FBI planted spyware on teen's PC to trace bomb threats

15-year-old pleaded guilty after G-men dropped CIPAV on his machine

The U.S. Federal Bureau of Investigation planted spyware on the computer used by a Washington state teenager to finger him as the person behind a rash of bomb threats e-mailed to his high school, court documents revealed this week.

The 15-year-old, a former student at Timberline High School in Lacey, Wash., pleaded guilty Monday to making the bomb threats, as well as to identity theft charges, according to The Olympian. He was sentenced to 90 days in juvenile detention and must pay the school district US$8,852 to cover expenses. The first e-mailed bomb threat was sent June 4.

In several of the messages, the student taunted school authorities and police for their inability to trace the e-mails to him. "Seeing as how you're too stupid to trace the e-mail back lets [sic] get serious," an e-mail on June 5 said, according to an unsealed search warrant application filed with a Seattle federal court in mid-June. "Stop pretending to be 'tracing it' because I already told you it's coming from Italy. That is where trace will stop, so just stop trying."

Within days, however, the FBI had obtained a warrant that allowed the agency to infect the student's computer with a program it called a Computer & Internet Protocol Address Verifier (CIPAV). "If a warrant is approved, a communication will be sent to the computer being used to administer [the MySpace] user account 'Timberlinebombinfo,'" said FBI Special Agent Norman Sanders in the June 12 filing.

The CIPAV, said Sanders, would "cause any computer -- wherever located -- to send network-level messages containing the activating computer's IP address and/or MAC address, other environmental variables and certain registry-type information to a computer controlled by the FBI."

"I'd call that spyware," said Roger Thompson, chief technology officer at Exploit Prevention Labs. "Or it's pretty darn close."

The warrant did not spell out whether the CIPAV could, for instance, capture keystrokes or inject other code into the compromised system, as do commonplace Trojan downloaders. "The exact nature of [the CIPAV's] commands, processes, capabilities and their configuration is classified as a law enforcement sensitive investigative technique," said the warrant applications.

Sanders, however, did say that after making its initial data harvest, the CIPAV would shift into a silent "pen register" mode in which it only recorded the IP addresses, dates and times of each communication. The contents of those communications -- such as e-mail messages -- would not be captured and passed to the FBI, the affidavit said.

It was also unclear exactly how Sanders expected to get the CIPAV onto the suspect's computer, although the warrant application hinted that it would be delivered through MySpace's own messaging service. "The CIPAV will be deployed through an electronic messaging program from an account controlled by the FBI," the warrant application read. "The electronic message deploying the CIPAV will only be directed to the administrator(s) of the 'Timberlinebombinfo' account [on MySpace]."

The FBI may have used an exploit -- one already in circulation or one of its own -- to plant the CIPAV on the student's machine, said Thompson. Or it might have just gone the simple route, and counted on the suspect's curiosity to get him to launch an attached file or click on a link to a malicious site.

Even if his computer had security software installed and active, the CIPAV could have gotten through, Thompson argued. "In order to evade antivirus, all you've got to do is use a new version of [a piece of malware]. The bad guys do it all the time."

It's also possible, speculated Thompson, that the FBI asked security vendors to whitelist their CIPAV to let it through any defenses. "They've always talked about things like this, whether it was Magic Lantern or Carnivore. But the last time I saw anything from [the FBI] was three, four years ago, and it was pretty rudimentary stuff."

Magic Lantern was the name given to a 2001 FBI effort to develop a keystroke and encryption keylogger. Carnivore, meanwhile, is the label for e-mail tapping software from the same time frame.

When asked if he would agree to whitelist CIPAV, or had in the past when he was with PestPatrol, an antispyware developer acquired in 2004 by CA Inc., Thompson said: "I don't know. We never had to face that decision, because we were never asked."

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld

Comments

Comments are now closed.

Latest News Articles

Most Popular Articles

Follow Us

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Resources

Best Deals on GoodGearGuide

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?