2/20/2012

EFF FBI CIPAV


What is CIPAV and How Does It Work?
The documents discuss technology that, when installed on a target's computer, allows the FBI to collect the following information:
  • IP Address
  • Media Access Control (MAC) address
  • "Browser environment variables"
  • Open communication ports
  • List of the programs running
  • Operating system type, version, and serial number
  • Browser type and version
  • Language encoding
  • The URL that the target computer was previously connected to
  • Registered computer name
  • Registered company name
  • Currently logged in user name
  • Other information that would assist with "identifying computer users, computer software installed, [and] computer hardware installed" [3]
It's not clear from the documents how the FBI deploys the spyware, though Wired has reported that, in the Washington state case, the FBI may have sent a URL via MySpace's internal messaging, pointing to code that would install the spyware by exploiting a vulnerability in the user's browser. Although the documents discuss some problems with installing the tool in some cases, other documents note that the agency's Crypto Unit only needs 24-48 hours to prepare deployment. [4] And once the tool is deployed, "it stay[s] persistent on the compromised computer and . . . every time the computer connects to the Internet, [FBI] will capture the information associated with the PRTT [Pen Register/Trap & Trace Order]." [5]

Interestingly, a commentator on Schneier's blog had this to say about possibly defeating the trojan:

@ Dirk Praet,
"The real question here however is to which extent governments and their TLA's have agreements with anti-virus and anti-malware vendors to not detect their spyware."
That is a significant consideration, but AV etc. software from the major vendors is not going to be the Feebies' only concern.
For instance I will assume that, as others have noted, the spyware has occasionally to do an ET and "phone home"; the question is how?
The simplest and most visible is if it sends a packet or two off to an 'unknown to the user' IP address that is the Feebies' gateway. If the user has IP based whitelist software (which is appearing on homebrew routers) then it's going to throw an exception at the Feebies' gateway IP address. Likewise if the user sets the machine up in a "honeypot" style environment.
More covertly it modifies the user's browser and hides in their facebook traffic. This would be harder to spot but not impossible. Hardest would be using the timing between packets etc. which could be either logged at the ISP or, if sufficiently low bandwidth, by the end service provider.
Now this makes me think that the Feebies (who supposedly don't currently have ISP cooperation to the level required) would have to either be at some mid point or getting co-operation from the service provider such as facebook the user had this malware downloaded from.
So it's not just the AV vendors you need to be considering but the likes of facebook etc. as well...
Posted by: Clive Robinson at May 12, 2011 1:34 PM
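The egress allowlist and packet-timing checks the comment above describes, as an added example that is not from the EFF documents or from the comment: connections to destinations outside a constructed allowlist are reported, and a destination contacted at near-constant intervals is additionally marked as a beaconing candidate. The allowlist ranges, log lines and thresholds are constructed for illustration.

```python
# Added example: egress allowlist check plus a simple regular-interval
# (beaconing) test, run over constructed connection-log lines.
import ipaddress
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed allowlist: the LAN itself plus a documentation range standing
# in for services the household is known to use.
ALLOWLIST = [ipaddress.ip_network(n) for n in
             ("192.168.1.0/24", "203.0.113.0/24")]

# Constructed log lines: "timestamp src dst dport proto".
SAMPLE_LOG = """\
2012-02-20T10:00:00 192.168.1.10 203.0.113.5 443 tcp
2012-02-20T10:00:02 192.168.1.10 198.51.100.77 443 tcp
2012-02-20T10:05:00 192.168.1.10 203.0.113.9 80 tcp
2012-02-20T10:10:02 192.168.1.10 198.51.100.77 443 tcp
2012-02-20T10:20:02 192.168.1.10 198.51.100.77 443 tcp
2012-02-20T10:30:02 192.168.1.10 198.51.100.77 443 tcp
"""

def is_allowed(dst, allowlist=ALLOWLIST):
    """True if dst falls inside any allowlisted network."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in allowlist)

def find_unknown_destinations(log_text, allowlist=ALLOWLIST):
    """Return {dst: [timestamps]} for connections to non-allowlisted hosts."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        ts, _src, dst, _dport, _proto = line.split()
        if not is_allowed(dst, allowlist):
            hits[dst].append(datetime.fromisoformat(ts))
    return dict(hits)

def beacon_candidates(hits, min_connections=3, max_jitter_ratio=0.1):
    """Destinations contacted at regular intervals: a small spread of the
    gaps relative to their mean suggests a scheduled callback."""
    out = []
    for dst, times in hits.items():
        if len(times) < min_connections:
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and pstdev(gaps) / mean <= max_jitter_ratio:
            out.append(dst)
    return out
```

A single flagged destination is only a lead; the allowlist has to be maintained from the household's real traffic or the check drowns in ordinary CDN and update hosts.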
