FBI planted spyware on teen's PC to trace bomb threats

Computerworld - The FBI planted spyware on the computer used by a Washington state teenager to finger him as the person behind a rash of bomb threats e-mailed to his high school, court documents revealed this week.

The 15-year-old, a former student at Timberline High School in Lacey, Wash., pleaded guilty Monday to making the bomb threats, as well as to identity theft charges, according to The Olympian. He was sentenced to 90 days in juvenile detention and must pay the school district $8,852 to cover expenses. The first e-mailed bomb threat was sent June 4.

In several of the messages, the student taunted school authorities and police for their inability to trace the e-mails to him. "Seeing as how you're too stupid to trace the e-mail back lets [sic] get serious," an e-mail on June 5 said, according to an unsealed search warrant application filed with a Seattle federal court in mid-June. "Stop pretending to be 'tracing it' because I already told you it's coming from Italy. That is where trace will stop, so just stop trying."

Within days, however, the FBI had obtained a warrant that allowed the agency to infect the student's computer with a program it called a Computer & Internet Protocol Address Verifier (CIPAV). "If a warrant is approved, a communication will be sent to the computer being used to administer [the MySpace] user account 'Timberlinebombinfo,'" said FBI Special Agent Norman Sanders in the June 12 filing.

The CIPAV, said Sanders, would "cause any computer -- wherever located -- to send network-level messages containing the activating computer's IP address and/or MAC address, other environmental variables and certain registry-type information to a computer controlled by the FBI."

"I'd call that spyware," said Roger Thompson, chief technology officer at Exploit Prevention Labs. "Or it's pretty darn close."

The warrant did not spell out whether the CIPAV could, for instance, capture keystrokes or inject other code into the compromised system, as do commonplace Trojan downloaders. "The exact nature of [the CIPAV's] commands, processes, capabilities and their configuration is classified as a law enforcement sensitive investigative technique," said the warrant applications.

Sanders, however, did say that after making its initial data harvest, the CIPAV would shift into a silent "pen register" mode in which it only recorded the IP addresses, dates and times of each communication. The contents of those communications -- such as e-mail messages -- would not be captured and passed to the FBI, the affidavit said.

It was also unclear exactly how Sanders expected to get the CIPAV onto the suspect's computer, although the warrant application hinted that it would be delivered through MySpace's own messaging service. "The CIPAV will be deployed through an electronic messaging program from an account controlled by the FBI," the warrant application read. "The electronic message deploying the CIPAV will only be directed to the administrator(s) of the 'Timberlinebombinfo' account [on MySpace]."