
Grasshopper - Jerry2
https://wikileaks.org/vault7/?g#Grasshopper
======
rdtsc
[https://wikileaks.org/vault7/document/DerStarke_v1_4_DOC/pag...](https://wikileaks.org/vault7/document/DerStarke_v1_4_DOC/page-1/#pagination)

\---

Der Starke is a diskless, EFI-persistent version of Triton. Once active on a
target system, the implant executed within diskarbitrationd and typically
performs network communications through a browser process so that PSPs like
Little Snitch cannot easily detect its presence. This Companion User Guide is
meant to supplement the Triton User Guide.

\---

This is obvious to most people here, but it might not be to others: if the
attacker got physical access to the machine, it's game over.

[https://wikileaks.org/vault7/document/Grasshopper-v2_0_2-Use...](https://wikileaks.org/vault7/document/Grasshopper-v2_0_2-UserGuide/page-16/#pagination)

\---

Grasshopper has the following system dependencies:

Python 3.4: The Grasshopper build system was developed and tested for Python
3.4

\---

Nice! A lot of government projects are stuck on older versions of Python tied
to ancient OS versions.

I gotta say, the rule matcher syntax and the overall design is done very well.
Hat tip to the authors if they are reading this.
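The quoted Der Starke summary above describes the evasion: the implant's traffic leaves through a browser process, so a per-process firewall that decides by which application is connecting sees only a trusted browser. The following is an added example, not code from the leaked documents or from anyone in this thread, showing why a decision keyed on process name alone misses that case and what a defender can correlate against it. Every record, the process baseline, and the two injection indicators (`unsigned_modules`, `foreign_thread`) are constructed for illustration; the policy names and the simplification of how a real firewall decides are my assumptions.

```python
"""Added example: contrast a name-only network policy with one that also
checks in-process injection indicators. All data below is constructed."""

from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed baseline: process names that normally originate network traffic.
NETWORK_EXPECTED = {"Safari", "Google Chrome", "firefox", "curl", "nsurlsessiond"}


@dataclass
class ConnRecord:
    """One outbound connection as a host agent might report it (constructed)."""
    pid: int
    process: str
    remote: str  # "host:port"
    # Hypothetical indicator: code modules mapped in the process that carry no
    # vendor/platform signature.
    unsigned_modules: List[str] = field(default_factory=list)
    # Hypothetical indicator: a thread in this process was started by another process.
    foreign_thread: bool = False


def name_only_policy(rec: ConnRecord) -> str:
    """What a policy keyed purely on the connecting process's name decides."""
    return "allow" if rec.process in NETWORK_EXPECTED else "block"


def correlated_policy(rec: ConnRecord) -> str:
    """Same name check, but a trusted name with injection indicators is escalated.

    A daemon with no network role is still blocked; a browser is allowed only
    when nothing foreign is running inside it.
    """
    if rec.process not in NETWORK_EXPECTED:
        return "block"
    if rec.unsigned_modules or rec.foreign_thread:
        return "alert"  # trusted process name, untrusted code inside it
    return "allow"


def evaluate(records: List[ConnRecord]) -> Dict[int, Tuple[str, str]]:
    """Map pid -> (name-only verdict, correlated verdict) for comparison."""
    return {r.pid: (name_only_policy(r), correlated_policy(r)) for r in records}


# Constructed sample: a clean browser, a daemon that should never talk to the
# network, and a browser carrying an unsigned module plus a foreign thread.
# Addresses are from the RFC 5737 documentation range.
SAMPLE = [
    ConnRecord(101, "Safari", "203.0.113.10:443"),
    ConnRecord(102, "diskarbitrationd", "203.0.113.20:443"),
    ConnRecord(103, "Safari", "203.0.113.20:443",
               unsigned_modules=["/private/tmp/.x.dylib"], foreign_thread=True),
]

if __name__ == "__main__":
    for pid, (by_name, correlated) in evaluate(SAMPLE).items():
        print(f"pid {pid}: name-only={by_name:<5} correlated={correlated}")
```

Run as-is it prints one line per record; pid 103 is the instructive one, allowed by name and flagged only once the process's contents are considered. The indicators used here stand in for whatever endpoint telemetry a defender actually has (module signing state, cross-process thread creation, memory regions that are both writable and executable); the structure of the check is the point, not the two fields.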

~~~
robschia
They are reading everything.

------
belorn
So the CIA is using components from the malware known as Carberp, a suspected
Russian organized crime rootkit, which means that instead of helping people
protect their computers from organized crime they allow the vulnerability to
continue. How is this moral?

~~~
tptacek
It's not an either-or; this is malware, not vulnerabilities. For the most part
it doesn't make sense to think in terms of using malware components to protect
systems from malware.

This misunderstanding has come up on a bunch of other threads too; it seems to
be pretty widespread. You can't really "burn" most persistence techniques,
publishing them in a way that makes them easy to defend against. If you could,
a whole lot of platform security engineering would be much easier.

~~~
belorn
What part of a "persistence method" is not using vulnerabilities? If you
infect the boot loader, BIOS, firmware, or use some other method to create
persistence, then those are vulnerabilities. That a system can get infected in
such a way is not by any intended design.

Could you give an example of a persistence technique that is using an intended
feature of a computer system in order to hide the malware in unintended places
in such a way that the system can't remove it (which itself is an unintended
functionality)?

~~~
tptacek
That's like suggesting a programmable page table is a vulnerability, because
it can be used to hide a malware stub from processes looking for malware.

However you want to litigate this on a message board, nobody working in
platform security or even malware defense thinks that way.

The difference between a persistence vector and a vulnerability is that you
can patch a vulnerability, but you can't patch "programmable page table".

------
tptacek
Backdoors from the 90s included actual purpose-built compilers. Whatever the
CIA is doing, a good bet is that it's clownshoes stuff.

(I'll leave this comment here, but it responded to the original editorialized
title of the story, which pointed out that this trojan had "its own
language".)

~~~
avenoir
Sub7 had an editor back in the day that would allow you to build a custom
client. I don't remember the technical nature of it. I believe it was just
packing configuration and the client into a single executable w/o recompiling,
but this is the kind of stuff teenage script kiddies were doing back in the
day with VBS and/or Delphi.

------
John23832
At this point I think Wikileaks is largely trash. Their agenda is blatantly
anti-US motivated.

This leak and the previous one are examples. The CIA is a spy organization.
Their job is to spy on foreign influencers. As such, they have spy tools...
Just like Russia, China, the UK, etc. etc. If the headline here mattered, it
would be, "Spy Agency has Spy Tool". There is no evidence _at all_ that this
stuff has been used domestically. But wikileaks buries that headline.

Wikileaks continues to push the agenda that these leaks correlate with the
legitimate PRISM leaks that we saw earlier. They push the narrative that these
tools are being used on Americans, should be ashamed, don't trust your
intelligence agencies etc. Fueling the populist anti-intellectual bs we have
going on in the world right now.

Don't get me wrong. The US government should be ashamed of PRISM and the
actions of the NSA, but Wikileaks should be ashamed of these leaks and the way
they're representing this information.

~~~
aargh_aargh
> There is no evidence at all that this stuff has been used domestically.

I read the article and they do not imply any connection to PRISM.

Anyway, why would you be fine with such tools being used on non-US targets?
Would you not be outraged if an equivalent tool was used on US targets by a
non-US government?

~~~
John23832
>I read the article and they do not imply any connection to PRISM.

These leaks attempt to piggyback off of the Snowden media frenzy.

> Anyway, why would you be fine with such tools being used on non-US targets?
> Would you not be outraged if an equivalent tool was used on US targets by a
> non-US government?

It is the duty of each government to look after the well being of its people
with the resources it has, up to and including spying. Spying has gone on
since the dawn of civilization. My opinion extends to foreign governments
attempting to spy on the US.

Does it help the human race as a whole? No, but that's a much bigger
philosophical debate.

~~~
jessaustin
The activities of CIA are not and have not ever been good for we "people" of
USA. Sometimes if one squints hard enough, it seems that perhaps they have
been _intended_ to be for our good, but usually that's not even the case.

~~~
John23832
Your opinions about the CIA's actions are just that. I have negative opinions
about the CIA's actions in many instances as well. Their possession of these
types of tools however, clearly falls within their official stated goal, the
standards we should judge them by.

~~~
jessaustin
It's interesting that 50-USC-46 doesn't seem to actually "officially state"
_any_ goal for the agency. That seems too glaring an oversight to be
unintentional, so your appeal to such standards seems unfounded. I suggest
that by _any_ reasonable standard, CIA should have been shuttered decades ago.
Even the tools seen here are indicted elsewhere in this thread by a
knowledgeable person as "clownshoes".

~~~
John23832
I don't have time to read the entire law regarding the CIA, so I'll take your
word on that, but from their website:

 _The function of the Central Intelligence Agency is to assist the Director of
the Central Intelligence Agency in carrying out the responsibilities outlined
above.

To accomplish its mission, the CIA engages in research, development, and
deployment of high-leverage technology for intelligence purposes. As a
separate agency, CIA serves as an independent source of analysis on topics of
concern and also works closely with the other organizations in the
Intelligence Community to ensure that the intelligence consumer—whether
Washington policymaker or battlefield commander—receives the best intelligence
possible._

Though I will agree with you that this is just a statement on their website,
not law.

>That seems too glaring an oversight to be unintentional, so your appeal to
such standards seems unfounded. I suggest that by any reasonable standard, CIA
should have been shuttered decades ago. Even the tools seen here are indicted
elsewhere in this thread by a knowledgeable person as "clownshoes".

Speculation and opinions are just that, speculations and opinions.

~~~
jessaustin
_Speculation and opinions are just that, speculations and opinions._

Hilarious! We're discussing CIA. The whole point is that they don't submit to
the scrutiny of their employers. "You don't know what we're doing, so we
_could_ be doing the right thing!"

