
FBI Spyware: How Does the CIPAV Work? -- UPDATE

This topic is archived.
Home » Discuss » Archives » General Discussion (1/22-2007 thru 12/14/2010) Donate to DU
 
Ian David Donating Member (1000+ posts) Wed Jul-18-07 03:40 PM
Original message
FBI Spyware: How Does the CIPAV Work? -- UPDATE
Following up on my story on the FBI's computer-monitoring malware, the most interesting question unanswered in the FBI affidavit (.pdf) is how the bureau gets its "Computer and Internet Protocol Address Verifier" onto a target PC.

In the Josh Glazebrook case, the FBI sent its program specifically to Glazebrook's then-anonymous MySpace profile, Timberlinebombinfo. The attack is described this way:

The CIPAV will be deployed through an electronic messaging program from an account controlled by the FBI. The computers sending and receiving the CIPAV data will be machines controlled by the FBI. The electronic message deploying the CIPAV will only be directed to the administrator(s) of the "Timberinebombinfo" account.


It's possible that the FBI used social engineering to trick Glazebrook into downloading and executing the malicious code by hand -- but given the teen's hacker proclivities, it seems unlikely he'd fall for a ruse like that. More likely the FBI used a software vulnerability, either a published one that Glazebrook hadn't patched against, or one that only the FBI knows.

MySpace has an internal instant messaging system, and a web-based stored messaging system. (Contrary to one report, MySpace doesn't offer e-mail, so we can rule out an executable attachment.) Since there's no evidence the CIPAV was crafted specifically to target MySpace, my money is on a browser or plug-in hole, activated through the web-based stored messaging system, which allows one MySpace user to send a message to another's inbox. The message can include HTML and embedded image tags.

More:
http://blog.wired.com/27bstroke6/2007/07/fbi-spyware-how.html


See prior thread:

FBI's Secret Spyware Tracks Down Teen Who Made Bomb Threats
http://www.democraticunderground.com/discuss/duboard.php?az=view_all&address=102x2921659

