How did the CIPAV get onto the targeted computer?
Hard to say specifically, but we can deduce some things from the affidavit and MySpace, which the CIPAV took aim at. Some user action was clearly required to infect the PC with the CIPAV. In the warrant application, the FBI used the term "activate" several times and alluded to a spyware plant failure if the target did not trigger the CIPAV through the targeted MySpace account. MySpace accounts can’t receive traditional e-mail, so one hacker standard — attach the CIPAV to a message and hope the recipient is stupid enough to launch it — wasn’t available. Instead, the most likely tactic would have been to send a URL to the suspect account using MySpace’s own instant messaging and/or Web mail system. If the suspect clicked on the link — it would have had to be enticing, so use your imagination here — and visited the FBI-owned malicious site, an exploit for a zero-day vulnerability (or an unpatched one on the suspect’s PC) would have let the government download CIPAV to the target hard drive.