Is there a way to know if CIPAV is on your PC? (I explain what CIPAV is)

CIPAV is the Computer and Internet Protocol Address Verifier.

It’s a piece of spyware that the government can put on your computer without the user knowing, according to the Wikipedia article.

Does anyone know if there is any truth to this?

Can CIS prevent this?

If not, is there a way to find out if it’s on your computer and get it off?

From what I read here, it’s likely that they are using some zero-day that is not publicly disclosed, or wasn’t at the time. From that information, a HIPS should be able to detect this tool; it’s unlikely that an AV will flag this as ‘CIPAV’. But as the tool needs to gather several details and has to submit them in some form back to the FBI, it’s likely a HIPS would detect some suspicious activity, unless we go into theories like an ‘M$ backdoor by the NSA’ kind of stuff…

As the PDF document (pg 17, 21a) suggests that ‘multiple CIPAVs need to be deployed’ to increase the chance of activation, they don’t seem to have a 100% infection vector; they are depending on some ‘flaw’ to get the user to ‘infect’ the machine(s).

Wow, I’m surprised anyone even replied to this, let alone gave that much insight in their reply. Thank you for such an informative reply.

Can anyone confirm HIPS can prevent this?

I’d really like to see what Melih’s thoughts are on this as well.

Not unless you have a sample of the ‘malware’…

Can you elaborate? Why would I have to have a sample?

Well, if you don’t know exactly how it behaves and what it does, you can’t claim HIPS can find it…
Maybe they have created something they tested against all AVs and known HIPS products and found a way to fly under their radar… unlikely but possible.

The recent HBGary issue shows that there are governments and people who look for 0-day holes in products and then don’t tell the vendor, so they can use this hole for this kind of application.
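The two points made in this thread, that a HIPS watches what a process does rather than what it is called (the reply about a tool having to gather details and submit them back), and that a signature check is useless until you have a sample (the replies just above), can be shown side by side. The following is an added example written for this page, not code from the thread or from any vendor’s HIPS or AV; the event schema, the action names, the “trusted” flag and the sample event log are all constructed for the illustration.

```python
# Added example (not from the forum thread or any vendor product).
# A toy behaviour-based detector: it knows nothing about what a tool is
# called or what it hashes to; it only watches what processes do.
# Event schema, action categories and the sample log are constructed.
from collections import defaultdict

# Actions a tool that "gathers several details" about a host would plausibly
# perform (assumed categories for this example).
COLLECT_ACTIONS = {"read_registry", "enum_adapters", "read_env", "list_processes"}
# The action that turns collected data into a "submit back" step.
NETWORK_ACTIONS = {"connect_out"}

# Constructed sample event log. Fields:
#   pid, image, trusted (policy-whitelisted binary), action, target
SAMPLE_EVENTS = [
    (100, "explorer.exe", True,  "read_registry", r"HKCU\Software\Microsoft\Windows"),
    (200, "update.exe",   False, "read_registry", r"HKLM\SYSTEM\CurrentControlSet\Control\ComputerName"),
    (200, "update.exe",   False, "enum_adapters", "MAC and IP addresses"),
    (200, "update.exe",   False, "connect_out",   "203.0.113.10:443"),
    (300, "browser.exe",  True,  "connect_out",   "198.51.100.5:443"),
    (400, "setup.exe",    False, "read_env",      "USERNAME"),
    (500, "unknown.exe",  False, "connect_out",   "192.0.2.7:80"),
]


def analyze(events):
    """Return one alert per untrusted process that collected host details and
    then initiated an outbound connection. Order matters: a connection seen
    before any collection is not treated as exfiltration of that data."""
    collected = defaultdict(list)   # pid -> (action, target) pairs seen so far
    alerts = {}
    for pid, image, trusted, action, target in events:
        if trusted:
            continue  # whitelisted by policy; a real HIPS would still log it
        if action in COLLECT_ACTIONS:
            collected[pid].append((action, target))
        elif action in NETWORK_ACTIONS and collected[pid] and pid not in alerts:
            alerts[pid] = {
                "image": image,
                "gathered": list(collected[pid]),
                "destination": target,
                "reason": "untrusted process collected host details, then connected out",
            }
    return alerts


def signature_scan(events, known_bad_images):
    """The AV-style check the thread contrasts with: it can only match names
    (or hashes) already in the known-bad set, so with no sample it finds nothing."""
    return sorted({image for _, image, _, _, _ in events if image in known_bad_images})


if __name__ == "__main__":
    for pid, alert in analyze(SAMPLE_EVENTS).items():
        print(f"pid {pid} ({alert['image']}): {alert['reason']}")
        for action, target in alert["gathered"]:
            print(f"    {action}: {target}")
        print(f"    -> {alert['destination']}")
    print("signature hits with no sample:", signature_scan(SAMPLE_EVENTS, set()))
```

The behaviour rule flags `update.exe` (pid 200) from the sequence of actions alone, while `unknown.exe` (pid 500), which connects out without first collecting anything, and `setup.exe` (pid 400), which collects but never connects, are left alone. The signature scan with an empty known-bad set returns nothing, which is the point made in the replies above: a name- or hash-based check cannot claim anything about a tool nobody has a sample of, whereas a behavioural rule at least has something to fire on.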