WikiLeaks exposes CIA anti-forensics tool that makes Uncle Sam seem fluent in enemy tongues

WikiLeaks released the third tranche of its leaked CIA documents trove on Friday, which in this episode focuses on anti-forensics tools. The previous two releases from Vault7 have focused on manuals and supporting documents for the spy agency's hacking tools. The first set of leaked files, released on 7 March, described …

  1. The Man Who Fell To Earth Silver badge
    WTF?

    All your bases belong to us.

    All your base belongs to us.

    1. Anonymous Coward

      Re: All your bases belong to us.

      You deceived Doctor Jones

    2. Anonymous Coward

      Re: All your bases belong to us.

      So it lets them pretend that they speak English too?!

    3. Robert Baker

      Re: All your bases belong to us.

      І шіІІ лот вцч тніѕ товвассоліѕт'ѕ, іт іѕ ѕсгатснеД

  2. ElReg!comments!Pierre

    Funny that

    Certainly puts into perspective all these claims of "enemy nation-state-sponsored" attempts to destroy the Free World (TM). All claims based on "some comments in the code in [Chinese/Korean/Russian]"

    Heh.

    1. Crazy Operations Guy

      Re: Funny that

      I've never trusted those conclusions anyway, since the exploit author may live in one nation but sells the exploit to an agency of another nation. I doubt that the CIA is writing all its code in-house, and probably ends up out-sourcing it to foreigners.

      I wouldn't be surprised to find out there is a black-hat that has been selling the same malware code to both the Russians and NATO members.

      1. Alumoi Silver badge

        Re: Funny that

        I wouldn't be surprised to find out there is a black-hat that has been selling the same malware code to both the Russians and NATO members.

        Guilty as charged. Anon for obvious reasons.

    2. Anonymous Coward

      Re: Funny that

      Comments in compiled C/C++ code? LOL! Lots of malware analysis experts around...

      Also, from a quick glance, it looks to me as if the foreign text is there to show Marble can work on wchar_t data, but the algorithms to obfuscate text look to be designed to stop text strings being identified as such - they are too easy to detect. A piece of malware may need to perform its own text matching in the target system language.

      1. Robert Carnegie Silver badge

        Re: Funny that

        Error message text is probably embedded in the C executable binary file. Some of it may be quite informal. I don't know if you also get variable names.

        Across in, let's see, I think it was comments on this week's "On Call" article (lightning which damaged the PC in a novel way), were a couple of mentions of error code of such various sorts where amongst the debris of your data appeared the word "bollocks". This word is used in Britain to mean "Oh dear what a shame", so it would implicate British programmers.

        The story suggests that this could be fake evidence created by the CIA with a reverse function provided to translate back to American English. So I wonder what the original American text may have been for "bollocks" and what it was changed back to. Perhaps "Oh Sunhat" in the original version, and more computer-istic "inoperative statement" afterwards. Actually that derives from the Nixon administration, where the White House was caught lying and issued a sort-of-correction on lines of "What we told you yesterday is now an inoperative statement. The operative statement (what we're now trying to get you to believe) is as follows." In other words, the inoperative statement is known to be bollocks - in the sense of "not what I like to swallow."

        1. allthecoolshortnamesweretaken
          Pint

          Re: Bollocks

          This word is used in Britain to mean "Oh dear what a shame"

          This would deserve several upvotes (and pints).

    3. macjules

      Re: Funny that

      Just another slow news day in the broom cupboard in the Ecuadorian Embassy.

  3. Christian Berger

    Attribution is a myth

    It simply doesn't work. Everybody can pose as everybody else. Secret services commonly make false flag operations.

    So whenever someone claims that a certain piece of malware comes from country X, you should either laugh at them or punch them in the face. There is no way they could know that... unless they wrote it themselves.

    1. Anonymous Coward

      Re: Attribution is a myth

      Way to give up and pretend something isn't possible because you can't imagine it!

      The [lack of] power in the human mind is [not] astonishing!

      Think about this, genius. The person at the end of the line of the data movement is the culprit, no matter what language or IP they borrowed along the way. You can't hide a device "phoning home," ever. There will be packets, and when you exclude all the wacky "no, we're the Chinese" obfuscation attempts, you come up with the answer. Just because some desktop jockey can't imagine it, doesn't mean it can't be solved. Perhaps you should stick to changing the toner in the printers today, guy? Calling a real process a myth is not a strong argument.

      1. Crazy Operations Guy

        Re: Attribution is a myth

        But even then, where it phones home is no clue as to who actually owns it. It's not unreasonable to believe that someone like the US would use a couple of machines in China to attack Russia. China is a big enough country where it'd be perfectly possible for the CIA to plant someone in the Chinese government to infect computers and to perform all the malware-control work from within that network and just transfer the data manually.

        It'd be perfectly possible for the CIA to compromise a friend of a Chinese government official (Doesn't even need to be someone very far up). This 'friend' then gives the dupe a hard drive full of movies or games or some other data that they'd want. The media on the drive contains a malware package to turn the dupe's computer into a malware C+C machine when they go to open any of it (Hell, the media itself could actually work without the dupe even suspecting that something is wrong). The malware then collects its data and stores it onto the drive which is then taken back to the friend for more media. The 'friend' pulls off the retrieved data and puts on new media containing updated attack code and commands. This would proceed for quite some time until found out. But even then, it'd look like just a regular malware infection, not a spy operation. The data retrieved would be hand-delivered to the US embassy to be passed back to the CIA itself.

        In that scenario, the malware neither phones home to, nor appears to originate from, the US. If the campaign was launched against the Russians, all evidence points to the Chinese being behind the attack, as all the data is coming and going from a Chinese Government IP address. With it just looking like two people exchanging pirated and/or illegal media, no one but a paranoid lunatic would think that the CIA was behind it.

        1. Anonymous Coward

          Re: Attribution is a myth

          where it phones home is no clue as to who actually owns it

          Lucky then that all of our security services can confirm that everything leads back to Putin.

          1. Crazy Operations Guy

            Re: Attribution is a myth

            "Lucky then that all of our security services can confirm that everything leads back to Putin."

            I would assume they have a lot more information than just where the malware phoned home before accusing a foreign country of such things. The problem is that the first rule of counter-intelligence is to never reveal how you figured out how the enemy is doing it, lest they change their tactics and become undetectable. By keeping your methods a secret, it is possible to confuse enemy spies by feeding misinformation through that leak. Like if you know your enemy is just stealing information from a diplomatic courier, you are going to keep sending couriers as usual, but giving them false information for the enemy to steal, and since they have no reason to know that you know about the theft, they'll believe the data valid.

            My grandfather used to work in intelligence back during WW2 and continued into the Cold War. The technology changes, but the techniques never really did. Social Engineering, Phishing, Spear-phishing, false-flags, false-false-flags, blackmail, bribery, etc have all existed in one form or another since the dawn of civilization.

            1. Christian Berger

              Re: Attribution is a myth

              Well you assume that. There is no actual need for evidence if your assumption is in line with politics. Just think about the first Gulf War which was started by something we now know was a lie.

              If you believe that secret services somehow have superpowers that can defy logic, you would have to ask yourself why they didn't use them to actually do something in the first place.

              1. Derezed

                Re: Attribution is a myth

                "Just thinl about the first Gulf War which was started by something we now know was a lie."

                What seriously? I never knew that Iraq never invaded Kuwait. It goes to show you learn something new every day!

                On a separate note, it's good to know that only the CIA and GCHQ manufacture evil software and that it is beyond impossible that Russian, Chinese or other powers can create software to spy on our nation...all government sponsored malware is created in the West and anyone who says otherwise is a CIA stooge. It is such a relief to know that only our own security services have malicious and evil intent towards us. Was there a garage sale of tin foil hats around here?

                1. You aint sin me, roit

                  Re: Attribution is a myth

                  "What seriously? I never knew that Iraq never invaded Kuwait. It goes to show you learn something new every day!"

                  Yes, I wondered about that too... pretty sure I remember oil fields set on fire by the Iraqis, a limited action to liberate Kuwait and some criticism that the first war wasn't prosecuted all the way back to Baghdad.

                  Which led to Bush the younger starting the second Gulf war to finish what his daddy started.

                  I'm still surprised they didn't *find* (know what I mean...) any WMD. I don't classify myself as an evil genius, but if I were to start a potentially illegal war on the flimsy basis of the presence of WMD, my first thought would be

                  "If we don't find any WMD then we'd better bring some that we can find."

      2. Duncan Macdonald
        FAIL

        Re: Attribution is a myth

        If you send the data back using a Usenet group then there is no way to tell who the receiver is as news servers propagate the information across the internet. Like broadcast radio it is effectively impossible to tell who the listeners are. The only disadvantage is that the relay time from a message being added to Usenet to it appearing at a distant server can be minutes (or even hours) instead of the fraction of a second for a direct TCP or UDP link.

        For example an encrypted RAR file could be added to the alt.binaries.etc newsgroup using GigaNews in one country and then at some future time be read using NewsDemon in another country.

        1. Crazy Operations Guy

          Re: Attribution is a myth

          "to it appearing at a distant server can be minutes (or even hours)"

          With many targets for espionage, a delay of even days or weeks tends to be acceptable. Most intelligence work's priority is protection of the transfer medium rather than how quickly the data can be transferred. If it takes weeks for a spy to get specs on an adversary's new bit of kit, the spying country can accept several weeks' delay in getting it as the adversary isn't going to be deploying, let alone replacing, that new piece of kit anytime soon (Like the Harrier jet or the Minuteman ICBM). Protecting their source is going to be much more important in that case.

          But back to the original topic, the only real way to determine who is spying on you is to observe the actions of everyone else and see how they react. Especially if the information is that your country is planning to move troops from one location to another. If any country moves their troops closer to the destination or away from the source, it becomes obvious who is and is not spying.

        2. Bill Gray

          Re: Attribution is a myth

          @Duncan Macdonald: "If you send the data back using a Usenet group...it is effectively impossible to tell who the listeners are."

          The thought has occurred to me that if I really wanted to communicate with someone anonymously, I'd post my encrypted message on an agreed-upon place such as El Reg.

          eab8c02f7197787897560569942100fe1198b4140834b8d40781ae200143
          1a47c9b41a1d8dea25ed5ed26842a62ba55a9dcfba71f81627f70263f0a7
          b4ca1ecc0e535e74f56e9739cc5bac3ec30ac86c3775cae4115c278ac2a3
          1a2824f659591f2ab75161cd931309eab5036aa9908144b8f7d76e002ea1
          02b71ae4d25beab9003cc2eb57c039fed2b3bc7ca6408c148e51bd6d1e02
          e83f3c86bc945e467b8a5b1b0e5bd37d9d2ac29923fe4e3c31c116ac1e7f
          c4e14bb313a1139460365906ea9e8d124a54a3d83468a226713f8f71a396
          f1906c750eaf37ad90fc51316d92539363652257809580c3a939e371621d
          8025d2d19323379589fde285b4746685aa8289b3c734ba8bc2a216a436af
          745e034ad95227b200de4b5e9b09d78ae64e4b3ad3b359d62bc9d89efead

          (OK, that's actually from /dev/random. Of course, I _would_ say that...)

          1. John Miles

            Re: eab8c02f7197787897560569942100fe1198

            For some reason Space Core Directives come to mind

          2. Wensleydale Cheese

            Re: Attribution is a myth

            "745e034ad95227b200de4b5e9b09d78ae64e4b3ad3b359d62bc9d89efead

            (OK, that's actually from /dev/random. Of course, I _would_ say that...)"

            If you are a player in the spying game, can you be 100% certain that your /dev/random hasn't been compromised?

            1. Bill Gray

              Re: Attribution is a myth

              "...If you are a player in the spying game, can you be 100% certain that your /dev/random hasn't been compromised?"

              If I thought I was a target of a major spy agency, I'm not sure I'd trust anything these days short of creating a one-time pad using dice in a room with copper walls. Seems as if no matter how paranoid you are, it's hard to keep up. As it stands, my life is sufficiently uninteresting (from their viewpoint) that I can post under my own name.

              I have some plans, time permitting, to use a junk Webcam pointed at a fish tank, bird feeder, etc. as a source of entropy: https://github.com/Bill-Gray/miscell/blob/master/vid_dump.c , with said entropy fed into a Fortuna-like scheme. As you say, still not 100%... but not even the one-time-pad in a copper-lined room would be; I don't see that as reason to give up.

              As a concerned (US) citizen, I do think that things should be made as difficult for snoopers as possible. It's my patriotic duty (to my country and, for that matter, other countries... though not to their governments) to ensure they waste time trying (and failing) to decipher 9f7f860a9676ada7bda50a4057d464b6f644c45a05abf86a7e6fcd5f9a7c39ae361d1cc99. (Which may just be random. Or it may be a message to Russians/terrorists/The New-York Times... I probably should just add some random text to all e-mails and posts; this also has the advantage that, if I _do_ have to communicate secretly someday, the switchover would go unnoticed.)
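The exchange above (a possibly compromised /dev/random, answered by mixing in an independent webcam source through a Fortuna-like scheme) is worth seeing in code. What follows is an added example, not code from the thread and not the vid_dump.c linked above: a deliberately simplified Fortuna-style accumulator (one pool, no timed reseed schedule, HMAC-SHA256 instead of a block cipher) and a stand-in for the webcam step that packs the least-significant bit of each pixel difference between two frames. The frames and the "OS sample" are constructed; the assumption being illustrated is that when one source is fully known to an adversary, the output still depends on the other.

```python
import hashlib
import hmac


def lsb_noise(frame_a: bytes, frame_b: bytes) -> bytes:
    """Pack the least significant bit of each pixel difference between two
    frames, 8 bits per output byte (a trailing partial byte is dropped).
    Assumption for this example: sensor noise makes that bit unpredictable
    even when the scene in front of the camera barely changes."""
    bits = [(a ^ b) & 1 for a, b in zip(frame_a, frame_b)]
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for bit in bits[i:i + 8]:
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)


class PoolMixer:
    """Fortuna-inspired accumulator, simplified for this example (not the real
    Fortuna). Samples from every source are hashed into one pool; reseed()
    folds the pool into the generator key; output blocks come from
    HMAC-SHA256(key, counter) and the key is replaced after each request so
    a later state compromise does not reveal earlier output."""

    def __init__(self) -> None:
        self.pool = hashlib.sha256()
        self.key = bytes(32)
        self.counter = 0

    def add(self, source_id: int, sample: bytes) -> None:
        # Tag and length-prefix each sample so two sources cannot be confused
        # for a single differently-split input.
        self.pool.update(bytes([source_id]) + len(sample).to_bytes(4, "big") + sample)

    def reseed(self) -> None:
        self.key = hashlib.sha256(self.key + self.pool.digest()).digest()
        self.pool = hashlib.sha256()

    def random_bytes(self, n: int) -> bytes:
        out = bytearray()
        while len(out) < n:
            out += hmac.new(self.key, self.counter.to_bytes(16, "big"), hashlib.sha256).digest()
            self.counter += 1
        self.key = hmac.new(self.key, b"rekey", hashlib.sha256).digest()
        return bytes(out[:n])


def mixed_output(os_sample: bytes, frame_a: bytes, frame_b: bytes, n: int = 16) -> bytes:
    """Seed from two sources: whatever the OS RNG supplied (treated here as
    possibly known to an adversary) and the webcam-derived bits."""
    mixer = PoolMixer()
    mixer.add(0, os_sample)
    mixer.add(1, lsb_noise(frame_a, frame_b))
    mixer.reseed()
    return mixer.random_bytes(n)


# Constructed frames standing in for consecutive webcam captures (64 grey pixels).
FRAME_A = bytes((i * 37) % 256 for i in range(64))
FRAME_B = bytes((i * 37 + (i % 3)) % 256 for i in range(64))
FRAME_C = bytes((i * 37 + (i % 5)) % 256 for i in range(64))
FIXED_OS = b"\x00" * 32  # a source the adversary is assumed to know completely

if __name__ == "__main__":
    print(mixed_output(FIXED_OS, FRAME_A, FRAME_B).hex())
    print(mixed_output(FIXED_OS, FRAME_A, FRAME_C).hex())
```

The design point is the same one the real Fortuna makes: the generator never trusts any single source, so a known or weak source only stops helping, it does not undo the contribution of the others. A production system would still use a vetted CSPRNG and estimate how much entropy the camera really delivers before relying on it.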

    2. Uffish

      Re: Attribution is a myth

      It might also be that a country's spooks have real reasons to think that the malware came from enemy 'X' but don't want to disclose their sources - hence "We found tell-tale signs of 'X' in the code".

      Whatever the truth is, none of the spooks will have any interest in disclosing it so you just have to hope that your spooks are on your side.

  4. Primus Secundus Tertius

    Obscure comments

    In most of the computer programs I ever dealt with, the comments did not need further obfuscation.

    1. usbac Silver badge

      Re: Obscure comments

      As a developer myself, I wish I could up-vote you 100 times!

  5. William Higinbotham

    I can only look at all this as if I am at the Guggenheim Museum and admire the art form. Always evolving.

  6. Anonymous Coward

    People with an axe to grind

    Will read this as proof "the DNC emails weren't hacked by Russia, it was someone else making it look like they did and US intelligence was fooled". Just because you can replace some text strings with Russian doesn't mean experienced intelligence operatives will be fooled.

    I'll bet when the CIA does this they know they won't fool the Chinese equivalent of the CIA into thinking something the US did was done by Russia. The CIA is doing this with lower tier targets in mind, like if they hacked some random Chinese bank or Iranian bank trying to track terrorist financing. They probably contact some security firm who will have a quick look, see the Cyrillic alphabet, and say "our detailed analysis concludes it was Russians trying to steal some money, here's our bill for $5000. We can fix your security to ensure they aren't successful in taking millions from you for another $50,000, just sign here!"

    1. Robert Carnegie Silver badge

      Re: People with an axe to grind

      I think we usually hear that the actual foreign-state hackers include complete patriotic propaganda messages in their work - and the specific up to date ones, too. Technically those still could appear in false-flag efforts, but it seems more likely that it's real enthusiasts for whichever nation is involved, maybe not even paid but just happily changing the U.N. web site to a Syrian flag or making the BBC tweet trash talk about Ukraine. The basic futility of such exercises in a situation where people are getting killed for wearing a hat that suggests the wrong political sympathy also supports a point of view that this isn't the CIA faking it. But it could be.

      1. Yet Another Anonymous coward Silver badge

        Re: People with an axe to grind

        So the Russian hackers wrote the code in Russian so people would think it was the CIA trying to make it look like Russian hackers.

        Of course perhaps they thought of this and wrote it in Russian so that people would think it was the Russians trying to make it look like the CIA were trying to make it look like the Russians trying to make it look like the CIA.

        Everyone knows the milk marketing board is behind it all

  7. Mahhn

    Only one?

    (yes I know it's not true but) So, it's possible there is only one government hacking group in the world, the CIA. In order to keep their job and get more fun-ding, they pretend to be the enemy one day, then the hero the next. Hell, it might be so compartmentalized that the CIA peeps that have coffee together in the afternoon don't realize they have been playing war with each other all day.

    1. Crazy Operations Guy

      Re: Only one?

      I wouldn't be surprised if all nations didn't just end up contracting with the same group of black-hats that are playing all sides. Telling the Americans that Russia has a new tool, and they have their own tools for detecting it, and then telling the Russians that the US has discovered their attack vector, but their group can make something the Americans can't detect.

      Reminds me of a story I read about scientists during the Cold War that set up "Think Tanks" in both the US and Russia. They'd communicate between each other claiming the other group is their spies so they can build something that would defeat the other sides' new toys. Then they'd also need access to both sides' current toys so they can evaluate them for weaknesses and areas for improvement. They'd go to the governments of either side with something the other team built, claim the other side is building it, and then ask for money to design something to counter it (which they'd send that new project to the other team for them to present it to the other government). Can't remember if it was fiction, but I'm pessimistic enough to believe that something like that could happen...

    2. herman

      Re: Only one?

      Hmm, you mean like the antivirus companies who write new viruses when business is slow?

  8. Anonymous Coward

    Even CIA programmers like to have juvenile fun

    An interesting choice of variable names...

    BOOL SetScrambler(WCHAR *&wcChoice)
    {
        //Validate args
        if (wcChoice == NULL)
            return FALSE;

        BOOL bRet = TRUE;
        WCHAR *wcCopy = _wcsdup(wcChoice);
        WCHAR wcSeps[] = L"\".";

        // account for full paths
        WCHAR *fuckme = wcsrchr(wcCopy, '\\'), *wcName = NULL;
        if( fuckme == NULL )
        {
            wcName = wcstok(wcCopy, wcSeps);
            if( !wcName )
            {
                free(wcCopy);
                return FALSE;
            }
            wcName = wcstok(NULL, wcSeps);
        }
        else
        {
            wcName = fuckme + 1;
            wcstok(wcName, wcSeps);
        }

  9. itzman
    Paris Hilton

    Are there no honest spies left?

    I mean you used to know if they spoke with thick German accents, they were German, or at least British actors with colds.

    Now who knows what to believe, or who to trust?

    It really is...most unsettling.

    Anyone else noticed that whatever icon you select, a troll shows up?

  10. Sanctimonious Prick
    Black Helicopters

    Shock! Horror!

    This just couldn't be true!

    ./tic

  11. Anonymous Coward

    An alternate view. Wiki releases code to change languages to make Uncle Sam look bad and be trying to hide his/her tracks with false flag ops. OK, it's plausible, but ask yourself this: what about recursion?

    What if the wiki code is a false flag, to make us all think that, and muddy the waters more.

    That would be an absolute barnstormer of a false flag idea, just like a nation state that has invested massive resources into psyops for decades would be proud of!

    Who to trust, not Julian either. Keep all options on the table...

  12. Stevie

    Bah!

    Gobachev Sings Tractor! Turnip! Buttocks!
