Resist & Rebel Counter-Culture: Politics & Religion & Current Events
Welcome to the Mycotopia Web Forums
    #1, 07-18-07, 19:43
    Invader Zim (Cisco Certified Stoner), Join Date: Mar 1972, Posts: 560
    FBI creates computer monitoring malware and used it

    Threat Level - Wired Blogs

    FBI Spyware: How Does the CIPAV Work? -- UPDATE
    By Kevin Poulsen, July 18, 2007 | 1:52:41 PM. Categories: Spooks Gone Wild


    Following up on my story on the FBI's computer-monitoring malware, the most interesting question unanswered in the FBI affidavit (.pdf) is how the bureau gets its "Computer and Internet Protocol Address Verifier" onto a target PC.

    In the Josh Glazebrook case, the FBI sent its program specifically to Glazebrook's then-anonymous MySpace profile, Timberlinebombinfo. The attack is described this way:

    The CIPAV will be deployed through an electronic messaging program from an account controlled by the FBI. The computers sending and receiving the CIPAV data will be machines controlled by the FBI. The electronic message deploying the CIPAV will only be directed to the administrator(s) of the "Timberinebombinfo" account.

    It's possible that the FBI used social engineering to trick Glazebrook into downloading and executing the malicious code by hand -- but given the teen's hacker proclivities, it seems unlikely he'd fall for a ruse like that. More likely the FBI used a software vulnerability, either a published one that Glazebrook hadn't patched against, or one that only the FBI knows.

    MySpace has an internal instant messaging system, and a web-based stored messaging system. (Contrary to one report, MySpace doesn't offer e-mail, so we can rule out an executable attachment.) Since there's no evidence the CIPAV was crafted specifically to target MySpace, my money is on a browser or plug-in hole, activated through the web-based stored messaging system, which allows one MySpace user to send a message to another's inbox. The message can include HTML and embedded image tags.

    There are several such holes to choose from. There's an old hole -- patched early last year -- in the way Windows renders WMF (Windows Metafile) images. Cyber crooks are still using it to install keyloggers, adware and spyware on vulnerable machines. Last year it even popped up in an attack on MySpace users delivered through an ad banner.

    Roger Thompson, CTO of security vendor Exploit Prevention Labs, says he'd bet on the fresher Windows animated cursor vulnerability, which was discovered being exploited by Chinese hackers last March, "and was quickly picked up by all the blackhats everywhere," he says.

    For a couple weeks, there wasn't even a patch available for the animated cursor hole -- in April, Microsoft rushed one out. But, of course, not everybody jumps on every Windows security update, and this hole remains one of the most popular browser bugs among black hats today, he says.

    There are also holes in Apple's QuickTime browser plug-in -- fixing it means downloading and reinstalling QuickTime. Like the animated cursor hole, some of the QuickTime vulns allow an attacker to gain complete control of a machine remotely. "They might have embedded something in a QuickTime movie or something," says Thompson.

    If you have any theories, let me know. (If you know something for certain, there's THREAT LEVEL's secure feedback form.)

    Update:

    Greg Shipley, CTO of security consultancy Neohapsis, says it's no surprise that anti-virus software didn't protect Glazebrook (assuming he even ran any). Without a sample of the FBI's code from which to build a signature, AV software would have a tough time spotting it.

    Some of the more "heuristic" techniques that profile application behavior might flag it ... maybe. However, IMO one of the most basic signs of good Windows Trojan design is an awareness of installed packages and default browsers, both alluded to in the text. If the trojan is browser-aware (and in turn, potentially proxy-aware) and HTTP is used as the transport protocol, heh, you're pretty fscked. That's the makings of a great covert-communications channel, and one that will do quite nicely in 99.9% of the environments out there ...

    In short, stock AV probably isn't gonna flag this thing unless they got a copy of it and built a sig, neither of which is likely.
    __________________
    The law will never make men free; it is men who have got to make the law free. -- Henry David Thoreau
    #2, 07-18-07, 23:29
    Seee (Pickle Breaf'), Join Date: May 2007, Posts: 313
    FREAKIN SCARY!
    __________________
    nothing = everything
    ?vice be our versa!
    #3, 07-19-07, 00:57
    Invader Zim (Cisco Certified Stoner), Join Date: Mar 1972, Posts: 560
    glad someone thinks so....
    #4, 07-19-07, 07:31
    TVCasualty (Embrace Your Damage), Join Date: Dec 2005, Posts: 2,913
    Seems like if something can be conceived of, it can be done (in the world of computers, anyway). If it can be done, it will be. Now let your imagination run wild, and stuff like this is only the beginning...

    People on some of the weed growing sites have received letters or phone calls (!) from law enforcement notifying them that they really need to stop growing all that herb, and the growers called were using proxies! Seems a proxy or encryption can itself be a flag that draws attention where a totally unsecured connection might not. So proxy or not, your activities online are quite transparent to certain people should they choose to look. We can only hope that one day those certain people get real lives.
    #5, 07-19-07, 10:13
    Invader Zim (Cisco Certified Stoner), Join Date: Mar 1972, Posts: 560
    Letters and phone calls? That's just plain F'n weird... I think, if I was to get one of those calls... I'd heed the warning lol. A warrant couldn't be far off.
    #6, 07-20-07, 06:47
    TVCasualty (Embrace Your Damage), Join Date: Dec 2005, Posts: 2,913
    I think it's someone at the fed level just saying "hello" because the locals would most likely be the ones to kick the door down but the feds don't have time/money/inclination to call locals every time they trace an IP address, so they just call/write and scare the shit out of you, which does work. However, the general consensus I've seen is that if you are really small time, which means under 4 lights, you won't get a call after posting tons of pics of your closet. The people reporting the calls were growing with 8-12 lights or more (1000W each) and posting pics, and some of the growers were using proxies.

    I always thought that 4 1000W lights was not small time, but then I wasn't cut out to be a drug lord, more like a jester. I guess when you amass a nice big pile of crap worth seizing you're much more likely to attract unwanted attention.