WikiLeaks has released information about Dumbo, a CIA tool that enables the organisation to compromise the webcams and microphones of targets' Windows PCs. However, the malware requires physical access to the PC in order to surreptitiously set it up without the target being alerted.
The tools have been used by the CIA's Physical Access Group (PAG), a branch within the Centre for Cyber Intelligence (CCI).
"Dumbo can identify, control and manipulate monitoring and detection systems on a target computer running the Microsoft Windows operating system. It identifies installed devices like webcams and microphones, either locally or connected by wireless (Bluetooth, WiFi) or wired networks," claims WikiLeaks.
It continues: "All processes related to the detected devices (usually recording, monitoring or detection of video/audio/network streams) are also identified and can be stopped by the operator. By deleting or manipulating recordings the operator is aided in creating fake or destroying actual evidence of the intrusion operation.
"Dumbo is run by the field agent directly from a USB stick; it requires administrator privileges to perform its task. It supports 32-bit Windows XP, Windows Vista, and newer versions of the Windows operating system. [However] 64-bit Windows XP, or Windows versions prior to XP are not supported."
It's not known what role the malware has played in CIA investigations, and whether evidence gleaned from the tool has been used in court.
In addition to the brief explanation, WikiLeaks has also published a series of Dumbo user guides, as well as the field guide. A CIA presentation (PDF) dated June 2012 has also been published.
"Dumbo is designed as a PAG [physical access group] entry-operation utility that targets webcams and other monitoring software. PAG requests this capability to deter home security systems that may identify officers or prevent operations," the presentation explains.
It continues: "Dumbo is designed to be configured with a set of processes, installed and run from a thumb drive [USB stick] and exits upon removal of the drive."
Dumbo, it continues, "will immediately terminate all configured processes, and disable all NICs [network interface cards] for the duration of the operation… On removal of the drive running Dumbo, all NICs will restart and terminated processes will be able to restart".
The tool is configurable from the command line, dropping output files directly to the USB stick. However, any program not on the 'termination list' can start up the webcam and record while the USB stick is plugged in, "however, no data will be exfiltrated [by the webcam] since the NIC will be disabled".
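The behaviour the presentation describes (a removable drive appears, configured monitoring processes are killed, every NIC is disabled, and both come back when the drive is pulled) is a pattern a defender can correlate in endpoint telemetry. The script below is an added example, not code from the article or the leaked documents; the event records, their field names, the process list and the adapter inventory are all constructed for illustration.

```python
"""Added example: correlate a removable-drive insertion with monitoring
processes being terminated and all NICs being disabled shortly afterwards.
Event records and field names are constructed; this is not a real Windows
log format, and MONITOR_PROCS / ALL_NICS are assumed defender-maintained lists."""
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime
    kind: str      # "usb_inserted", "process_terminated", "nic_disabled", "usb_removed"
    detail: str    # drive letter, process image name or adapter name

# Processes whose termination matters here (assumption: a defender's own list;
# the article only says "recording, monitoring or detection" processes).
MONITOR_PROCS = {"webcam.exe", "securitycam.exe", "nvr.exe"}
ALL_NICS = {"Ethernet", "Wi-Fi"}   # constructed inventory of the host's adapters

def detect(events, window=timedelta(minutes=5)):
    """Return timestamps of USB insertions after which, within `window`, at
    least one monitoring process was killed AND every known NIC was disabled.
    Either signal alone is common admin activity; together they match Dumbo."""
    hits = []
    for anchor in (e for e in events if e.kind == "usb_inserted"):
        killed, disabled = set(), set()
        for e in events:
            if anchor.ts <= e.ts <= anchor.ts + window:
                if e.kind == "process_terminated" and e.detail.lower() in MONITOR_PROCS:
                    killed.add(e.detail.lower())
                elif e.kind == "nic_disabled":
                    disabled.add(e.detail)
        if killed and disabled >= ALL_NICS:
            hits.append(anchor.ts)
    return hits

# Constructed sample timeline: one matching sequence, then a benign insertion.
T0 = datetime(2017, 8, 3, 10, 0, 0)
SAMPLE = [
    Event(T0, "usb_inserted", "E:"),
    Event(T0 + timedelta(seconds=5), "process_terminated", "webcam.exe"),
    Event(T0 + timedelta(seconds=6), "nic_disabled", "Ethernet"),
    Event(T0 + timedelta(seconds=6), "nic_disabled", "Wi-Fi"),
    Event(T0 + timedelta(minutes=30), "usb_removed", "E:"),
    Event(T0 + timedelta(hours=2), "usb_inserted", "F:"),   # nothing follows it
]

if __name__ == "__main__":
    print(detect(SAMPLE))   # → [datetime.datetime(2017, 8, 3, 10, 0)]
```

Because the article notes that only the NIC disablement blocks exfiltration, the rule requires every inventoried adapter to be disabled rather than any one of them.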
The exposure of Dumbo is just the latest in a series of embarrassing leaks that reveal the depth and extent of US security and law-enforcement agencies' hacking tools.
Indeed, the WannaCry ransomware and NotPetya malware released in May and June respectively deployed leaked US National Security Agency exploits that took advantage of what were then unpatched security flaws to propagate.
An analysis of the NotPetya ransomware, though, indicated that the exploit had been incorporated into the malware before it had been made publicly available, raising questions over the provenance of NotPetya and who, or what groups, might have been behind it.