Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
Privacy Windows Government Operating Systems Hardware Technology

WikiLeaks Reveals Grasshopper, the CIA's Windows Hacking Tool (thenextweb.com) 87

An anonymous reader quotes a report from The Next Web: In case you haven't had your dose of paranoia fuel today, WikiLeaks released new information concerning a CIA malware program called "Grasshopper," that specifically targets Windows. The Grasshopper framework was (is?) allegedly used by the CIA to make custom malware payloads. According to the user guide: "Grasshopper is a software tool used to build custom installers for target computers running Microsoft Windows operating systems." Grasshopper is designed to detect the OS and protection on any Windows computer on which it's deployed, and it can escape detection by anti-malware software. If that was enough for you to put your computer in stasis, brace yourself for a doozy: Grasshopper reinstalls itself every 22 hours, even if you have Windows Update disabled. As if this wasn't alarming enough, the Grasshopper user guide even states upfront that Grasshopper uses bits from a toolkit taken from Russian organized crime.
This discussion has been archived. No new comments can be posted.

WikiLeaks Reveals Grasshopper, the CIA's Windows Hacking Tool

Comments Filter:
  • Windows Update (Score:3, Informative)

    by phantomfive ( 622387 ) on Friday April 07, 2017 @06:44PM (#54195269) Journal
    malware removed:

    dd if=/dev/zero of=/dev/ntfs
  • At least it's free (Score:4, Informative)

    by Anonymous Coward on Friday April 07, 2017 @06:45PM (#54195289)

    Fortunately, all software authored by the federal government is automatically in the public domain, so perfectly legal to reverse engineer, copy, etc.

    • by Anonymous Coward

      Fortunately, all software authored by the federal government is automatically in the public domain, so perfectly legal to reverse engineer, copy, etc.

      Well, other than when it gets classified as a "Munition", in which case it might be illegal to even possess it.

      Also, this statement in the summary:

      As if this wasn't alarming enough, the Grasshopper user guide even states upfront that Grasshopper uses bits from a toolkit taken from Russian organized crime.

      No, BeauHD, that's not fucking alarming at all. There's nothing even remotely alarming about that. Big fucking deal, they borrowed some attack code. Quit trying to be edgy, you suck at it.

      • by BlueStrat ( 756137 ) on Friday April 07, 2017 @10:31PM (#54196319)

        As if this wasn't alarming enough, the Grasshopper user guide even states upfront that Grasshopper uses bits from a toolkit taken from Russian organized crime.

        No, BeauHD, that's not fucking alarming at all. There's nothing even remotely alarming about that. Big fucking deal, they borrowed some attack code. Quit trying to be edgy, you suck at it.

        What IS alarming is that instead of helping US infrastructure protect itself from Russian malware, they simply hop on the gravy-train for their own cut of that sweet, sweet US data security.

        Remind me, *who* exactly are our enemies, again? Having trouble here detecting significant differences.

        Strat

        • by TheGratefulNet ( 143330 ) on Friday April 07, 2017 @10:47PM (#54196379)

          there's a limited amount of pain that a foreign entity or a US corp entity could do to me.

          otoh, the US gov can do a LOT of damage to its own people.

          I worry more about our own spying and malware delivery (btw, what would our founding fathers think about THAT?) than from sources outside the US.

          the terrorists to worry the most about: our own government

          and not the elected ones. its the ones that we don't elect that are above the law, those are what I would be the most concerned about.

          they continue to be untouchable and you can't sue them or stop them.

          damn.

          • by Anonymous Coward

            You need to think of it in terms of expected damage, not just possible damage. Yes the CIA/NSA/whoever could theoretically suddenly decide to put you under surveillance, start monitoring all your communications, misinterpret your emails to Mom as coded threats to blow up the White House, then execute you for treason or send you to Gitmo to rot, but the odds of that happening are infinitesimal, and there's no record of it ever happening to any (innocent) American in the 10 years since PRISM started. Foreig

          • by Anonymous Coward

            Most of your email, and online services are provided by the USA so you kid yourself that CIA is more a threat to the US than other countries.

            Google? USA, Facebook? USA, Microsoft? USA. Most of your data runs over USA owned fibre on its route, how many of your local apps are actually run on Amazon cloud?

            Then there's all of the third country stuff that depends on the US market, and thus complies with US demands. e.g. Samsung?

            And USA has essentially been hacked by Russia, it's so blatant, that Trump *informed*

        • Remind me, *who* exactly are our enemies, again? Having trouble here detecting significant differences.

          Easy. Anyone connected to the internet is your enemy. That makes security a lot easier to understand.

        • What IS alarming is that instead of helping US infrastructure protect itself from Russian malware,...

          Well, since MS is supplying Russia with their OS also, any help they give helps Russia's infrastructure protect itself against US malware.

    • by chill ( 34294 )

      Sorry, you need to read the fine print.

      While gov't can't CREATE copyright, they most certainly can HOLD it. Materials created by CONTRACTORS and not FEDS can be copyrighted with that copyright held by the gov't.

  • by Anonymous Coward

    Just like Windows updates whether you want them or not.

    • by Anonymous Coward

      That's even more annoying when they push a driver update that keeps your computer from booting. With our Dell Latitude E6440 laptops, we currently have a problem with a driver, and even though we have Enterprise edition and WSUS, somehow that driver keeps sneaking itself in. Just tracking hours logged in support tickets, and we know it's many more since we don't do a good job of tracking, we've already wasted nearly ten man-years on this issue. That's over a million dollars not even counting the opportun

      • If you've tried http://winsupersite.com/window... [winsupersite.com] and it didn't work, you're not alone. My guess is MS simply doesn't give a shit and that option never, ever, worked.

        Instead, try https://support.microsoft.com/... [microsoft.com] . Scroll down to the download link to get the "troubleshooter" tool which will let you hide/disable specific updates. This will only help you if the updates are coming in via Windows Update and not some Dell utility.

        • by Anonymous Coward

          We spend seven figures per year with Microsoft, and they don't care that even though we hide updates that that doesn't work. They don't care that we have hundreds of computers that are unbootable because of updates.

  • I think someone misspelled Stasi [wikipedia.org]. Also, cue something about it lying heavy.
  • by CaptainDork ( 3678879 ) on Friday April 07, 2017 @06:56PM (#54195337)

    ... the CIA got a job to do.

    I'd feel better about them if they could keep a secret, but let me restate CaptainDork's corollary:

    For every motherfucker out there with a computer, there's another motherfucker out there with a computer. ~ © 2017 CaptainDork

    • Re: (Score:3, Interesting)

      by rtb61 ( 674572 )

      For any serious computer geek, they often have more than one. I am up to four, generally buying a replacement when ever one breaks whilst also repairing that broken one to become a spare. I just can't bring myself to sell the old ones, so many fond memories. Only two have been hacked, the oldest one on purpose to see how difficult is was to clean up, interesting exercise and good practice (I just installed an app from an expected criminal web site to see what would happen, what changes, what extra installed

      • Re: (Score:2, Interesting)

        I have 8 desktop computers and two portables.

        4 desktops are Windows XP PRO with registry hack to make them appear to be embedded [pcworld.com], like an ATM or something, so they continue to get security updates.

        They are in service on the local WiFi only for closed security camera duty.

        One desktop is Windows 7 and because it has a touch screen, can't be upgraded to Windows 10. Another is Windows 8, updated to Windows 10, the other is Windows 8.1, updated to 10, and my primary is Windows 10 Home Edition.

        I got hit with faux

  • by Anonymous Coward

    Ok so if the CIA knows everything about me, including what kind of porn I like, can the CIA help me to find a date?

    No?

    Well now I'm outraged.

    • Yes, they can.

      The CIA has the capability to spy on you, find what you like, and match it with someone who can win your affection, and appear to return affection as well. In fact, that capability is entirely within their mandate as an espionage and intelligence organization, as you might be a foreign agent on whom a honey trap [wikipedia.org] may work well.

      However, unless they have a good reason to interfere with your romantic escapades, they won't do anything. Mostly, they won't because you're not important enough to justi

  • by Anonymous Coward

    you see this is why linux sucks.

  • is there any evidence of the description being genuine? this looks so blatantly staged as a last straw for the orange one and his gang to climb out of the Russian collusion quagmire that I had to laugh hard when I read this
    • by AHuxley ( 892839 )
      Many security experts, consultants, private sector groups will be looking at this. Strange code would not last long once published.
      Note the code litter is again made to look like another nation.
  • The GNU Project told us about Microsoft malware [gnu.org] long ago, including what is accurately listed "Microsoft Windows has a universal back door through which any change whatsoever can be imposed on the users [informationweek.com]" pointing to a mainstream media news reference from 2007 and another link indicating when this was used, and a pointer to a Condé Nast article talking about the (apparently ongoing) forced Windows Updates. Microsoft is also the first PRISM partner [washingtonpost.com] with the NSA joining on September 11, 2007, according to an internal NSA document [washingtonpost.com] so they have quite a long history of being untrustworthy but the underlying power they're leveraging comes from proprietary software.

    Other proprietors are no more trustworthy. Apple didn't fix an intentional back door for 4 years [wordpress.com], Apple didn't fix an iTunes backdoor [telegraph.co.uk] through which others could have gained control of systems running the software. Apple joined PRISM in October 2012. Other proprietors with names you know (Yahoo, Facebook, Google, YouTube, etc.) joined in between the Microsoft and Apple partnerships.

    The theme remains the same: it doesn't matter who the proprietor is (Microsoft in this case), proprietary software is always untrustworthy and this doesn't change even after applying lots of updates from the proprietor. Just because a new version is out, or a patch released does not mean the back door is shut or that you can verify their work (or even get someone more technically skilled to verify it on your behalf).

    Now we have more confirmation of how the threats come from other directions, not just the proprietor, and that the threat is more organized than we commonly knew. Evidence like this immediately advances the discussion beyond the distraction of calling someone a 'tinfoil hat wearer' or other such nonsense, as did the Snowden documents. And WikiLeaks maintains their perfect record for authenticity in their publications—as far as we can tell these documents are what WikiLeaks claims they are. Proprietary software is always a threat. Software freedom [gnu.org] is no guarantee of safety, but you're better off having software you can inspect, run, share, and modify (AKA control) than not. You simply can't trust proprietors to do right by you and all computer users deserve software freedom.

    • by Somebody Is Using My ( 985418 ) on Friday April 07, 2017 @08:42PM (#54195881) Homepage

      Except this doesn't sound like a backdoor in Windows. The article is short on details, but if it uses a "custom installer", this sounds more like a trojan. Once the software is installed, your machine is compromised but that's pretty much true for every consumer OS. As it is a customized trojan, its signature won't show up in anti-virus databases. Once it is installed, it can co-op the target system, ensuring it can't be easily detected or removed. Its a bit trickier to write this sort of spyware these days, but in no way impossible even for run-of-the-mill criminals, much less an organization with the resources and talent of the CIA

      How they get the target to install the trojan is probably different in each instance, and possibly requires the assistance of software vendors (Microsoft, McAfee, whatever) or the target's ISP so that when the already-running and legitimate software is served the trojan when it checks for an update (alternately, they might just sneak an agent with a USB drive into the target's home and install the trojan when the target is out to lunch or something).

      It's like really nasty spyware customized for a very specific user.

      In fact, that the CIA is forced to use these sorts of tactics speaks against the idea of there being a universal backdoor in Windows (beyond, you know, the usual and sadly universal backdoor of insecure coding and bad security practices on the part of the user).

      • by AHuxley ( 892839 )
        Symantec Endpoint did find Cricket Install under the 'Scheduled Task EXE VARIANTESET"
        But it gets past so many vendors, how good was behavioral detection at the time?
      • by AHuxley ( 892839 )
        The CIA likes a few different methods to get in. Why risk network detection on the way in or out of a complex, secure network? So a lot of methods need a human on site to access a computer system from a trusted location. Why risk a network and firewall when charming local staff gets past a lot of very powerful, bespoke network protections?
        When done, collect the data in person and remove all traces. Or have the network send out trusted data from within.
        Thats why the network vs needs physical access is
  • You can bet that any large OS developer or security product staff has been penetrated by US agents and probably has covertly placed them on staff. The very products that you use to protect your systems probably grant access to US agents.
  • I figured Putin would be releasing that today

  • by grilled-cheese ( 889107 ) on Friday April 07, 2017 @11:34PM (#54196557)
    Your first though is that you're jealous of how good their documentation is.
  • by Anonymous Coward

    Why is this link being routed through a twitter account and then going to thenextweb.com, rather than just going to wikileaks. This is the link without the spyware tracking and the pointless intermediate article:
    https://wikileaks.org/vault7/#... [wikileaks.org]

What is algebra, exactly? Is it one of those three-cornered things? -- J.M. Barrie

Working...