WikiLeaks’ latest leak shows how CIA avoids antivirus programs


WikiLeaks released its third package of CIA documents on Friday, which highlights source code used by the CIA to avoid antivirus programs.

The source code is for a tool called “Marble,” a type of program known as an obfuscator or packer.

Obfuscators are principally designed to jumble the execution of malware so that programs designed to spot malware have trouble determining what it is.

The Marble toolkit includes a variety of different algorithms to accomplish that task. 

In its release, WikiLeaks describes the primary purpose of Marble as being to insert foreign language text into the malware to cause malware analysts to falsely attribute code to the wrong nation.

This appears to be an inaccurate description of the primary purpose of the code, however.

While the tool can insert text in any language, English included, or an arbitrary sequence of characters into the code, the point appears to be more about obscuring the original intent of the coders than causing an incorrect attribution.

Analysts are more likely to lump together multiple uses of the same packer algorithm featuring text from multiple languages than they are to assume the languages accurately describe the country of origin. Though language artifacts in the code are the easiest investigatory tool to explain to a non-technical audience, they are neither the only nor the most telling piece of evidence used in an attribution.

Nicholas Weaver, a researcher with the International Computer Science Institute at the University of California at Berkeley, said in a statement that releasing the packer will allow antivirus companies to block CIA malware, but notes that is only in the public interest if “disrupting the CIA’s operations for the sake of disrupting the CIA’s operations is in your ‘public interest.’”

Security flaws in products that the CIA is exploiting may one day be independently discovered and exploited by malicious hackers, so releasing information about them can serve the public. An obfuscator, by contrast, can only be used to help prevent attacks by the group using that specific obfuscator, in this case the CIA.

Now, Weaver said, WikiLeaks is forcing antivirus companies to block the CIA packer because, by releasing it publicly, “[t]hey practically guarantee that a bunch of digital miscreants will start using it as well, because ‘hey, a CIA packer for my malcode, cool!’”

Marble is the third in a series of leaks from WikiLeaks that purportedly come from a secure CIA network. The first two largely described CIA hacking techniques.
