1.4 Who Is Building and Using Rootkits?

directory enumeration APIs (i.e., FindFirst()/FindNext()) using a custom file system filter driver.[28]

As with Sony's DRM rootkit, the problem with this feature is that an attacker could easily subvert it and use it for nefarious purposes. A cloaked NPROTECT directory provides storage space for an attacker to place malware because it may not be scanned during scheduled or manual virus scans. Once Mark pointed this out to Symantec, they removed the cloaking functionality.

Law Enforcement

Historically speaking, rootkits were originally the purview of Black Hats. Recently, however, the Feds have also begun to find them handy. For example, the FBI developed a program known as Magic Lantern, which, according to reports,[29] could be installed via email or through a software exploit. Once installed, the program surreptitiously logged keystrokes. It's likely that the FBI used this technology, or something very similar, while investigating reputed mobster Nicodemo Scarfo Jr. on charges of gambling and loan sharking.[30] According to news sources, Scarfo was using PGP[31] to encrypt his files, and the FBI agents would've been at an impasse unless they got their hands on the encryption key. I suppose one could take this as testimony to the effectiveness of the PGP suite.

More recently, the FBI has created a tool referred to as a "Computer and Internet Protocol Address Verifier" (CIPAV). Although the exact details of its operation are sketchy, it appears to be deployed via a specially crafted web page that leverages a browser exploit to load the software.[32] In other words, CIPAV gets on the targeted machine via a drive-by download. Once installed, CIPAV funnels information about the targeted host (e.g., network configuration, running programs, IP connections) back to authorities. The existence of CIPAV was made public in 2007 when the FBI used it to trace bomb threats made by a 15-year-old teenager.[33]

28. http://www.symantec.com/avcenter/security/Content/2006.01.10.html.

29. Ted Bridis, "FBI Develops Eavesdropping Tools," Washington Post, November 22, 2001.

30. John Schwartz, "U.S. Refuses To Disclose PC Tracking," New York Times, August 25, 2001.

31. http://www.gnupg.org/.

32. Kevin Poulsen, "FBI Spyware: How Does the CIPAV Work?" Wired, July 18, 2007.

33. Kevin Poulsen, "Documents: FBI Spyware Has Been Snaring Extortionists, Hackers for Years," Wired, April 16, 2009.
