
CIA 'Angelfire' covert Windows malware system - DeusExMachina
https://wikileaks.org/vault7/#Angelfire
======
tptacek
There are multiple companies in the industry where you could get interns to
build a project like this. Implantation (what we used to call "rootkit") tech
is more interesting than banking trojans from a technical perspective, and at
the very high end can reach the level of generating new research results ---
but this isn't that level.

People continue to be enthralled by low-on-the-food-chain software security
work. There are teenagers that have written stuff like this. It's sort of
embarrassing that the CIA commissioned this at all (if that's how it
happened), rather than pooling with NSA and getting a proper, reconfigurable,
deniable tool built.

(But then: leaks of NSA tooling in the last 2 years have demonstrated that
we've all been a bit generous regarding NSA's technical reputation, too).

Virtually everything that Wikileaks has published about the CIA has been like
this. To the extent that it damages national security, it does so by making
CIA look clownish. And yet, despite the extraordinarily low stakes of
publishing, Wikileaks is still milking a drip-drip from the original cache
they obtained of CIA warez. It's cynical, and speaks to a general contempt
they have of their audience.

~~~
dageshi
If you're the CIA/NSA, don't you want to use this kind of low-level stuff most
of the time because it blends in with the background malware? If it's
discovered, which it may almost certainly be at some point, there's little to
point at and say "this is malware created by a nation state" vs. "this is
malware made by a bored teenager".

Seems like a positive advantage?

~~~
e12e
Seems like the difference of assassination by hit-and-run/"robbery gone wrong"
vs. polonium. One screams "state actor", the other is almost entirely
deniable.

------
appleflaxen
Jesus Christ. The damage our own government has done to Microsoft is just
insane. If I was a shareholder I would be so pissed.

big companies go along with this behavior and collude with the government, but
if this has a big enough effect on the bottom line, then it will happen less.

~~~
binarray2000
You must see it in a broader context. I'll paraphrase you:

"Jesus Christ. The damage our own government has done to [Iraq, Syria, Libya,
North Korea, Vietnam, Serbia, Afghanistan...] is just insane. If I was a
[citizen of these countries] I would be so pissed."

At least, the shareholder has his life and his property (sans the missed
opportunity due to "the damage our own government has done to microsoft").

~~~
appleflaxen
I agree with you completely, but it seems irrelevant to this particular
conversation.

------
ethbro
Is the WikiLeaks site not responding to requests?

~~~
nfriedly
It loaded for me. Here's the text of the post:

---

Angelfire 31 August, 2017

Today, August 31st 2017, WikiLeaks publishes documents from the Angelfire
project of the CIA. Angelfire is an implant comprised of five components:
Solartime, Wolfcreek, Keystone (previously MagicWand), BadMFS, and the Windows
Transitory File system. Like previously published CIA projects (Grasshopper[1]
and AfterMidnight[2]) in the Vault7[3] series[4], it is a persistent framework
that can load and execute custom implants on target computers running the
Microsoft Windows operating system (XP or Win7).

Solartime modifies the partition boot sector so that when Windows loads boot
time device drivers, it also loads and executes the Wolfcreek implant, which,
once executed, can load and run other Angelfire implants. According to the
documents, the loading of additional implants creates memory leaks that can
possibly be detected on infected machines.

Keystone is part of the Wolfcreek implant and is responsible for starting
malicious user applications. Loaded implants never touch the file system, so
there is very little forensic evidence that the process was ever run. It
always disguises itself as "C:\Windows\system32\svchost.exe" and can thus be
detected in the Windows task manager if the operating system is installed on
another partition or in a different path.

BadMFS is a library that implements a covert file system that is created at
the end of the active partition (or in a file on disk in later versions). It
is used to store all drivers and implants that Wolfcreek will start. All files
are both encrypted and obfuscated to avoid string or PE header scanning. Some
versions of BadMFS can be detected because the reference to the covert file
system is stored in a file named "zf".

The Windows Transitory File system is the new method of installing AngelFire.
Rather than lay independent components on disk, the system allows an operator
to create transitory files for specific actions including installation, adding
files to AngelFire, removing files from AngelFire, etc. Transitory files are
added to the 'UserInstallApp'.

[1]:
[https://wikileaks.org/vault7/grasshopper/](https://wikileaks.org/vault7/grasshopper/)

[2]:
[https://wikileaks.org/vault7/#AfterMidnight](https://wikileaks.org/vault7/#AfterMidnight)

[3]: [https://wikileaks.org/ciav7p1/](https://wikileaks.org/ciav7p1/)

[4]: [https://wikileaks.org/vault7/#](https://wikileaks.org/vault7/#)

---

And here are the documents linked beside the post:

Angelfire 2.0 -- User Guide:
[https://wikileaks.org/vault7/document/Angelfire-2_0-UserGuid...](https://wikileaks.org/vault7/document/Angelfire-2_0-UserGuide/)

BadMFS -- Developer Guide:
[https://wikileaks.org/vault7/document/BadMFS_Developer_Guide...](https://wikileaks.org/vault7/document/BadMFS_Developer_Guide/)

Wolfcreek Docs -- Angelfire User Guide:
[https://wikileaks.org/vault7/document/Wolfcreek-Docs-Angelfi...](https://wikileaks.org/vault7/document/Wolfcreek-Docs-Angelfire_UserGuide/)

Wolfcreek Docs -- Angelfire Test Matrix:
[https://wikileaks.org/vault7/document/Wolfcreek-Docs-Angelfi...](https://wikileaks.org/vault7/document/Wolfcreek-Docs-Angelfire_test_matrix/)

Wolfcreek Docs -- Notes:
[https://wikileaks.org/vault7/document/Wolfcreek-Docs-Notes/](https://wikileaks.org/vault7/document/Wolfcreek-Docs-Notes/)
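
The quoted post says Solartime persists by modifying the partition boot sector. One practical way to watch for that is to baseline the first sector of the system volume (the volume boot record) and re-check it later. The script below is an added example written for this page; it is not code from the WikiLeaks post or from the Angelfire documents. The baseline file location, the 512-byte sector size and the use of SHA-256 are this example's own assumptions, and it must be run from an elevated PowerShell prompt because it opens the raw volume.

```powershell
# Added example: baseline and re-check the partition boot sector (VBR) of the
# system volume. Not from the WikiLeaks post or the Angelfire documents.
# Assumptions: 512-byte sectors, SHA-256 as the digest, and a baseline file
# under %ProgramData%. Must run elevated (raw volume access).

param(
    [string]$Volume = $env:SystemDrive,                     # e.g. "C:"
    [string]$BaselinePath = "$env:ProgramData\vbr-baseline.txt"
)

function Get-VolumeBootSector {
    param([string]$Volume, [int]$SectorSize = 512)
    # "\\.\C:" opens the raw volume; sector 0 of a volume is its boot sector.
    $stream = New-Object System.IO.FileStream -ArgumentList (
        "\\.\$Volume",
        [System.IO.FileMode]::Open,
        [System.IO.FileAccess]::Read,
        [System.IO.FileShare]::ReadWrite)
    try {
        $buf = New-Object byte[] $SectorSize
        $read = $stream.Read($buf, 0, $SectorSize)
        if ($read -ne $SectorSize) { throw "short read: $read bytes" }
        return $buf
    } finally {
        $stream.Dispose()
    }
}

function Get-BootSectorHash {
    param([byte[]]$Sector)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        return ([System.BitConverter]::ToString($sha.ComputeHash($Sector))) -replace '-', ''
    } finally {
        $sha.Dispose()
    }
}

$sector = Get-VolumeBootSector -Volume $Volume
$hash   = Get-BootSectorHash -Sector $sector

# A valid boot sector ends with the 0x55 0xAA signature. If it is missing we
# are not looking at what we expected (wrong device or a damaged sector).
if ($sector[510] -ne 0x55 -or $sector[511] -ne 0xAA) {
    Write-Warning "$Volume sector 0 lacks the 55 AA boot signature"
}

# The OEM ID at offset 3 is "NTFS    " on NTFS volumes; print it for context.
$oem = [System.Text.Encoding]::ASCII.GetString($sector, 3, 8)
"{0} OEM ID: '{1}'  SHA-256: {2}" -f $Volume, $oem, $hash

if (Test-Path $BaselinePath) {
    $baseline = (Get-Content $BaselinePath -Raw).Trim()
    if ($baseline -eq $hash) {
        "Boot sector matches baseline."
    } else {
        Write-Warning "Boot sector CHANGED since baseline ($baseline)."
    }
} else {
    Set-Content -Path $BaselinePath -Value $hash
    "No baseline found; recorded current hash to $BaselinePath"
}
```

Run it once on a known-clean machine to record the baseline and again whenever you want to re-check. A changed hash is not proof of a bootkit (a legitimate reformat or boot-code repair also changes it), but the VBR should otherwise be stable, so a change with no such event in the change history deserves a look at the sector contents. Keep the baseline somewhere an implant on the same machine cannot quietly rewrite it.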

~~~
mysterydip
> It always disguises as "C:\Windows\system32\svchost.exe"

If I ever meet the manager who decided bundling half the services in the OS
into svchost was a good idea, I'll give him a piece of my mind. I've lost more
hours to that (both cleaning malware and troubleshooting performance or
crashes) than anything else on Windows since the 9x days.

~~~
UnoriginalGuy
Seems like a kneejerk reaction.

The reason services are bundled into SVCHOST is that it offers reduced memory
footprint and lower startup costs, which is still significant on resource
constrained systems (which Windows Embedded still targets)[0].

If malware didn't copycat SVCHOST they would just copycat one of a dozen other
common Windows processes like conhost, dllhost, csrss, etc.

As an aside, in Task Manager if you go to the Details tab, Select Columns,
Command Line, you'll see exactly what each instance of SVCHOST is running.
Process Explorer gives you even more information than that.

Process Explorer allows you to turn on Digital Signature checking. Run it as
administrator. Select Columns -> Verified Signer. Options -> Verify Image
Signatures. But also check your CA store to make sure no custom CA has been
injected into the OS.

[0]
[https://blogs.msdn.microsoft.com/oldnewthing/20030918-00/?p=...](https://blogs.msdn.microsoft.com/oldnewthing/20030918-00/?p=42423)
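
The checks described above (command line per svchost instance, image signature) can be scripted rather than done by hand in Task Manager or Process Explorer. The script below is an added example written for this page, not code from the thread, from Microsoft or from the Angelfire documents. Win32_Process and Get-AuthenticodeSignature are standard; the heuristics it applies (the image must be %SystemRoot%\System32\svchost.exe, the parent must be services.exe, the command line must carry a -k service group, the signer subject must name Microsoft) are this example's assumptions and reflect normal Windows behaviour rather than a documented rule. Run it elevated so command lines of SYSTEM processes are visible.

```powershell
# Added example: triage running svchost.exe instances. Not from the thread
# or the Angelfire documents. Heuristics (expected path, parent services.exe,
# -k group, Microsoft signer) are assumptions. Run elevated.

$expected = Join-Path $env:SystemRoot 'System32\svchost.exe'

# Index every process by PID so we can name each svchost's parent.
$byPid = @{}
Get-CimInstance Win32_Process | ForEach-Object { $byPid[$_.ProcessId] = $_ }

$procs = Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'"

$findings = foreach ($p in $procs) {
    $path       = $p.ExecutablePath
    $parent     = $byPid[$p.ParentProcessId]
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }

    $sig = if ($path -and (Test-Path $path)) {
        Get-AuthenticodeSignature -FilePath $path
    } else { $null }

    $issues = @()
    if (-not $path) {
        $issues += 'no ExecutablePath (access denied or process gone)'
    } elseif ($path -ne $expected) {
        # Keystone is reported to pose as C:\Windows\system32\svchost.exe
        # regardless of where Windows is actually installed.
        $issues += "path '$path' is not '$expected'"
    }
    if ($sig -and $sig.Status -ne 'Valid') {
        $issues += "signature status $($sig.Status)"
    } elseif ($sig -and $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        $issues += "signer is '$($sig.SignerCertificate.Subject)'"
    }
    if ($p.CommandLine -notmatch '(?i)\s-k\s+\S+') {
        $issues += 'no -k service group on command line'
    }
    if ($parentName -ne 'services.exe') {
        $issues += "parent is $parentName (PID $($p.ParentProcessId)), expected services.exe"
    }

    [pscustomobject]@{
        PID         = $p.ProcessId
        Parent      = $parentName
        Path        = $path
        CommandLine = $p.CommandLine
        Suspicious  = ($issues.Count -gt 0)
        Issues      = ($issues -join '; ')
    }
}

$findings |
    Sort-Object Suspicious -Descending |
    Format-Table PID, Parent, Suspicious, Issues -AutoSize
```

Two caveats. The path check only catches a disguised process when the real svchost.exe lives elsewhere (different system drive or path), which is the same limitation the post notes for Task Manager; an implant that never appears as a process at all is invisible to this. And a signature that reports Valid is only as good as the machine's root store, which is why the comment above also says to review the CA store: a rogue root can make a foreign binary chain cleanly, so the signer-subject check is a second, weaker filter rather than proof. On Windows 7 with PowerShell 2.0 replace Get-CimInstance with Get-WmiObject; the property names are the same.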

~~~
mysterydip
Now that there are nice tools like Process Explorer, it's less of an issue.
Back in the day, you'd pull your hair out.

Even so, the original premise of performance doesn't hold water to me. I load
a process that has 10 services inside so I can use two of them, and that's
somehow reduced memory compared to just running the two, just in case I want
to run the other 8 later? Some of those services I have disabled and never
want to run. It's still taking up the memory.

~~~
ethbro
Still, if MS is going to do it, then the onus seems to be on them to surface
it in built-in tools.

------
etplayer
Can somebody please help me understand what this is? Is it software which
Microsoft has included in Windows maliciously for such exploitation, or is it
the fact that the CIA has identified a Windows exploit and taken advantage of
it?

Did Microsoft know that this problem existed, and continued to let it exist at
the CIA's request?

~~~
wepple
Neither. This was not written by Microsoft. This is not an exploit. Further,
you never "identify an exploit" - you identify a vulnerability, and the
exploit is what you build to take advantage of that vulnerability.

This is software that has been written by presumably the US govt to be installed
on a Windows machine to maintain control of it once they've compromised it.
Think "really advanced malware". It is supposed to be hard to detect and/or
remove, and allows long term access to that machine.

Edit: hopefully that helps clear things up. Also your line of questioning seems
to suspect Microsoft of colluding with the govt. Zero evidence of that.

~~~
wu-ikkyu
>Also your line of questioning seems to suspect Microsoft colluding with the
govt. zero evidence of that

Snowden leaks indicated otherwise

~~~
wepple
Everything I wrote is referring to this Wikileaks release. There is zero
evidence Microsoft colluded to help the CIA write this malware.

------
rbanffy
Had to update
[https://www.npmjs.com/package/nsaname](https://www.npmjs.com/package/nsaname)
again. It never stops...

~~~
equalunique
Why? Was one of the Angelfire names used on the NPM usage examples?

~~~
rbanffy
No. I added the new names.

------
ArchReaper
I wonder what political news story this is trying to take attention away
from...

~~~
dagenleg
I don't understand what you are implying here. Would you kindly tell us which
political news story are those pesky russian hackers at wikileaks trying to
cover up?

~~~
ArchReaper
Discussion from last:
[https://news.ycombinator.com/item?id=14920664](https://news.ycombinator.com/item?id=14920664)

~~~
dagenleg
What's the point of saying 'Wikileaks is trying to distract us from happenings
in Russia' when you are not even specifying the things we are supposedly being
distracted from?

If you are trying to proliferate the 'Wikileaks are Russian agents' mantra at
least back this up with some facts and observations. Don't simply link to the
circlejerk from previous thread - that's kind of lazy.

~~~
ArchReaper
>What's the point of saying 'Wikileaks is trying to distract us from
happenings in Russia' when you are not even specifying the things we are
supposedly being distracted from?

Am I required to have omniscient knowledge of the subject prior to commenting?
You asked me what I was referring to, and I answered your question.

It has been painfully clear, with almost every release in recent history, that
wikileaks uses releases as distractions to take the spotlight away from other
stories. That's why it's worth bringing this up on every post.

Just because wikileaks wants the story to be about the release, doesn't mean
that's where the real story is. I'm curious as to what the real story is. I do
not know the answer to that question, hence my initial comment.

------
hammock
WikiLeaks was taken down by hackers last night

~~~
sschueller
DNS was hijacked, that's it.

~~~
alexandercrohde
Except I believe people were still showing a successful HTTPS connection, were
they not?

