Information Security News mailing list archives

FBI's Secret Spyware Tracks Down Teen Who Made Bomb Threats


From: InfoSec News <alerts () infosecnews org>
Date: Thu, 19 Jul 2007 00:33:01 -0500 (CDT)

http://www.wired.com/politics/law/news/2007/07/fbi_spyware

By Kevin Poulsen
Wired.com
07.18.07

FBI agents trying to track the source of e-mailed bomb threats against a 
Washington high school last month sent the suspect a secret surveillance 
program designed to surreptitiously monitor him and report back to a 
government server, according to an FBI affidavit obtained by Wired News.

The court filing offers the first public glimpse into the bureau's 
long-suspected spyware capability, in which the FBI adopts techniques 
more common to online criminals.

The software was sent to the owner of an anonymous MySpace profile 
linked to bomb threats against Timberline High School near Seattle. The 
code led the FBI to 15-year-old Josh Glazebrook, a student at the 
school, who on Monday pleaded guilty to making bomb threats, identity 
theft and felony harassment.

In an affidavit seeking a search warrant to use the software, filed last 
month in U.S. District Court in the Western District of Washington, FBI 
agent Norman Sanders describes the software as a "computer and internet 
protocol address verifier," or CIPAV.


FBI Spyware in a Nutshell

The full capabilities of the FBI's "computer and internet protocol 
address verifier" are closely guarded secrets, but here's some of the 
data the malware collects from a computer immediately after infiltrating 
it, according to a bureau affidavit acquired by Wired News.

* IP address
* MAC address of ethernet cards
* A list of open TCP and UDP ports
* A list of running programs
* The operating system type, version and serial number
* The default internet browser and version
* The registered user of the operating system, and registered company 
  name, if any
* The current logged-in user name
* The last visited URL

Once that data is gathered, the CIPAV begins secretly monitoring the 
computer's internet use, logging every IP address to which the machine 
connects.

All that information is sent over the internet to an FBI computer in 
Virginia, likely located at the FBI's technical laboratory in Quantico.

Sanders wrote that the spyware program gathers a wide range of 
information, including the computer's IP address; MAC address; open 
ports; a list of running programs; the operating system type, version 
and serial number; preferred internet browser and version; the 
computer's registered owner and registered company name; the current 
logged-in user name and the last-visited URL.

The CIPAV then settles into a silent "pen register" mode, in which it 
lurks on the target computer and monitors its internet use, logging the 
IP address of every computer to which the machine connects for up to 60 
days.

Under a ruling this month by the 9th U.S. Circuit Court of Appeals, such 
surveillance -- which does not capture the content of the communications 
-- can be conducted without a wiretap warrant, because internet users 
have no "reasonable expectation of privacy" in the data when using the 
internet.

According to the affidavit, the CIPAV sends all the data it collects to 
a central FBI server located somewhere in eastern Virginia. The server's 
precise location wasn't specified, but previous FBI internet 
surveillance technology -- notably its Carnivore packet-sniffing 
hardware -- was developed and run out of the bureau's technology 
laboratory at the FBI Academy in Quantico, Virginia.

The FBI's national office referred an inquiry about the CIPAV to a 
spokeswoman for the FBI Laboratory in Quantico, who declined to comment 
on the technology.

The FBI has been known to use PC-spying technology since at least 1999, 
when a court ruled the bureau could break into reputed mobster Nicodemo 
Scarfo's office to plant a covert keystroke logger on his computer. But 
it wasn't until 2001 that the FBI's plans to use hacker-style 
computer-intrusion techniques emerged in a report by MSNBC.com. The 
report described an FBI program called "Magic Lantern" that uses 
deceptive e-mail attachments and operating-system vulnerabilities to 
infiltrate a target system. The FBI later confirmed the program, and 
called it a "workbench project" that had not been deployed.

No cases have been publicly linked to such a capability until now, says 
David Sobel, a Washington, D.C., attorney with the Electronic Frontier 
Foundation. "It might just be that the defense lawyers are not 
sufficiently sophisticated to have their ears perk up when this 
methodology is revealed in a prosecution," says Sobel. "I think it's 
safe to say the use of such a technique raises novel and unresolved 
legal issues."

The June affidavit doesn't reveal whether the CIPAV can be configured to 
monitor keystrokes, or to allow the FBI real-time access to the 
computer's hard drive, like typical Trojan malware used by computer 
criminals. It notes that the "commands, processes, capabilities and ... 
configuration" of the CIPAV is "classified as a law enforcement 
sensitive investigative technique, the disclosure of which would likely 
jeopardize other ongoing investigations and/or future use of the 
technique."

The document is also silent as to how the spyware infiltrates the 
target's computer. In the Washington case, the FBI delivered the program 
through MySpace's messaging system, which allows HTML and embedded 
images. The FBI might have simply tricked the suspect into downloading 
and opening an executable file, says Roger Thompson, CTO of security 
vendor Exploit Prevention Labs. But the bureau could also have exploited 
one of the legion of web browser vulnerabilities discovered by 
computer-security researchers and cybercrooks -- or even used one of its 
own.

"It's quite possible the FBI knows about vulnerabilities that have not 
been disclosed to the rest of the world," says Thompson. "If they had 
discovered one, they would not have disclosed it, and that would be a 
great way to get stuff on people's computer. Then I guess they can bug 
whoever they want."

The FBI's 2008 budget request hints at the bureau's efforts in the 
hacking arena, including $220,000 sought to "purchase highly specialized 
equipment and technical tools used for covert (and) overt search and 
seizure forensic operations. This funding will allow the technology 
challenges (sic) including bypass, defeat or compromise of computer 
systems."

With the FBI in the business of hacking, security companies are in a 
tight place. Thompson's LinkScanner product, for example, scans web 
pages for security exploits, and warns the customer if one is found. How 
would his company respond if the FBI asked him to turn a blind eye to 
CIPAV? He says he's never fielded such a request. "That would put us in 
a very difficult position," Thompson says. "I don't know what I'd say."

The Washington case unfolded May 30, when a handwritten bomb threat 
prompted the evacuation of Timberline High School in Lacey, Washington. 
No bomb was found.

On June 4, a second bomb threat was e-mailed to the school from a Gmail 
account that had been newly created under the name of an innocent 
student. "I will be blowing up your school Monday, June 4, 2007," the 
message read. "There are 4 bombs planted throughout Timberline high 
school. One in the math hall, library hall, main office and one 
portable. The bombs will go off in 5 minute intervals at 9:15 AM."

In addition, the message promised, "The e-mail server of your district 
will be offline starting at 8:45 am."

The author made good on the latter threat, and a denial-of-service 
attack smacked the North Thurston Public Schools computer network, 
generating a relatively modest 1 million packets an hour. Responding to 
the bomb threat, school administrators ordered an evacuation of the high 
school, but, once again, no explosives were found.

That began a bizarre cat-and-mouse game between law enforcement and 
school officials and the ersatz cyberterrorist, who e-mailed a new hoax 
bomb threat every day for several days, each triggering a new 
evacuation. Each threat used the same pseudonym, but was sent from a 
different, newly created Gmail account to complicate tracing efforts.

On June 7, the hoaxer started issuing threats through other online 
mediums. In his most brazen move, he set up a MySpace profile called 
Timberlinebombinfo and sent friend requests to 33 classmates.

The whole time he was daring law enforcement officials to trace him. 
"The e-mail was sent over a newly made Gmail account, from overseas in a 
foreign country," he wrote in one message. "Seeing as you're too stupid 
to trace the e-mail back lets (sic) get serious," he taunted in another. 
"Maybe you should hire Bill Gates to tell you that it is coming from 
Italy. HAHAHA. Oh wait. I already told you that it's coming from Italy."

As promised, attempts to trace the hoaxer dead-ended at a hacked server 
in Grumello del Monte, Italy. The FBI's Seattle Division contacted the 
FBI legal attaché in Rome, who provided an official request to the 
Italian national police for assistance. But on June 12, perhaps fed up 
with the mocking, the FBI applied for and obtained a search warrant 
authorizing the bureau to send the CIPAV to the Timberlinebombinfo 
MySpace profile.

Court documents reveal the search warrant was "executed" June 13 at 5:49 
p.m. Though the CIPAV provided a wealth of information, Glazebrook's IP 
address would have been enough to guide the FBI to the teen's front 
door.

John Sinclair, Glazebrook's attorney, says his client never intended to 
blow anything up -- "it was a prank from the get-go" -- but admits he 
hacked into computers in Italy to launder his activities, and that he 
launched the denial-of-service attack against the school district's 
network.

Glazebrook was sentenced Monday to 90 days in custody, and given credit 
for 32 days he's spent behind bars since his arrest. When he's released 
he'll be on two years' probation with internet and computer 
restrictions, and he's been expelled from high school. The teen is being 
held at the Thurston County Juvenile Detention Center, where he will 
serve out his sentence, says Sinclair.

Sinclair says he was told that the FBI had tracked down his client in 
response to a request from local police -- but that he didn't know 
exactly how the bureau did it. "The prosecutor made it clear that they 
wouldn't indicate how this device works or how they do it," says 
Sinclair. "For obvious reasons."

Larry Carr, a spokesman with the FBI's Seattle field office, couldn't 
confirm that the CIPAV is the same software previously known as Magic 
Lantern, but emphasized that the bureau's technological capabilities 
have grown since the 2001 report. The case shows that FBI scientists are 
equipped to handle internet threats, says Carr.

"It sends a message that, if you're going to try and do stuff like this 
online, that we have the ability to track individuals' movements online 
and bring the case to resolution."

