Federal agents obtained a court order to send spyware called CIPAV to a MySpace account suspected of being used by a bomb threat hoaxster who was later sentenced to 90 days for hoaxing, according to the CNet News Blog.
While there's been plenty of speculation about how the FBI might deliver spyware electronically, this case appears to be the first to reveal how the technique is used in practice. The FBI did confirm in 2001 that it was working on a virus called Magic Lantern but hasn't said much about it since. The two other cases in which federal investigators were known to have used spyware--the Scarfo and Forrester cases--involved agents actually sneaking into offices to implant keyloggers.
Wired looks at how CIPAV might have worked.
It's possible that the FBI used social engineering to trick Glazebrook into downloading and executing the malicious code by hand -- but given the teen's hacker proclivities, it seems unlikely he'd fall for a ruse like that. More likely the FBI used a software vulnerability, either a published one that Glazebrook hadn't patched against, or one that only the FBI knows.
MySpace has an internal instant messaging system, and a web-based stored messaging system. (Contrary to one report, MySpace doesn't offer e-mail, so we can rule out an executable attachment.) Since there's no evidence the CIPAV was crafted specifically to target MySpace, my money is on a browser or plug-in hole, activated through the web-based stored messaging system, which allows one MySpace user to send a message to another's inbox. The message can include HTML and embedded image tags.
There are several such holes to choose from. There's an old hole -- patched early last year -- in the way Windows renders WMF (Windows Metafile) images. Cyber crooks are still using it to install keyloggers, adware and spyware on vulnerable machines. Last year it even popped up in an attack on MySpace users delivered through an ad banner.
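One defender-side check the quoted passage points to, written here as an added example (not code from Wired, MySpace or any party in the story): sniff the leading bytes of every image a stored HTML message embeds and flag anything carrying a WMF header, whatever extension the URL claims. The message, URLs and byte contents below are constructed; the `fetch` callable is assumed to return the raw bytes behind a URL.

```python
from html.parser import HTMLParser

# Signatures a WMF file starts with, independent of the file extension in the URL:
# the placeable (Aldus) header key 0x9AC6CDD7 stored little-endian, or a standard
# header whose first two 16-bit words are the file type (1 = memory, 2 = disk)
# and the header size (9 words).
WMF_SIGNATURES = (b"\xd7\xcd\xc6\x9a", b"\x01\x00\x09\x00", b"\x02\x00\x09\x00")


class _ImgSrcExtractor(HTMLParser):
    """Collects the src attribute of every <img> tag in a message body."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":  # HTMLParser lowercases tag and attribute names
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append(value)


def image_sources(html_message):
    """Return the URLs of all images embedded in an HTML message, in order."""
    parser = _ImgSrcExtractor()
    parser.feed(html_message)
    return parser.sources


def is_wmf(data):
    """True if the bytes begin with a placeable or standard WMF header."""
    return data[:4] in WMF_SIGNATURES


def flag_wmf_images(html_message, fetch):
    """Return the embedded image URLs whose content is actually a WMF file."""
    return [src for src in image_sources(html_message) if is_wmf(fetch(src))]


# Constructed sample: a stored message with two embedded images. The first is a
# genuine GIF header; the second is served as ".gif" but begins with a placeable
# WMF header (constructed bytes, not a real metafile).
SAMPLE_MESSAGE = ('<p>hey</p><img src="http://example.invalid/a.gif">'
                  '<IMG SRC="http://example.invalid/b.gif">')
SAMPLE_FETCHED = {
    "http://example.invalid/a.gif": b"GIF89a" + b"\x00" * 10,
    "http://example.invalid/b.gif": b"\xd7\xcd\xc6\x9a" + b"\x00" * 18,
}

if __name__ == "__main__":
    print(flag_wmf_images(SAMPLE_MESSAGE, SAMPLE_FETCHED.__getitem__))
```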
The importance of the Internet and telecoms in general to networked insurgency means that "wizard wars" are going to swirl around platforms the way kinetic battles focused on terrain features like Little Round Top. If the US private sector can be mobilized in the information warfare field it can dominate the playing field. But don't count all those offshore programmers out ... like the Russians ... or ideological locals either.
You've heard of vaporware and malware. But what about ransomware? "Imagine opening up the personal documents file on your computer and finding a ransom note warning you that all of your precious files will be deleted unless you wire money to cyber crooks. That's exactly what happened over the past several days to more than a thousand victims, many of them employees at U.S.-based companies and government contractors," according to Security Fix.
According to this Reuters story, this extortion attack played out at some of the nation's biggest corporations, including Booz Allen Hamilton, computer services company Unisys Corp., defense contractor L-3 Communications, computer maker Hewlett-Packard Co. and satellite network provider Hughes Network Systems. These were just the victims that rose to the top of the hit list. There are hundreds more.
Strangely enough, the story makes hardly any mention of the extortion attack itself, saying the malicious code was designed to steal data from infected machines. Russian anti-virus company Kaspersky Lab has a more detailed look at this intruder, including a copy of the ransom note, which demands $300 for a special key supposedly designed to let victims unscramble documents encrypted by the virus.
David Perry, global director of education for anti-virus maker Trend Micro, said he's curious why the attackers in this case asked for such a small amount. ... My theory is that perhaps in the virus writers' hometown, $300 may be a great deal of money. Moreover, it's a decent price point: They're probably far more likely to convince people to cough up $300 than they are $3,000. Besides, $300 is slightly less than it costs just to buy a brand new computer these days.
Yep. Three hundred bucks can buy life or death in certain parts of the world where only the normal curve of intelligence distribution prevails, but where little else is normal.