FBI Uses Spyware to Capture Cyber Criminals

It doesn't carry quite the same weight as the Warren Commission report, and it might even contain more redactions than the Nixon tape transcripts, but recently released FBI documents obtained by Wired News via the Freedom of Information Act (FOIA) show that the FBI has been using its own version of spyware for years to catch cyber-criminals. The spyware goes by the moniker "Computer and Internet Protocol Address Verifier" (CIPAV) and has apparently been in use by the FBI since at least 2004.

CIPAV first came to public attention in 2007, when it was mentioned in an FBI affidavit that Wired News had obtained. The affidavit was filed in the U.S. District Court for the Western District of Washington as a request for a search warrant to use the spyware "to track the source of e-mailed bomb threats against" Timberline High School in Washington State. The warrant was granted, the FBI successfully infected the anonymous source's computer, and it soon discovered his identity. A 15-year-old student at the school, Josh Glazebrook, was arrested and indicted; he "pleaded guilty to making bomb threats, identity theft and felony harassment," served time in a juvenile detention center, was ordered to pay restitution to the school, was expelled, and was ordered to stay away from computers for two years.

How CIPAV works, that is, how it gets onto a target machine and what it exploits, is still classified. What CIPAV does, however, the 2007 affidavit described in some detail:

"The spyware program gathers a wide range of information, including the computer's IP address; MAC address; open ports; a list of running programs; the operating system type, version and serial number; preferred internet browser and version; the computer's registered owner and registered company name; the current logged-in user name and the last-visited URL.

The CIPAV then settles into a silent 'pen register' mode, in which it lurks on the target computer and monitors its internet use, logging the IP address of every computer to which the machine connects for up to 60 days."

Wired uploaded the 152 pages of declassified FBI documents to Scribd.

None of the collected information includes personal contents of the infected computer or its transmissions: no files or documents, no e-mails or IMs, no logged keystrokes. This restraint was likely deliberate. Collecting only addressing and configuration data keeps the tool closer to what courts treat as "pen register" information than to a wiretap, and avoids the perception of an excessive invasion of privacy that could increase the chances of the collected evidence being thrown out in court.

Even so, one of the documents that just came to light is a memo from as far back as 2002 (which likely pre-dates the creation of the CIPAV spyware itself) indicating that the FBI was concerned that overuse, and potentially inappropriate use, of its cyber-surveillance techniques in investigations might lead to the suppression of evidence:

"As many of you know, some investigators have begun to use an investigative technique referred to as an 'Internet Protocol Address Verifier' [REDACTED], a/k/a a '[REDACTED].' While the technique is of indisputable value in certain kinds of cases, we are seeing indications that it is being used needlessly by some agencies, unnecessarily raising difficult legal questions (and risk of suppression) without any countervailing benefit."

The recently released documents also disclose that CIPAV was used in a number of other investigations, including one as far back as 2004 in which a man was cutting communications lines in Boston and extorting service providers to pay him to stop the sabotage. Other investigations that used CIPAV include those of a sexual predator, a hitman, someone impersonating an FBI chief, people making threats, hackers, and other extortionists.

In a number of these incidents, the perpetrators were using anonymizers and proxy servers to escape detection, and CIPAV defeated them. This is less surprising than it sounds: an anonymizer or proxy only hides the address that the far end of a connection sees. A program running on the suspect's own machine does not need to see through the proxy at all; it can read the host's real IP and MAC addresses, owner name, and logged-in user directly from the operating system and report them over its own channel. Endpoint compromise sidesteps network anonymity rather than breaking it, which is exactly why the affidavit's list of collected items is dominated by host identifiers rather than traffic contents.

"The documents shed some light on how the FBI sneaks the CIPAV onto a target's machine, hinting that the bureau may be using one or more web browser vulnerabilities. In several of the cases outlined, the FBI hosted the CIPAV on a website, and tricked the target into clicking on a link."

Another fact disclosed in the released documents, as pointed out by Wired News, is that all of the documented uses of CIPAV were conducted under search warrants. This does not mean, however, that the FBI has always sought a warrant for investigations using CIPAV. A potentially precedent-setting 2007 appeals case, United States v. Forrester, held that some information, such as "IP addresses of websites a person has visited and to/from addresses from a person's emails," can be legally obtained without a warrant. While the FBI provided 152 pages of heavily redacted documents to Wired News in response to the FOIA request, an additional 623 pages were withheld. Those pages might well describe CIPAV-based investigations that were conducted without a search warrant.
Via:  Wired News
3vi1 5 years ago

This wouldn't be scary at all, had I not read the Chinese Rainy Day Super-Fun Hacker Activity Booklet:

Activity #211 -

Step 1: Use MySpace to find teenage child of decadent capitalist government official.

Step 2: Send school e-mail bomb-hoax via chain of anonymous remailers, mixmaster, open SMTP relays, etc.

Step 3: Create MySpace threatinfo page, invite kids from the school, and wait for FBI to send you CIPAV. Use only a simple text browser with no scripting capabilities + outbound firewalling at an intermediate proxy to prevent CIPAV from actually having a chance at doing anything.

Step 4: Dissect CIPAV (and sell to Russian hackers for six digits).

Bonus activity: Modify an existing trojan so that it is now stealthed to CIPAV and self erasing. Send to official's child's MySpace account via same hole the FBI used to send you CIPAV. Have this trojan download all necessary historical "tracks" and execute original CIPAV code then self-erase.

Someone tell Iain Softley I just wrote a more believable sequel to Hackers.

Kiristo 5 years ago

That does sound pretty good.

Anonymous 5 years ago

CIPAV has also been rumored to exploit a little known animated cursor hole and various quicktime vulnerabilities.

Instead of snooping on us they should take their skills and put them to use on securing our weak utilities infrastructures, which have seen Chinese and Russian hacking increase 83% in 2008. If it was totally disclosed, the amount of successful hack attempts into our national power grid networks would be alarming to say the very least.
