Showing posts with label spyware.

Saturday, April 18, 2009

random text from CIPAV PDF

...reported that residential address 6133 Winhwood Loop SE, Olympia, WA, 98515
received Comcast Internet services for the following subscriber:
Sam Spiering
6133 W i w o o d Loop SE, Lacey, WA 98513
Telephone: (360) 455-0569
Dynamically Assigned Active Account
Account Number: 8498380070269681


On June 4, 2007, Google provided subscriber, registration, and IP Address
log history for e-mail address "douebriggS11236email.corn" with the following results:
Status: Enabled (user deleted account)
Services: Talk, Search History, Gmail

On June 7, 2007, a request to MySpace for subscriber and IP
address logs for MySpace user "Timberlinebombinfo" provided the following results:
User ID: 199219316
First Name: Doug
Last Name: Briggs
Gender: Male
Date of Birth: 12/10/1992
Age: 14
Country: US
City: Law
Postal Code: 985003
Region: Western Australia
Email Address: timberline.sucks@~mail.com
User Name: timberlinebombinfo
Sign up IP Address: 80.76.80.103
Sign up Date: June 7, 2007 7:49 PM
Delete Date: N/A
Login Date: June 7, 2007 7:49:32:247 PM, IP Address 80.76.80.103


page 76:

15. The CIPAV will be deployed through an electronic messaging program
controlled by the FBI. The computers sending and receiving the
CIPAV will be machines controlled by the FBI. The electronic message deploying the
CIPAV will be directed to the administrator(s) of the "Timberlinebombinfo"

a). Electronic messaging accounts commonly require a unique user
name and password.

b). Once the CIPAV is successfully deployed, it will conduct a one-
time search of the activating computer and capture the information
described in paragraph seven.

c). The captured information will be forwarded to a computer
controlled by the FBI located within the Eastern District of
Virginia.

d). After the one-time search, the CIPAV will function as a pen register
device and record the routing and destination addressing information
for electronic communications originating from the activating
computer.

e). The pen register will record IP address, dates, and times of the
electronic communications, but not the contents of such
communications or the contents contained on the computer, and
forward the address data to a computer controlled by the
FBI for a period of (60) days.

more info released on FBI's home brewed malware, CIPAV

Recently the EFF, CNET and Wired used Freedom of Information Act requests to obtain documents relating to the FBI's home-brewed malware, CIPAV (the "computer and internet protocol address verifier").

The newly released PDF weighs in at a healthy 150 pages, with info on various requests and cases where CIPAV was used.

At this time it does not seem to be public knowledge exactly what the software does or, more importantly, how it gets onto the "victim's" machine.

After a 2007 affidavit surfaced, some of the security community's finest put together a fairly good profile of what the software was likely doing:

The full capabilities of the FBI's "computer and internet protocol address verifier" are closely guarded secrets, but here's some of the data the malware collects from a computer immediately after infiltrating it, according to a bureau affidavit acquired by Wired News.

  • IP address
  • MAC address of ethernet cards
  • A list of open TCP and UDP ports
  • A list of running programs
  • The operating system type, version and serial number
  • The default internet browser and version
  • The registered user of the operating system, and registered company name, if any
  • The current logged-in user name
  • The last visited URL


More clues are likely to emerge from the recently released documents, but my guess is that it will still remain a guessing game as to what exactly the software does.

Regardless of what information the malware collects, the new documents shed some interesting light on the tightly constrained conditions under which the malware was authorized to run in one particular case. On page 78 of the PDF it is noted that the software should only be deployed between the hours of 6AM and 10PM PST. Once deployed, however, messages coming from the infected machine can be read at any time. Interesting for sure, perhaps even a bit strange. My guess is that the deployment hours correlate to previous bomb threats, and thus the regulated window, but that's purely speculation.

On the following page of the PDF (79) it is noted that if the CIPAV does not activate on the victim's machine, they will attempt to deploy and activate it until successful, within the 10-day window allotted for deployment. This seems to be a key factor in understanding how this malware works. An application to collect the above-mentioned data could be written in any number of languages and hidden on the machine in an overwhelming number of ways. When you consider the infection from the FBI's point of view, it would probably make the most sense to send a Windows-based app first, but maybe it's all universal now anyway? Presumably the first thing it does after activation is open an SSL connection and phone home with the IP, MAC, last URL and so on. Now, if activation does not occur right away, they act quickly while the MySpace vulnerability is still active and send over a totally different app, wait for the phone-home and repeat.
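To make the affidavit's constraints concrete, here is a small model of them in Python. This is an added example written for this post, not code from the FBI, the affidavit, or the blog author. The numbers come from the documents quoted above: deployment only between 6AM and 10PM PST (page 78) for at most 10 days (page 79), a one-time capture limited to the fields in the list above, then a 60-day pen register that records addressing data but never content (paragraph 15(d)-(e) on page 76). The record layout, the field names, the fixed UTC-8 reading of "PST", and the sample traffic are assumptions constructed for the example.

```python
"""Model of the operating constraints in the CIPAV affidavit quoted on this page.

Added example, not code from the FBI, the affidavit, or the blog author. The
numbers come from the affidavit; the record layout, field names and the
sample traffic below are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# The affidavit says "PST"; a fixed UTC-8 offset keeps the example free of any
# tz-database dependency (assumption: the window is literal PST, not PDT).
PST = timezone(timedelta(hours=-8), name="PST")

DEPLOY_WINDOW_DAYS = 10     # page 79: keep trying for 10 days
DEPLOY_START_HOUR = 6       # page 78: 6 AM ...
DEPLOY_END_HOUR = 22        # ... to 10 PM PST
PEN_REGISTER_DAYS = 60      # paragraph 15(e): addressing data for (60) days

# Paragraph 7 as summarised by Wired: the only things the one-time search takes.
ONE_TIME_FIELDS = (
    "ip_address", "mac_address", "open_ports", "running_programs",
    "os_version", "default_browser", "registered_owner",
    "logged_in_user", "last_url",
)


def deployment_allowed(now: datetime, warrant_issued: datetime) -> bool:
    """A deployment attempt is permitted only inside the 10-day period AND
    inside the daily 6 AM - 10 PM PST window; both are evaluated in PST."""
    local = now.astimezone(PST)
    start = warrant_issued.astimezone(PST)
    if not (start <= local < start + timedelta(days=DEPLOY_WINDOW_DAYS)):
        return False
    return DEPLOY_START_HOUR <= local.hour < DEPLOY_END_HOUR


def one_time_capture(survey: Dict[str, object]) -> Dict[str, object]:
    """Keep only the paragraph-7 fields from a host survey; anything else the
    collector happened to gather (file contents, keystrokes, ...) is dropped."""
    return {k: survey[k] for k in ONE_TIME_FIELDS if k in survey}


@dataclass(frozen=True)
class Packet:
    """Constructed stand-in for one outbound connection seen on the host."""
    ts: datetime
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes


def pen_register_entry(pkt: Packet, activated: datetime) -> Optional[Dict[str, object]]:
    """Routing/addressing data only (15(d)); the payload is never copied, and
    nothing is logged outside the 60 days that start at activation (15(e))."""
    if not (activated <= pkt.ts < activated + timedelta(days=PEN_REGISTER_DAYS)):
        return None
    return {
        "timestamp": pkt.ts.astimezone(timezone.utc).isoformat(),
        "src_ip": pkt.src_ip,
        "dst_ip": pkt.dst_ip,
        "dst_port": pkt.dst_port,
    }


def pen_register(packets: List[Packet], activated: datetime) -> List[Dict[str, object]]:
    """Run every observed connection through pen_register_entry, keep the hits."""
    entries = [pen_register_entry(p, activated) for p in packets]
    return [e for e in entries if e is not None]


# Constructed sample data: warrant at 08:00 PST on 2007-06-12, activation 75
# minutes later, then four connections of which only two fall inside the
# 60-day period. Addresses are RFC 5737 documentation ranges, not real hosts.
WARRANT_ISSUED = datetime(2007, 6, 12, 8, 0, tzinfo=PST)
ACTIVATED = WARRANT_ISSUED + timedelta(minutes=75)
SAMPLE_PACKETS = [
    Packet(ACTIVATED - timedelta(hours=1), "192.0.2.10", "198.51.100.5", 443, b"\x16\x03\x01"),   # before activation
    Packet(ACTIVATED + timedelta(minutes=1), "192.0.2.10", "198.51.100.5", 443, b"\x16\x03\x01"), # phone-home
    Packet(ACTIVATED + timedelta(days=3), "192.0.2.10", "203.0.113.7", 80, b"GET / HTTP/1.1\r\n"),
    Packet(ACTIVATED + timedelta(days=61), "192.0.2.10", "203.0.113.7", 80, b"GET / HTTP/1.1\r\n"),  # past 60 days
]


if __name__ == "__main__":
    late = WARRANT_ISSUED + timedelta(hours=21, minutes=59)   # 05:59 PST next day
    print("deploy at 05:59 PST:", deployment_allowed(late, WARRANT_ISSUED))
    for entry in pen_register(SAMPLE_PACKETS, ACTIVATED):
        print(entry)
```

The two checks worth noticing are the ones an auditor would look for: `deployment_allowed` converts to PST before comparing, so a UTC timestamp from a log does not get judged against the wrong clock, and `pen_register_entry` builds its record from named fields rather than copying the packet, so payload bytes can never leak into the register by accident.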

The Wired article does a great job of looking at the attack vector.

Lots more interesting info is coming out of that PDF. I'm looking forward to the next few days.