Silk Road forums

Discussion => Security => Topic started by: yum on February 17, 2012, 12:25 pm

Title: how to detect and possibly remove cipav from your computer
Post by: yum on February 17, 2012, 12:25 pm
How would one go about firstly detecting CIPAV on one's computer (the FBI spy trojan) and then removing it? Are there any special ports or IP ranges I should look out for and possibly block?
Title: Re: how to detect and possibly remove cipav from your computer
Post by: kmfkewm on February 17, 2012, 12:33 pm
CIPAV is a blanket term for "FBI exploit that pwns you and sends back your IP address" so it isn't going to leave a specific fingerprint unless they re-use the same CIPAV. You could look into snort and other intrusion detection systems. You could also use computer security techniques to try to make it so they can't manage to pwn you with a CIPAV (ASLR, etc) or to limit the damage their CIPAV can do (Isolation, etc).
Title: Re: how to detect and possibly remove cipav from your computer
Post by: sourman on February 17, 2012, 01:51 pm
Let's see... where to start?

If they actually manage to get a CIPAV on your machine, I doubt it would be possible to find it without either analyzing the OS offline or sniffing network traffic on the wire for any unauthorized connections. IIRC, CIPAV is just a really good rootkit deployed by federal law enforcement's version of an exploit kit. Your best bet is not to get infected in the first place. If you run SR from within a virtual machine or sandbox while using the latest version of TBB with all scripting disabled and a solid, non-US made security software suite with HIPS capabilities running and set NOT to automatically trust digitally signed/popular executables, I doubt they would have an easy way in.

To really minimize the risks, just boot the OS into RAM on a roaming laptop without a hard drive and don't use an internet connection tied to you. Even if they get a CIPAV to install, they won't be able to verify anything but the IP of, say, the open wifi you're using. As soon as you turn off the computer, everything saved to RAM is gone. Unless they have some super duper secret method of embedding complex trojans in your CMOS, the CIPAV won't automatically come back. If CIPAV (or a similar trojan) has keylogging abilities that can hide from all known HIPS and "anti-logger" type software, then you have another problem on your hands: they may not be able to track you down, but they can steal some of your login info and any files you had sitting around instead. This is even worse, which is why everyone should change very sensitive passwords literally as often as possible. Two factor authentication, anyone?
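One way to act on the "sniff the wire for unauthorized connections" advice above, as an added example that is not from this thread or any poster: an egress check over constructed netstat-style rows, assuming the browsing VM's only legitimate destination is a local Tor SOCKS listener on 127.0.0.1:9050 (an assumption; adjust to your setup). Any other remote endpoint is flagged as a possible Tor bypass or beacon worth investigating.

```python
import ipaddress

# Constructed sample rows in a netstat-like "proto local remote state program"
# layout. These are not real captures; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges.
SAMPLE_CONNECTIONS = """\
tcp 192.168.1.20:49152 127.0.0.1:9050 ESTABLISHED firefox
tcp 192.168.1.20:49153 127.0.0.1:9050 ESTABLISHED firefox
tcp 192.168.1.20:49160 203.0.113.7:443 ESTABLISHED firefox
udp 192.168.1.20:5353 224.0.0.251:5353 - avahi
tcp 192.168.1.20:49171 198.51.100.9:8080 SYN_SENT updater
"""

# Policy (assumption): the only permitted egress is the local Tor SOCKS port.
ALLOWED_EGRESS = {("127.0.0.1", 9050)}


def parse_rows(text):
    """Parse the constructed rows into dicts; skips malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        proto, local, remote, state, program = parts
        rhost, rport = remote.rsplit(":", 1)
        rows.append({"proto": proto, "local": local,
                     "remote": (rhost, int(rport)),
                     "state": state, "program": program})
    return rows


def unauthorized(rows):
    """Return rows whose remote endpoint is not on the egress allowlist.

    Loopback traffic to other local ports is not egress and is ignored;
    everything else (clearnet, LAN multicast, half-open SYN_SENT) is flagged,
    since any of it leaves the machine without passing through Tor.
    """
    flagged = []
    for row in rows:
        host, port = row["remote"]
        if (host, port) in ALLOWED_EGRESS:
            continue
        if ipaddress.ip_address(host).is_loopback:
            continue
        flagged.append(row)
    return flagged


def flagged_programs(text):
    """Convenience: set of program names with at least one flagged connection."""
    return {row["program"] for row in unauthorized(parse_rows(text))}
```

The direct `firefox -> 203.0.113.7:443` row is the interesting one: a browser that should only speak to Tor is talking to the clearnet, which is exactly the kind of leak an implant would rely on.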
Title: Re: how to detect and possibly remove cipav from your computer
Post by: pine on February 17, 2012, 03:00 pm
Let's see... where to start?

If they actually manage to get a CIPAV on your machine, I doubt it would be possible to find it without either analyzing the OS offline or sniffing network traffic on the wire for any unauthorized connections. IIRC, CIPAV is just a really good rootkit deployed by federal law enforcement's version of an exploit kit. Your best bet is not to get infected in the first place. If you run SR from within a virtual machine or sandbox while using the latest version of TBB with all scripting disabled and a solid, non-US made security software suite with HIPS capabilities running and set NOT to automatically trust digitally signed/popular executables, I doubt they would have an easy way in.

To really minimize the risks, just boot the OS into RAM on a roaming laptop without a hard drive and don't use an internet connection tied to you. Even if they get a CIPAV to install, they won't be able to verify anything but the IP of, say, the open wifi you're using. As soon as you turn off the computer, everything saved to RAM is gone. Unless they have some super duper secret method of embedding complex trojans in your CMOS, the CIPAV won't automatically come back. If CIPAV (or a similar trojan) has keylogging abilities that can hide from all known HIPS and "anti-logger" type software, then you have another problem on your hands: they may not be able to track you down, but they can steal some of your login info and any files you had sitting around instead. This is even worse, which is why everyone should change very sensitive passwords literally as often as possible. Two factor authentication, anyone?

This is why I think the Silk Road should allow you to use OTP or one time passwords. Like you get with using a bank online. A little calculator like widget that allows you to have a different password every single time you access the site. That way LEO impersonating sellers or buyers is impractical.
Title: Re: how to detect and possibly remove cipav from your computer
Post by: sourman on February 17, 2012, 09:49 pm
Yeah, OTP or two factor (personal password + one time pass) would definitely help eliminate the keylogger threat. LE would be PISSED lol.
Title: Re: how to detect and possibly remove cipav from your computer
Post by: Holly on February 18, 2012, 01:43 am
Holy shit this sounds mega tweak o.O how vulnerable do you think we are to this kinda stuff?
Title: Re: how to detect and possibly remove cipav from your computer
Post by: kmfkewm on February 18, 2012, 03:18 am
Holy shit this sounds mega tweak o.O how vulnerable do you think we are to this kinda stuff?

are you using a hardened fully patched system?
Title: Re: how to detect and possibly remove cipav from your computer
Post by: a_blackbird on February 18, 2012, 03:26 am
I wonder how many different OSes they have CIPAV variants for. Certainly every flavor of Windows is vulnerable, and they may well have Linux and OSX versions, too - but what about when you start getting into the less-common desktop OSes - *BSD, Solaris... ? Heh, I'd like to see the Fedz root my 68000-series Amiga. :o
Title: Re: how to detect and possibly remove cipav from your computer
Post by: Holly on February 18, 2012, 04:09 am
Holy shit this sounds mega tweak o.O how vulnerable do you think we are to this kinda stuff?

are you using a hardened fully patched system?

Probably not, you should make a detailed guide!