Enlarge / A screenshot of foreign language samples used by a CIA tool to hide the nation of origin of CIA code implants, leaked on Friday by WikiLeaks.

Up until this week, WikiLeaks' "Vault 7" releases of files from a Central Intelligence Agency software development server have largely consisted of documentation for the various malware projects the CIA's Engineering Development Group created to aid the agency's mission. But on Friday afternoon, WikiLeaks began actually releasing portions of the CIA's development library. And while the release contains no malware, it's potentially the most damaging information released so far in that it could undermine ongoing CIA operations.

The release was of a repository of code for the CIA EDG's obfuscation tools called Marble. The tools were used to conceal the signature of the implants developed by CIA from malware scans, to make it more difficult to reverse-engineer them if they were detected, and to figure out where the malware came from. University of California at Berkeley computer security researcher Nicholas Weaver told the Washington Post's Ellen Nakashima, "This appears to be one of the most technically damaging leaks ever done by WikiLeaks, as it seems designed to directly disrupt ongoing CIA operations.”

There's nothing particularly magical about the CIA's tools, other than that they were developed and tested by a professional team and the code itself is extremely well-documented. Implant code for Windows systems was obfuscated with a tool called Marbler, a C++ application that obscures text strings and binary objects within implants in a number of ways. Those methods include "scrambling" binary content using a number of bit-shifting techniques, and inserting snippets of foreign languages(such as Chinese or Farsi) with a feature called "WARBL." The characters in the sets included with the code appear to be mostly gibberish placeholder text (even including "Lorem ipsum" in Western characters in some cases), so they were either meant to be substituted in small chunks for strings that would give away that the code was written in the US or were supposed to be replaced with custom text before building for a specific project.

Read 1 remaining paragraphs | Comments

Internet Storm Center Infocon Status