Leaked NSA point-and-pwn hack tools menace Win2k to Windows 8

Microsoft claims it has patched most of the exploited bugs

Where's James Bond when you need him?

The Equation Group's ODDJOB folder appears to contain spyware that runs on Windows machines up to Server 2008, and, like other NSA software nasties, it is rather modular: you can plug features into it by adding more modules.

The directory contains instructions on how to set up ODDJOB with Microsoft's IIS 7 and, once installed, the malware can be updated remotely to gain new attacks and monitoring tools. It can use HTTP and HTTPS to receive and install its new code.

"ODDJOB will expect an encrypted payload. To encrypt the payload, open the Builder and navigate down to the 'Payload Encryption' section," the instructions read. "Select an Unencrypted Payload, ie, what you want to run on target. Then select an encrypted payload, which is really a dummy file for now. Then select exe or dll, depending on whether the Unencrypted Payload is an exe or dll."

Based on an Excel spreadsheet shared with the malware, ODDJOB is effective on Windows 2000, XP, Server 2003, Vista, Server 2008 and Windows 7, although in each case only the Enterprise versions of the operating systems, rather than consumer builds.

"This is a worst-case estimate for which Windows releases will work with ODDJOB," the spreadsheet states. "An updated version of bits is available as a download for many of these releases, such as XP SP1. Also, ODDJOB v3 will fallback gracefully from HTTPS to HTTP. So, when in doubt, throw HTTPS at the target."

How's that vulnerability hoarding looking now?

This latest release is going to be uncomfortable reading for the NSA. Not only have some of its classic exploits – thought to be worth maybe a couple of million on the gray market – been burned in a single day, the agency has also known for months that its Equation Group goodies are in the hands of crooks who are going to leak the files.

Could the NSA have considered the programs lost for good, and alerted Microsoft, Cisco and others to fix the vulnerabilities before the tools were dumped all over the web? Microsoft says no one has given it any form of heads up on the materials leaked by the Shadow Brokers thus far.

Now all these cyber-arms are in the hands of anyone who wants them. Governments with an interest in hacking America – ie, all of them – can now use these. Even worse, every script kiddie on the planet is going to be downloading these tools and using them this weekend to go hacking around online for older, vulnerable gear. ®

Updated to add

Microsoft reckons it has already patched the exploited bugs except for ENGLISHMANDENTIST, ESTEEMAUDIT and EXPLODINGCAN, which don't work on supported versions of Windows, eg: Windows 7, 8 and 10, and so won't be patched anyway. If you've been keeping up with your Patch Tuesday updates, you should be protected, according to Microsoft.

What's rather curious is that a Redmond spokesperson claimed earlier on Friday: "Other than reporters, no individual or organization has contacted us in relation to the materials released by Shadow Brokers."

In other words, apparently no one privately tipped off Microsoft about the exploited security bugs so that they could be fixed – not the brokers and not the NSA. And yet it now turns out Microsoft quietly patched a bunch of the SMB vulnerabilities exploited by the US spy agency in March this year. And then the Shadow Brokers went public with the SMB exploits exactly a month later. What fortuitous timing for Redmond!

Today, the software giant's principal security group manager Phillip Misner said: "Microsoft triaged a large release of exploits made publicly available by Shadow Brokers ... Customers have expressed concerns around the risk this disclosure potentially creates. Our engineers have investigated the disclosed exploits, and most of the exploits are already patched."

How odd, but also: what a relief. If you want to check which exploits affect which operating systems, someone's made a handy table here.

