How to Hijack MS Windows with Russian Software




The latest Wikileaks release contains GRASSHOPPER and what an unusual bug it is. The CIA motto for Grasshopper is "Look before you leap" taken from an old fable warning children to watch where they go and what they say.

"Grasshopper is a software tool used to build custom installers for target computers running Microsoft Windows operating systems," states the CIA user’s guide.

The best way to describe Grasshopper is that it's a delivery system designed to implant and enable "payload" programs and features built by the CIA. Think of Grasshopper as the B-2 Stealth bomber of malware. Grasshopper really doesn't do anything but carry a payload and deliver it on target.

The payload, by the way, can be anything from "deliver the pizza" - better known as surveillance and spyware tools such as key loggers or disk data dumps - all the way to a real offensive software tool designed to destroy anything controlled by the Windows computer and perhaps even kill someone.

One of the most interesting components of Grasshopper is "Stolen Goods". It is true irony indeed that the name matches what the program really is... "Stolen Goods". According to the CIA's own description, Stolen Goods is built on pieces of a Russian criminal rootkit:

"Stolen Goods 2.1 (SG2) is a persistence module for Grasshopper and Shellterm based on components from 3rd party malware. The components were taken from malware known as Carberp, a suspected Russian rootkit used by organized crime. The source of Carberp was published online, and has allowed AED\RDB to easily 'borrow' components as needed from the malware. Most of Carberp was not used in Stolen Goods 2, specifically all the Bot net/Communications components. The persistence method, and parts of the installer, were taken and modified to fit our needs. All components taken from Carberp were carefully analyzed for hidden functionality, backdoors, vulnerabilities, etc. A vast majority of the original Carberp code that was used has been heavily modified. Very few pieces of the original code exist unmodified."

One thing is very clear in 2017; information warfare is a shared concept. The design of Stolen Goods reflects the world of hacking right now in that it is composed of components both home-grown and imported from abroad. This mixture of tools designed and built all over the globe makes computer defense that much harder and clean attribution nearly impossible.

The CIA is admitting in its own documentation to using Carberp, a Russian crimeware rootkit used by organized crime whose source code was published online. It is not unlikely that, using known Russian-made tools, run through Russian internet addresses by operators fluent in Russian, one could easily make a cyber-attack appear as if it came from Moscow.

Stolen Goods is designed to hide on a Windows system, allowing it to install payload programs and keep them in place. The CIA documentation states that it hides "the disk sectors where the payload data is written" from "inspection with tools such as WinHex."

Stolen Goods' masking technique makes the disk sectors where it is installed "appear as 0's." The infected code will also be 'hidden' from anti-virus and scanning tools. In fact, the CIA noted that Stolen Goods was so adept at hiding inside the Windows system that it cannot detect itself. The practical lesson for anyone responding to a compromise is that a tool run on the live system is looking through the rootkit's own filter; sector contents should be checked from a clean boot or an offline image of the disk.

"This, unfortunately, means that the SG2 installer cannot detect a previous install of SG2 (Stolen Goods 2.0)," stated the CIA user's guide.

Grasshopper, according to the CIA documents, does not mask itself or the payload with encryption. Instead, it uses a variety of "obfuscation techniques" to hide itself and the payload from anti-virus scanners. One documented method is the "reorder" technique: the payload is split into ordered blocks which are then written to disk out of sequence, so that the file on disk looks harmless. Anti-virus software inspecting the file sees no contiguous run of bytes that matches a malware signature and ignores the data.

The other method is the XOR technique, which applies a bitwise exclusive-or with a key to every byte in order to mask the binary's format. XOR masking, however, is a well-known trick used by plenty of malware to hide itself. The CIA documents themselves note that most anti-virus programs treat large blocks of XOR-encoded data with a great deal of suspicion, and they recommend against using this technique.
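To make the reorder and XOR points concrete, here is an added PowerShell example. It is not code from the Grasshopper documents, the function names are mine, and the 16-byte block size, the reversed block order and the key 0xA5 are assumptions (the CIA's actual on-disk layout is not described on this page). It obfuscates a constructed fake payload both ways, shows that a naive byte-signature scan misses both obfuscated forms, and then recovers the XOR key with the one-line frequency trick that explains why scanners distrust XOR blobs.

```powershell
# Added example, not code from the Grasshopper documents: toy "reorder" and
# single-byte XOR obfuscation, a naive signature scan, and XOR key recovery.
# Assumptions: 16-byte blocks, a reversed block order, key 0xA5.

# Constructed sample payload: a fake signature string inside the zero padding
# typical of an executable's sections (160 bytes = 10 blocks of 16).
$signature = [Text.Encoding]::ASCII.GetBytes('EVIL-PAYLOAD-MARKER')
$payload   = [byte[]]((@(0) * 64) + $signature + (@(0) * 77))

# Naive byte-signature scanner: returns the offset of the first match, or -1.
function Find-Bytes {
    param([byte[]]$Haystack, [byte[]]$Needle)
    for ($i = 0; $i -le $Haystack.Length - $Needle.Length; $i++) {
        $hit = $true
        for ($j = 0; $j -lt $Needle.Length; $j++) {
            if ($Haystack[$i + $j] -ne $Needle[$j]) { $hit = $false; break }
        }
        if ($hit) { return $i }
    }
    return -1
}

# Reorder: cut the payload into fixed blocks and store them in a permuted
# order. Whoever loads it must know the permutation to put them back.
function Invoke-Reorder {
    param([byte[]]$Data, [int]$BlockSize, [int[]]$Order)
    $out = New-Object byte[] $Data.Length
    for ($i = 0; $i -lt $Order.Count; $i++) {
        [Array]::Copy($Data, $Order[$i] * $BlockSize, $out, $i * $BlockSize, $BlockSize)
    }
    return ,$out
}

# Inverse of Invoke-Reorder: stored block i goes back to slot Order[i].
function Restore-Order {
    param([byte[]]$Data, [int]$BlockSize, [int[]]$Order)
    $out = New-Object byte[] $Data.Length
    for ($i = 0; $i -lt $Order.Count; $i++) {
        [Array]::Copy($Data, $i * $BlockSize, $out, $Order[$i] * $BlockSize, $BlockSize)
    }
    return ,$out
}

# XOR mask with a constant key; applying it twice restores the data.
function Invoke-XorMask {
    param([byte[]]$Data, [byte]$Key)
    $out = New-Object byte[] $Data.Length
    for ($i = 0; $i -lt $Data.Length; $i++) { $out[$i] = $Data[$i] -bxor $Key }
    return ,$out
}

# Why scanners distrust XOR blobs: with a constant key the most frequent
# ciphertext byte is almost always (key XOR 0x00), because 0x00 dominates
# real executables. A single statistic recovers the key.
function Get-LikelyXorKey {
    param([byte[]]$Data)
    $top = $Data | Group-Object | Sort-Object Count -Descending | Select-Object -First 1
    return [byte]$top.Name
}

$order     = [int[]](9..0)          # assumed permutation: plain reversal
$reordered = Invoke-Reorder $payload 16 $order
$masked    = Invoke-XorMask $payload 0xA5

"signature in original           : offset $(Find-Bytes $payload $signature)"
"signature after reorder         : offset $(Find-Bytes $reordered $signature)"
"signature after XOR             : offset $(Find-Bytes $masked $signature)"

$key      = Get-LikelyXorKey $masked
$unmasked = Invoke-XorMask $masked $key
"recovered key 0x{0:X2}, signature after unmasking: offset {1}" -f $key, (Find-Bytes $unmasked $signature)
"signature after restoring order : offset $(Find-Bytes (Restore-Order $reordered 16 $order) $signature)"
```

Run it in any PowerShell session; nothing touches the disk. Two caveats are worth noticing. Reorder only defeats a signature that straddles a block boundary, so a short signature that fits inside one block still matches, which is why block size matters to whoever designs the layout. And the key recovery works precisely because 0x00 dominates real executables: a constant-key XOR preserves the byte-frequency shape of the original, and that statistical fingerprint is what anti-virus heuristics pick up on, which is the reason the CIA documents warn their own operators away from it.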

Now for the 500-pound gorilla that Grasshopper reveals: it can use the normal Microsoft Windows Update service to keep itself alive and launch its payload. I am sure the boys at Redmond, Washington and Bill Gates will not be happy to learn that the Windows updater, which every Microsoft customer relies on to keep their systems patched and free of malware, is now a tool for the CIA to keep malware running. Even downloading Windows 10 via your update process is now a questionable action, considering the CIA hijack design.

"Whenever the system starts and every 22 hours thereafter, the Windows Update Service loads a series of DLLs specified by a list in the registry. When the WUPS stub is loaded and executed by Windows Update, it will start the payload executable with SYSTEM privileges and spawn a process to maintain its place in the list of Windows Update DLLs. Windows Update continues this same behavior whether or not updates have been disabled by the user," notes the CIA documentation.

Of course, Grasshopper can infect and persist on systems using a variety of techniques beyond the Windows Update service alone. It can hook the Windows Network manager or trigger on the start of various services to invoke itself and load more payload software or updates. To stay hidden from users, Grasshopper will even take over a service that is not actively running, masquerading as common software by taking that service's name, thread and appearance on your system. This lets Grasshopper look like just another normal program when you open your system monitor.
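The practical question for a defender is how you would notice a WUPS-style stub or a hijacked idle service on a box you own. The page does not name the registry list Windows Update reads, so the added hunt script below (my own code, not from the Vault 7 documents; the function names are mine) checks the two places such a stub has to surface regardless: the DLLs actually loaded into the svchost process hosting wuauserv, and the ServiceDll of every svchost-hosted service, flagging anything outside System32 or not carrying a valid Microsoft signature. It assumes an elevated 64-bit PowerShell on Windows 7 or later and the standard Services registry layout.

```powershell
# Added hunt script (not from the Vault 7 documents). Flags DLLs in the
# Windows Update service process and ServiceDll entries that are not
# Microsoft-signed or live outside System32. Assumes an elevated 64-bit
# PowerShell on Windows 7+ and the standard HKLM\SYSTEM\...\Services layout.

$ErrorActionPreference = 'SilentlyContinue'

# A file is "trusted" here only if Authenticode validates and the signer
# subject names Microsoft. Everything else is worth a second look.
function Test-MicrosoftSigned {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    return ($sig.Status -eq 'Valid' -and
            $sig.SignerCertificate.Subject -like '*Microsoft*')
}

# 1. What is really loaded in the svchost instance hosting wuauserv. A stub
#    started by Windows Update ends up as a module in this process.
function Get-SuspiciousWuModules {
    $svc = Get-CimInstance Win32_Service -Filter "Name='wuauserv'"
    if (-not $svc -or $svc.ProcessId -eq 0) { return }   # service not running
    $proc = Get-Process -Id $svc.ProcessId
    foreach ($m in $proc.Modules) {
        if (-not (Test-MicrosoftSigned $m.FileName)) {
            [pscustomobject]@{ Check = 'wuauserv loaded module'; Service = 'wuauserv'; Path = $m.FileName }
        }
    }
}

# 2. ServiceDll for every svchost-hosted service. A service that was "taken
#    over" while idle shows up as a ServiceDll pointing somewhere odd or at
#    an unsigned file, even though its name and description look normal.
function Get-SuspiciousServiceDlls {
    $sys32 = [Environment]::GetFolderPath('System')
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $p = Get-ItemProperty -Path "$($_.PSPath)\Parameters"
        if (-not $p -or -not $p.ServiceDll) { return }   # not svchost-hosted
        $dll = [Environment]::ExpandEnvironmentVariables($p.ServiceDll)
        $outsideSys32 = -not $dll.StartsWith($sys32, [StringComparison]::OrdinalIgnoreCase)
        if ($outsideSys32 -or -not (Test-MicrosoftSigned $dll)) {
            [pscustomobject]@{ Check = 'ServiceDll'; Service = $_.PSChildName; Path = $dll }
        }
    }
}

@(Get-SuspiciousWuModules) + @(Get-SuspiciousServiceDlls) | Format-Table -AutoSize
```

Treat the output as a triage list, not a verdict. On Windows 7 many system files are catalog-signed rather than carrying an embedded signature, so Get-AuthenticodeSignature can report them as NotSigned and you will see noise; on Windows 8 and later the cmdlet consults the catalogs and the list is much shorter. Anything in a user-writable directory, or a ServiceDll that has changed since your last baseline, is the entry to pull for analysis. And remember the Stolen Goods lesson above: a persistence module that filters disk reads can lie to this script too, so confirm a hit from an offline image.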

It is clear that the CIA has not been a lazy Grasshopper but a very determined and busy ant, slogging along with additional tools such as "Rabbit Stew", a diagnostic program designed to check that an installation of Grasshopper is correct; "Cricket", a tool that appears to be much like Grasshopper but tailored more toward simple surveillance than payload delivery; and Buffalo/Bamboo for Microsoft service hijacking.

We must thank the ants at Langley. They have given every Windows user reason to be suspicious of Microsoft updates. This also does not bode well for Windows 10, even though the documents note that Grasshopper is designed for XP, Windows 7 and Windows 8. Windows 10 may be more exposed because the new operating system ships with a whole new and intrusive set of monitoring and data-downloading tools. Those update and telemetry processes provide fertile ground for the CIA to piggy-back new versions of Grasshopper, with monitoring or "payload" malware hidden deep inside the normal privacy invasion sponsored by Mr. Gates and Company.

Still, the fact that Grasshopper can target the elderly Windows XP systems with "fire and forget" payloads is disturbing enough. The British Royal Navy has been reported to run Windows XP on the systems controlling the nuclear weapons aboard its ballistic missile submarines. That alone should give one pause and bring to mind the Grasshopper's mother, who warned:

"If you don't look before you leap... You'll get yourself in trouble."




[Figures from the source page, captions only: "Grasshopper built with Python"; "Buffalo and Bamboo"; "System Presence: hidden between entries or in free space, XOR hidden, payload encryption"; "Grasshopper is so good it hides from itself: stealth and reinstall"; "Embedding in MS boot: Russian code and Jedi Mind Tricks"; "How to hide the Grasshopper"; "Hijacking Windows Update for Grasshopper"]