The CIA Allegedly 'Borrows' Code From Public Malware Samples

We all do it.

Whether they admit it or not, everyone has probably borrowed a little bit of code for their own project at some point. It may turn out that the Central Intelligence Agency isn't any different.

On Tuesday, WikiLeaks published a large cache of files allegedly related to CIA and other intelligence agency hacking techniques. One document in that cache describes how the CIA supposedly lifts snippets from publicly available malware samples to reuse in its own custom tooling.


"The UMBRAGE team maintains a library of application development techniques borrowed from in-the-wild malware," the document reads.

"The goal of this repository is to provide functional code snippets that can be rapidly combined into custom solutions," it continues. The document adds that the aim is to focus on developing smaller, more targeted solutions rather than large, general-purpose ones.

The file is divided into several areas, each listing malware that can accomplish a particular task. "Data Destruction Components" includes a reference to Shamoon, a piece of malware that wipes hard drives clean. (In December, Motherboard reported, based on a leaked document, that the US Defense Security Service, a department that helps with information security issues, had warned contractors to keep an eye out for this attack after a recent increase in infections.)

Elsewhere in the file, the CIA allegedly points to the well-known DarkComet remote access trojan for activating webcams. DarkComet dates back to 2008 and has been publicly available. Its creator discontinued the software after DarkComet was used by the Syrian government.

In another document, the CIA allegedly talks about combing through the 400 GB dump of Hacking Team internal emails and source code, "in the interest of learning from and leveraging existing work."

Many of the malware entries link to other alleged CIA documents that lay out what the agency thought of the component and give a high-level description of what it has been used for.

"This method is quite obvious and trivial to implement, since it involves using a signed driver to perform raw disk access. The biggest issue/limitation is that it requires the installation of a driver on the target system," the file reads, concerning the "Issues/Limitations" of a Shamoon component.

However, the CIA may not have taken code from every sample it catalogued. A column in the file labeled "Component Reuse" reads "None" for some of the pieces of malware, suggesting those entries were studied but not copied.

Whether it's surveillance vendors deploying code from consumer spyware developers, or the CIA allegedly using snippets from public samples, it looks like "borrowing" is all part of the malware game.