
The FBI CIPAV: A Digital Surveillance Tool
The FBI developed a computer surveillance program known as the Computer and Internet Protocol Address Verifier, or CIPAV, designed to covertly monitor suspects through their own machines. Court documents from the Josh Glazebrook case shed light on how this tool was deployed against a then-anonymous MySpace user operating under the handle “Timberlinebombinfo.”
According to the federal affidavit, the CIPAV was transmitted through an electronic messaging program controlled by the FBI. Both the sending and receiving machines were under bureau control, and the payload was directed exclusively at the administrator of the target account.
How the FBI Delivered Its Surveillance Payload
The precise delivery mechanism raises significant technical questions. Social engineering — tricking the target into manually downloading malicious code — seems unlikely given Glazebrook’s reported technical background. A more probable scenario involves the exploitation of a software vulnerability, either one that was publicly known but unpatched on the target machine, or a zero-day exploit known only to the FBI.
MySpace offered an internal instant messaging system and a web-based stored messaging inbox that supported HTML, including image tags. An image tag that points at an external server makes the recipient's browser fetch and parse whatever that server returns, which is all an exploit file needs to reach a vulnerable image or media parser. Since there is no evidence the CIPAV was built specifically for MySpace, the most likely vector was a browser or plug-in vulnerability triggered by content loaded through the stored messaging system.
Potential Exploit Vectors Security Researchers Identified
Several known vulnerabilities could have served as the entry point at the time:
Windows Metafile (WMF) Vulnerability: An older flaw in how Windows rendered WMF images had been patched but was still widely exploited by cybercriminals to install keyloggers, adware, and spyware. This same exploit had previously appeared in an attack on MySpace users delivered through an advertising banner.
Windows Animated Cursor Vulnerability: Security researcher Roger Thompson, then CTO of Exploit Prevention Labs, suggested this fresher exploit was the most likely candidate. Originally discovered being used by Chinese hackers, it spread rapidly among malicious actors worldwide. For several weeks, no patch existed. Even after Microsoft issued an emergency fix in April 2007, many users never applied the update, making it one of the most commonly exploited browser flaws at the time.
Apple QuickTime Plug-in Vulnerabilities: Flaws in the QuickTime browser plug-in could grant an attacker full remote control of a target machine. Patching required manually downloading and reinstalling the entire QuickTime package, meaning many users remained exposed.
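The delivery vector described above and the three file formats listed here share one mechanism: a stored message that carries an image or media tag makes the recipient's browser fetch and parse whatever the referenced server returns, so a WMF, ANI or QuickTime file reaches the vulnerable parser without the user doing anything. The audit function below is an added example, not MySpace's code and not anything from the court record. It inspects a user-submitted message body for references a messaging platform should refuse to deliver as written. The sample message, the hostnames and the list of risky extensions are constructed for the example.

```python
"""Audit user-submitted HTML for references that would make the recipient's
browser fetch content from a server the sender controls.
Added example; hostnames and the sample message are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# File types the article names as exploit carriers in 2007:
# WMF images, animated cursors, and QuickTime media.
RISKY_EXTENSIONS = (".wmf", ".emf", ".ani", ".cur", ".mov", ".qt")

# Attributes the browser fetches automatically when the message renders.
FETCH_ATTRS = {
    "img": ("src", "lowsrc", "dynsrc"),
    "embed": ("src",),
    "object": ("data", "codebase"),
    "iframe": ("src",),
    "link": ("href",),
    "script": ("src",),
}
ACTIVE_TAGS = ("embed", "object", "iframe", "script")


class RefCollector(HTMLParser):
    """Collect (tag, url) for every auto-fetched reference in a message body."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = FETCH_ATTRS.get(tag, ())
        for name, value in attrs:
            if name in wanted and value:
                self.refs.append((tag, value.strip()))


def audit_message_html(html, allowed_hosts):
    """Return [(tag, url, reasons)] for references the platform should not deliver.

    allowed_hosts: hosts the platform serves itself (e.g. its own image uploads).
    An external host is flagged regardless of extension: the server decides what
    bytes come back, so a ".jpg" URL can return a WMF or ANI just as easily.
    """
    collector = RefCollector()
    collector.feed(html)
    findings = []
    for tag, url in collector.refs:
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        reasons = []
        if tag in ACTIVE_TAGS:
            reasons.append("active content")
        if parsed.scheme and parsed.scheme not in ("http", "https"):
            reasons.append("non-http scheme")
        if host and host not in allowed_hosts:
            reasons.append("external host")
        if parsed.path.lower().endswith(RISKY_EXTENSIONS):
            reasons.append("risky media type")
        if reasons:
            findings.append((tag, url, tuple(reasons)))
    return findings


# Constructed sample message: one on-site image, one 1x1 cursor file from an
# outside host, one off-site image with a harmless-looking name, one embed.
SAMPLE_MESSAGE = """
<p>check out this pic</p>
<img src="http://images.myspace.example/profile/123.jpg">
<img src="http://files.example.net/cursor.ani" width="1" height="1">
<img src="//cdn.example.org/kitten.jpg">
<embed src="http://files.example.net/clip.mov" type="video/quicktime">
"""

if __name__ == "__main__":
    for tag, url, reasons in audit_message_html(SAMPLE_MESSAGE, {"images.myspace.example"}):
        print(f"{tag:6} {url:45} {', '.join(reasons)}")
```

The hardened policy this implies is the one most platforms eventually adopted: strip active tags outright, and either reject off-site image references or re-host them so the recipient's browser only ever talks to the platform's own servers.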
Why Antivirus Software Failed to Detect the CIPAV
Greg Shipley, CTO of security consultancy Neohapsis, noted that traditional antivirus software was essentially powerless against the CIPAV. Without a sample of the FBI’s code to build a detection signature, conventional AV products had virtually no way to identify it.
Some heuristic-based tools that profile application behavior might have flagged anomalous activity, but the CIPAV appeared to demonstrate sophisticated design characteristics. The program was reportedly aware of installed software packages and default browsers, suggesting it could adapt its behavior to blend in with normal system activity.
If the trojan was browser-aware and potentially proxy-aware, reporting back over HTTP through whatever proxy the victim's browser was already configured to use, its traffic would look like ordinary web browsing to the network: an extremely effective covert communications channel, one that the vast majority of network environments would never notice. Standard antivirus products would remain blind to it unless they obtained a copy of the code and built a specific signature, neither of which was likely to happen.
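A proxy-aware implant that reports over HTTP is hard to distinguish from browsing one request at a time, but the paragraph above points at the handle a network defender does have: the implant has to check in, and check-ins tend to be regular and small, while human browsing is bursty and varied. The script below is an added example, not the CIPAV (whose traffic pattern is not public) and not anything from the affidavit. It parses a few constructed proxy log lines and flags client/host pairs whose request timing and response sizes are too uniform for a person. The log format, hostnames, interval and thresholds are assumptions for the example.

```python
"""Beacon detection over proxy logs: flag client/host pairs whose request
timing and response sizes are too regular for human browsing.
Added example; the log lines, hosts and thresholds are constructed."""
import statistics
from datetime import datetime
from urllib.parse import urlparse

# Constructed proxy log (not real data): time, client, method, URL, status, bytes.
# 10.0.0.5 browses normally and also fetches the same small URL every ~300 s.
PROXY_LOG = """\
2007-06-14T10:00:00 10.0.0.5 GET http://www.myspace.example/index.cfm 200 48211
2007-06-14T10:00:02 10.0.0.5 GET http://www.myspace.example/images/logo.gif 200 3021
2007-06-14T10:00:05 10.0.0.5 GET http://files.example.net/u/ping?id=7 200 312
2007-06-14T10:00:41 10.0.0.5 GET http://www.myspace.example/messages 200 15980
2007-06-14T10:05:04 10.0.0.5 GET http://files.example.net/u/ping?id=7 200 310
2007-06-14T10:07:13 10.0.0.9 GET http://news.example.org/ 200 61002
2007-06-14T10:10:07 10.0.0.5 GET http://files.example.net/u/ping?id=7 200 314
2007-06-14T10:12:55 10.0.0.5 GET http://www.myspace.example/profile?id=12 200 51120
2007-06-14T10:15:03 10.0.0.5 GET http://files.example.net/u/ping?id=7 200 311
2007-06-14T10:20:06 10.0.0.5 GET http://files.example.net/u/ping?id=7 200 309
2007-06-14T10:21:40 10.0.0.9 GET http://news.example.org/story/44 200 22890
2007-06-14T10:25:02 10.0.0.5 GET http://files.example.net/u/ping?id=7 200 313
2007-06-14T10:30:05 10.0.0.5 GET http://files.example.net/u/ping?id=7 200 312
2007-06-14T10:34:19 10.0.0.9 GET http://news.example.org/ 200 60871
2007-06-14T10:35:04 10.0.0.5 GET http://files.example.net/u/ping?id=7 200 310
"""


def parse_proxy_log(text):
    """Parse the assumed space-separated format into dicts; skips blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, _status, size = line.split()
        records.append({
            "time": datetime.fromisoformat(ts),
            "client": client,
            "host": urlparse(url).hostname,
            "bytes": int(size),
        })
    return records


def find_beacons(records, min_requests=5, max_interval_cv=0.2, max_size_cv=0.25):
    """Return client/host pairs that look like periodic check-ins.

    For each pair with at least min_requests requests, compute the coefficient
    of variation (stdev / mean) of the gaps between requests and of the
    response sizes. Low values on both mean a fixed-period, fixed-size poll.
    """
    min_requests = max(min_requests, 3)  # need >= 2 intervals for a stdev
    by_pair = {}
    for r in records:
        by_pair.setdefault((r["client"], r["host"]), []).append(r)

    hits = []
    for (client, host), reqs in by_pair.items():
        if len(reqs) < min_requests:
            continue
        reqs.sort(key=lambda r: r["time"])
        intervals = [(b["time"] - a["time"]).total_seconds()
                     for a, b in zip(reqs, reqs[1:])]
        sizes = [r["bytes"] for r in reqs]
        mean_interval = statistics.mean(intervals)
        mean_size = statistics.mean(sizes)
        if mean_interval == 0 or mean_size == 0:
            continue  # duplicate timestamps or empty responses: not a timing signal
        interval_cv = statistics.stdev(intervals) / mean_interval
        size_cv = statistics.stdev(sizes) / mean_size
        if interval_cv <= max_interval_cv and size_cv <= max_size_cv:
            hits.append({
                "client": client, "host": host, "requests": len(reqs),
                "mean_interval": mean_interval, "interval_cv": interval_cv,
                "mean_size": mean_size, "size_cv": size_cv,
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_proxy_log(PROXY_LOG)):
        print(f"{hit['client']} -> {hit['host']}: {hit['requests']} requests, "
              f"every {hit['mean_interval']:.0f}s (cv {hit['interval_cv']:.3f}), "
              f"~{hit['mean_size']:.0f} bytes (cv {hit['size_cv']:.3f})")
```

Two caveats a practitioner should keep in mind. The check only sees traffic that actually traverses the proxy, which is exactly the case the paragraph describes for a proxy-aware implant; a trojan that tunnels elsewhere leaves nothing here. And a fixed five-minute period with a few seconds of jitter is the easy case; an implant that randomizes its interval widely or rides along with the user's own browsing pushes the interval CV above the threshold, so this is one signal to combine with others (new or rare destination hosts, requests outside working hours), not a detector on its own.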
