WikiLeaks published new documents from what it calls the Vault 7 trove describing how the CIA targets Windows users. The files pertain mostly to Grasshopper, a framework used to build custom installation executables, and the agency's use of the Carberp malware in its Stolen Goods persistence mechanism. This leak puts the spotlight on another of the CIA's internal tools and on how it repurposes public malware to suit its own purposes.
Grasshopper's user guide explains that it was used to build and execute custom malware. Operators could choose from various installers, target devices based on which version of Windows they run or which antivirus software is installed, and decide whether the malware should create a log file when it runs. In theory this would improve the agency's chances of compromising its target while reducing the odds of getting caught or affecting other people.
It's kind of like the spying equivalent to Build-A-Bear Workshop. The CIA gathered installers, payloads, and persistence mechanisms so operators could put them together as if they were children making a custom stuffed animal instead of spies designing malware for specific targets. Operators could also customize Grasshopper itself if they wanted to use a particular tool or needed more control over the malware they were trying to build.
One of those persistence mechanisms--tools that keep malware on a target machine and help it evade detection by security software--was called Stolen Goods. Here's what the Stolen Goods user manual has to say about its origins:
The components were taken from malware known as Carberp, a suspected Russian rootkit used by organized crime. The source of Carberp was published online, and has allowed AED\RDB to easily 'borrow' components as needed from the malware. Most of Carberp was not used in Stolen Goods 2, specifically all the Bot net/Communications components. The persistence method, and parts of the installer, were taken and modified to fit our needs. All components taken from Carberp were carefully analyzed for hidden functionality, backdoors, vulnerabilities, etc. A vast majority of the original Carberp code that was used has been heavily modified. Very few pieces of the original code exist unmodified.
This kind of source code theft is common among malware creators. Few build everything from scratch--most take someone else's work and customize or improve it to suit their own purposes. Many others simply use off-the-shelf malware instead of even attempting to code something themselves. Stolen Goods shows that the CIA is no different. If something works, it works, and the intelligence agency has no qualms about repurposing it.
You can find out more about Grasshopper and Stolen Goods in WikiLeaks' latest release from the Vault 7 trove. The organization previously revealed how the CIA tries to work around end-to-end encrypted communications tools, bypasses Windows antivirus software, and considers the possibility of assassination via remote car hack.
Don't worry, all the car makers with whom we spoke assured us that you probably won't be killed by hackers, and antivirus companies have patched up vulnerabilities revealed in the Vault 7 documents. Companies like Cisco have also been digging through WikiLeaks' materials to find critical security flaws that the organization didn't highlight in its own blog posts.
The documents published today appear to have been written between 2012 and 2014. Not all of them were dated--the Grasshopper user guide has no date, for example, although the admin guide says it was published in December 2013. Microsoft and other security companies may have already addressed the vulnerabilities exploited by the framework and its components.
We reached out to Microsoft for comment on these latest files, and a Microsoft spokesperson stated:
Our investigation confirmed that the information released on April 7 does not impact modern systems. For the best defense against security threats, we recommend Windows 10, which is updated automatically by default.
Well, MS, I have the feeling that your whole updating system is the spy. How about that?
WikiLeaks is a CIA project. FACT :)
Enjoy them rubles.
They only leak what they allow you to know... but the big deal is threatening world leaders to stay in place or WikiLeaks will expose their secrets without the USA being a suspect :)
And the other, more important thing: once people trust WikiLeaks, they can tell any lie they wish and people will believe it...
Want to bet?
Let me ask you, where are the "leaks" about 9/11? Or about "Israel"?
Never mind the fact that there are levels to which you can dial down telemetry (even the useful kind) and disable digital assistants. With a little tweaking you can even disable all the telemetry/logging, even the most harmless basic Win9x-era offline userland logging. Just run Spy Disabler. It's practically a paranoid person's dream. Then I don't have to read the same posts about a subset of the telemetry Google has been collecting (and selling) for a decade.
Speaking of which, with Android the only way to shut that stuff down would be to cook a custom ROM or use a trusted one that might be good... and with iOS good luck.