The Feds have a little software update for you! Click here!

The FBI used an HTML exploit in a MySpace message to plant CIPAV on the computer of a kid making bomb threats.

CIPAV is a grown up version of their old emailable keystroke logger. Once you receive it, it installs a larger rootkit program using a bootstrap loader. The rootkit sits under your software firewalls and virus scanners, so they can't detect it.

Once CIPAV is in there, it sends back all sorts of goodies, then monitors your net traffic.

They can plant CIPAV on you by any sort of exploit that allows them to execute a file on your system.

Great story about it here.

At any rate, not to make you paranoid or anything, but you could get it from a U2U, I would suppose (don't U2U's support embedded scripts?). So if you post something heinous and MaskedRevolutionary (made that up) sends you a congratulatory U2U, it could contain something 'extra'.

I can see the pratical applications for such a thing, but man this has far reaching implications too. An undetectable rootkit, i figured such existed, but hoped the use of such a program would be limited.

I dont really think im on an FBI watchlist to warrent such a program on my PC, but it still scares the hell out of me. Do you know of any way to detect it outside of the firewall rules and virus definitions? Hell would anti-virus software vendors even classify this as a virus considering its use in law enforcement?

if anyone finds a way to detect this spyware... please post. i dont like this ...at all!

I'm guessing a full system recovery would remove it if it was present - no idea on how to detect it.

Problem with the recovery is you will loose any thing you havent backed up - and then how would you know you havent re-infected your machine when you put all your files back on?

Oh yhea just thought of a low tech way of detecting this - try to trick the man into turning up at your door, but there is a risk you will end up in Gitmo!

Originally posted by InSpiteOf Do you know of any way to detect it outside of the firewall rules and virus definitions? Hell would anti-virus software vendors even classify this as a virus considering its use in law enforcement?

It's sort of an issue of who gets installed first, but if it is among the first tasks, a rootkit can hide from nearly anything, including any user software, and most rootkit detectors.

The only real way to find a crafty rootkit is to pull the hard drives and scan them under a clean OS, using a program that does file compares or signatures on all the OS files to make sure none of them are modified, then examines the stuff that gets loaded at start up.

And even then, what you really need to do is have a list of known clean signatures on every executable in the system, so that every time you load a new program, you can store that signature, and do periodic sweeps of your drive with a clean system.

It's a mess. The military has spent a good bit of money on the problem.

Probably the easiest way to deal with it is to use a throw-away machine on the internet that doesn't have your real name or what have you, and reload the entire drive every day. You should also expect that CIPAV is sending back your hard drive serial numbers, mac addresses for your ethernet and 1394 ports and what not initially, so that they can tie your postings to the hardware later in case you get rid of CIPAV that way.

My understanding here is that all the collected data is sent back to Quantico so in theory you could use another inline host with an open source sniffer. Watch all traffic leaving your original host and you could determine its destination. Sure its a bit of work but assuming you had the correct IP ranges you could setup the sniffer to trigger. This really gives anonymous applications like the Onion Router another serious look.

When mail, phone records and just about any other personal data is being viewed at will comments from the article such as the following don't come as a surprise.

such surveillance -- which does not capture the content of the communications -- can be conducted without a wiretap warrant, because internet users have no "reasonable expectation of privacy" in the data when using the internet

Hello warrantless taps, goodbye freedom.

brill

Originally posted by brill
My understanding here is that all the collected data is sent back to Quantico so in theory you could use another inline host with an open source sniffer. Watch all traffic leaving your original host and you could determine its destination.

Which is really why you need a hardware firewall. We've got one here. SW firewalls are great sort of, they're cheap anyway.

We had considered building drive controllers that constantly scanned files for modifications, ones that shouldn't be modified anyway like your OS executables, and for changes to known good programs and their DLLs, like Word or what have you, and the list of executables that load on start up.

Done from a separate hardware platform that doesn't execute any x86 code, it ought to cover a lot of sins. You might also be able to prevent execution of any non-signed executable. That wouldn't prevent you from being tricked into executing data, but most processors and OS's since XP SP2 can refuse to execute data spaces. That would cover a lot of holes right there.

That's not to say you couldn't still do something, OS's are complex and people are clever.

Originally posted by Tom Bedlam
It's sort of an issue of who gets installed first, but if it is among the first tasks, a rootkit can hide from nearly anything, including any user software, and most rootkit detectors.

Im sorry i need a little more clarification. From the way im reading this sentence, your saying if my firewall or virus scanner was installed first, it could potentially detect this rootkit?

Can you also recomend a relatively inexpensive hardware firewall?


[edit on 19-7-2007 by InSpiteOf]

Originally posted by InSpiteOf
Im sorry i need a little more clarification. From the way im reading this sentence, your saying if my firewall or virus scanner was installed first, it could potentially detect this rootkit?

Can you also recomend a relatively inexpensive hardware firewall?

Oh, sorry, I wasn't very clear about that. In terms of rootkits, the first rootkit in can pretty much hide from anything. In terms of user programs, they have a tough time detecting a rootkit ever.

You could conceivably build a pretty good rootkit detector if it was guaranteed to be the first one that loaded.

There are some freeware rootkit detectors of varying degrees of capability.

We run one from Microsoft, you can get it free here.
I don't know if it would spot CIPAV. I've seen "defender" mysteriously fail to spot some programs on purpose, so it's possible that this would also, caveat emptor.

There's a nice document at that link that describes how it works. We are writing a rootkit here that does something beneficial (you'd install it on purpose), and we use this program to see if we can be spotted.

As far as hardware firewalls go, ours is actually a pretty capable Linux computer system that sits in a rack with the servers so it wasn't cheap. It watches for all sorts of different attacks, not that you couldn't get something past it, I suspect.

If I get some time I will look around and see if there's anything in the home user market.

PS - when you run Rootkit Revealer, it will list a lot of stuff even if you don't have an infection - use discretion if you start deleting stuff, some of it is necessary for you to run!

[edit on 19-7-2007 by Tom Bedlam]

Originally posted by Tom Bedlam

At any rate, not to make you paranoid or anything, but you could get it from a U2U, I would suppose (don't U2U's support embedded scripts?). So if you post something heinous and MaskedRevolutionary (made that up) sends you a congratulatory U2U, it could contain something 'extra'.

Your fear of the government will keep you in check better than any surveillance they may or may not be capable of tracking you with. The sheer manpower needed to facilitate a large-scale cyber-veillance program means its (if nothing else) statistically improbable that any of us will be watched and even less probable that something would come of the surveillance (MYSTERIOUS DEATH! CANCER! SECRET GITMO PRISONS! SACRIFICE TO THE GREYS!)

Just trying to keep it in perspective.

=)

Originally posted by Tom Bedlam

Originally posted by brill
My understanding here is that all the collected data is sent back to Quantico so in theory you could use another inline host with an open source sniffer. Watch all traffic leaving your original host and you could determine its destination.

Which is really why you need a hardware firewall. We've got one here. SW firewalls are great sort of, they're cheap anyway.

We had considered building drive controllers that constantly scanned files for modifications, ones that shouldn't be modified anyway like your OS executables, and for changes to known good programs and their DLLs, like Word or what have you, and the list of executables that load on start up.

Done from a separate hardware platform that doesn't execute any x86 code, it ought to cover a lot of sins. You might also be able to prevent execution of any non-signed executable. That wouldn't prevent you from being tricked into executing data, but most processors and OS's since XP SP2 can refuse to execute data spaces. That would cover a lot of holes right there.

That's not to say you couldn't still do something, OS's are complex and people are clever.

Are you referring to something like a PIX firewall? If so how can you trust the code running on it? A Linux solution (big linux advocate here) certainly has its merits in that most of the code is open source which leads me back to my point in that if you used an open source sniffer you would be able to see every TCP/UDP transaction leaving your network. I'd say we agree here wholeheartedly.

brill

Originally posted by CaptainJailew

Your fear of the government will keep you in check better than any surveillance they may or may not be capable of tracking you with. The sheer manpower needed to facilitate a large-scale cyber-veillance program means its (if nothing else) statistically improbable that any of us will be watched and even less probable that something would come of the surveillance (MYSTERIOUS DEATH! CANCER! SECRET GITMO PRISONS! SACRIFICE TO THE GREYS!)

Just trying to keep it in perspective.

=)

I don't believe a lot of man power is required. Perhaps in the initial setup and provisioning, but once in operation it would be mostly run via software and automation. They've been monitoring communications heavily for a while which to me indicates that its far too valuable a source of information to dismiss. I think a lot of people are stuck on the notion that there's some mystery machine(s) setup that just picks up trigger words. I think the US government has gone far beyond these simple tactics and into heavy data mining.

brill

[edit on 19-7-2007 by brill]

Avoid the problem all together : Use Linux or Unix.

haahah then i must already have it because im on myspace man there is no such thing as privacy anymore in this world is there. bring it back!!

Originally posted by brill
Are you referring to something like a PIX firewall? If so how can you trust the code running on it? A Linux solution (big linux advocate here) certainly has its merits in that most of the code is open source which leads me back to my point in that if you used an open source sniffer you would be able to see every TCP/UDP transaction leaving your network. I'd say we agree here wholeheartedly.

brill

It's an eSoft Instagate 806, which is a Red Hat box. We've had eSoft firewalls since the TeamInternet 100 came out.

Since it inspects the traffic but doesn't execute it, I'd say you were probably not prone to an attack there. That doesn't mean you couldn't. To be more fire-proof, the firewall should have one of my putative disk controllers capable of inspecting its executables independent of the OS.

Really, that would be an ideal application. The firewall shouldn't change any executables except on updates. You could also have it reload the sw everytime it boots, I suppose, with the exception of the configuration files.

Originally posted by NoobieDoobieDo
Avoid the problem all together : Use Linux or Unix.

Or even better...Don't be a terrorist.

Originally posted by brill


I don't believe a lot of man power is required. Perhaps in the initial setup and provisioning, but once in operation it would be mostly run via software and automation. They've been monitoring communications heavily for a while which to me indicates that its far too valuable a source of information to dismiss.

At some point a human's sense of judgement over whether or not a certain email, phonecall or voicemail warrants further investigation will be needed. What I'm saying is that either a) all communications will be monitored by non-sentient computers, so I don't really care if the comp knows I'm a transexual, bestiality-loving whatever whatever because I don't think its an invasion of privacy for a computer to "scan" these lines of text or b) If humans are the ones who will be seeing/monitoring all of our communications then it would take such a massive amount of people to read EVERY COMMUNICATION that it would end up being an ineffectual system.

I just don't see an impact.

So do these root kits only effect Windows OS's? Or do they do this to MAC and Linux/Unix as well?

Originally posted by LordBaskettIV
So do these root kits only effect Windows OS's? Or do they do this to MAC and Linux/Unix as well?

Well, Windows is the low-hanging fruit.

I have seen people break into *ix systems as well, so it's not like it can't happen, but I don't think there's as many holes.

There are a few Linux rootkits, MAC I don't know.

brill