CIA Reveals Guidelines for Avoiding Malware and Anti-Virus Detection


Unless you really like to gamble, you are using some kind of anti-malware or antivirus program to protect your system. But if the CIA really wants in, it will get in, and you won’t even know about it.

WikiLeaks reveals in the Vault 7 documents a series of standards that the US Central Intelligence Agency uses to infect networks “of interest” and at the same time avoid detection by anti-malware and anti-virus programs.

Development Tradecraft DOs and DON’Ts

Here are a few examples of these rules, taken from a leaked CIA document titled “Development Tradecraft DOs and DON’Ts”:

  • DO explicitly remove sensitive data (encryption keys, raw collection data, shell code, uploaded modules, etc.) from memory as soon as the data is no longer needed in plain-text form.
  • DO NOT perform operations that will cause the target computer to be unresponsive to the user (e.g. CPU spikes, screen flashes, screen “freezing”, etc.).
  • DO NOT leave data in a binary file that demonstrates CIA, USG, or its witting partner companies involvement in the creation or use of the binary/tool.
  • NEVER use networking protocols which break the end-to-end principle with respect to encryption of payloads.
  • DO NOT read, write and/or cache data to disk unnecessarily. Be cognizant of 3rd party code that may implicitly write/cache data to disk.
  • DO NOT perform Disk I/O operations that will cause the system to become unresponsive to the user or alerting to a System Administrator.

Of course, there are a lot more of these DOs and DON’Ts, covering general practice, networking, disk I/O and even the date and time formats CIA hackers should use (for instance, DO NOT use US-centric timestamp formats such as MM-DD-YYYY; use YYYYMMDD instead).

Basically, this document provides rules that agents should follow when writing malware in order to avoid leaving fingerprints that could implicate CIA, the United States government, or its partner companies in forensic review.

Other CIA Secret Hacking Standards

This document isn’t the only set of standards of this kind. The CIA also uses other, similar, secret standards: one for hiding (encrypting) the communication between the CIA hacker and the malware (“(C//NF) Network Operations Division Cryptographic Requirements”), one defining directory structures and metadata documents that reduce the burden of parsing and tracking collected data for its recipients (“NOD CNE Operational Data Exchange Format Specification”), one for executing code (“NOD In-memory Code Execution Specification”) and one for persisting, or in other words staying on the target system over time (“NOD Persisted DLL Specification”).

How Much is Anti-Virus Worth Against CIA

Going back to our original thought, it seems that anti-virus programs, at least commercial ones such as Comodo, Avast, Symantec and others, don’t stand much of a chance against CIA hackers.

In particular, in AV Defeats, the CIA documents several instances of how it defeated anti-virus products. For example, for AVG, they would rename an .exe file to a common installer name such as setup.exe or installer.exe, creating a “fake installer” that the user might open.

In another instance, for Avira, CIA hackers defeated the product by appending a RAR signature, containing just a few bytes of data, to the end of the binary. Apparently this also works against Pocket Orb and 360-Safe.
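The Avira trick above is an appended-data trick: the signature lands past the end of the last section, in what analysts call the PE overlay, where no section claims it. The following is an added example (not code from the leaked documents or from any vendor) that parses a PE’s DOS header, file header and section table by hand, measures the overlay and reports whether it begins with a RAR signature. `build_sample_pe` constructs a tiny, non-runnable PE32 image purely as sample input; the RAR magic values are the published RAR4 and RAR5 archive signatures.

```python
"""Report trailing data (the "overlay") on a PE file and flag a RAR signature.

Added example for this article; not code from the leaked documents.  The PE
structures are parsed by hand, so there is no pefile dependency.
"""
import struct

RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"


def pe_end_of_sections(data: bytes) -> int:
    """Return the file offset just past the last byte owned by any section.

    Raises ValueError if the buffer is not a minimally well-formed PE.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4  # IMAGE_FILE_HEADER follows the 4-byte signature
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    sect_table = coff + 20 + opt_size
    end = sect_table + num_sections * 40  # the headers themselves count
    for i in range(num_sections):
        # IMAGE_SECTION_HEADER: Name(8) VirtualSize(4) VirtualAddress(4)
        # SizeOfRawData(4) PointerToRawData(4) ...; offset 16 -> SizeOfRawData
        size_raw, ptr_raw = struct.unpack_from("<II", data, sect_table + i * 40 + 16)
        if size_raw:
            end = max(end, ptr_raw + size_raw)
    return end


def overlay_info(data: bytes) -> dict:
    """Describe any bytes appended past the last section."""
    end = pe_end_of_sections(data)
    overlay = data[end:]
    if overlay.startswith(RAR5_MAGIC):
        kind = "rar5"
    elif overlay.startswith(RAR4_MAGIC):
        kind = "rar4"
    elif overlay:
        kind = "unknown"
    else:
        kind = None
    return {"overlay_offset": end, "overlay_size": len(overlay), "overlay_type": kind}


def build_sample_pe(section_payload: bytes = b"\xc3" * 16, overlay: bytes = b"") -> bytes:
    """Constructed sample input: a tiny PE32 image with one section (not runnable)."""
    file_align = 0x200
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0  # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = b"\x0b\x01" + b"\0" * (opt_size - 2)  # Magic = 0x10b (PE32), rest zero
    headers_len = e_lfanew + 4 + 20 + opt_size + 40
    raw_ptr = ((headers_len + file_align - 1) // file_align) * file_align
    raw_size = ((len(section_payload) + file_align - 1) // file_align) * file_align
    section = struct.pack("<8sIIIIIIHHI", b".text", len(section_payload), 0x1000,
                          raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + opt + section).ljust(raw_ptr, b"\0")
    return headers + section_payload.ljust(raw_size, b"\0") + overlay


if __name__ == "__main__":
    print(overlay_info(build_sample_pe()))
    print(overlay_info(build_sample_pe(overlay=RAR4_MAGIC + b"\0\0\0")))
```

An overlay is not proof of tampering (installers and signed binaries legitimately carry one), so the useful signal is the combination: an overlay that is only a few bytes long and starts with an archive signature that nothing in the file references.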

Comodo was apparently a big problem for the CIA, as it can catch and display the entire execution chain. However, it appears that Comodo ignores the Windows Recycle Bin. So what CIA hackers did was “dump” their binaries into C:\RECYCLER (on Windows XP) or C:\$Recycle.Bin (on Windows Vista, 7 and 8). The notes don’t mention Windows 10, so whether the trick works on the newer operating system is not documented.

The silver lining with Comodo is that it will still catch what the hacker does once the binary is running.
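If you want to check for this blind spot yourself, the following is an added example (not code from the leaked documents or from Comodo) that audits a Vista-and-later $Recycle.Bin folder. Every shell deletion produces a $I metadata record (original path, size, deletion time) paired with a $R content file, so an executable with no $I record, or with a name outside that convention, was put there some other way. The $I layout (version 1 on Vista through 8.1, version 2 on Windows 10) is parsed by hand; the sample files are constructed inside `demo()`, and the XP-era C:\RECYCLER\INFO2 format is not covered.

```python
"""Audit a Windows $Recycle.Bin folder for binaries not deleted via the shell.

Added example for this article, not code from the leaked documents.  A shell
deletion yields $I<6 chars>.<ext> (metadata) plus $R<6 chars>.<ext> (content);
a dropped binary breaks that pairing.
"""
import datetime
import os
import re
import struct
import tempfile

PAIR_RE = re.compile(r"^\$([IR])([A-Z0-9]{6})(\..+)?$", re.IGNORECASE)
# 100-nanosecond ticks between 1601-01-01 (FILETIME epoch) and 1970-01-01
FILETIME_UNIX_DELTA = 116444736000000000
UNIX_EPOCH = datetime.datetime(1970, 1, 1, tzinfo=datetime.timezone.utc)


def parse_dollar_i(data: bytes) -> dict:
    """Parse a $I record: version 1 (Vista to 8.1) or version 2 (Windows 10)."""
    version, size, filetime = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw_path = data[24:24 + 520]          # fixed 260 UTF-16 characters
    elif version == 2:
        nchars = struct.unpack_from("<I", data, 24)[0]
        raw_path = data[28:28 + nchars * 2]   # length-prefixed path
    else:
        raise ValueError(f"unknown $I version {version}")
    deleted = UNIX_EPOCH + datetime.timedelta(
        microseconds=(filetime - FILETIME_UNIX_DELTA) // 10)
    return {
        "version": version,
        "original_size": size,
        "deleted_at": deleted,
        "original_path": raw_path.decode("utf-16-le").rstrip("\0"),
    }


def audit_recycle_bin(folder: str) -> list:
    """Return one finding per file that does not look like a shell deletion."""
    names = os.listdir(folder)
    known_i = set()
    for name in names:
        m = PAIR_RE.match(name)
        if m and m.group(1).upper() == "I":
            known_i.add(m.group(2).upper())
    findings = []
    for name in sorted(names):
        path = os.path.join(folder, name)
        if name.lower() == "desktop.ini" or not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            is_pe = fh.read(2) == b"MZ"   # executable image, whatever its name
        m = PAIR_RE.match(name)
        if m is None:
            reason = "name outside the $I/$R convention"
        elif m.group(1).upper() == "R" and m.group(2).upper() not in known_i:
            reason = "$R content file with no matching $I record"
        else:
            continue
        findings.append({"file": name, "reason": reason, "is_pe": is_pe})
    return findings


def build_dollar_i(original_path: str, size: int, filetime: int, version: int = 2) -> bytes:
    """Constructed sample input: encode a $I record the way Windows lays it out."""
    header = struct.pack("<QQQ", version, size, filetime)
    encoded = original_path.encode("utf-16-le") + b"\0\0"
    if version == 1:
        return header + encoded.ljust(520, b"\0")
    return header + struct.pack("<I", len(original_path) + 1) + encoded


def demo() -> list:
    """Populate a constructed sample bin in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as folder:
        def put(name, content):
            with open(os.path.join(folder, name), "wb") as fh:
                fh.write(content)
        # a legitimate shell deletion: metadata plus content
        put("$IABC123.txt", build_dollar_i(r"C:\Users\user\notes.txt", 5, 131018000000000000))
        put("$RABC123.txt", b"hello")
        # a dropped binary that mimics the naming but has no $I record
        put("$RZZZ999.exe", b"MZ" + b"\0" * 62)
        # a dropped binary with no attempt at the convention
        put("payload.exe", b"MZ" + b"\0" * 62)
        return audit_recycle_bin(folder)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a live system, point `audit_recycle_bin` at each per-user SID subfolder under C:\$Recycle.Bin rather than at the top level, and treat `is_pe` findings as the ones worth pulling for the overlay and signature checks.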

As if that wasn’t enough, CIA hackers are also skilled at evading PSPs (personal security products, i.e. anti-virus suites), debuggers and reverse-engineering tools. For example, to outlast the fixed time limit that PSP sandboxes place on analysis, a sample could simply call “sleep” at start-up and let the clock run out. Since some sandboxes skip or fast-forward sleep calls, the hackers instead call a function that takes a while to complete before they install the malware or carry out any other action; the sandbox can’t tell what it should skip.


So those were just a few examples of how CIA hackers avoid detection and make sure their attacks leave no fingerprints. Of course, since these documents date from between 2013 and 2016, it’s likely that the CIA has largely moved on from these methods to new ones.

There is, however, a more positive side to all this. Having found all these blind spots and bypasses in various AVs, the CIA could help anti-virus companies build more secure products and, in turn, help big tech companies like Google, Microsoft, Apple and others tighten up their protection and defend against such attacks in the future.

