FBI planted spyware on teen's PC to trace bomb threats

The U.S. Federal Bureau of Investigation planted spyware on the computer used by a Washington state teenager to finger him as the person behind a rash of bomb threats e-mailed to his high school, court documents revealed this week.

The 15-year-old, a former student at Timberline High School in Lacey, Wash., pleaded guilty Monday to making the bomb threats, as well as to identity theft charges, according to The Olympian. He was sentenced to 90 days in juvenile detention and must pay the school district US$8,852 to cover expenses. The first e-mailed bomb threat was sent June 4.

In several of the messages, the student taunted school authorities and police for their inability to trace the e-mails to him. "Seeing as how you're too stupid to trace the e-mail back lets [sic] get serious," an e-mail on June 5 said, according to an unsealed search warrant application filed with a Seattle federal court in mid-June. "Stop pretending to be 'tracing it' because I already told you it's coming from Italy. That is where trace will stop, so just stop trying."

Within days, however, the FBI had obtained a warrant that allowed the agency to infect the student's computer with a program it called a Computer & Internet Protocol Address Verifier (CIPAV). "If a warrant is approved, a communication will be sent to the computer being used to administer [the MySpace] user account 'Timberlinebombinfo,'" said FBI Special Agent Norman Sanders in the June 12 filing.

The CIPAV, said Sanders, would "cause any computer -- wherever located -- to send network-level messages containing the activating computer's IP address and/or MAC address, other environmental variables and certain registry-type information to a computer controlled by the FBI."

"I'd call that spyware," said Roger Thompson, chief technology officer at Exploit Prevention Labs. "Or it's pretty darn close."

The warrant did not spell out whether the CIPAV could, for instance, capture keystrokes or inject other code into the compromised system, as do commonplace Trojan downloaders. "The exact nature of [the CIPAV's] commands, processes, capabilities and their configuration is classified as a law enforcement sensitive investigative technique," said the warrant applications.

Sanders, however, did say that after making its initial data harvest, the CIPAV would shift into a silent "pen register" mode in which it only recorded the IP addresses, dates and times of each communication. The contents of those communications -- such as e-mail messages -- would not be captured and passed to the FBI, the affidavit said.

It was also unclear exactly how Sanders expected to get the CIPAV onto the suspect's computer, although the warrant application hinted that it would be delivered through MySpace's own messaging service. "The CIPAV will be deployed through an electronic messaging program from an account controlled by the FBI," the warrant application read. "The electronic message deploying the CIPAV will only be directed to the administrator(s) of the 'Timberlinebombinfo' account [on MySpace]."

The FBI may have used an exploit -- one already in circulation or one of its own -- to plant the CIPAV on the student's machine, said Thompson. Or it might have just gone the simple route, and counted on the suspect's curiosity to get him to launch an attached file or click on a link to a malicious site.

Even if his computer had security software installed and active, the CIPAV could have gotten through, Thompson argued. "In order to evade antivirus, all you've got to do is use a new version of [a piece of malware]. The bad guys do it all the time."

It's also possible, speculated Thompson, that the FBI asked security vendors to whitelist their CIPAV to let it through any defenses. "They've always talked about things like this, whether it was Magic Lantern or Carnivore. But the last time I saw anything from [the FBI] was three, four years ago, and it was pretty rudimentary stuff."

Magic Lantern was the name given to a 2001 FBI effort to develop a keystroke and encryption keylogger. Carnivore, meanwhile, is the label for e-mail tapping software from the same time frame.

When asked if he would agree to whitelist CIPAV, or had in the past when he was with PestPatrol, an antispyware developer acquired in 2004 by CA Inc., Thompson said: "I don't know. We never had to face that decision, because we were never asked."