Online search warrant via CIPAV


hatal
July 19th, 2007, 02:25 PM
"The FBI used a novel type of remotely installed spyware last month to investigate who was e-mailing bomb threats to a high school near Olympia, Wash.

Federal agents obtained a court order on June 12 to send spyware called CIPAV to a MySpace account suspected of being used by the bomb threat hoaxster. Once implanted, the software was designed to report back to the FBI with the Internet Protocol address of the suspect's computer, other information found on the PC and, notably, an ongoing log of the user's outbound connections.

The suspect, former Timberline High School student Josh Glazebrook, was sentenced this week to 90 days in juvenile detention after pleading guilty to making bomb threats and other charges.

While there's been plenty of speculation about how the FBI might deliver spyware electronically, this case appears to be the first to reveal how the technique is used in practice. The FBI did confirm in 2001 that it was working on a virus called Magic Lantern but hasn't said much about it since. The two other cases in which federal investigators were known to have used spyware--the Scarfo and Forrester cases--involved agents actually sneaking into offices to implant key loggers.

An 18-page affidavit filed in federal court by FBI Agent Norm Sanders last month and obtained by CNET News.com claims details about the governmental spyware are confidential. The FBI calls its spyware a Computer and Internet Protocol Address Verifier, or CIPAV.

"The exact nature of these commands, processes, capabilities, and their configuration is classified as a law enforcement sensitive investigative technique, the disclosure of which would likely jeopardize other ongoing investigations and/or future use of the technique," Sanders wrote. A reference to the operating system's registry indicates that CIPAV can target, as you might expect given its market share, Microsoft Windows. Other data sent back to the FBI include the operating system type and serial number, the logged-in user name, and the Web URL that the computer was "previously connected to."

News.com has posted Sanders' affidavit and a summary of the CIPAV results that the FBI submitted to U.S. Magistrate Judge James Donohue.

There have been hints in the past that the FBI has employed this technique. In 2004, an article in the Minneapolis Star Tribune reported that the bureau had used an "Internet Protocol Address Verifier" that was sent to a suspect via e-mail.

But bloggers at the time dismissed it--in hindsight, perhaps erroneously--as the FBI merely using an embedded image in an HTML-formatted e-mail message, also known as a Web bug.


Finding out who's behind a MySpace account

An interesting twist in the current case is that the county sheriff's office learned about the MySpace profile -- timberlinebombinfo -- when the creator tried to persuade other students to link to it and at least one of their parents called the police. The sheriff's office reported that 33 students received a request to post the link to "timberlinebombinfo" on their own MySpace pages.

In addition, the bomb hoaxster was sending a series of taunting messages from Google Gmail accounts (including dougbrigs@gmail.com) the week of June 4. A representative excerpt: "There are 4 bombs planted throughout Timberline High School. One in the math hall, library hall, and one portable. The bombs will go off in 5 minute intervals at 9:15 am."

The FBI replied by obtaining account logs from Google and MySpace. Both pointed to the Internet Protocol address of 80.76.80.103, which turned out to be a compromised computer in Italy.

That's when the FBI decided to roll out the heavy artillery: CIPAV. "I have concluded that using a CIPAV on the target MySpace 'Timberlinebombinfo' account may assist the FBI to determine the identities of the individual(s) using the activating computer," Sanders' affidavit says.

CIPAV was going to be installed "through an electronic messaging program from an account controlled by the FBI," which probably means e-mail. (Either e-mail or instant messaging could be used to deliver an infected file with CIPAV hidden in it, but the wording of that portion of the affidavit makes e-mail more likely.)

After CIPAV is installed, the FBI said, it will immediately report back to the government the computer's Internet Protocol address, Ethernet MAC address, "other variables, and certain registry-type information." And then, for the next 60 days, it will record Internet Protocol addresses visited but not the contents of the communications.

Putting the legal issues aside for the moment, one key question remains a mystery: Assuming the FBI delivered the CIPAV spyware via e-mail, how did the program bypass antispyware defenses and install itself as malicious software? (There's no mention of antivirus defenses in the court documents, true, but the bomb-hoaxster also performed a denial of service attack against the school district computers -- which, coupled with compromising the server in Italy, points to some modicum of technical knowledge.)

One possibility is that the FBI has persuaded security software makers to overlook CIPAV and not alert their users to its presence.

Another is that the FBI has found (or paid someone to uncover) unknown vulnerabilities in Windows or Windows-based security software that would permit CIPAV to be installed. From the FBI's perspective, this would be the most desirable: for one thing, it would also obviate the need to strong-arm dozens of different security vendors, some with headquarters in other countries, into whitelisting CIPAV.

Earlier this week, News.com surveyed 13 security vendors and all said it was their general policy to detect police spyware. Some, however, indicated they would obey a court order to ignore policeware, and neither McAfee nor Microsoft would say whether they had received such a court order."

(Detailed, original article on: http://www.wired.com/politics/law/news/2007/07/fbi_spyware and a couple of other sites dealing with IT news)

:confused:

My question: is this a sophisticated new FedWare which can stay undetected by almost all popular firewall, anti-virus and anti-malware software ( :rolleyes: unlikely IMHO)? Or: crock of shit, and there has been some kind of a workaround, with a "little" help from the OS and antivirus corps (Microsoft and alike). Or: a little bit of both? Your opinion?

inthekitchen
July 19th, 2007, 11:53 PM
Why not just make bomb threats from pay phones--it's unlikely the call will be traced unless you make repeat threats--and you should only have to make a bomb threat on the day of the final to grab some extra cram time.

It's only a matter of time IMO that some elite hacker group creates a way to block the FBI's spy-bug, sort of like how peer guardian blocks the RIAA.

In the end, of course, this is a 4th amendment issue and the lawyers will finish what the hackers cannot.

Rbick
July 20th, 2007, 10:51 AM
Well my first opinion is that this guy is insanely stupid. He sent bomb threats to his old high school? Wow, someone needs to get a life.

but the bomb-hoaxster also performed a denial of service attack against the school district computers -- which, coupled with compromising the server in Italy, points to some modicum of technical knowledge.)

That's tough: Bring up MS DOS prompt and type "ping -n xx.xx.xx.xxx".

Not to mention when a jerk off like this makes bomb threats, it reflects horribly on us, the ones who are responsible. I bet he has no knowledge of explosives either. It's horrible to see morons like this so inconsiderate of other people. But someone who is sending bomb threats to their old high school is such a waste of life he doesn't really care about anyone else anyway.

Anyway, back to the point... I think the government has the capabilities to make software like this without the help of anti-virus software companies. Doesn't the FBI hire kids who get arrested for hacking into their mainframe? My guess is they accomplished it by themselves.

I'm kind of glad they did it though. Catching a moron like this is always a good thing for everybody. Chances are the govt. will end up finding a way to use it to violate our rights somehow in the future though :mad:. In this situation however, I think they acted within reason and followed protocol properly to catch this guy.

hatal
July 21st, 2007, 03:51 AM
Of course the kid was stupid, no doubt about it. He was using the same mailbox for sending the threats.

The question is: does Microsoft implement backdoors for the feds or do the feds engineer next generation spyware (with or without the knowledge of antivirus companies)?

Why is this important? Well... which should you get rid of in the future? The Windows OS or the antivirus software? Maybe both, and spend full-time on open source -ware (Linux, Solaris, etc). I mean what's the use of encryption when someone can get on your computer and monitor all your keystrokes (despite personal firewall and anti-spyware)?

Charles Owlen Picket
July 21st, 2007, 12:26 PM
Unfortunately I cannot cite a source on this but VISTA is "spyware wrapped around an OS". I deeply believe this is true and will absolutely not have that crap on any machine I use or own. I can say that the substantiation for that statement came from a source I deeply trust and had always been very accurate. I would so much want to cite a source on this but that would be betraying a trust. Therefore my statement is simply a matter of opinion based on the dynamics of its (VISTA) access needs and construction.

I am hoping that someone will read this and supply the substantiation from a separate source. This really is not a paranoid statement but based on the observable elements of the OS and a personal warning. However I am also apologizing beforehand as I really DON'T like making statements like that without citing source material. But I really am warning folks off of VISTA.

Bugger
July 24th, 2007, 01:12 AM
Has anyone tried replacing the version of advapi32.dll found in all 32-bit editions of Windows from Windows 98 onwards, in c:\windows\system and/or c:\windows\system\system32, with the version of advapi32.dll (much smaller in size than even that for Windows 98) from Windows 95 or the original version of NT4? According to info I have received, it is the principal file that the NSA (and presumably also FBI and CIA) uses to snoop online into computers running recent versions of Windows. The versions from Windows 98 on are so much larger because they contain a "trapdoor", and someone decrypted it and found a whole large section in it headed "NSA KEY". That in Windows XP is in the c:\windows\system\system32 folder and is 545 Kb; that in Windows 95 (version 4.0.0.950), and I think it is the same or very nearly so in NT4, is only 14 Kb - the huge size difference cannot possibly be explained by the improved functionality of XP over 95 or original NT4.

If anyone would like to try the version of advapi32.dll for Windows 95 (the CD of which I have retained), I could email it or attach it. To install it, you would need to start your computer in DOS with an emergency boot disk, use the DOS "copy" command to make a backup copy of the original to another folder, then use the "copy" command again to over-write the newer version in c:\windows\system and/or \system\system32 with the Windows 95 version.

nbk2000
July 24th, 2007, 02:37 AM
The subject of the 'NSA Backdoor Key' is old news.

http://www.google.com/search?q=nsa.key+windows

If they want in, they'll get in regardless of what version of a .dll file you may have.

Charles Owlen Picket
July 24th, 2007, 11:15 AM
I believe that is a basic truism. If they want to track someone, the level of sophistication today is well beyond the means of the hobbyist to detect or nullify.

And that brings us back to basic stupidity. Performing any illegal act via telecommunications or related internet access is asking for problems. That said; an actual threat is likened to the jackass braying in the barn. I really can't fathom someone believing that they would not be approached if they do something of that nature.

Darwin Awards have been around long before someone coined the expression. Be that as it may; we DO live in a world where there are dangers from sick little loud-mouths who would bomb or otherwise harm the innocent. I deeply believe that there are Constitutional issues here but there is another side to this issue where the world is so populated with disturbed idiots that some means of alerting the authorities would be in the offing. It was just a question of time and depth of privacy intrusion for such actions to be a daily reality.

Loud-mouth idiots like the person who issued the threat are simply the nails in the coffin. On the other hand know-it-alls like the man who commented on the "hoax" of the backdoor:
www.windowsbbs.com/showthread.php?t=2519 - 40k
He deduced his idea from decompiling the .dll and reading the text! That fellow needs to learn a wee bit about commonly compiled executables. He states that since there was only the "word" - "RSA" in the dll that it was not a back-door entity. Decompiling does not yield original source.

hatal
July 24th, 2007, 04:55 PM
He was simply dumb. If only he had followed a few rules, his arrest could have been easily avoided.

Like: Using proxies, (if possible) more than one, and in different countries, with different laws regarding user-data and computer crime. Never use the same mailbox twice, use disposable email services. Have a browser where you can disable ActiveX/Java/Scripts/etc. Always wipe the browser history and encrypt any sensitive data on the hard-drive.

If only he would have used a few of these...

P.S.: My personal favourite. Have a virtual machine with e.g. VMware, with an OS for "cloning", and use the instance for screwing around. After you're done, you erase it, and you return to your normal system. "Cloning" an OS of your desire only takes a few seconds, just like erasing it. Evidence is gone with the wind (...I mean with the operating system).

Bugger
July 25th, 2007, 07:07 AM
He was simply dumb. Only if he would have followed a few rules and his arrest could have been easily avoided. Like: Using proxies, (if possible) more than one, and in different countries, with different laws regarding user-data and computer crime.(cut)
To get proxy-servers with which to configure your browsers (except IE6 and IE7, with which proxies do not seem to work) and download clients, see http://www.samair.ru and http://www.proxy4free.com . They list frequently updated free public proxy servers by IP address, port number, and country; and whether they are "transparent", "anonymous", and "elite" (or "high-anonymity"). However, not all proxy-servers allow secure log-ins, or file downloads, or access to FTP sites. They are usually slower than direct connection, except when accessing a website in another country through a very high bandwidth proxy located in that other country.