The newly released PDF weighs in at a healthy 150 pages, with info on various requests and cases where CIPAV was used.
At this time it does not seem to be public knowledge exactly what the software does and more importantly, how it gets on the "victims" machine.
After a 2007 affidavit some of the security community's finest had put together a pretty good profile of what the software was likely doing:
The full capabilities of the FBI's "computer and internet protocol address verifier" are closely guarded secrets, but here's some of the data the malware collects from a computer immediately after infiltrating it, according to a bureau affidavit acquired by Wired News.
- IP address
- MAC address of ethernet cards
- A list of open TCP and UDP ports
- A list of running programs
- The operating system type, version and serial number
- The default internet browser and version
- The registered user of the operating system, and registered company name, if any
- The current logged-in user name
- The last visited URL
More clues are likely to emerge from the recently released documents, but my guess is that it will still remain a guessing game as to what exactly the software does.
Regardless of what information the malware collects, the new documents shed some interesting light on the complicated and precise environment that the malware is supposed to run in on one particular case. On page 78 of the PDF it is noted that the software should only be deployed between the hours of 6AM and 10PM PST. Once deployed, messages can read coming from the infected machine at any time. Interesting for sure, perhaps even a bit strange. My guess is that the deployment hours correlate to previous bomb threats, and thus the regulated window, but thats purely speculation.
In the following page of the PDF, 79 it is noted that if the CIPAV does not activate on the victims machine, they will attempt to deploy and activate until successful. This with in the 10 day allotted window for deployment. This seems to be a key factor in understanding how this malware works. An application to collect the above mentioned data could be written in any number of languages and hidden on the machine in an overwhelming number of ways. When you consider the infection from the FBI's point of view, it would probably make the most sense to send a windows based app first, but maybe its all universal now anway?. First thing it does after activation is open up an SSL connection and phone home, IP, MAC, last URL and so on... Now, if activation does not occur right away, they act quickly while the Myspace vunerablilty is still active and send over a totally different app, wait for phone home and repeat.
The Wired article does a great job of looking at the attack vector.
Lots more interesting info coming out of that PDF. I'm looking forward to the next fews days.
No comments:
Post a Comment