Only Kaspersky Anti-Virus blocks the CIA utility

The WikiLeaks site has published a new set of CIA documents from the Vault 7 collection. This time the declassified item is a hacking tool called Dumbo, which is intended to interfere with the operation of cameras and microphones on a computer running Microsoft Windows. The tool works with devices built into the PC as well as with wireless (Bluetooth, Wi-Fi) or cable-connected ones. It can suspend their operation or delete their recordings.

Dumbo is an auxiliary program for the work of the CIA unit called PAG (Physical Access Group). This unit handles physical intrusions, hacking and other operations that require physical access to equipment: for example, installing listening devices in an apartment or office, or bugs in a computer, TV, telephones and so on. PAG is a special division of the Center for Cyber Intelligence.

Dumbo helps to hide the fact of a physical intrusion, that is, to cover up tracks. In general, there is nothing spectacular about this program. It requires physical access to the computer in order to work.

To be honest, this is a very specialized tool for a specific application in intelligence-service operations. Even if WikiLeaks put the binaries, drivers and other program files into open access, hardly anyone would find a practical use for them. In this regard, the user's manual of July 6, 2015 notes that the need for such a tool was formulated by the intelligence community (which includes representatives of the NSA, the CIA, the FBI and other organizations) and is documented under 2015-OPS0001013. The goal is to suspend the operation of webcams and remove video recordings that could compromise the work of PAG agents. Well, since it was needed, qualified programmers produced this unpretentious piece of "software" at the bosses' request.

The program runs on the victim's computer from a USB flash drive with SYSTEM privileges. The main executable of Dumbo 3.0 is called GUI.exe; it is accompanied by:

  • the driver scanner.sys for 32-bit Windows XP;
  • the executable wscupd.exe, which produces a blue screen on computers running 32-bit Windows;
  • the executable wermgr.exe, which produces a blue screen on computers running 64-bit Windows.

The tool works on 32-bit Windows XP, Windows Vista and newer versions of Windows. 64-bit Windows XP and versions of Windows older than XP are not supported.

The interface of the program is perfectly simple. The CIA agent inserts the flash drive, starts cmd.exe and runs GUI.exe, adding the -n switch if necessary (it tells the tool not to automatically disable the network adapter and Bluetooth on the computer). The program loads and then displays four options:

  • System Information
  • Network
  • Camera and microphone
  • Exit options

The first is self-explanatory: it shows information about the system.

The "Network" section displays a list of network adapters, the initial status of each adapter (before Dumbo took hold of processes in the system), its current status, and incoming and outgoing traffic. From here, the agent can disable adapters or reset them to their original state.

The main tab, "Camera and Microphone", contains the core functionality of the program. From here, the agent gets process-management options for the processes running on the computer and a table of files that are open for writing (with their statuses).

Accordingly, the agent can suspend, resume or terminate a process. Files can be handled in two ways: corrupted (overwritten with random data) or corrupted and deleted (overwritten with random data and then erased).

The exit options are either a timer (after which the system returns to its normal state) or a blue screen. The assumption is that the victim will return to the computer, see the blue screen, and not be surprised that the surveillance system, webcam and microphone recorded nothing of what happened in his absence.
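The two side effects described above, suspended processes and disabled network adapters, are the kind of thing an administrator can check for after an unexplained crash. The following PowerShell snippet is an added example written for this page; it is not part of the Dumbo documentation or the WikiLeaks release. It assumes Windows PowerShell 5.1 or later, the NetAdapter module (Windows 8 / Server 2012 and newer) for Get-NetAdapter, and an elevated session so that thread information for every process is readable.

```powershell
# Added example (not from the Dumbo documentation or the article): a defender-side
# check for two of the effects the article describes, namely recording-related
# processes left in a suspended state and network adapters that were disabled.
# Assumes Windows PowerShell 5.1+, the NetAdapter module, and an elevated session.

# A process is fully suspended when every thread it owns is in the Wait state
# with wait reason Suspended. WaitReason is only valid while ThreadState is Wait,
# so the state is checked first to avoid an InvalidOperationException.
function Get-SuspendedProcess {
    Get-Process | Where-Object {
        $threads = $_.Threads
        $running = $threads | Where-Object {
            -not ($_.ThreadState -eq 'Wait' -and $_.WaitReason -eq 'Suspended')
        }
        $threads.Count -gt 0 -and @($running).Count -eq 0
    }
}

# Adapters whose Status is 'Disabled' have been administratively turned off,
# which is what the tool's "Network" section does unless -n was given.
function Get-DisabledAdapter {
    Get-NetAdapter | Where-Object { $_.Status -eq 'Disabled' }
}

Write-Host "Processes with all threads suspended:"
Get-SuspendedProcess |
    Select-Object Id, ProcessName, StartTime |
    Format-Table -AutoSize

Write-Host "Disabled network adapters:"
Get-DisabledAdapter |
    Select-Object Name, InterfaceDescription, Status |
    Format-Table -AutoSize
```

On Windows 10 and later, store (UWP) applications are routinely suspended by the operating system, so the list is only meaningful against a baseline taken on the same machine; the interesting signal is a camera, recording or security-agent process that appears in it after a crash, or an adapter that was enabled before the crash and is disabled afterwards.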

There is one interesting point. The Dumbo user documentation has a dedicated note about Kaspersky Anti-Virus. It states that this particular antivirus blocks the installation of the driver that Dumbo needs in order to work correctly under Windows XP.

"Good work, Kaspersky."

WikiLeaks continues to declassify the CIA's hacking tools. The total number of documents has already exceeded 8,700. Unfortunately, Julian Assange still does not release the binaries of the exploits and hacking programs themselves, limiting the publications to documentation.