The logo of the CIA's Engineering Development Group (EDG), the home of the spy agency's malware and espionage tool developers. (credit: Central Intelligence Agency)

WikiLeaks has published what it says is another batch of secret hacking manuals belonging to the US Central Intelligence Agency as part of its Vault7 series of leaks. The site is billing Vault7 as the largest publication of intelligence documents ever.

Friday's installment includes 27 documents related to "Grasshopper," the codename for a set of software tools used to build customized malware for Windows-based computers. The Grasshopper framework provides building blocks that can be combined in unique ways to suit the requirements of a given surveillance or intelligence operation. The documents are likely to be of interest to potential CIA targets looking for signatures and other signs indicating their Windows systems were hacked. The leak will also prove useful to competing malware developers who want to learn new techniques and best practices.

"Grasshopper is a software tool used to build custom installers for target computers running Microsoft Windows operating system," one user guide explained. "An operator uses the Grasshopper builder to construct a custom installation executable." The guide continued:


Faveo CVE-2017-7571 Cross Site Request Forgery Vulnerability
ImageWorsener 'iwbmp_read_info_header()' Function Denial of Service Vulnerability
WebsiteBaker CVE-2017-7410 Multiple SQL Injection Vulnerabilities
ImageWorsener 'iwgif_record_pixel()' Function Denial of Service Vulnerability

Rensenware's warning screen asks for a high score, rather than the usual pay off, to decrypt your files.

At this point, Ars readers have heard countless tales of computer users being forced to pay significant sums to unlock files encrypted with malicious ransomware. So we were a bit surprised when word started to trickle out about a new bit of ransomware that doesn't ask for money. Instead, "Rensenware" forces players to get a high score in a difficult PC shoot-em-up to decrypt their files.

As Malware Hunter Team noted yesterday, users on systems infected with Rensenware are faced with the usual ransomware-style warning that "your precious data like documents, musics, pictures, and some kinda project files" have been "encrypted with highly strong encryption algorithm." The only way to break the encryption lock, according to the warning, is to "score 0.2 billion in LUNATIC level" on TH12 ~ Undefined Fantastic Object. That's easier said than done, as this gameplay video of the "bullet hell" style Japanese shooter shows.

Gameplay from TH12 ~ Undefined Fantastic Object on Lunatic difficulty. Players needed to get 200 million points to unlock the "Rensenware" malware.

As you may have guessed from the specifics here, the Rensenware bug was created more in the spirit of fun than maliciousness. After Rensenware was publicized on Twitter, its creator, who goes by Tvple Eraser on Twitter and often posts in Korean, released an apology for releasing what he admitted was "a kind of highly-fatal malware."


Tryton Trytond CVE-2017-0360 Incomplete Fix Information Disclosure Vulnerability
Nextcloud Server CVE-2017-0888 Content Spoofing Vulnerability
SEC Consult SA-20170407-0 :: Server-Side Request Forgery in MyBB forum
Trend Micro InterScan Web Security Virtual Appliance CVE-2017-6340 HTML Injection Vulnerability
LightDM CVE-2017-7358 Local Directory Traversal Vulnerability
HelpDEZK CVE-2017-7447 Cross Site Request Forgery Vulnerability
Ruby 'dl/handle.c' Security Bypass Vulnerability
Ruby 'initialize()' Function Heap Buffer Overflow Vulnerability

In a previous diary, I explained how pictures may affect your website reputation[1]. Although a suggested recommendation was to prevent cross-linking by using the HTTP referer, this is a control that I do not implement on my personal blog, purely for research purposes. And it successfully worked!

My website and all its components are constantly monitored but I'm also monitoring online services like pastebin.com to track references to

    <html lang="en-US">
    <head>
    <title>Indonesian-Defacer</title>
    <link rel="icon" type="image/x-icon" href="https://blog.rootshell.be/wp-content/uploads/2012/02/blackhat-nl.png">
    <meta property="og:title" content="nginxDEX">
    <meta property="description" content="Jemb4t">
    <meta property="og:author" content="Jemb4t">
    <meta property="og:image" content="http://i.imgur.com/F2KaExC.jpg">
    <meta charset="UTF-8">
    </head>
    <script type="text/javascript"

As you can see, a group of website defacers (MagelangN00bs[3]) is using a direct link to an image on my blog as a favicon[4] file. I think that they used my image because it looks like the Indonesian flag with a black hat.

Well, nothing fancy, just a logo, some nasty music... Let

And what about the targets? After cleaning the referers (Google being, of course, the top one), 90 websites were reported as defaced. Some examples:

  • hxxp://www.dias.net.in (restored)
  • hxxp://unitedyouthmission.com/ (still defaced)
  • hxxp://learnwellme.com/ (restored)
  • hxxp://www.mekallifestyle.in/ (still defaced)
  • hxxp://politicalvartha.com/ (restored)
  • hxxp://www.fundookids.in/ (restored)

The group is still active and new websites are defaced almost every day. Once again, this is a good example of the power of HTTP referers.
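As an added example (not part of the original diary and not the author's own tooling), here is a small Python script that applies the same idea to a web server access log in the common "combined" format: it keeps only successful hits on the hotlinked image, extracts the host from the Referer header, drops our own hosts and well-known search engines, and counts what remains per referring host. The log lines, the image path, the list of own hosts and the list of ignored search-engine domains are all constructed for this example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample access-log lines (Apache/nginx "combined" format) for a
# hotlinked image. These are invented for the example, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Apr/2017:10:01:12 +0200] "GET /wp-content/uploads/2012/02/blackhat-nl.png HTTP/1.1" 200 5120 "http://www.example-defaced.in/" "Mozilla/5.0"
203.0.113.8 - - [07/Apr/2017:10:02:40 +0200] "GET /wp-content/uploads/2012/02/blackhat-nl.png HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0"
203.0.113.9 - - [07/Apr/2017:10:03:05 +0200] "GET /wp-content/uploads/2012/02/blackhat-nl.png HTTP/1.1" 200 5120 "https://blog.rootshell.be/2017/04/some-post/" "Mozilla/5.0"
203.0.113.10 - - [07/Apr/2017:10:04:11 +0200] "GET /wp-content/uploads/2012/02/blackhat-nl.png HTTP/1.1" 200 5120 "http://www.example-defaced.in/index.html" "Mozilla/5.0"
203.0.113.11 - - [07/Apr/2017:10:05:30 +0200] "GET /wp-content/uploads/2012/02/blackhat-nl.png HTTP/1.1" 200 5120 "-" "curl/7.52"
203.0.113.12 - - [07/Apr/2017:10:06:02 +0200] "GET /wp-content/uploads/2012/02/blackhat-nl.png HTTP/1.1" 200 5120 "http://another-victim.example.org/" "Mozilla/5.0"
203.0.113.13 - - [07/Apr/2017:10:07:44 +0200] "GET /index.php HTTP/1.1" 200 8000 "http://another-victim.example.org/" "Mozilla/5.0"
"""

# Combined log format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The hotlinked file, as seen in the defacement page's <link rel="icon"> above.
HOTLINKED_PATH = "/wp-content/uploads/2012/02/blackhat-nl.png"
# Assumed list of our own hostnames; hits from these are normal page loads.
OWN_HOSTS = {"blog.rootshell.be", "www.rootshell.be"}
# Assumed list of referer domains to ignore (search engines, image search).
IGNORED_SUFFIXES = ("google.com", "bing.com", "duckduckgo.com")


def referer_host(referer: str):
    """Return the lower-cased host of a Referer value, or None if absent or unparsable."""
    if not referer or referer == "-":
        return None
    host = urlsplit(referer).hostname
    return host.lower() if host else None


def is_ignored(host: str) -> bool:
    """True for our own hosts and for the ignored search-engine domains (and their subdomains)."""
    if host in OWN_HOSTS:
        return True
    return any(host == s or host.endswith("." + s) for s in IGNORED_SUFFIXES)


def hotlinking_referers(log_text: str, path: str = HOTLINKED_PATH) -> Counter:
    """Count successful hits on `path` per third-party referring host."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # truncated line or a different log format: skip it
        if m["path"] != path or m["status"] != "200":
            continue  # only the hotlinked image, only when it was actually served
        host = referer_host(m["referer"])
        if host is None or is_ignored(host):
            continue  # no referer, our own pages, or a search engine
        counts[host] += 1
    return counts


if __name__ == "__main__":
    # Print the candidate defaced pages, most active first, defanged like the list above.
    for host, hits in hotlinking_referers(SAMPLE_LOG).most_common():
        print(f"{hits:5d}  hxxp://{host}/")
```

Feed it a real combined-format log instead of SAMPLE_LOG and the remaining hosts are the pages to check by hand. The Referer header is entirely client-controlled and browsers may strip it, so the list is a lead, not proof, and a defacer who fetches the image with no referer stays invisible to this method. If the goal is to block hotlinking rather than observe it, nginx's valid_referers directive together with the $invalid_referer variable can return a 403 for third-party pages, which is exactly the control the diary deliberately leaves off.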


Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
