Registration was successful!
Please follow the link from the email sent to

Not Their Finest Work: CIA #Angelfire Windows Hacking Tool Was Riddled With Bugs

© REUTERS / Larry Downing/FilesThe lobby of the CIA Headquarters Building is pictured in Langley, Virginia, U.S.
The lobby of the CIA Headquarters Building is pictured in Langley, Virginia, U.S. - Sputnik International
WikiLeaks has published its latest instalment of documents in the Vault 7 series, containing information on Angelfire – a tool the US Central Intelligence Agency (CIA) employed to load and execute malware, targeting Microsoft Windows operating systems and computers. Its user manual suggests the application was riddled with issues.

According to the leaked user manual, Angelfire is comprised of five components; Solartime, malware that modifies a computer's boot sector in order to load Wolfcreek; Wolfcreek, a self-loading driver for loading other drivers and user-mode applications; Keystone, responsible for starting other implants (technical term for malware); BadMFS, a covert file system which stores all other components, and encrypts and hides them.

In essence, Angelfire is but another resource in the CIA's apparently vast hacking arsenal, aimed at Windows users.

However, there is much to suggest the tool is a sub-par effort — despite BadMFS' obfuscatory promise, and the manual's claim that Angelfire aims to provide a "robust environment" for users, its authors concede there are "some limitations" they should be aware of prior to use.

Internet users reading the international media project WikiLeaks. (File) - Sputnik International
WikiLeaks Publishes Info on CIA's Tool to Secretly Load Implants on Computers

A lengthy table listing issues then-known to the tool's development team follows.

Sloppy Work

The litany of bugs identified by developers suggests Angelfire could even fail at the first hurdle. Its initial compotnent, Solartime, does a heuristic check of an operating system at boot time to determine if it's possible to patch it — yet, it's possible this check will succeed, while the OS has changed in a manner that would cause a crash if patched.

"The heuristic algorithm is imperfect and can still have false positives. Solartime has a more restrictive setting that will only allow the patch to proceed if the OS has not changed. The downside is, if a new service pack or hotfix is applied, Solartime will not launch on bootup," the manual says.

​Furthermore, BadMFS cannot be installed if there is insufficient space on a drive, raising the prospect users could be alerted to the existence of the allegedly covert file with a standard system warning that it could not be copied. To remedy this prospective blunder, the manual suggests shrinking the file, to a minimum of two megabytes in size.

Other glitches could similarly notify users of the presence of malicious software installed — or in the process of being installed — on their computers.

For example, anti-virus and cybersecurity products could detect the presence of BadMFS by the existence of a file named "zf" — and users may see popup alerts if one of the Angelfire components crashed, which other issues suggest is a likely eventuality.

In addition, the Keystone component always disguises as a "C:\Windows\system32\svchost.exe" process, which would be inconsistent with the actual svchost.exe path on a system

​Other issues have no remedy — for instance, if Angelfire's container file is deleted, but Angelfire has not been uninstalled, it will continue to work on reboot until the disk clusters the container file occupies are overwritten by the computer's file system.

If this happens, the integrity check of the container file will fail, and Angelfire will allow the boot process to continue as normal — again allowing users to unthinkingly evade the tool's clutches.

In sum, Angelfire was evidently far from the CIA's best work — other tools in the intelligence agency's technological armory, documented in previous Vault 7 releases, appear to have been far more effective. 

We Have the Technology

  • CherryBlossom was a tool via which the agency sought to leverage common vulnerabilities in WiFi routers, sold by companies such as D-Link and Linksys. The techniques ranged from hacking network passwords to rewriting device firmware to remotely monitor traffic flowing across a target's network. The CIA's router-hacking approach began with a tool — "Claymore" — that scanned a network to identify devices, and then launched two exploiters — "Tomato" and "Surfside" — which stole WiFi devices' administrative passwords. 
  • HighRise was an Android application designed for Android mobile devices, which provided a redirector function for SMS messaging — in effect, allowing the CIA to intercept and redirect any text messages received by a particular device. 
  • Dumbo allowed for the identification, control and manipulation of webcams and computer microphones, on any computer running Microsoft Windows. CIA agents could record and monitor all audio/visual traffic from and to that resource, and delete or manipulate recordings to hide actual evidence of the intrusion operation.
  • DarkSeaSkies allowed agents to execute malicious code from an USB, CD, DVD, or portable hard drive, during a Mac's boot-up, even if the Mac's firmware is password-protected. 
To participate in the discussion
log in or register
Заголовок открываемого материала