Proxy Servers, etc. Won’t Protect You From The FBI’s Spyware

Published on April 18th, 2009

Posted by Uncle Dave in The Internet, computers, crime

If this tech has been in use for 7 years, what far more sophisticated stuff has been developed since then by more secret groups like NSA and others? The depth that CIPAV goes indicates sophisticated users are kidding themselves that they can protect their identities and activities online.

As first reported by Wired.com, the software, called a “computer and internet protocol address verifier,” or CIPAV, is designed to infiltrate a target’s computer and gather a wide range of information, which it secretly sends to an FBI server in eastern Virginia. The FBI’s use of the spyware surfaced in 2007 when the bureau used it to track e-mailed bomb threats against a Washington state high school to a 15-year-old student.
[...]
“While the technique is of indisputable value in certain kinds of cases, we are seeing indications that it is being used needlessly by some agencies, unnecessarily raising difficult legal questions (and a risk of suppression) without any countervailing benefit,” reads a formerly-classified March 7, 2002 memo from the Justice Department’s Computer Crime and Intellectual Property Section.

The documents, which are heavily redacted, do not detail the CIPAV’s capabilities, but an FBI affidavit in the 2007 case indicate it gathers and reports a computer’s IP address; MAC address; open ports; a list of running programs; the operating system type, version and serial number; preferred internet browser and version; the computer’s registered owner and registered company name; the current logged-in user name and the last-visited URL.

After sending the information to the FBI, the CIPAV settles into a silent “pen register” mode, in which it lurks on the target computer and monitors its internet use, logging the IP address of every server to which the machine connects.

The documents shed some light on how the FBI sneaks the CIPAV onto a target’s machine, hinting that the bureau may be using one or more web browser vulnerabilities. In several of the cases outlined, the FBI hosted the CIPAV on a website, and tricked the target into clicking on a link.

45 users responded in " Proxy Servers, etc. Won’t Protect You From The FBI’s Spyware "

Subscribe to this post comment rss or trackback url

# 1 father time said, on April 18th, 2009 at 4:18 am

If this is true, then how can it be possible that some people can trade child porn online? It would seem a simple matter of breaking the chain of distribution, unless the lawmakers are blocking this to focus on “the terrorists”. If this is BS on both ends, well f me.

# 2 father time said, on April 18th, 2009 at 4:18 am

[Duplicate comment deleted. Please don't double post! - ed.]

# 3 iCIA said, on April 18th, 2009 at 4:31 am

Why can’t my anti-spyware find and remove this illegal program?

# 4 Paddy-O said, on April 18th, 2009 at 4:53 am

Yawn. Any above average AS program will find & remove this program.

Uncle Dave asked, “what far more sophisticated stuff has been developed since then by more secret groups like NSA and others?”

Well, up until Vista, there were 2-3 AV programs that would detect them all, and remove. Vista made it more difficult because MS would no longer permit kernel patching by any security company that wanted Vista cert for their product…

# 5 moss said, on April 18th, 2009 at 5:01 am

There actually are people out there who presumed that because the FBI said they halted the Carnivore program – that they really stopped spying on you?

Poor, gullible, trusting Americans. Yes, especially the nutballs who think the Feds won’t spy on them because they’re on the same side. Har!

# 6 sam said, on April 18th, 2009 at 6:41 am

I never thought a tor/onion proxy could get past the fbi. What it is good for is keeping the webmaster from knowing your ip address Elisha strom was stalking posters on vnn forum tor/onion proxy is easy to install on debian/ubuntu and turn on and off.
https://help.ubuntu.com/community/TOR
https://help.ubuntu.com/community/Security

# 7 ECA said, on April 18th, 2009 at 7:10 am

You need understand something about programs like this. The only way they could work is IF MS had set it up..

This is weird, my letter and spelling start on the RIGHT SIDE.. Im not into hebrew.,

# 8 Paddy-O said, on April 18th, 2009 at 7:13 am

“The only way they could work is IF MS had set it up”

Umm, no. Funny but no.

# 9 Winston said, on April 18th, 2009 at 7:30 am

“Why can’t my anti-spyware find and remove this illegal program?”

I have read that parental monitoring software is intentionally ignored by malware scanners and that is probably done by looking for a CRC code sequence. I suspect that this provides a back door for malware to disguise itself as a parental monitoring program which would then allow it to remain hidden only because the malware scanner does not report it. The code sequence the scanner was looking for could be determined by reverse engineering the scanner and would allow this back door hijacking method to be used without the scanner software authors’ knowledge. At least, if everything is as I assume it is. I have emailed various parental monitoring software companies about this and never received a response.

# 10 Paddy-O said, on April 18th, 2009 at 7:34 am

Parental monitoring s/w is not ignored by any mainstream A/V’s.

# 11 Jägermeister said, on April 18th, 2009 at 7:40 am

Paddy-O – “The only way they could work is IF MS had set it up”

Umm, no. Funny but no.

Why is that “no”? NSA has “helped” Microsoft in the past…

# 12 Jägermeister said, on April 18th, 2009 at 7:41 am

This “new and improved” version of dvorak.org/blog sucks donkey balls.

# 13 Paddy-O said, on April 18th, 2009 at 7:43 am

“Why is that?”
Because it isn’t true. MS does provide source code but doesn’t make holes to order.

# 14 Jägermeister said, on April 18th, 2009 at 7:45 am

Paddy-O – Can you share that source code with me, because it didn’t come with my distro of Windows.

# 15 Paddy-O said, on April 18th, 2009 at 7:48 am

Nope, can’t do that. Get a job at the CIA ,NSA or an MS Sec partner and you might be able to see it…

# 16 tomdennis said, on April 18th, 2009 at 7:52 am

Nice logo and header .

# 17 Toxic Asshead said, on April 18th, 2009 at 7:59 am

Jägermeister,
This new version of the blog was issued by the FBI

# 18 Winston said, on April 18th, 2009 at 8:07 am

Get your FBI spyware documents here (limited time offer):

http://blog.wired.com/27bstroke6/2009/04/get-your-fbi-sp.html

# 19 Jägermeister said, on April 18th, 2009 at 8:12 am

Paddy-O – So, NSA providing code doesn’t bother you?

Toxic Asshead – Especially the eyes…

Winston – Nice link.

# 20 Ken in Berkeley said, on April 18th, 2009 at 8:48 am

Years ago, I recall reading in PC Magazine that all antivirus software makers were required to leave a backdoor in their products for law enforcement officials

# 21 Winston said, on April 18th, 2009 at 8:53 am

My summary o fthe contents of the FBI document linked to above:

R E D A C T E D

# 22 jammer4876 said, on April 18th, 2009 at 9:35 am

Keep right on saying that Paddy-O. You’re either fooling yourself or you’re part of the problem. Of course MS has a back door. Why do you think the monopoly lawsuits suddenly went away? It wasn’t because Gates started a foundation.

# 23 ECA said, on April 18th, 2009 at 10:08 am

yes,
Paddy..
the only way that a program could work under windows and NOT be seen is if MS installed it.
There is NO WAY you could get 200+ companies that do AV and anti BOT ware to AVOID finding it..
Iv used HEAVIER and stronger tools on my PC, and its NOT THERE.
ANYONE running a SLIGHTLY secure computer setup knows the BASICS the only way to GET something on a computer is thru INPUT/OUTPUT source..NO EMAILS/NO INTERNET/NO DVD-CD/NO FLOPPY/NO USB access.. If you want that ACCESS, you send the data to a SECOND computer that does NOT have the important/secure data on. THEN PORT any info you NEED by HAND/KEYBOARD or SCAN the PISS out of any device ADDED to the system.

If you think about it, EVEN a USB keyboard can be bugged..

# 24 ECA said, on April 18th, 2009 at 10:12 am

comment

# 25 billabong said, on April 18th, 2009 at 10:20 am

If you do anything on line that is at all questionable you would be safer doing it in your front yard because fewer people would see it happen.

# 26 Peter_m said, on April 18th, 2009 at 10:24 am

The site redesign is a late april fools joke…
Specially with the right side typing crap…

I don’t get it. The critical piece of the puzzle is the user’s IP address… can’t the IP be obfuscated by a NAT router and a VPN tunel???

# 27 Winston said, on April 18th, 2009 at 12:24 pm

Paddy-O said: “Parental monitoring s/w is not ignored by any mainstream A/V’s.”

That is apparently incorrect.

As an experiment after reading your claim, I installed a demo version of a top-rated system activity monitor, configured it at its most invasive levels and set it to start at system start-up. I then configured the latest version of a top-rated AV program to scan at its highest sensitivity setting. It failed to flag the activity monitor as malware during a memory scan or during a drive scan. Spybot Search and Destroy also failed to flag the system monitor as malware. Only a program called Anti-Logger found the activity monitor.

So, I suspect that most people would never detect a monitoring program unless they ran a program

specifically designed to detect such things. If that monitoring program has effective stealth

mechanisms to avoid even heuristic scanners (by using the “ignore me” code string I previosuly described) and is, as a result, never turned in as malware to the AV or malware detection software authors, it could continue to run everywhere undetected. A root-kit version designed to emulate normal web browsing activity on port 80 for outgoing traffic probably wouldn’t raise firewall alarms or be detected by even by software specifically designed to detect system monitors.

# 28 Paddy-O said, on April 18th, 2009 at 3:14 pm

Winston says:

“It failed to flag the activity monitor as malware during a memory scan
“or during a drive scan.

As is correct. The s/w wasn’t collecting then SENDING anything from your computer. Good to know the s/w you are using isn’t giving false positives. If you’d like some training on how sophisticated A/S s/w works I’d be happy…

# 29 cliouser said, on April 19th, 2009 at 4:03 am

this is really weird.
typing from the right.
punctuation moves left.
new fbi monitoring.

sadly, this does not surprise me.

# 30 kyus3 said, on April 19th, 2009 at 4:35 am

with open insecure wifi networks everywhere, this technology does nothing against people who seriously want to remain anonymous

a clean second hand laptop, any wifi connection you find just going down the street means that you cannot find me, nor prove that it was me.

# 31 kyus3 said, on April 19th, 2009 at 4:42 am

the fact that child porn is freely available on p2p networks shows how out of touch law enforcement is, it would be so easy to stop

# 32 amodedoma said, on April 19th, 2009 at 5:11 am

Personally I’ve always liked to watch what’s running on my PC, get a decent taskmanager and you can watch everything thats running and get all kinds of interesting info about connections and memory use. I started doing this out of an obsession for performance issues, but what with all the trojans and such I’ve also found it useful for cleaning up infected systems too. Seems kinda stupid to me. I mean if you’re gonna do something illegal online and use proxies and ip spoofing it just doesn’t gel that you’d be so stupid as to let this crap install on your machine in the first place. I guess they need to justify the millions they’re spending by telling everybody how clever they are.

# 33 Paddy-O said, on April 19th, 2009 at 5:44 am

amodedoma says:

“Personally I’ve always liked to watch what’s running on my PC, get a
“decent taskmanager and you can watch everything thats running

Unless it is a rootkit designed to not show up as a running process. That is how they get caught. They THINK they know how to secure their system.

# 34 dvdchris said, on April 19th, 2009 at 6:18 am

Ok, first, this right side typing garbage HAS TO GO.
Second, : @amodedoma, suggestions for a decent taskmanager?

# 35 amodedoma said, on April 19th, 2009 at 6:20 am

Yeah I suppose if your dumb enough to leave your MBR’s exposed rootkit could modify your kernel. I guess the point is in this day of WOW computing, where any idiot can use a computer, there’s plenty for the FBI to do. But that’s always been true. There’s no absolute security, if they want in they’ll get in. I’m just saying that this crap is just that, crap. No broad reaching consequences just more of the same.

Is anyone else having problems with the message editor? It’s right justifiying everything the cursor appears to jump to the beginning of the line on punctuation . I’m finding it hard to use. BTW I’m using latest firefox.

# 36 amodedoma said, on April 19th, 2009 at 6:23 am

My favorite taskmanager is IASRN’s TaskInfo. It’s ery complete and useful and not too big.

# 37 amodedoma said, on April 19th, 2009 at 6:24 am

oops that’s IARSN… sorry!

# 38 Paddy-O said, on April 19th, 2009 at 6:25 am

amodedoma says:
Yeah I suppose if your dumb enough to leave your MBR’s exposed rootkit
could modify your kernel.

Well, if you are using Wondoze there’s nothing you can do about it short of a good anti-root kit program. As I said, people get caught because they THINK they know what they are doing. You be careful out there

# 39 amodedoma said, on April 19th, 2009 at 6:49 am

Actually I learn security from European LAN parties where thousands get together with their PC’s. I take a machine I can monitor and actually hope to get infected while I’m downloading hundreds of gigas of piracy playing online games and showing off my robots. Careful I am where careful I need be.

# 40 John said, on April 19th, 2009 at 11:14 am

So, does this spyware run on Linux? And why does your comment box suck so much?

# 41 ECA said, on April 19th, 2009 at 12:54 pm

Task manger, watcher..
Check out the utilities in Spybot advanced TOOLS..
They can even tell whcih programs are linked and GIVE you info in WHO wrote it..

# 42 Rick Cain said, on April 19th, 2009 at 2:06 pm

Whats troubling is that the FBI spyware could be rewritten by a foreign agent and used for nefarious purposes.

# 43 bac said, on April 19th, 2009 at 4:07 pm

Here is a nice utility from Sysinternals called Process Explorer. It is a Windows app.
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

# 44 ECA said, on April 19th, 2009 at 6:21 pm

you should get the suit of sysinternals.. Pretty cool, if you KNOW WHAT you are looking at..
I like the one that takes 20 minutes to START windows to check ALL programs that start at startup..

# 45 Central Scrutinizer said, on April 19th, 2009 at 8:07 pm

I’ve been waiting for the FBI to press for legal authority to Big Brother anything with connectivity – not that anyone in “law” enforcement feels the need for such quaint notions anymore. But it seemed a bit curious they didn’t play the “drug war”, “kiddie porn”, or “terrorism” cards any harder than they did if only to make it more convenient / less expensive to remotely observe the boring intimate details of my digital life. And this of course explains why – it’s been terribly easy for a long time. Anyone who thinks Procexp or any other tool will reveal everything lurking in Windows doesn’t know Microsoft very well – remember who bought Sysinternals a little while back. And frankly we can’t call ourselves software wizards if we can’t hide such code in something as ponderous, proprietary and opaque as Windows. Just assume anything you do is being observed, by someone, who probably has something particular he’s assigned to watch for, and try not to do that.

Leave Your Reply Below...

Comment Moderation is Active, so if your comment doesn't
show up immediately, please don't submit it again.

Special Deals 4U

25% off eHarmony subscription with code EHTECH
12-percent discount forever with code TECH
10-percent discount and free month using TECH10
10-percent or 30 dollars off weekly car rental!
Get 10-percent discount on car rental!
Get 10% off rental cars!
Get 10% off Dollar rentals!
Discounts on domain names!