefits they get are paid for by the sacrifices of other people.
Can any of us deny that the citizens are primarily to blame for the erosion of their own liberties? Most are traveling the road to serfdom willingly. But the road goes nowhere new. It leads only to the same forms of tyranny that have characterized most societies in history.
There is liberty . . . and there are thousands of forms of tyranny. There are men’s rights . . . and thousands of rationalizations for violating them. When it comes to liberty, everything but the real thing is the wrong thing. We must accept no substitutes.
>> Some day all you progressives & libertarians will have to choose between those who want to spy (via the Patriot Act) on folks in order to locate terrorist bombers and those who want to impose Sharia. (flameproof suit cleaned & pressed and ready to wear) :-)
No flames, my FRiend... I get that part.
It doesn’t bother me at all that W’s justice department does this sort of thing.
But it positively sends cold chills up and down my spine to think that HILLARY!s justice department would have the capability and the green light to use it.
Remember "FileGate", "TravelGate" and Vince Foster. Hillary will "use it", green light or not.
The question is not whether I object to the Feds tapping into my mail (snail or otherwise). What matters is do I want Akmed Jihad succeeding with his plan to blow up folks at the local mall/elementary school/football game/fill-in-the-blank because some smarmy judge rules that the law enforcement folks might be "profiling" in their request for a wire-tap.
I don't like waiting in a line of traffic while the highway patrol does a license or sobriety check on a Saturday evening. However, I much prefer that to meeting a drunk head on traveling in my lane at 85 mph. We all give up some rights as a part of living in society.
If I lived in the upper east side of Manhattan, I'd probably have to give up my right to raise pigs & chickens in the "backyard". If I want to live in peace & safety in the midst of Islamic Jihad then I will probably have to endure the feds snooping some on everyone, me included.
Perhaps Master Glazebrook should have been using a Mac! :)