It’s that time again. Wikileaks has published another set of documents allegedly stolen from the CIA. This time, the documents detail the use of a tool named Grasshopper. Lets try to get ahead of the media cycle and explain, in plain English, what Grasshopper is.

“Grasshopper appears to be a .exe builder which simplifies the process of identifying and deploying malicious code on a target machine.”

Source: https://wikileaks.org/vault7/document/Grasshopper-v2_0_2-UserGuide/page-6/#pagination

What does that mean? Essentially, Grasshopper automates the process of developing an executable file which will run on a victim machine. This isn’t special. Any child hacker will know that Metasploit will do this for you, for free, without having to join the CIA or anything! If you’re so inclined, you can totally pretend you’re a superspy, here: https://www.offensive-security.com/metasploit-unleashed/binary-payloads/

Building an executable by hand is tough, but with an executable builder, it’s super easy! Just pick the victim from a list, identify what is running on the victim machine, and a menu will guide you through the process of identifying the right Vulnerabilities, Exploits, and Payloads you can use against that machine. It’s Hacking for Dummies! No more messy “learning how to code” needed!

To go into detail, we gotta get technical. I have to explain to you a bit about the fundamentals of malware. For malware to work, you need to have a Vulnerability, an Exploit, and a Payload.

Vulnerability: A flaw in a piece of code. These are usually accidentally introduced by programmers. After one too many late night coding sections, a coder inadvertently misplaces a semi-colon, or forgets to sanitize a user input. Lets say a programmer for some server made a user login page without any basic sanity checks and it looks kinda like this:

Technical bits:
UserInput{
$USERNAME&&$PASSWORD
SUBMIT;
}

(Note to coders: I know! Don’t write me. Trying to keep this basic.)

Exploit: This is the code that leverages the vulnerability. Lets look at the above function. A hacker may write a script that takes advantage of the lack of input sanitation. Instead of entering the user name, the hacker may write something like ;cat /etc/passwd. Let me break it down:

Technical bits:
; = “ESCAPE!”
cat = “DISPLAY”
/etc/passwd = “the file containing all the passwords for this machine.”

So when that UserInput function above is ran….the computer sees:
USERINPUT…ESCAPE!…. DISPLAY PASSWORD FILE.

Next thing you know, the hacker has your password file.

Payload
This is the part that most people traditionally think of as “malware.” This could be nearly anything, and is somewhat dependent on the type of vulnerability. A vulnerability which allows for root level remote code execution can run most anything, a vulnerability which only allows a hacker to read the contents of memory won’t allow for any code execution. If the vulnerability allows for local code execution, you can execute the payload locally (while sitting at the machine). If the vulnerability allows for remote code execution, you can run the payload remotely against the vulnerable machine sitting on the internet. A hacker’s payload could be wipers (things that erase a hard drive, like what the Iranians have been deploying against the Saudis), ransomware (famously being deployed against hospitals), trojans (used to allow a hacker to gain remote access), keyloggers (usually deployed by parents or jealous former lovers), or even just everyday spambots (used to try to sell you garbage).

SO YOU WANNA BE A HACKER SPY….

1) Apply at CIA.gov
2) Go through years of rigorous training
3) Pass an insane background check
4) Get specialized training for Grasshopper
5) Deploy to a crappy part of the world
6) Find a target machine
7) Identify what is running on that machine
8) Using a set of easily navigated menus, use Grasshopper to select what type of Windows machine the victim has, then select a vulnerability likely to work against the victim, then select what kind of payload you want to run on the machine. Save a copy of Totally_Not_Spying.exe
9) Sneak in and run Totally_Not_Spying.exe on the target machine
10) Try to escape without getting charged for espionage and beheaded by some cut-rate dictator

OR….just watch this Youtube video:

That’s right kids! All the functionality Wikileaks just told you the CIA has…..yep…you have it to. Just download Metasploit and follow one of the innumerable guides posted on YouTube and, just like that, you’ve skipped all that difficult polygraph stuff the CIA would have made you do!

A note on Wikileaks

Thus far, Wikileaks’ #Vault7 dumps have failed to impress. No one should be surprised that the CIA hacks targets. Most Americans would rightly be upset if the CIA stayed in the stone age.

I continue to wait for Wikileaks to demonstrate something spectacular. Do they have evidence that the CIA engages in bulk data collection? Do they have evidence that the CIA has been holding onto critical bugs (like a heartbleed level vulnerability?) No? Or maybe they do, but haven’t published it yet. THOSE would be notable. To date, Wikileaks has only demonstrated that spies sometimes spy. This isn’t remarkable, and neither are the techniques they’ve demonstrated, to date.

Until next time! Bye for now!

-Jonathan Nichols
@WvuAlphaSoldier

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s