Information Security News
mailing list archives
FBI's Secret Spyware Tracks Down Teen Who Made Bomb Threats
From: InfoSec News <alerts () infosecnews org>
Date: Thu, 19 Jul 2007 00:33:01 -0500 (CDT)
By Kevin Poulsen
FBI agents trying to track the source of e-mailed bomb threats against a
Washington high school last month sent the suspect a secret surveillance
program designed to surreptitiously monitor him and report back to a
government server, according to an FBI affidavit obtained by Wired News.
The court filing offers the first public glimpse into the bureau's
long-suspected spyware capability, in which the FBI adopts techniques
more common to online criminals.
The software was sent to the owner of an anonymous MySpace profile
linked to bomb threats against Timberline High School near Seattle. The
code led the FBI to 15-year-old Josh Glazebrook, a student at the
school, who on Monday pleaded guilty to making bomb threats, identity
theft and felony harassment.
In an affidavit seeking a search warrant to use the software, filed last
month in U.S. District Court in the Western District of Washington, FBI
agent Norman Sanders describes the software as a "computer and internet
protocol address verifier," or CIPAV.
FBI Spyware in a Nutshell
The full capabilities of the FBI's "computer and internet protocol
address verifier" are closely guarded secrets, but here's some of the
data the malware collects from a computer immediately after infiltrating
it, according to a bureau affidavit acquired by Wired News.
* IP address
* MAC address of ethernet cards
* A list of open TCP and UDP ports
* A list of running programs
* The operating system type, version and serial number
* The default internet browser and version
* The registered user of the operating system, and registered company
name, if any
* The current logged-in user name
* The last visited URL
Once that data is gathered, the CIPAV begins secretly monitoring the
computer's internet use, logging every IP address to which the machine
All that information is sent over the internet to an FBI computer in
Virginia, likely located at the FBI's technical laboratory in Quantico.
Sanders wrote that the spyware program gathers a wide range of
information, including the computer's IP address; MAC address; open
ports; a list of running programs; the operating system type, version
and serial number; preferred internet browser and version; the
computer's registered owner and registered company name; the current
logged-in user name and the last-visited URL.
The CIPAV then settles into a silent "pen register" mode, in which it
lurks on the target computer and monitors its internet use, logging the
IP address of every computer to which the machine connects for up to 60
Under a ruling this month by the 9th U.S. Circuit Court of Appeals, such
surveillance -- which does not capture the content of the communications
-- can be conducted without a wiretap warrant, because internet users
have no "reasonable expectation of privacy" in the data when using the
According to the affidavit, the CIPAV sends all the data it collects to
a central FBI server located somewhere in eastern Virginia. The server's
precise location wasn't specified, but previous FBI internet
surveillance technology -- notably its Carnivore packet-sniffing
hardware -- was developed and run out of the bureau's technology
laboratory at the FBI Academy in Quantico, Virginia.
The FBI's national office referred an inquiry about the CIPAV to a
spokeswoman for the FBI Laboratory in Quantico, who declined to comment
on the technology.
The FBI has been known to use PC-spying technology since at least 1999,
when a court ruled the bureau could break into reputed mobster Nicodemo
Scarfo's office to plant a covert keystroke logger on his computer. But
it wasn't until 2001 that the FBI's plans to use hacker-style
computer-intrusion techniques emerged in a report by MSNBC.com. The
report described an FBI program called "Magic Lantern" that uses
deceptive e-mail attachments and operating-system vulnerabilities to
infiltrate a target system. The FBI later confirmed the program, and
called it a "workbench project" that had not been deployed.
No cases have been publicly linked to such a capability until now, says
David Sobel, a Washington, D.C., attorney with the Electronic Frontier
Foundation. "It might just be that the defense lawyers are not
sufficiently sophisticated to have their ears perk up when this
methodology is revealed in a prosecution," says Sobel. "I think it's
safe to say the use of such a technique raises novel and unresolved
The June affidavit doesn't reveal whether the CIPAV can be configured to
monitor keystrokes, or to allow the FBI real-time access to the
computer's hard drive, like typical Trojan malware used by computer
criminals. It notes that the "commands, processes, capabilities and ...
configuration" of the CIPAV is "classified as a law enforcement
sensitive investigative technique, the disclosure of which would likely
jeopardize other ongoing investigations and/or future use of the
The document is also silent as to how the spyware infiltrates the
target's computer. In the Washington case, the FBI delivered the program
through MySpace's messaging system, which allows HTML and embedded
images. The FBI might have simply tricked the suspect into downloading
and opening an executable file, says Roger Thompson, CTO of security
vendor Exploit Prevention Labs. But the bureau could also have exploited
one of the legion of web browser vulnerabilities discovered by
computer-security researchers and cybercrooks -- or even used one of its
"It's quite possible the FBI knows about vulnerabilities that have not
been disclosed to the rest of the world," says Thompson. "If they had
discovered one, they would not have disclosed it, and that would be a
great way to get stuff on people's computer. Then I guess they can bug
whoever they want."
The FBI's 2008 budget request hints at the bureau's efforts in the
hacking arena, including $220,000 sought to "purchase highly specialized
equipment and technical tools used for covert (and) overt search and
seizure forensic operations. This funding will allow the technology
challenges (sic) including bypass, defeat or compromise of computer
With the FBI in the business of hacking, security companies are in a
tight place. Thompson's LinkScanner product, for example, scans web
pages for security exploits, and warns the customer if one is found. How
would his company respond if the FBI asked him to turn a blind eye to
CIPAV? He says he's never fielded such a request. "That would put us in
a very difficult position," Thompson says. "I don't know what I'd say."
The Washington case unfolded May 30, when a handwritten bomb threat
prompted the evacuation of Timberline High School in Lacey, Washington.
No bomb was found.
On June 4, a second bomb threat was e-mailed to the school from a Gmail
account that had been newly created under the name of an innocent
student. "I will be blowing up your school Monday, June 4, 2007," the
message read. "There are 4 bombs planted throughout Timberline high
school. One in the math hall, library hall, main office and one
portable. The bombs will go off in 5 minute intervals at 9:15 AM."
In addition, the message promised, "The e-mail server of your district
will be offline starting at 8:45 am."
The author made good on the latter threat, and a denial-of-service
attack smacked the North Thurston Public Schools computer network,
generating a relatively modest 1 million packets an hour. Responding to
the bomb threat, school administrators ordered an evacuation of the high
school, but, once again, no explosives were found.
That began a bizarre cat-and-mouse game between law enforcement and
school officials and the ersatz cyberterrorist, who e-mailed a new hoax
bomb threat every day for several days, each triggering a new
evacuation. Each threat used the same pseudonym, but was sent from a
different, newly created Gmail account to complicate tracing efforts.
On June 7, the hoaxer started issuing threats through other online
mediums. In his most brazen move, he set up a MySpace profile called
Timberlinebombinfo and sent friend requests to 33 classmates.
The whole time he was daring law enforcement officials to trace him.
"The e-mail was sent over a newly made Gmail account, from overseas in a
foreign country," he wrote in one message. "Seeing as you're too stupid
to trace the e-mail back lets (sic) get serious," he taunted in another.
"Maybe you should hire Bill Gates to tell you that it is coming from
Italy. HAHAHA. Oh wait. I already told you that it's coming from Italy."
As promised, attempts to trace the hoaxer dead-ended at a hacked server
in Grumello del Monte, Italy. The FBI's Seattle Division contacted the
FBI legal attach in Rome, who provided an official request to the
Italian national police for assistance. But on June 12, perhaps fed up
with the mocking, the FBI applied for and obtained a search warrant
authorizing the bureau to send the CIPAV to the Timberlinebombinfo
Court documents reveal the search warrant was "executed" June 13 at 5:49
p.m. Though the CIPAV provided a wealth of information, Glazebrook's IP
address would have been enough to guide the FBI to the teen's front
John Sinclair, Glazebrook's attorney, says his client never intended to
blow anything up -- "it was a prank from the get-go" -- but admits he
hacked into computers in Italy to launder his activities, and that he
launched the denial-of-service attack against the school district's
Glazebrook was sentenced Monday to 90 days in custody, and given credit
for 32 days he's spent behind bars since his arrest. When he's released
he'll be on two years' probation with internet and computer
restrictions, and he's been expelled from high school. The teen is being
held at the Thurston County Juvenile Detention Center, where he will
serve out his sentence, says Sinclair.
Sinclair says he was told that the FBI had tracked down his client in
response to a request from local police -- but that he didn't know
exactly how the bureau did it. "The prosecutor made it clear that they
wouldn't indicate how this device works or how they do it," says
Sinclair. "For obvious reasons."
Larry Carr, a spokesman with the FBI's Seattle field office, couldn't
confirm that the CIPAV is the same software previously known as Magic
Lantern, but emphasized that the bureau's technological capabilities
have grown since the 2001 report. The case shows that FBI scientists are
equipped to handle internet threats, says Carr.
"It sends a message that, if you're going to try and do stuff like this
online, that we have the ability to track individuals' movements online
and bring the case to resolution."
Attend Black Hat USA, July 28-August 2 in Las Vegas,
the world's premier technical event for ICT security
experts. Featuring 30 hands-on training courses and
90 Briefings presentations with lots of new content
and new tools. Network with 4,000 delegates from
70 nations. Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on
June 1 so register today. http://www.blackhat.com
- FBI's Secret Spyware Tracks Down Teen Who Made Bomb Threats InfoSec News (Jul 19)