
Copies of malware used by intelligence agencies to spy on journalists - gasull
https://wikileaks.org/spyfiles4/
======
girvo
So, it seems the NSW police here in Australia are a customer and use this.

Ignore for a moment whether it's a good or bad thing that police use tools
like these. What I want to know is, what happens once they "get their guy", so
to speak.

Does the malware stay on that computer forever, violating the privacy of
family members, or other users of the computer should it be sold on and not
wiped correctly? What happens if it's _not_ the correct person?

Basically, why are the police spying? To me, that raises some ethical
questions and makes me feel that the police will handle things like this in a
very ham-fisted way, like they usually do with technology. Worrying.

~~~
jamesk_au
(I'm also in NSW.) The list of "support requests" on the customers page
suggests that the tools are used only in accordance with duly-issued warrants.
Access would need to be removed once the purpose of the warrant had been
fulfilled, but we may never know whether they get that right in practice. Ben
Grubb has collated some background information on the operation of those
laws.[1]

[1] http://www.smh.com.au/it-pro/government-it/nsw-police-use-hacking-software-to-spy-on-computers-and-smartphones-wikileaks-data-20140915-10h530.html

~~~
meowface
I have not looked at the materials but I suspect most or all Western countries
using this toolkit are using it for specific investigations where warrants
have been issued.

I personally have no qualms with the FBI planting malware as just another form
of surveillance (if they have a warrant to search your home and tap your
phone, why shouldn't they be able to get a warrant to monitor your computer?).
The problem with Gamma Group, and what I suspect is one of the core reasons
for this leak, is that they happily sell their product to extremely oppressive
regimes and give them personal support, knowing full well that the tools are
being used to spy on and find dissidents, protesters, and political opponents.

~~~
__P
There is a weird "Us and Them" vibe from your comment.

Does the US/Australia/UK's treatment of Julian Assange (as an example) not
count as "oppressive regimes" and "...dissidents, protesters, and political
opponents."?

How is that different to <insert country you were thinking of when you wrote
"oppressive regimes"> ? (I ask honestly, not rhetorically)

~~~
CaptainZapp
I'd wager that the difference is that your chances in the US, Australia, or
the UK that a bunch of thugs kick in your door at three am, grab you and
disappear you forever are a whole lot smaller than in some of the real
oppressive countries.

I'm not claiming that everything is perfect in those western countries, but
compared to them there are some truly evil regimes around in countries where
absolutely no checks and balances exist to rein abuse in.

While this may get me down-voted into oblivion, since the author may easily be
one of the most hated people in the tech world, I recommend Evgeny Morozov's
"The Net Delusion", which is a quite insightful take on the abuse of tech by
oppressive regimes.

------
wldlyinaccurate
This company makes millions upon millions of dollars from selling surveillance
malware to (by the looks of the customer list) anyone who will pay.

If I were to set up a company which sold similar products at similar prices, I
would expect the FBI to come knocking at my door very quickly.

~~~
sarciszewski
And they'd probably want to seize all your 0dayz to use to spy on activists
too. :P

------
kissickas
Interesting note on Mongolia on the bottom.

Also good to see that, at least for a time, Gmail was able to detect infected
files (see the Mongolian feedback numbers 10-12).

[https://wikileaks.org/spyfiles4/database.html#feedback](https://wikileaks.org/spyfiles4/database.html#feedback)

~~~
cbhl
Hmm, I'm not sure if that's Gmail detecting an infected file. I'm pretty sure
Gmail just blocks .exe and .bat files altogether (even in .zip archives).

[https://support.google.com/mail/answer/6590?hl=en](https://support.google.com/mail/answer/6590?hl=en)

~~~
kissickas
The file in question was a PDF - can it detect that?

------
BorisMelnik
If I were to download this, I'd do it with some masking tape over my webcam,
booted from Kali Linux, inside a Windows VM from a library or coffee shop.

~~~
tripzilch
> masking tape over my webcam

what people always seem to forget is that it's not the webcam but the
_microphone_ that presents the greatest privacy risk.

if you tape it off, it'll just lower the volume (and possibly dampen higher
frequencies, but you just need 300-3800Hz for voice).

additionally (outside the coffee shop scenario you describe here), what does a
webcam do? ok, it'll see your face. chances are they already know your
identity. maybe it'll catch one second of your underwear, big deal. now
compare to a microphone: much less data, but it picks up every conversation in
the room, regardless of whether they're "in view". much worse.

~~~
iancarroll
I have my microphone (and webcam) disabled from the BIOS. It's pretty
effective.

~~~
TeMPOraL
Up until you catch a BIOS exploit. If the disabling is done by software, it's
not really disabling.

Physical switches and/or duct tape FTW.

------
aliquis
These periodic reminders that the Internet isn't a safe place and that anyone
might be spying on us probably make a lot of people learn about security,
come up with better passwords, hesitate before downloading unknown software
and so on.

When people get their identities stolen, or lose all the money from their bank
accounts, this might be regarded as "random" events, in the same way that most
people won't get mugged and when it happens it's because of "randomly" being
in the wrong place at the wrong time. But more people have experience dealing
with the government, and though they believe that criminals aren't interested
in them they know that the government might be, and thus the government is
seen as a more tangible threat.

Is it possible that governmental surveillance is on average a good thing,
since it raises people's awareness and makes them protect themselves more?
Having enough money in your bank account to buy food is, after all, a more
basic need in Maslow's hierarchy than not having copies of your e-mail
conversations in a government database.

------
cyphunk
shared pad for compiling patterns:
[https://pad.riseup.net/p/gO8Ng806lNnl](https://pad.riseup.net/p/gO8Ng806lNnl)

~~~
zby
And they all use gmail?!?!?!

~~~
sitkack
It is called NopSec

------
aetherspawn
"Handle with care."

Hey guys, let's unzip this so the next guy can run it and spread the world's
most advanced malware on our home network.

~~~
rubbingalcohol
It would be fun to install in a VM though! Or maybe not.

~~~
gasull
It will phone home. Don't do it unless it's disconnected from the network. It
might also try to spread the infection through other attack vectors, like
Bluetooth, or trying to break out of the VM.

~~~
kordless
> break out of the VM

I wonder if this has happened yet?

~~~
sp0rk
Most definitely. Here is an example:
[http://1337day.com/exploit/22519](http://1337day.com/exploit/22519)

~~~
Dylan16807
Got anything that doesn't involve the 2d/3d video acceleration? Those are a
rather obvious and off-by-default attack surface.

~~~
justincormack
See here:
http://www.vupen.com/blog/20120904.Advanced_Exploitation_of_Xen_Sysret_VM_Escape_CVE-2012-0217.php

~~~
gasull
Down for me. Here's a cached version:

https://web.archive.org/web/20140703130707/www.vupen.com/blog/20120904.Advanced_Exploitation_of_Xen_Sysret_VM_Escape_CVE-2012-0217.php

------
xkiwi
I don't usually click EXE,

But when I do,

I do it on my production computer with 200 VMs running.

and none of my firewalls pop a warning.

~~~
philtar
My AV deleted it as soon as it was extracted.

~~~
philangist
Ha. What AV do you use?

~~~
doreo
You can just run it through
[https://www.virustotal.com/](https://www.virustotal.com/) to see which AVs
will get it.

------
orblivion
I hope Norton is updating their database accordingly.

~~~
rplnt
You can try and submit the files here:
[https://www.virustotal.com/](https://www.virustotal.com/)

~~~
nysv
Pretty depressing. Only 2 out of 54 scanners currently detect something in the
zips of the spyware.

https://www.virustotal.com/en-gb/file/6ee40b8e7d49f4ea70b7ce5ca55a445897395323cd298a40baca76432a3a13bc/analysis/

https://www.virustotal.com/en-gb/file/688f1e15390faf8d977351572a9a5c84d5bb228135ebd6c4c306708a9420f359/analysis/

~~~
Strom
Those zips are encrypted, that's why. I have included links to the unencrypted
results [1,2], with ~80% detection rate. Notable green checkmark by Microsoft,
perhaps FinFisher made extra sure to not get caught by Microsoft's heuristics?

[1] https://www.virustotal.com/en-gb/file/f827c92fbe832db3f09f47fe0dcaafd89b40c7064ab90833a1f418f2d1e75e8e/analysis/

[2] https://www.virustotal.com/en-gb/file/0b465877a998a993a64a146c80beaea2adf8e854644709706c6173a853ec8dba/analysis/
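Tying together cbhl's point that Gmail rejects executables even inside archives and Strom's that an encrypted zip gives a scanner nothing to inspect, here is an added triage helper (not from the thread or from any of the linked sites) that reports, per ZIP entry, whether its bytes can be read without a password and whether its extension alone would get it blocked at a mail gateway. The sample archive is constructed in memory; since the standard library cannot write password-protected entries, the encryption flag bit is patched in by hand, and the BLOCKED_EXTENSIONS set is an illustrative assumption, not Gmail's actual policy.

```python
import io
import zipfile

# Illustrative set of Windows executable extensions a mail gateway rejects even
# inside archives (an assumption for this example, not Gmail's full policy).
BLOCKED_EXTENSIONS = {".exe", ".bat", ".cmd", ".com", ".scr", ".dll"}

ENCRYPTED_FLAG = 0x1  # general-purpose flag bit 0 in local and central headers


def build_sample_zip(encrypted: bool) -> bytes:
    """Construct a small archive in memory (a constructed sample, not the leaked files).

    zipfile cannot write password-protected entries, so when `encrypted` is set the
    general-purpose flag bit 0 is patched into every local file header (flags at
    offset 6) and central-directory header (flags at offset 8), which is the bit a
    scanner reads to learn it cannot open the entry without a password."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("setup.exe", b"MZ placeholder")
    data = bytearray(buf.getvalue())
    if encrypted:
        for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(signature)
            while pos != -1:
                data[pos + flag_offset] |= ENCRYPTED_FLAG
                pos = data.find(signature, pos + 4)
    return bytes(data)


def triage_zip(data: bytes) -> dict:
    """Per entry: is it flagged encrypted, can its bytes actually be read for
    scanning, and would its extension alone get it blocked at the gateway."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            ext = "." + name.rsplit(".", 1)[1].lower() if "." in name else ""
            try:
                zf.read(name)  # same obstacle a scanner hits on an encrypted entry
                scannable = True
            except RuntimeError:  # zipfile: "password required for extraction"
                scannable = False
            report[name] = {
                "encrypted": bool(info.flag_bits & ENCRYPTED_FLAG),
                "scannable": scannable,
                "blocked_by_extension": ext in BLOCKED_EXTENSIONS,
            }
    return report
```

Run `triage_zip(build_sample_zip(True))` to see both entries flagged encrypted and unscannable while `setup.exe` is still caught by its extension, which is the difference between the two VirusTotal results in this thread.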

~~~
nysv
Microsoft too detects them now. Too late, but at least they are updating their
signatures fairly rapidly.

Interestingly, both files were first uploaded to VT in 2010, meaning that AV
vendors have had chances to analyze them.

~~~
rplnt
Malware vendors usually use these services to test their load. They wouldn't
release anything that would get detected on day 0. And I think antivirus
vendors do more in-house analysis only if there are reasons to - such as votes
from users, or other AVs detecting the sample.

------
ogijaoijfawje
I know many love to consider Snowden and Assange "heroes", but I think these
two are people we should think outside the box on. Are they acting in the
interest of everyone, themselves, or another party? The releases, interviews,
and otherwise that get released seem very scripted and controlled. The
propaganda machine is skilled and there may be unseen benefits to these leaks.

~~~
DanBC
The releases are outside Snowden's control now. He carefully gave a dump of
information to two newspapers. Those newspapers control the flow of the
information now, and they obviously want to maximise the benefit to themselves
by releasing the information in a controlled manner.

~~~
ogijaoijfawje
Snowden is milking the attention as well. Look at the livestream going on
right now, he's discussing the information live.

~~~
throwaway876876
You're deliberately trying to discredit a person who made available proof that
the surveillance machine is out of control.

While everyone else is dissecting the information, trying to digest it and
working on solutions to the surveillance problem, you're obsessed with the
messenger.

Why?

~~~
aliquis
Well, I'd agree with you, but the way you phrased it made me feel uneasy. Are
you saying that source criticism in journalism is overrated, or that Assange
should be an exception to the rules?

This is the Internet. Isn't there enough room here for discussions about both
the message and the messenger? Or is it that when the message gets strong or
important enough, the messenger gets irrelevant in comparison?

~~~
throwaway876876
What has the message to do with the messenger, in this case? Sure, we should be
skeptical of all sources: media, individuals, government. Isn't this common
sense? The presented information, however, stands on its own, no matter whom
the person who delivered it represents.

What exactly would we gain from discussing the messenger? Would that move
anything forward?

What if we found out Snowden was paid by some Russian agency? What exactly
would that change? Would the guys at Stellar say "Oh, the Russians paid him?
Everyone stop changing passwords and re-issuing certificates, guys,
everything's fine; he got paid by the Russians", and the slides with router
passwords would suddenly disappear from the face of the earth?

I hope it's the language barrier and I'm failing to understand your point.

~~~
aliquis
You're probably correct that it's the language barrier. The message has very
little to do with the messenger, and I can't see who's claimed otherwise.

The difference seems to be about whether we SHOULD discuss the messenger.
Assange still has the power to decide what to publish, and maybe more
importantly when to publish it. Everyone who has a message to convey will wait
for the right time to do so. This is true for political statements, for press
releases, for when you ask your girlfriend to marry you or for when you tell
your parents that you failed an exam. It would be silly not to accept that
Assange cares about timing.

A discussion about the messenger shouldn't be seen as a discussion about the
truthfulness of the message. For example: The Russian government accused the
Ukrainian government of being fascists, and one of their excuses for entering
Crimea was that they needed to protect the Crimean Tatars from these fascists.
But the Tatars are pro-Ukrainian, and many of them fled when the Russians took
control. Those who remained are being harassed, and there are Tatars who were
even denied re-entry to Crimea after having traveled to Ukraine. Sure, there
are far-right extremists in Ukraine. Of course there are. But the Russians
didn't want to admit that the phenomenon is far more prevalent in Russia.
Knowledge of the messenger helps us to put all of this into a context.

All I'm saying is that we should be generous enough not to censor discussions
just because we're not interested in them. In this case, it means discussions
about both the message and the messenger. When combined, the outcomes will
provide us with even more information. Ad hominem arguments like "you're
obsessed with the messenger" are designed to silence one of these discussions.

~~~
pessimizer
> A discussion about the messenger shouldn't be seen as a discussion about the
truthfulness of the message.

If it isn't seen as a discussion about the truthfulness of the message, it
should be seen as completely worthless gossip. Why would I be discussing
Snowden as a person if I don't know him personally and I don't dispute the
truth of his disclosures? Can't we pick a prettier celebrity to discuss to no
particular end?

The only purpose in gossiping about people who disclose information which
nobody seriously disputes is to confuse the simple-minded.

~~~
zak_mc_kracken
> I don't dispute the truth of his disclosures?

That's the problem: you should at least be questioning that truth, just like
you question the truth of what the government tells you.

