
NSA exploits targeting Windows

The power-mad snoops at the NSA are spying on everyone and can exploit nearly every major software, hardware and firmware that exists, but here are some NSA exploit products targeting Windows.

You may or may not recall when the Economic Development Administration took a "kill it with fire" approach to two malware infections. It boiled down to: 2 malware infections + the destruction of $170,500 in hardware (mice, keyboards, printers, cameras, PCs) = $2.7 million taxpayer dollars. While that seemed beyond extreme at the time, it may no longer seem extreme at all thanks to Jacob Appelbaum revealing the NSA's Advanced Network Technology (ANT) division's catalog of exploits. In fact, according to documents obtained by Der Spiegel, the NSA developed custom BIOS exploits that persist even after the operating system has been reinstalled.

The NSA's internal catalog of exploits also details persistent backdoors in hardware and firmware, and so much for all the Homeland Security warnings about tainted hardware coming from China to spy on us. Der Spiegel reported that the NSA intercepts and plants its spyware on computer equipment as it is being shipped: "If a target person, agency or company orders a new computer or related accessories, for example, TAO can divert the shipping delivery to its own secret workshops," where NSA agents install undetectable malware or compromised hardware. The NSA's Tailored Access Operations (TAO) hackers are spying on everyone and can exploit nearly every major software, hardware and firmware that exists.

Jacob Appelbaum delivered a keynote speech at the 30th Chaos Computer Club conference in Germany. His talk, To Protect and Infect [pdf], explained numerous NSA/ANT-developed spying weapons. Although Microsoft Windows was not alone on the list - it also included Linux, FreeBSD and even Sun Solaris - since this blog is part of the Microsoft Subnet, we'll look at some of the ways TAO spies can hack us via Windows.

Let's start with how TAO exploits Windows crash error reports to conduct surveillance. Der Spiegel wrote:

When TAO selects a computer somewhere in the world as a target and enters its unique identifiers (an IP address, for example) into the corresponding database, intelligence agents are then automatically notified any time the operating system of that computer crashes and its user receives the prompt to report the problem to Microsoft. An internal presentation suggests it is NSA's powerful XKeyscore spying tool that is used to fish these crash reports out of the massive sea of Internet traffic.

The automated crash reports are a "neat way" to gain "passive access" to a machine, the presentation continues. Passive access means that, initially, only data the computer sends out into the Internet is captured and saved, but the computer itself is not yet manipulated. Still, even this passive access to error messages provides valuable insights into problems with a targeted person's computer and, thus, information on security holes that might be exploitable for planting malware or spyware on the unwitting victim's computer.

This is an example of the NSA spies having fun at Microsoft's expense:

Apparently, the NSA also loves to exploit security holes in Internet Explorer in precisely the same manner as cyber criminals do. "Microsoft's Internet Explorer, for example, is especially popular with the NSA hackers -- all that is needed to plant NSA malware on a person's computer is for that individual to open a website that has been specially crafted to compromise the user's computer." They used to use spam, but that is so "yesterday"; now the NSA prefers to crack email and other accounts with its secret service called Quantum Theory.

Quantum has the greatest success against Yahoo, Facebook and static IPs, but also can successfully target Hotmail, MSN mail, Twitter, YouTube, LinkedIn and others listed below.

Regarding Windows PC exploits, and yet more reasons to move away from XP, the TAO hackers developed:

A $50,000 per unit SOMBERKNAVE exploit; it's "a Windows XP wireless software implant that provides covert internet connectivity for isolated targets." SOMBERKNAVE, VALIDATOR and OLYMPUS combined can exploit Windows XP and extract data from an air-gapped system.

GINSU "supports any desktop PC system that contains at least one PC connector (for BULLDOZER installation) and Microsoft Windows 9x, 2000, 2003, XP, or Vista." The cost per unit was listed as $0.

WISTFULTOLL is a plug-in to exploit Windows 2000, 2003 and XP; it harvests and returns forensic data for the low, low cost of $0 per unit.

NSA WISTFULTOLL Windows exploit

But as you see by these very few examples from the catalog of 50 NSA exploit products, it is certainly not only Windows that is a target.

The exploit catalog is from 2008, so newer Windows operating systems are almost assuredly vulnerable to the TAO hackers and their endless exploits to own BIOS, servers, routers, switches, firewalls, hard drives and smartphones.


Follow me on Twitter @PrivacyFanatic
