Updated April 18th 2009


The following document is being updated with the intention of providing an individual with options to secure one's personal machine. Irrespective of any specific person, entity or government, a trojan is a trojan is a trojan. After reading about the U.S. government's CIPAV, I was disheartened at the government's lack of 1) creativity and 2) oversight with regard to the delivery of the CIPAV and/or any other trojan.

Food for thought... Imagine being sent a random URL and curiously clicking on the hyperlink. Imagine that hyperlink was sent by someone who was aware of the FBI's intention to infect their machine. Guess what? You will now likely become the target of an investigation. There is no mention of the separation of targets on any documentation released by the F.B.I. in the FOIA request released to Wired Magazine. While the need for the U.S. government to remain secretive in its investigative methods is understandable (they don't want criminals becoming aware of their investigative methods), it is also understandable that technology can be quite easily manipulated.

So let's start off by looking at the following statement in one of the F.B.I.'s affidavits [1]: (page 65)

    "Conceptually. IP addresses are similar to telephone numbers, in that they are used to identify computers that exchange information over the Internet. An IP address is a unique numeric address used to direct information over the Internet and is a series of four numbers, each in the range 0-255. separated by periods (e.g., 121.56.97.178). In general, information sent over the lntemet must contain an Originating IP address and a destination IP address. which identify the computers sending and receiving the information. Section 216 of USA Patriot Act (P.L. 107-56) amended 18 U.S.C. 503121 et seq to specifically authorize the recovery of "addressing" and 'routing" information of"

      While absolutely true, this is also a broad statement. So let's look at the following discussion: [2]

        Well, let me ask you who you think 171.70.120.60 is. I'll give you a hint; at this instant, there are 72 of us.

        Here's another question. Whom would you suspect 171.71.241.89 is? At this point in time, I am in Barcelona; if I were home, that would be my address as you would see it, but my address as I would see it would be in 10.32.244.216/29. There might be several hundred people you would see using 171.71.241.89;

        One of the big issues with the Tsinghua SAVA proposal in the IETF is specifically the confusion of the application layer with the IP layer. They propose to embed personal identity into the IP address, and in that there are a number of issues. Internet Address != application layer identification.

        What we can do with IP addresses is conclude that the user of the machine with an address is likely to be one of its usual users. We can't say that with 100% certainty, because there are any number of ways people can get "unusual" access. But even so, if one can show a pattern of usage, the usual suspects can probably figure out which of them, or what other "unusual" user, might have done this or that.

        That is the model forensic analysts follow. And the address is personal information to the extent that it limits the set of usual suspects to a set that includes you or I.

      Any network engineer, security engineer, forensics engineer or any other individual with even a basic understanding of interconnected networks can tell you that an IP address is not an identifier. So imagine you purchased a wireless router, deployed it for home use, and someone compromised a connection from that router to the Internet. Guess what? Their actions lead right back to your home. We can go a little more granular and state "the F.B.I. is also tracking a MAC address." If someone compromised a connection to your router, nothing stops them from looking at the DHCP table stored on your router and changing their own MAC address (the attacker's) to a valid one listed there (yours). This is rather elementary on a point-and-click level. [3,4]

      For those using Mozilla Firefox, I suggest downloading and using NoScript [5]. From their website:

        03/18/2008, "Consider switching to the Firefox Web browser with the NoScript plug-in. NoScript selectively, and non-intrusively, blocks all scripts, plug-ins, and other code on Web pages that could be used to attack your system during visits" (Rich Mogull on TidBITS, Should Mac Users Run Antivirus Software?).

      In order for this particular backdoor (CIPAV), and many others, to be effective, the user needs to be lured into running it, most likely via a browser-delivered trojan. This attack vector can be accomplished in one of many ways and is likely ONLY to infect Windows-based operating systems; I state this with certainty without having to get into a discourse on operating systems and their security. The first way is to get a visitor to a specific website which, upon visiting, will perform some covert installation and/or execution of the program. The second would be via, say, e-mail delivery, which wouldn't make any sense for the F.B.I.: they'd already have an address to work with, and there are other methods to correlate connections via a simple tap of the line (monitoring IP connections between point A and point B). It's much more cost effective to present simple connection records and force a defendant to prove reasonable doubt. More than likely when someone is guilty, they'll show their guilt and want to plea out some form of deal. It's just how it goes.

      In either case, we can deduce that the F.B.I. doesn't have any counter-hacking teams in place targeting a machine. It would be reckless to do so; if you read [2], then you'd understand why I can't foresee them doing that and would only hope liberties aren't trampled on at such an extreme level. Not only should there be a concern for the malicious prosecution of a potentially innocent target, they'd have to begin an investigation on the notion that "an attacker exists and might be coming from... we have no definitive proof, therefore we need to load CIPAV for discovery". I completely understand where the government is coming from and sincerely applaud their initial effort for trying; however, I'm also a stickler for accountability and believe there should be oversight. This not only protects innocent individuals but also protects the government from being viewed as Orwellian. This document is NOT about circumventing law or technology, so do not confuse my intention. The document is merely meant to promote safety and security. While it may be viewed as "anti-government", that is not (repeat, not) my intention whatsoever. With that said, the original writing remains.

      "Justice denied anywhere diminishes justice everywhere." - Martin Luther King

      [1] http://blog.wired.com/27bstroke6/2009/04/get-your-fbi-sp.html
      [2] http://markmail.org/message/34upryjlx7wv5alz#query:ip%20is%20personal%20nanog%20%2Bfred+page:1+mid:smpfzqtrycc37g4j+state:results
      [3] http://www.nthelp.com/NT6/change_mac_w2k.htm
      [4] http://www.irongeek.com/i.php?page=security/changemac
      [5] http://noscript.net/

      ORIGINAL RAMBLING

      Cogitationis poenam nemo patitur

      THIS DOCUMENT IS NOT WRITTEN WITH THE INTENTION OF BREAKING ANY LAWS. IT IS WRITTEN SOLELY TO DEMONSTRATE HOW TO SECURE ONE'S PERSONAL MACHINE. YOU ARE YOUR OWN JUDGE AND SOLELY YOU WILL DETERMINE WHAT IS RIGHT AND WHAT IS WRONG. THIS DOCUMENT WAS WRITTEN WITH GOOD INTENTIONS ON HOW TO KEEP ONE'S MACHINE SECURE FROM VIRUS/ADWARE/KEYSTROKE-LOGGER BASED PROGRAMS IRRESPECTIVE OF WHETHER SAID PROGRAMS WERE INSTALLED BY *ANY* GOVERNMENT AGENCY. IF IT EXISTS ON YOUR MACHINE, THIS DOCUMENT WILL GIVE YOU GUIDANCE ON DETECTION AND EVASION. REGARDLESS OF TRIVIAL DISCLAIMERS SUCH AS THIS, YOU ARE ULTIMATELY YOUR OWN BOSS, YOU ARE YOUR OWN JUDGE OF CHARACTER, ETC, ETC. I WILL NOT BE HELD RESPONSIBLE FOR YOUR ACTIONS, SO IF YOU'RE READING THIS DOCUMENT WITH THE INTENTION OF SAVING YOUR ASS, IN ALL HONESTY I HOPE YOU SHOOT YOURSELF IN THE FOOT WITH YOUR ACTIONS. HOWEVER, IF YOU ARE SEEKING TO REMEDY POTENTIAL ISSUES SUCH AS SOMEONE SNOOPING, I HOPE YOU FIND THIS DOCUMENT INFORMATIVE. THE DOCUMENT NEEDN'T BE SIGNED; IT'S OBVIOUS WHO WROTE IT SHOULD SOMEONE SEEK OUT THE AUTHOR. I JUST DIDN'T FEEL LIKE DEALING WITH THE POLITICS AGAIN, LEST THIS TIME I TELEKINETICALLY HIJACK THE MARS ROVER WHILE IN A SUBMARINE.

      I couldn't resist temptation here, so here goes (possible countdown to a formal visit... two months?). Anyhow... Big Brother is out on the prowl and has now turned pseudo black hat in its efforts to fight "crime". While this is an applauded action, I'll take an alternative view here and provide information on how to detect and deter CIPAV and other programs like it. Why the hell would I do that, you ask? Simple: if the government can do it, so too can others, and ultimately it will only be a matter of time before they can and will. Besides, the 9th Circuit ruled it was illegal for the feds to do this (http://blog.wired.com/27bstroke6/2007/07/appeals-court-c.html), hence this write-up. TAKE NOTE: THIS DOCUMENT WILL BE UPDATED AS TIME GOES ON AND AS MORE INFORMATION IS DISCOVERED ON MALICIOUSLY INSTALLED TROJAN|MAL|SCUM|SPYWARE PROGRAMS. SO PLEASE CHECK BACK FROM TIME TO TIME.

      So what is CIPAV? "Computer and Internet Protocol Address Verifier". Fair enough. What does CIPAV obtain and how does it do this? Well according to ComputerWorld, [1] this is the information CIPAV obtains:

      • IP address
      • MAC (media access control) address for the network card
      • List of open TCP and UDP ports
      • List of running programs
      • Operating system's type, version, and serial number (in Windows, the serial number is the 25-digit alphanumeric product activation key)
      • Default browser and its version
      • Default language of the operating system
      • Currently logged-in user (username), and registered company name (the latter is optional in Windows)
      • Last visited URL

      According to the affidavit filed by an FBI agent and all other *known* information about CIPAV, the feds leveraged a mechanism to have the file downloaded and run/installed à la malware. So what's the big hoopla about? There is and was speculation about antivirus vendors allowing the government to pull a fast one on their users [2], and here is my take on this, a stone-cold, matter-of-fact, logical view... One: even if a vendor did allow this, they would be taking on an enormous risk of financial loss, since they could no longer be trusted. I can't think of any particular instance of them being able to specially craft an all-inclusive "don't detect this program" rule that wouldn't have been caught by the thousands of people constantly scrutinizing computer security programs on a daily basis. However, I can imagine a vendor such as Symantec or McAfee carefully crafting an update aimed at, say, a registered user and having that user's AV program download a backdoored update of sorts. This is not to say the companies mentioned have done so, but I can infer from their answers that, if subpoenaed, they'd likely cave.

      Enough rambling though; this is my take on how to block programs like CIPAV and others. Firstly, this CIPAV is likely nothing more than something targeted at Windows, and we can infer this from this statement garnered from Computerworld: "in Windows, the serial number is the 25-digit alphanumeric product activation key". Serial number, in Linux or BSD. Right. Anyhow, the first thing I would do in a situation regarding Windows is download the following, and this is two-fold: one, it protects my machine from intruders; secondly, it alerts me to any funny activity coming to or leaving my machine. Remember, the key with this document is to prevent anything from leveraging my machine. An attack is an attack is an attack. If something is coming to or leaving my machine, I'd want to know about it, especially if it's leaving my machine without me sending it.

      Windows Protection Tools 101:

      • Comodo Personal Firewall [3]
      • Spybot Search and Destroy [4]
      • Lavasoft's AdAware [5]
      • Crap Cleaner [6]
      • AVG Antirootkit [7]
      • Avast Antivirus or Kaspersky Labs AV [8]::[9]
      
      Alwil Software AS
      Prubezna 76
      Praha 10, Czech republic 11000
      CZ

      Administrative Contact:
      Baudis, Pavel  baudis@ASW.CZ
      Alwil software
      Prubezna 76
      Praha 10 110 00
      CZ
      +420 2 74005 666 fax: +420 2 74005 555

      Pinkas, Robert
      GRISOFT, s.r.o.
      Lidicka 31
      Brno 602 00
      CZ

      Administrative Contact, Technical Contact:
      Pinkas, Robert  robin.pinkas@grisoft.com
      GRISOFT, s.r.o.
      Lidicka 31
      Brno 602 00
      CZ
      +420-5-49524011 fax: +420-5-49524394

      Comodo CA Ltd
      3rd Floor Building 26 Office Village Exchange Quay
      Salford, Manchester M5 3EQ
      GB

      Administrative, Technical Contact:
      Abdulhayoglu, Melih  domain-admin@comodogroup.com
      Comodo CA Ltd
      3rd Floor Building 26 Office Village Exchange Quay
      Salford, Manchester M5 3EQ
      GB
      +44.1618747070 +44.1618771767

      Kaspersky Labs
      10, Geroev Panfilovtsev
      Moscow 123363
      RU

      Administrative Contact, Technical Contact:
      Kaspersky Labs  domain-management@kaspersky.com
      10, Geroev Panfilovtsev
      Moscow 123363
      RU
      +70957978700 fax: +70957978700

      This is why these tools were chosen: if the US government needed to contact these vendors, they'd likely have a hell of a time getting someone from another country to play by US rules. This is not to say that they wouldn't, but there is a strong likelihood that none of the companies listed above have any incentive to do so. In fact, if any of these companies did and somewhere down the line it was discovered, that would hurt their credibility as security tools, period. With US companies such as Symantec and McAfee, I'm a stickler for believing it is easier to pull the rug from under someone's feet in this industry: "You do remember you have an umpteen-million-dollar contract coming up." For the companies abroad, it's a bit more difficult. Not only that, what is the likelihood of having EVERY single vendor follow the "we'll allow this backdoor" mentality? For those muttering "I'm not using some Czech company", whatever makes you happy.

      I'd start off with a clean install of Windows XP if I had to choose from any version of Windows. I'm not a Vista fan, nor do I intend to use Vista if I don't have to. In fact, if you can skip Windows altogether, go get yourself Linux, BSD, etc., but moving along... With a clean install of Windows, I'd head over to Microsoft's Windows Update site and make sure I had all their "quote" security patches. No need to ramble on about Microsoft's delays in fixing things at times; I'm looking to secure said machine with all known patches at that point in time, period. If I have MS Office installed, I'd head over and install any Office updates as well.

      After my clean install of Windows, I'd install all of the tools mentioned above. I would install BOTH Avast and Kaspersky, but there is zero reason to have both start. The reason for installing both is so I can run one or the other at will. I'd make sure both were updated and, when possible, configured to automatically update themselves. This is crucial in keeping some form of security... Updates. An analogy for those who don't know compsec that well: associate your antivirus program with a pharmacy. Your pharmacy has the cures for known ills, doesn't it? However, your pharmacy needs to be informed of new diseases for which there is medicine available; this is akin to your AV program updating. Think of the AV program as a pharmacy and the updates as the pharmacy getting new drugs from the pharmaceutical vendors. Bottom line: if your antivirus software isn't constantly updated, it's as useful as tits on a bull.

      One of the most informative of tools is Spybot Search and Destroy. There is an option in Spybot for "Tea Timer". Tea Timer is a resident watchdog that alerts you to any modifications occurring within your registry. If something is changed, Spybot will alert you. After installing Spybot, I'd make sure Tea Timer is set to run. Updates, updates, updates. It's up to you to keep Spybot updated. After the Spybot installation, I'd install (in no particular order) the rest of the software mentioned.

      Comodo... Following this will be some screenshots for clarity. Comodo is a nifty little personal firewall; professionally, I use Cisco PIX, Juniper NetScreen and Stonesoft StoneGate firewalls now, but we're talking about a personal machine here. With Comodo installed, I set the security configuration to custom. This allows me to see what is attempting to leave my machine and determine what I'd like to do next: allow it or deny it.

      I select "Component Monitor" and place it in learn mode. One of the nice things about the component monitor is that it shows you most of the DLL files it knows of, allows you to block or allow each, and lets you sort by any field listed. With this said, you can sort by company and quickly get an assessment of what is leaving, who it belongs to, etc. Now, it doesn't take a security expert to determine what some of these files are; you can Google most of the files you see and you will likely find a slew of information regarding what is currently on your machine. With this information you can then determine what is allowed to leave or what should be blocked. It *shouldn't* take a rocket scientist to see that r3gsrv.eve is not legitimate. I could write a book on obscurity. Again, take the time to know what is on your machine, else it will be your own fault should your machine get compromised.

      After Component Monitor is adjusted to my liking, I then click on "Advanced". I begin with "Application Behavior Analysis". No need for an encyclopedia here: everything is selected. Click on Miscellaneous, and it's up to you whether you want the items in there monitored and/or reported.

      Spybot... Fire it up. Your first move should be to click on "Check for updates". Always (I repeat, always) update your software before running it. Otherwise, re-read the pharmacy analogy. After updating Spybot, click on Immunize. Regardless of whether this is a clean install, click on Search and Destroy and then "Check for Problems". Would it kill you to do a check? Think of these steps as a first line of defense. So what if it takes a few minutes of your computing time; you'll be better off in the long run. The same goes for Avast, AVG and/or Kaspersky's AV programs. Update, run; update, run.

      Moving along to "American" tools. I will now name other tools to keep on your machine:

      • Autoruns (pre-Microsoft if you could find it) [10]
      • Process Explorer (same as above) [11]
      • SpywareBlaster [12]

      Rinse and repeat the "Update" theme.

      Autoruns is an extremely useful tool, but for the average user it's overkill. It's mentioned here with the hope that one would want to see the things starting up on their machine. Not from a Windows (msconfig) perspective, but all across the board. It will allow one to see what libraries are loaded, who owns them, their path, etc. You can double-click on a file to go right to the registry, etc. So, keeping in tune with those not in the computer security realm: familiarity with your system is key. If you are unsure of a program's vendor, Google it. If you can't find it, disable it until you do. Remember, if you didn't add it, how did it get there? If there is no vendor signature attached, there is no need to let it through. This isn't to say that some of this information can't be fudged, but use some common sense. If you see listener.exe starting up, and you see it belongs to Microsoft Corporation, do you let it through unchecked? I wouldn't. I don't care who it belongs to; I'd like to see where it's going and why.
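
As an added example (my own, not the author's tooling and not part of Autoruns), here is a small Python triage script that applies the checks from the last two sections to an Autoruns-style CSV export: is the signer verified, does the entry claim a well-known vendor without a verified signature (the listener.exe case), does it run from a temporary directory, and does the image have an unexpected extension (the r3gsrv.eve case). The column names are assumed from the autorunsc CSV export, the temporary-directory heuristic is mine rather than the page's, and every sample entry is constructed.

```python
import csv
import io
import ntpath
from dataclasses import dataclass

# Constructed sample in the shape of an Autoruns CSV export (autorunsc -c).
# The column set is an assumption modelled on that export; the entries are
# made up for this example and are not from the page.
SAMPLE_EXPORT = r"""Entry Location,Entry,Description,Signer,Company,Image Path
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,ctfmon,CTF Loader,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\ctfmon.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,listener,Network Listener,(Not verified) Microsoft Corporation,Microsoft Corporation,c:\windows\temp\listener.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,r3gsrv,,,,c:\documents and settings\user\local settings\temp\r3gsrv.eve
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,avast,avast! service,(Verified) ALWIL Software,ALWIL Software,c:\program files\alwil software\avast4\ashserv.exe
"""

# Vendors whose name an impostor is most likely to borrow: a claim to be one
# of these without a verified signature is exactly the listener.exe case.
TRUSTED_VENDORS = {"microsoft corporation", "microsoft windows"}
# Heuristic of my own (not from the page): legitimate autostart entries
# rarely run out of a temporary directory.
TEMP_PATH_MARKERS = ("\\temp\\", "\\tmp\\")
# Image extensions one expects to see on autostart entries.
EXPECTED_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx", ".cpl"}


@dataclass
class Finding:
    entry: str
    image_path: str
    reasons: list


def triage_autoruns(csv_text):
    """Apply the 'if you didn't add it, how did it get there' checks to an
    Autoruns-style export and return one Finding per suspicious entry."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        signer = (row.get("Signer") or "").strip()
        company = (row.get("Company") or "").strip()
        path = (row.get("Image Path") or "").strip()
        lowered = path.lower()
        verified = signer.lower().startswith("(verified)")
        reasons = []
        if not verified:
            reasons.append("no verified Authenticode signer")
        if not verified and company.lower() in TRUSTED_VENDORS:
            reasons.append(f"claims {company} but the signature is not verified")
        if any(marker in lowered for marker in TEMP_PATH_MARKERS):
            reasons.append("runs from a temporary directory")
        ext = ntpath.splitext(lowered)[1]
        if ext not in EXPECTED_EXTENSIONS:
            reasons.append(f"unexpected image extension {ext!r}")
        if reasons:
            findings.append(Finding(row.get("Entry", ""), path, reasons))
    return findings


if __name__ == "__main__":
    for finding in triage_autoruns(SAMPLE_EXPORT):
        print(f"{finding.entry}: {finding.image_path}")
        for reason in finding.reasons:
            print(f"    - {reason}")
```

On the constructed sample, ctfmon and the Avast service pass cleanly, listener.exe is flagged for claiming Microsoft without a verified signature and for living in a temp directory, and r3gsrv.eve is flagged for all three of being unsigned, running from temp and having an extension that is not a program. Entries it flags are candidates for the Google-then-disable step above, not a verdict on their own.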

      For this, a certain level of paranoia creeps in, so on this note I fire up Wireshark before I have network connectivity. Now remember, Comodo starts in blocking mode on my test machine, blocking everything. With Wireshark started and Comodo starting in blocking mode, once everything is up and running Comodo goes to its normal mode. Now I know that at this stage nothing seeped out before the normal programs started, since Comodo blocked it, and I also know Comodo is going to alert me to any activity. Since I'm playing the paranoia part, Wireshark is now looking at everything at the network level coming in and going out.

      If you're further paranoid, you can simply block any known government-related IP ranges from accessing your machine, or any range you choose not to receive traffic from. Don't like certain addresses in China? Look up their addresses, get their CIDR blocks [13] and block them with Comodo. This is sort of a moot point, though, since they can easily use a DSL connection from a normal ISP to do their jobs.
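
The baseline-then-watch procedure of the last two paragraphs, as an added example that is mine and not from the page: capture before the normal programs start, treat the destinations in that capture as known, then compare a later capture against it and against a CIDR blocklist. It assumes a tshark field export with frame.time_epoch, ip.src, ip.dst and tcp.dstport separated by commas; the local address, the timestamps, the remote addresses and the blocked range are all constructed.

```python
import ipaddress
from collections import Counter

# Constructed: the address of the machine being watched.
LOCAL_HOST = ipaddress.ip_address("192.168.1.10")

# Constructed sample lines in the shape of a tshark field export
# (tshark -r capture.pcap -T fields -E separator=, -e frame.time_epoch
#  -e ip.src -e ip.dst -e tcp.dstport).  The field list is an assumption
# and every address and timestamp below is made up.
BASELINE_CAPTURE = """\
1239800000.10,192.168.1.10,192.168.1.1,80
1239800001.20,192.168.1.10,203.0.113.5,80
1239800002.30,203.0.113.5,192.168.1.10,
1239800003.40,192.168.1.10,203.0.113.20,443
"""

LATER_CAPTURE = """\
1239900000.10,192.168.1.10,203.0.113.5,80
1239900001.20,192.168.1.10,198.51.100.77,8080
1239900002.30,192.168.1.10,192.0.2.9,443
1239900003.40,198.51.100.77,192.168.1.10,
"""

# Constructed stand-in for the CIDR blocks one would look up by whois and
# refuse to talk to.
BLOCKED_RANGES = [ipaddress.ip_network("192.0.2.0/24")]


def outbound_destinations(capture_text, local_host):
    """Count (remote address, destination port) pairs for packets that left
    local_host.  Inbound packets and blank lines are ignored; a missing port
    (non-TCP traffic) is recorded as None."""
    seen = Counter()
    for line in capture_text.splitlines():
        if not line.strip():
            continue
        _timestamp, src, dst, port = line.split(",")
        if ipaddress.ip_address(src) != local_host:
            continue
        seen[(ipaddress.ip_address(dst), int(port) if port else None)] += 1
    return seen


def _sort_key(dest):
    return (str(dest[0]), dest[1] or 0)


def review_capture(baseline_text, later_text, local_host, blocked_ranges):
    """Compare a later capture against the known-good baseline: report the
    destinations that were never contacted before, and any destination that
    falls inside a blocked range."""
    known = set(outbound_destinations(baseline_text, local_host))
    later = outbound_destinations(later_text, local_host)
    new = sorted((d for d in later if d not in known), key=_sort_key)
    blocked = sorted(
        (d for d in later if any(d[0] in net for net in blocked_ranges)),
        key=_sort_key,
    )
    return {
        "new": [(str(addr), port) for addr, port in new],
        "blocked": [(str(addr), port) for addr, port in blocked],
    }


if __name__ == "__main__":
    report = review_capture(BASELINE_CAPTURE, LATER_CAPTURE, LOCAL_HOST, BLOCKED_RANGES)
    for addr, port in report["new"]:
        print(f"new destination: {addr}:{port}")
    for addr, port in report["blocked"]:
        print(f"blocked range hit: {addr}:{port}")
```

Inbound packets are deliberately skipped: the question in this section is what leaves the machine that you did not send, so only connections originating from the local address count. A destination that shows up as new is a prompt to look up who owns it (whois), not proof of anything by itself.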

      Your home network... You should definitely lock this down, as you do not want anyone snooping on your information at any given point. If you choose WEP then you might as well choose nothing at all; and remember to change your keys at least once a month. No need to reinvent wheels here on securing your wireless home connection. A link is provided for this. [14]

      Now, I can guarantee you it will be extremely difficult for something to occur on your system without you knowing something is odd, short of Joanna Rutkowska finalizing Blue Pill and having that installed on your machine. With this said, I'd like to ramble on for a few minutes more. As stated originally, this document was not written for idiots to run amok causing idiotic chaos, such as the moron who was sending bomb threats to his school. He deserves whatever punishment they dish out to him. Regardless of any person, company, government, etc., your machine is your machine. How you choose to maintain it is up to you; however, as with many people who surf the net, many tend to perform financial transactions online. You're at risk, obviously, not from the government (well, hopefully not) but from malicious individuals who are extremely crafty and will often seek methods to circumvent security tools.

      Internet Explorer, the most moronic of the moronic browsers. Avoid using this browser at all costs if you can. I'm not going to reinvent other wheels here, but it's a nightmare. Firefox, not as bad, but personally I use Opera for visuals when possible, and most of the time I use Lynx||Links when possible.

      Security doesn't always have to be so difficult. It is up to you, the individual, to properly maintain your machine and protect yourself. So whether you're an extremely clueless individual or an extremely clueful one (and I've even seen these get compromised), it's all up to you what your machine does and how it does it. Your name doesn't have to be "Edward (Brill) Lyle", Kevin Mitnick, Kevin Poulsen, etc., to defend yourself.

      If you're EXTREMELY paranoid, install Squid, block everything, and set your firewall to block everything leaving until you approve it. Then head over and pay John Young's Cryptome a visit. Look up NSA IP space ranges, block those out, and whois entire blocks of addresses. Purchase yourself some white-noise-generating bulbs, maybe TCP over bongos...

      As for *nix... This could be a book on its own. I'll get to it some other day. For now, how about you spend some time cleaning and locking down your machine. Your personal information will appreciate you doing so.


    • [1] http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9028298 - Computerworld: FAQ: What we know (now) about the FBI's CIPAV spyware
    • [2] http://news.com.com/2100-7348_3-6196990.html - C|Net News: Security firms on police spyware, in their own words
    • [3] http://www.comodo.com/products/free_products.html - Comodo Personal Firewall
    • [4] http://www.safer-networking.org/ - Spybot Search and Destroy
    • [5] http://www.lavasoft.de - AdAware
    • [6] http://www.ccleaner.com/ - CCleaner (formerly Crap Cleaner)
    • [7] http://www.grisoft.com/doc/download-free-anti-rootkit/us/crp/0 - AVG Anti-Rootkit
    • [8] http://www.avast.com/ - Avast
    • [9] http://www.kaspersky.com/ - Kaspersky AntiVirus (NOT FREE)
    • [10] http://download.sysinternals.com/Files/Autoruns.zip - Autoruns
    • [11] http://download.sysinternals.com/Files/ProcessExplorer.zip - Process Explorer
    • [12] http://www.javacoolsoftware.com/ - SpywareBlaster
    • [13] http://www.domaintools.com/services/ - DomainTools (whois / CIDR lookup)
    • [14] Google search for WPA setups