Warrant divulges FBI high tech malware sent to suspected terrorist email

In a very little publicised case of bomb threats that have been going on for months against US public buildings like universities, hotels and airports, an anonymous caller identifying himself as a friend of James Holmes, continuously warned the FBI that if the Colorado cinema shooter was not released a building full of people would be blown up using Ammonium Nitrate.

An Emergency Discloure Request order sent to Google exposed that the caller was using Google Voice VoIP service to carry out the bomb threats while masking his computer IP with a free VPN service called HotSpotShield, also known as AnchorFree.

Subsequent bomb threats included numerous email exchanges, a chat in between the suspect and an FBI agent using Yahoo Messenger and photographs the suspect sent of, supposedly, himself to the FBI, dressed wearing an Iranian camouflage military uniform.

The FBI trojan horse is referred to in the search warrant application as Network Investigative Technique (NIT) and it was sent to the suspect’s Yahoo email address “texan.slayer@yahoo.com” in the form of a link, it should have been executed when the suspected terrorist logged into his email account, connecting to FBI servers and downloading malware to let law enforcement know the following:

– Computer IP address,┬ácomputer network card MAC address, list of open ports, a list of running programs, operating system and Windows serial number, web browser brand and version, computer’s language encoding and default language, computer time zone, previous visited websites and other identifying information that could be of assistance.

The document shows that the trojan horse failed to execute correctly but not before revealing that the person making bomb threats was doing so from Iran.

There is no specific information about how the FBI executed the malware but since a download link is mentioned, I will make a guess, without backing evidence, of how it could have been done, by saying that that the trojan horse could have been embedded in an HTML formatted email and executed with Javascript as soon as the suspect opened the email message.

Leave a Reply