and Panama could be related to drug money or the US' somewhat rocky relationship with both
countries. Spies do spying, right?
Where's James Bond when you need him?
The Equation Group's ODDJOB folder appears to contain spyware that runs on Windows
machines up to Server 2008, and, like other NSA software nasties, it is rather modular: you can
plug features into it by adding more modules.
The directory contains instructions on how to set up ODDJOB with Microsoft's IIS 7 and, once
installed, the malware can be updated remotely to gain new attacks and monitoring tools. It can
use HTTP and HTTPS to receive and install its new code.
"ODDJOB will expect an encrypted payload. To encrypt the payload, open the Builder and
navigate down to the 'Payload Encryption' section," the instructions read. "Select an
Unencrypted Payload, ie, what you want to run on target. Then select an encrypted payload,
which is really a dummy file for now. Then select exe or dll, depending on whether the
Unencrypted Payload is an exe or dll."
Based on an Excel spreadsheet shared with the malware, ODDJOB is effective on Windows
2000, XP, Server 2003, Vista, Server 2008 and Windows 7, although in each case only the
Enterprise versions of the operating systems, rather than consumer builds.
"This is a worst-case estimate for which Windows releases will work with ODDJOB," the
spreadsheet states. "An updated version of bits is available as a download for many of these
releases, such as XP SP1. Also, ODDJOB v3 will fallback gracefully from HTTPS to HTTP. So,
when in doubt, throw HTTPS at the target."
How's that vulnerability hoarding looking now?
This latest release is going to be uncomfortable reading for the NSA. Not only have some of its
classic exploits – thought to be worth maybe a couple of million on the gray market – been
burned in a single day, the agency has also known for months that its Equation Group goodies
are in the hands of crooks who are going to leak the files.
Could the NSA have considered the programs lost for good, and alerted Microsoft, Cisco and
others, to fix the vulnerabilities before the tools were dumped all over the web? Microsoft
says no one has given it any form of heads-up on the materials leaked by the Shadow Brokers
thus far.
Now all these cyber-arms are in the hands of anyone who wants them. Governments with an
interest in hacking America – ie, all of them – can now use these. Even worse, every script kiddy
on the planet is going to be downloading these tools and using them this weekend for hacking
around online for older, vulnerable gear.
Updated to add
Microsoft reckons it has already patched the exploited bugs except for ENGLISHMANDENTIST,
ESTEEMAUDIT and EXPLODINGCAN, which don't work on supported versions of Windows,
eg, Windows 7, 8 and 10, and so won't be patched anyway. If you've been keeping up with your
Patch Tuesday updates, you should be protected, according to Microsoft.