FBI Spyware CIPAV (Computer and Internet Protocol Address Verifier)

CIPAV, or the Computer and Internet Protocol Address Verifier, first came to light in 2007 when it was used during an investigation of a teen who had made bomb threats against his high school. According to documents obtained by CNET News, there are records of CIPAV's existence going back as far as 2005.

What does CIPAV do?

CIPAV is government spyware (a data-gathering tool) that collects information about the system it has infected and relays it back to a server somewhere. The data it is known to collect and send is:

  • Current IP address
  • MAC address of network devices
  • Current open ports
  • Running programs
  • Operating System (Does this mean there are versions for Mac or Linux?)
  • Installed applications, registration and version information
  • Default web browser
  • Last visited URL
  • Logged in user
  • Default language
  • IP addresses of all outbound and inbound communications

I’m sure the spyware is not limited to collecting just these things, as this is only what was known publicly in 2007. Much of the information appears to be pulled from the Windows registry. Whether or not the software captures keystrokes is unknown; if it were a feature, I’d guess there would need to be a way to enable and disable it depending on what a warrant allowed the FBI to collect.

How does CIPAV spread?

Apparently it requires some user action, such as opening a link to a website that hosts the spyware. In the 2007 bomb threat case, a fake MySpace account seems to have been involved. The target was probably sent a link through the MySpace messaging system, opened it, and was infected through a browser exploit or some other common method.

I’m guessing it can be spread through any exploit, as long as the method of infection is allowed by the warrant. A good amount of social engineering seems to have been used in all the public records of its use, though. Maybe this is because the FBI does not have the knowledge to execute more sophisticated methods of infection, or maybe they are restricted from doing so. It’s probably just easier to trick a user into visiting a web page or downloading the spyware. I’m sure many of you have used similar methods for your own projects, if you’re into that sort of thing.

Don’t drop your own docs!

There should be no excuse for getting infected with government spyware like this. In reality, you should be able to have this spyware on your machine, screaming everything back to the FBI and still give them nothing to go on.

First, there’s no reason to conduct any of your business from an IP address associated with you these days. Proxies or similar methods (onion routing, etc.) will not mask you in this instance, since the spyware is installed and operating on your machine and will collect your originating IP. Use random wireless access points!

Obviously you don’t want to name the user accounts on your machine with your first and last name, or any other name you’re known to use. You should also be using full disk encryption properly, to help frustrate an examination that gets that far.

You could also use a disposable operating system like a Linux live CD. Combine all of the above with the methods in other articles on this website and you should be golden.

If you’re already infected, you are probably under investigation, and if you conduct business from an IP address associated with you, they will learn who you are through a subpoena to your ISP. If you were operating from a random access point but sent out your new bomb threat through Facebook while logged into your personal Hotmail account, you can probably guess they will know who you are once CIPAV starts talking and they subpoena Hotmail for your docs.

Just use common sense. People get caught because they’re either lazy, ignorant or stupid.

If you want, share your concerns, thoughts, methods and more by commenting below.



7 Comments


  1. Wired.com recently posted a declassified document on CIPAV that was obtained via the Freedom of Information Act. It can be viewed here http://shuurl.com/I4407 or downloaded here http://shuurl.com/W4408 .

  2. Heya, great article. I am wondering when the first sample is going to be available for analysis.

    Also, I recently posted some code to make live forensics more difficult. Combining it with what you have already mentioned on your blog, it should be pretty difficult to perform a forensic investigation on a computer.

    Great articles, keep them coming.
    DiabloHorn.

  3. You CANNOT catch this using a LIVE LINUX CD.
    Live OSes cannot be written to, since they are read-only.

    Puppy
    Slax
    Knoppix
    Mepis
    UBCD4WIN

  4. Memory dump 7-23-09, Win XP Pro, P4 2GHz, 256MB testbed. MEMORY.DMP has been compressed with 7zip. I would say the system this dump came from has a 95% probability of having been infected with CIPAV. The system was given a fictitious user name; everything else was left unchanged. The file link can be accessed by clicking my post name. The system came up clean under several virus scanners, including Malwarebytes Anti-Malware as well as Avast Anti-Virus. The system did have an unusual characteristic of the Windows firewall turning itself off.

  5. Just a small update: the system, when booted, would turn off the Windows firewall & then “appear” to turn it back on (within a 3 second period), i.e. the system would boot, report that the Windows firewall was disabled, & then the firewall would appear to be enabled. Occasionally on boot-up Comodo firewall would disable itself, citing that it failed to start properly. Currently in the process of running Sophos Anti-Rootkit on it. Many things have come up (it will take a while to sort through it all). If anything interesting is found I’ll post it. Still not certain if I’m on to anything or not, but I’ll gladly try to help in the name of privacy & security.

    • What made you think that it could be CIPAV? It might just be some other malware. I’m guessing someone would need to do some phed-baiting to get an actual copy. I’m not one who usually trolls for pheds though.

      There are feds who visit anti-forensics though. So how’s about hookin’ a brother up? ;)

      Your copy very well could be, though.

  6. Haven’t found out too much on where it’s actually hiding, but I’m sure something is there. To be sure it’s not a known virus I’ve run it through 6 well-known virus scanners (not Norton) & have come up with nothing. A few more interesting characteristics I’ve noticed: even with XP set to show all files, including hidden & system files, search only locates a handful of thumbs.db files, about 8 or so, in the Yahoo Messenger directory. The other thumbs.db files in the photo folders are viewable but not via the search. I had to download Effective File Search to search for & delete them. Another odd thing is that File Shredder no longer wipes the free disk space; when you click on start it just makes a “ding” error noise, no dialog box or anything. I tried reloading the software, clearing every bit of it from the registry & applications folder, and re-installing it, & it still gave the same results. On re-install fshell.dll was locked; Unlocker wouldn’t even unlock it until I told it to delete it on reboot. Then I proceeded to install it again & still it would not disk wipe. The only solution was to run the portable version from a flash drive; I tried copying the portable version from the flash drive to C: & it would no longer do a free space drive wipe. Another thing I have noted is that explorer.exe won’t let go of hardly anything; I almost always have to resort to using Unlocker. I have checked with Autoruns & various SysInternals software & see nothing that looks suspicious. If anything is there I assume it could be easily hidden. No firewalls, Comodo or AVG, have reported anything suspicious, & I’ve been looking with Wireshark & don’t see anything out of the ordinary, though again I’m sure it knows not to send anything when it sees software like this running, & I’m assuming it waits until it’s safe before it reports back. Possibly on system boot before the software has time to load, or before shutdown, or it encrypts it somehow to hide it. That’s all speculation of course.
    One last thing: once in a while the screen will flicker/stutter as if a screenshot was taken. I of course tried going to Paint & pasting, which didn’t work; I figured it was worth a shot though. There is brief hard drive activity during what I believe to be it taking a screenshot. My next step is to run FingerPrint (probably should have been my 1st step, but I forgot the name & couldn’t find it). I’ll monitor the file system for a few days & see if anything interesting pops up.
