WikiLeaks Reveals Grasshopper, the CIA's Windows Hacking Tool

An anonymous reader quotes a report from The Next Web: In case you haven't had your dose of paranoia fuel today, WikiLeaks released new information concerning a CIA malware program called "Grasshopper," that specifically targets Windows. The Grasshopper framework was (is?) allegedly used by the CIA to make custom malware payloads. According to the user guide: "Grasshopper is a software tool used to build custom installers for target computers running Microsoft Windows operating systems." Grasshopper is designed to detect the OS and protection on any Windows computer on which it's deployed, and it can escape detection by anti-malware software. If that was enough for you to put your computer in stasis, brace yourself for a doozy: Grasshopper reinstalls itself every 22 hours, even if you have Windows Update disabled. As if this wasn't alarming enough, the Grasshopper user guide even states upfront that Grasshopper uses bits from a toolkit taken from Russian organized crime.

Windows Update

[phantomfive]

malware removed:

dd if=/dev/zero of=/dev/ntfs

Re: Windows Update

I say fsck /dev/ntfs

Re:Windows Update

And then it gets back in the same way it got in the first time?

Re:Windows Update

[bill_mcgonigle]

Nope, it got reinstalled from the EFI rootkit.

Re:Windows Update

LOL a LINUX joke on SLASHDOT LOL

Re:Windows Update

C:\Windows>dd
'dd' is not recognized as an internal or external command,
operable program or batch file.

Dammit, can't get rid of Windows.

Re: Windows Update

Microsoft resists all standards.

Re: Windows Update

Since Microsoft bought CPM; they have not innovated.

Re:Windows Update

but you must speak with Russian akzent, da?

Re: Windows Update

Microsoft bought CP/M? It must have been recently.

Re: Windows Update

Wot, you don't have Cygwin installed? You should give your geek card back.

Re: Windows Update

[K.+S.+Kyosuke]

It gets repaired to an ext4? ;)

Re:Windows Update

Nope, it got reinstalled from the EFI rootkit.

Nope, it got reinstalled from the Mac App Store.

Re:Windows Update

[AmiMoJo]

Actually quite a good PROTIP there. Many AV vendors offer Linux boot CDs that are more effective at removing viruses than AV software running on Windows. That's because the Linux NTFS driver ignores file/user permissions that prevent Windows software from removing infected files.

Re: Windows Update

Geeks don't use that, for they spend as little time in Windows as possible.

Re: Windows Update

Bs, av software has kernel drivers that dont care about acl

Russia Reveals Grasshopper..

FTFY

At least it's free

Fortunately, all software authored by the federal government is automatically in the public domain, so perfectly legal to reverse engineer, copy, etc.

Re:At least it's free

Fortunately, all software authored by the federal government is automatically in the public domain, so perfectly legal to reverse engineer, copy, etc.

Well, other than when it gets classified as a "Munition", in which case it might be illegal to even possess it.

Also, this statement in the summary:

As if this wasn't alarming enough, the Grasshopper user guide even states upfront that Grasshopper uses bits from a toolkit taken from Russian organized crime.

No, BeauHD, that's not fucking alarming at all. There's nothing even remotely alarming about that. Big fucking deal, they borrowed some attack code. Quit trying to be edgy, you suck at it.

Re:At least it's free

[BlueStrat]

As if this wasn't alarming enough, the Grasshopper user guide even states upfront that Grasshopper uses bits from a toolkit taken from Russian organized crime.

No, BeauHD, that's not fucking alarming at all. There's nothing even remotely alarming about that. Big fucking deal, they borrowed some attack code. Quit trying to be edgy, you suck at it.

What IS alarming is that instead of helping US infrastructure protect itself from Russian malware, they simply hop on the gravy-train for their own cut of that sweet, sweet US data security.

Remind me, *who* exactly are our enemies, again? Having trouble here detecting significant differences.

Strat

Re:At least it's free

[TheGratefulNet]

there's a limited amount of pain that a foreign entity or a US corp entity could do to me.

otoh, the US gov can do a LOT of damage to its own people.

I worry more about our own spying and malware delivery (btw, what would our founding fathers think about THAT?) than from sources outside the US.

the terrorists to worry the most about: our own government

and not the elected ones. its the ones that we don't elect that are above the law, those are what I would be the most concerned about.

they continue to be untouchable and you can't sue them or stop them.

damn.

Re:At least it's free

But it's Russia! OOGABOOGA PUTIN!!!

Also, CIA malware is unclassified for reasons wikileaks has described (essentially if it was classified it'd be illegal to ever use it), and it's public domain because the government can't copyright things.

Re:At least it's free

[freeze128]

Remind me, *who* exactly are our enemies, again? Having trouble here detecting significant differences.

Easy. Anyone connected to the internet is your enemy. That makes security a lot easier to understand.

Re:At least it's free

You need to think of it in terms of expected damage, not just possible damage. Yes the CIA/NSA/whoever could theoretically suddenly decide to put you under surveillance, start monitoring all your communications, misinterpret your emails to Mom as coded threats to blow up the White House, then execute you for treason or send you to Gitmo to rot, but the odds of that happening are infinitesimal, and there's no record of it ever happening to any (innocent) American in the 10 years since PRISM started. Foreign governments of course have even less reason to care about you.

Non-government malware writers - foreign or domestic - can cause you real harm through all the usual means: ransomware, stealing personal info, hijacking your machine...whatever. Unlikely to happen to any specific individual - depending on their security hygiene - but happens all the time to zillions of people all over the planet.

US corporations, OTOH, are constantly harming you in innumerable ways. Pollution, financial exploitation of customers by banks or investment firms, degradation of employee rights... Advertising alone does more harm to people than anything the government is likely to ever do. Remember advertising by definition is deliberate psychological manipulation designed (usually) to separate you from your money by coercing you into buying shit you otherwise wouldn't have. $200+ billion a year - ~$650 per person per year - is spent on advertising in America, and you can bet they're not getting a negative ROI. (Then add to that whatever value you want to put on all your annoyance and wasted time)

Re: At least it's free

WHAT?! The "land of the free?"
Whoever told you that is your enemy!
Now something must be done
About vengeance, a badge and a gun
Cause I'll rip the mic, rip the stage, rip the system
I was born to Rage Against 'em!
Now action must be taken
We don't need the key, we'll BREAK IN!!

I've got no patience now...
So sick of complacence, now...
I've got no patience, now...
So sick of complacence now..
Sick of, sick of, sick of, sick of...you..
Time...has...come...to...PAY!!!
Know your enemy!

Come on!
Yes, I know my enemies!
They're the teachers who taught me to fight me!
Compromise! Conformity! Assimilation! Submission!
Ignorance! Hypocrisy! Brutality! The elite!
All of which are American dreams!

Re:At least it's free

The original authors - be they Russian or not - have copyright of their code, however.

Re:At least it's free

[chill]

Sorry, you need to read the fine print.

While gov't can't CREATE copyright, they most certainly can HOLD it. Materials created by CONTRACTORS and not FEDS can be copyrighted with that copyright held by the gov't.

Re:At least it's free

The people putting malware into American computers, obviously.

And they've been doing it to our military as well, so maybe a warning of the Mushroom-Cloud variety at Langley would get the point across that any more bullshit of the sort and their budget'll be slashed.

Re:At least it's free

They should sue CIA for stealing their intellectual property.

Re: At least it's free

All software? Who the fuck told you that? Does China just download the US government github or what?

Or is the reason for all these Defence contractors?

Full disclosure: contractor to a contractor.

Re:At least it's free

I don't know where this rumor got started. There is no law or regulation that puts software written by the government into the public domain. Even if there were such a regulation, the government would immediate work-around it by commissioning the software from a contractor -- which of course they already do in most cases.

Re:At least it's free

[painandgreed]

What IS alarming is that instead of helping US infrastructure protect itself from Russian malware,...

Well, since MS is supplying Russia with their OS also, any help they give helps Russia's infrastructure protect itself against US malware.

Jiminy Cricket!

a minced oath for "Jesus Christ"

"einstalls itself every 22 hours"

Just like Windows updates whether you want them or not.

Re:"einstalls itself every 22 hours"

That's even more annoying when they push a driver update that keeps your computer from booting. With our Dell Latitude E6440 laptops, we currently have a problem with a driver, and even though we have Enterprise edition and WSUS, somehow that driver keeps sneaking itself in. Just tracking hours logged in support tickets, and we know it's many more since we don't do a good job of tracking, we've already wasted nearly ten man-years on this issue. That's over a million dollars not even counting the opportunity cost or pissed off customers. Thank you Microsoft.

Re:"einstalls itself every 22 hours"

[sexconker]

If you've tried http://winsupersite.com/window... and it didn't work, you're not alone. My guess is MS simply doesn't give a shit and that option never, ever, worked.

Instead, try https://support.microsoft.com/... . Scroll down to the download link to get the "troubleshooter" tool which will let you hide/disable specific updates. This will only help you if the updates are coming in via Windows Update and not some Dell utility.

Re:"einstalls itself every 22 hours"

We spend seven figures per year with Microsoft, and they don't care that even though we hide updates that that doesn't work. They don't care that we have hundreds of computers that are unbootable because of updates.

Re: "einstalls itself every 22 hours"

Why should they care, you are still paying? You aren't going anywhere. Windows users will put up with ANYTHING.

Re: "einstalls itself every 22 hours"

That is the way of their kind. they want to prevent us from working.

Re: "einstalls itself every 22 hours"

Interestingly, the long boot times just seem to be on the new computers. I followed the super site suggestions, and the boot is longer. There is still the pause, and verify happening. It is still, turn the computer on, get a cup of coffee, and then proceed to do what I want. Checking the logs? It's still indexing? Why? Why not free one or two cores for the operator? Indexing is not a priority issue. Getting the game started is.

Re: "einstalls itself every 22 hours"

Microsoft is horrible. When I complained about this, they sent people to my work to beat me up. They'll probably send people to your house, now.

Stasis?

[TeknoHog]

I think someone misspelled Stasi. Also, cue something about it lying heavy.

It's OK ...

[CaptainDork]

... the CIA got a job to do.

I'd feel better about them if they could keep a secret, but let me restate CaptainDork's corollary:

For every motherfucker out there with a computer, there's another motherfucker out there with a computer. ~ © 2017 CaptainDork

Re:It's OK ...

[rtb61]

For any serious computer geek, they often have more than one. I am up to four, generally buying a replacement when ever one breaks whilst also repairing that broken one to become a spare. I just can't bring myself to sell the old ones, so many fond memories. Only two have been hacked, the oldest one on purpose to see how difficult is was to clean up, interesting exercise and good practice (I just installed an app from an expected criminal web site to see what would happen, what changes, what extra installed, how difficult to clean, rather than reinstall) and the last one I was indifferent to as I guessed the source of the hack and they cleaned it up themselves afterwards (better they come through windows(snicker snicker) than the storm troopers come through the doors). The other two never hacked, well, admittedly I never really turned them back on again once they were fixed, so they have not been near the internet for, well, over a decade (oh I forgot smart phone but I never do anything serious on that, never ever and screw you M$ for not understanding that, spying on desktops ass holes). I'll guess I have to repurpose a windows box to a Linux Box for internet access.

Re:It's OK ...

[CaptainDork]

I have 8 desktop computers and two portables.

4 desktops are Windows XP PRO with registry hack to make them appear to be embedded, like an ATM or something, so they continue to get security updates.

They are in service on the local WiFi only for closed security camera duty.

One desktop is Windows 7 and because it has a touch screen, can't be upgraded to Windows 10. Another is Windows 8, updated to Windows 10, the other is Windows 8.1, updated to 10, and my primary is Windows 10 Home Edition.

I got hit with faux ransomeware years ago. It was simply a wallpaper that fired up on startup. I went into Safe Mode and told it to stop the shit.

Other than that, I've been OK.

I don't run anti-virus. Those are so yesterday and usually come in through email attachments. As a retired systems analyst and network administrator, computers are not my first jigsaw puzzle.

I have put out a request for more surplus desktops from family and friends but people just don't have desktops anymore.

Re:It's OK ...

This is STILL child's play.
Of course the only likely durable universal backdoor is very early in the bootstrap startup process, with the exe's as tiny as possible, and using the registry as a repository of everything if something gets exposed. And you get in 1st position before AV shit starts up.
As the browser is part of their OS, you can bet something is in that too.

Allowing some halfwit installer to load a shopping list of anything from an unprotected registry shopping list - and before unwelcome firewalls or VPN's get busy. (the fix is an external hand compiled packet filter).
And then the payload downloading fixes, or overlays, even sourcing from controller chip firmware.
This implies registry logging and load checking is also looser than diarrhea, and the process monitor may not be displaying the truth.

GMER - Rootkit Detector and Remover www.gmer.net/ will make matters a bit better for the professionally curious - as they compare old and new over time. However GMER may not know about really obscure layouts or jump vectors.

Booting off media that does not change, as used by internet cafes, or read only solid state media will also make matters awkward.
Of course all these firmware and hardware commands still give the authorities the top advantage - but one guesses they don't like that as hardware is all different - requiring a bespoke solution..

One assumes the bios bootstrap then download is the way to go, as there will be outrage if hardware toolkits get open sourced pr

Re:It's OK ...

[CaptainDork]

Bullshit.

It's TL;DR and starts off with buzzwords to make you feel good about yourself.

You got no cred.

You are dismissed.

CIA dating service

Ok so if the CIA knows everything about me, including what kind of porn I like, can the CIA help me to find a date?

No?

Well now I'm outraged.

Re:CIA dating service

can the CIA help me to find a date?

It's in the works. SDAC1433_HONEYPOT.

It's the girl you looked at the other day and thought, "WOW".

Re:CIA dating service

[Sarten-X]

Yes, they can.

The CIA has the capability to spy on you, find what you like, and match it with someone who can win your affection, and appear to return affection as well. In fact, that capability is entirely within their mandate as an espionage and intelligence organization, as you might be a foreign agent on whom a honey trap may work well.

However, unless they have a good reason to interfere with your romantic escapades, they won't do anything. Mostly, they won't because you're not important enough to justify jumping through the legal hoops. If you're not a US citizen, a lot of those hoops fall away automatically, but not all.

Re:CIA dating service

Busted! Joke's on you, I haven't left Mom's basement in weeks. If that fembot shows up, I'll put her to work on Touhou on lunatic difficulty.

"Intelligence" agencies are criminal gangs

with government support.

Re:"Intelligence" agencies are criminal gangs

Exactly right. Just like Special Circumstances in your favorite Culture novels.

Re:"Intelligence" agencies are criminal gangs

Special Circumstances dealt with potential external threats. I don't recall a lot of instances where they were worried about their own citizens.

Re:]e4?

goat

As usual no linux version...

you see this is why linux sucks.

Re:As usual no linux version...

A linux port is in the works! It will contain its own compiler toolchain and recompile itself every 22 hours.

Re:As usual no linux version...

Its called systemd. Pretty soon the kernel will require systemd to interface to UEFI.

staged

[ben_peter3785]

is there any evidence of the description being genuine? this looks so blatantly staged as a last straw for the orange one and his gang to climb out of the Russian collusion quagmire that I had to laugh hard when I read this

Re: staged

You go ahead and stay enraged that Hillary isn't president, while the rest of us discuss malware and computer security.

Oh, be careful that your yahoo email doesn't get phished. By The Russians, of course.

Re:staged

[AHuxley]

Many security experts, consultants, private sector groups will be looking at this. Strange code would not last long once published.
Note the code litter is again made to look like another nation.

Software freedom: best defense against malware

[jbn-o]

The GNU Project told us about Microsoft malware long ago, including what is accurately listed "Microsoft Windows has a universal back door through which any change whatsoever can be imposed on the users" pointing to a mainstream media news reference from 2007 and another link indicating when this was used, and a pointer to a Condé Nast article talking about the (apparently ongoing) forced Windows Updates. Microsoft is also the first PRISM partner with the NSA joining on September 11, 2007, according to an internal NSA document so they have quite a long history of being untrustworthy but the underlying power they're leveraging comes from proprietary software.

Other proprietors are no more trustworthy. Apple didn't fix an intentional back door for 4 years, Apple didn't fix an iTunes backdoor through which others could have gained control of systems running the software. Apple joined PRISM in October 2012. Other proprietors with names you know (Yahoo, Facebook, Google, YouTube, etc.) joined in between the Microsoft and Apple partnerships.

The theme remains the same: it doesn't matter who the proprietor is (Microsoft in this case), proprietary software is always untrustworthy and this doesn't change even after applying lots of updates from the proprietor. Just because a new version is out, or a patch released does not mean the back door is shut or that you can verify their work (or even get someone more technically skilled to verify it on your behalf).

Now we have more confirmation of how the threats come from other directions, not just the proprietor, and that the threat is more organized than we commonly knew. Evidence like this immediately advances the discussion beyond the distraction of calling someone a 'tinfoil hat wearer' or other such nonsense, as did the Snowden documents. And WikiLeaks maintains their perfect record for authenticity in their publications—as far as we can tell these documents are what WikiLeaks claims they are. Proprietary software is always a threat. Software freedom is no guarantee of safety, but you're better off having software you can inspect, run, share, and modify (AKA control) than not. You simply can't trust proprietors to do right by you and all computer users deserve software freedom.

Re:Software freedom: best defense against malware

[Somebody+Is+Using+My]

Except this doesn't sound like a backdoor in Windows. The article is short on details, but if it uses a "custom installer", this sounds more like a trojan. Once the software is installed, your machine is compromised but that's pretty much true for every consumer OS. As it is a customized trojan, its signature won't show up in anti-virus databases. Once it is installed, it can co-op the target system, ensuring it can't be easily detected or removed. Its a bit trickier to write this sort of spyware these days, but in no way impossible even for run-of-the-mill criminals, much less an organization with the resources and talent of the CIA

How they get the target to install the trojan is probably different in each instance, and possibly requires the assistance of software vendors (Microsoft, McAfee, whatever) or the target's ISP so that when the already-running and legitimate software is served the trojan when it checks for an update (alternately, they might just sneak an agent with a USB drive into the target's home and install the trojan when the target is out to lunch or something).

It's like really nasty spyware customized for a very specific user.

In fact, that the CIA is forced to use these sorts of tactics speaks against the idea of there being a universal backdoor in Windows (beyond, you know, the usual and sadly universal backdoor of insecure coding and bad security practices on the part of the user).

Re: Software freedom: best defense against malware

This isn't slashdot/2002 any more? We can't run around like puppies the first time escaped from the yard because we installed linux and are micro$oft free now?

Re:Software freedom: best defense against malware

[Motherfucking+Shit]

Your argument stops with heartbleed.

Which was found and fixed. It took a long time, but it still happened because people can look at the source. What unknown critical Windows vulnerabilities are being exploited right now? We can't find out.

Re:Software freedom: best defense against malware

[AHuxley]

Symantec Endpoint did find Cricket Install under the 'Scheduled Task EXE VARIANTESET"
But it gets past so many vendors, how good was behavioral detection at the time?

Re:Software freedom: best defense against malware

[AHuxley]

The CIA likes a few different methods to get in. Why risk network detection on the way in or out of a complex, secure network? So a lot of methods need a human on site to access a computer system from a trusted location. Why risk a network and firewall when charming local staff gets past a lot of very powerful, bespoke network protections?
When done, collect the data in person and remove all traces. Or have the network send out trusted data from within.
Thats why the network vs needs physical access is often mentioned a lot.
A person walks in and talks directly to the manager of an office for a few minutes. Is that person who walked in now "trusted"? They start working with computers in the office?
No need to worry about cards, networks, freewalls, computers, passwords as staff are happy to help and share their own.
The stranger talks a lot about head office and tech support, upgrades and adds a bit of jargon. The manager seems fine with it, the usb stick slides in.
A cleaner holds a door open at 6 pm in an office for a person who forgot their ID at their desk. The person must be telling the truth as they got into the building and past all the security. Why try a very secure HQ when some remote office has the same network access and much less security?
A lot of the work might be done in nations where expected support is from the USA and English is a second language at best.
The only way for nations to protect agains this is not to have anything interesting on anything Windows and encrypt everything interesting to their own standard.
Nations have to learn not to trust their own internal networks, site security, the charming person for "support" or who their own staff offer to help.
Expect anything in any office or consumer or public space to be accessed by a person with a "story". Great network security is nice but secure the vital data from walk in efforts.

Re:Software freedom: best defense against malware

[thejynxed]

Still your point is invalidated, as was already confirmed in a previous Wikileaks release on the CIA's toolkits - Linux has been pwned just as thoroughly as Windows ever was, despite being "open" and "free". The difference is, you put your trust in software the you don't pay for that virtually anyone can tamper with, and in at least one case that I know of from the good old newsgroup flamewar days, has tampered with intentionally to cause problems (and the bugs intentionally introduced by this person resulted directly in Heartbleed and a few others that have been popping up years later).

Also to remind you, that you are putting your trust in software that is overwhelmingly being maintained by people on the corporate dole, no matter how free and open it claims to be, and people on the corporate dole invariably have ulterior motives.

Re:Software freedom: best defense against malware

"forced to use these sorts of tactics speaks...." that even the mandated backdoor code in microsoft is worse than some found in the wild, cut and pasted rootkit from russia. Even the CIA would prefer not to use microsoft code.

Re:Software freedom: best defense against malware

If your putting trust in the software you using you don't understand security. Always start from a position of 'not trusting' for software, politicians, news and three day old fish.

GNU dude where's my Basic Income?

The GNU Manifesto by Richard Stallman (01 Jan 1985)
In the long run, making programs free is a step toward the post-scarcity world, where nobody will have to work very hard just to make a living. People will be free to devote themselves to activities that are fun, such as programming, after spending the necessary ten hours a week on required tasks such as legislation, family counseling, robot repair and asteroid prospecting. There will be no need to be able to make a living from programming.

Good luck with Linux, luser.

Whatchagonnado when your hardware spooks on you?

Internal Rot

[JimSadler]

You can bet that any large OS developer or security product staff has been penetrated by US agents and probably has covertly placed them on staff. The very products that you use to protect your systems probably grant access to US agents.

No Trump piss video?

[bdrasin]

I figured Putin would be releasing that today

You might be a developer if...

[grilled-cheese]

Your first though is that you're jealous of how good their documentation is.

Requires Python

I will admin I am typing this on a Windows machine, but this Grasshopper won't hop on my lawn, I don't have python installed.

Most of your stuff is American

Most of your email, and online services are provided by the USA so you kid yourself that CIA is more a threat to the US than other countries.

Google? USA, Facebook? USA, Microsoft? USA. Most of your data runs over USA owned fibre on its route, how many of your local apps are actually run on Amazon cloud?

Then there's all of the third country stuff that depends on the US market, and thus complies with US demands. e.g. Samsung?

And USA has essentially been hacked by Russia, it's so blatant, that Trump *informed* Russia ahead of the air-raid in Syria so Russia could remove Russian and Syrian military people and equipment. (CONFIRMED by the Pentagon!! Go read their press report yourself). He blows up two helicopters, convieniently placed in the middle of *AIRPLANE* landing strip. Seriously go look at the footage, there is one helicopter placed slap bang in the middle of a long landing strip, one on each landing strip. There is no way that is the normal landing strip, the helicopters would be blocking the landing of aircraft. So these cheap targets have been placed there.

Given Russia were informed and they informed Syria, Trump is a confirmed traitor.

So even if you don't fear incompetent Trump, do you fear competent Putin??

Re:Most of your stuff is American

You did well until the Russia hacked USA part. That tired fake narrative needs to atrophy.

Re:Most of your stuff is American

You're a moron.

lolloloo

thats what i have been thinking this whole time lol

Runs on Linux too for everyone gloating!

...

Spyware link to spyware article

Why is this link being routed through a twitter account and then going to thenextweb.com, rather than just going to wikileaks. This is the link without the spyware tracking and the pointless intermediate article:
https://wikileaks.org/vault7/#...

pismire

That is my preferred name for this malware, regardless of the name master Po uses.