{"id":6901,"date":"2017-03-08T10:30:04","date_gmt":"2017-03-08T18:30:04","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/03\/08\/news-692\/"},"modified":"2017-03-08T10:30:04","modified_gmt":"2017-03-08T18:30:04","slug":"news-692","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2017\/03\/08\/news-692\/","title":{"rendered":"CIA hacking tools targeting Windows"},"content":{"rendered":"

<\/p>\n

Credit to Author: Darlene Storm| Date: Wed, 08 Mar 2017 08:22:00 -0800<\/strong><\/p>\n

By releasing information about CIA hacking tools, WikiLeaks has given a new meaning to March Madness.<\/p>\n

The CIA\u2019s project Fine Dining<\/a> is intriguing, since it outlines DLL hijacks for Sandisk Secure, Skype, Notepad++, Sophos, Kaspersky, McAfee, Chrome, Opera, Thunderbird, LibreOffice, and some games such as 2048<\/em>, which the CIA writer \u201cgot a good lol out of.\u201d Yet I was curious about what the CIA does to targeted machines running Windows since so many people use the OS.<\/p>\n

Nearly everything dealing with the CIA hacking arsenal and Windows is labeled as \u201csecret.\u201d Nicholas Weaver, a computer scientist at the University of California at Berkeley, told<\/a> NPR that the Vault 7 release is not all that big of a deal, not too surprising the agency hacks. Yet if \u201cYear Zero\u201d was obtained by a non-government hacker compromising the CIA\u2019s system, then that would be a big deal.<\/p>\n

Weaver said, \u201cSpies gonna spy, that\u2019s dog bites man. Spy dumps data on WikiLeaks, proving that they exfiltrated it from a top secret system? That\u2019s man bites dog.\u201d<\/p>\n

However it was obtained and handed to WikiLeaks for the world to peruse, here are some of the things revealed that the CIA allegedly uses to target Windows.<\/p>\n

Persistence modules<\/a> are listed under Windows>Windows Code Snippets and are labeled as \u201csecret.\u201d This would be used after a target has been infected. In the words of WikiLeaks<\/a>, persistence is how the CIA would \u201ckeep its malware infestations going.\u201d<\/p>\n

The CIA\u2019s persistence models for Windows include: TrickPlay<\/a>, Constant Flow<\/a>, HighClass<\/a>, Ledger<\/a>, QuickWork<\/a> and SystemUptime<\/a>.<\/p>\n

Of course before malware can persist, it must be deployed. There are four sub-pages listed under payload deployment modules<\/a>: in-memory executables, in-memory DLL execution, on-disk DLL loading and on-disk executables.<\/p>\n

There are eight processes listed as \u201csecret\u201d under payload deployment for on-disk executables: Gharial<\/a>, Shasta<\/a>, Speckled<\/a>, Chorus<\/a>, Tiger<\/a>, Greenhorn<\/a>, Leopard<\/a> and Spadefoot<\/a>. The six payload deployment modules for in-memory DLL execution include: Inception<\/a>, two takes<\/a> on Hypodermic<\/a> and three<\/a> on<\/a> Intradermal<\/a>. Caiman<\/a> is the only payload deployment module listed under on-disk DLL loading.<\/p>\n

What might a spook do once inside a Windows box to get the data out? Marked as \u201csecret\u201d under Windows data transfer modules, the CIA purportedly uses:<\/p>\n

Under function hooking in Windows, which would allow a module to be tapped into to do something specific that the CIA wanted done, the list included: DTRS<\/a> which hooks functions using Microsoft Detours, EAT_NTRN<\/a> which modifies entries in EAT, RPRF_NTRN<\/a> which replaces all references to the target function with the hook, and IAT_NTRN<\/a> which allows for \u201ceasy hooking of Windows API.\u201d All the modules use \u201calternate data streams which are only available on NTFS volumes\u201d and the sharing levels include the entire Intelligence community.<\/p>\n

WikiLeaks said it avoided distributing \u201carmed cyberweapons until a consensus emerges on the technical and political nature of the CIA’s program and how such \u2018weapons\u2019 should analyzed, disarmed and published.\u201d Privilege escalation and execution vectors on Windows are among those which were censored.<\/p>\n

There are six sub-pages dealing with CIA \u201csecret\u201d privilege escalation modules<\/a>, but WikiLeaks chose not to make the details available; presumably this is so every cyberthug in the world won’t take advantage of them.<\/p>\n

CIA \u201csecret\u201d execution vectors<\/a> code snippets for Windows include EZCheese, RiverJack, Boomslang and Lachesis \u2013 all of which are listed but not released by WikiLeaks.<\/p>\n

There is a module to lock and unlock system volume information<\/a> under Windows access control. Of the two Windows string manipulation snippets<\/a>, only one<\/a> is labeled as \u201csecret.\u201d Only one<\/a> snippet of code for Windows process functions is marked as \u201csecret\u201d and the same is true for Windows list snippets<\/a>.<\/p>\n

Under Windows file\/folder manipulation, there is one<\/a> to \u201ccreate directory with attributes and create parent directories,\u201d one for path manipulation<\/a> and one to capture and reset file state<\/a>.<\/p>\n

Two \u201csecret\u201d modules are listed under Windows user information<\/a>. One \u201csecret\u201d module each is listed for Windows file information<\/a>, registry information<\/a> and drive information<\/a>. Naive sequence search<\/a> is listed under memory searching. There is one module under Windows shortcut files<\/a> and file typing also has one<\/a>.<\/p>\n

Machine information has eight sub-pages; there are three \u201csecret\u201d modules listed under Windows Updates<\/a>, one \u201csecret\u201d module under User Account Control<\/a> \u2013 which elsewhere \u2013 GreyHatHacker.net got a mention under Windows exploitation articles for bypassing User Account Control<\/a>.<\/p>\n

These examples are mere drops in a bucket when it comes to Windows-related CIA files<\/a> dumped by WikiLeaks so far.<\/p>\n

http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

<\/p>\n

Credit to Author: Darlene Storm| Date: Wed, 08 Mar 2017 08:22:00 -0800<\/strong><\/p>\n

\n
\n

By releasing information about CIA hacking tools, WikiLeaks has given a new meaning to March Madness.<\/p>\n

The CIA\u2019s project Fine Dining<\/a> is intriguing, since it outlines DLL hijacks for Sandisk Secure, Skype, Notepad++, Sophos, Kaspersky, McAfee, Chrome, Opera, Thunderbird, LibreOffice, and some games such as 2048<\/em>, which the CIA writer \u201cgot a good lol out of.\u201d Yet I was curious about what the CIA does to targeted machines running Windows since so many people use the OS.<\/p>\n

Nearly everything dealing with the CIA hacking arsenal and Windows is labeled as \u201csecret.\u201d Nicholas Weaver, a computer scientist at the University of California at Berkeley, told<\/a> NPR that the Vault 7 release is not all that big of a deal, not too surprising the agency hacks. Yet if \u201cYear Zero\u201d was obtained by a non-government hacker compromising the CIA\u2019s system, then that would be a big deal.<\/p>\n

To read this article in full or to leave a comment, please click here<\/a><\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[11072,11073,714,11079],"class_list":["post-6901","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-cybercrime-hacking","tag-malware-vulnerabilities","tag-security","tag-windows-pcs"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6901","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=6901"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6901\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=6901"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=6901"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=6901"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}