Thursday, April 13, 2017

7-Zip Portable not 7-Zip hacked by CIA

Everyone's favorite freebie zip application has comprised and targeted by your friendly neighborhood CIA agent as revealed in latest WikiLeaks leak, code-named "Vault 7".

Just to be clear 
"7-Zip Portable" was mentioned, and there's allot of confusion of what the difference between "7-Zip Portable" and "7-Zip". This post will clear that up.




Firstly,  7-Zip is safe!


I spoke with Igor Pavlov the owner of 7-Zip,  and he has no idea about "7-Zip Portable". 

I asked him if there are any issues with CIA hack using his open source code base, and he affirmed it was with "7-Zip Portable" was the problem code.

Recent CIA Wikileaks release mentions "7-Zip Portable" hack for spying on users, under the section called "Fine Dining Tool Module Lists" at https://wikileaks.org/ciav7p1/cms/page_20251107.html

For the uninitiated, the Wikileaks"Vault 7" release list a host of exploits for common everyday free and paid  applications by the CIA. The "Fine Dining Tool Module Lists" section list applications whose libraries ( which are loaded to run the program known as dynamically loading libraries (DLL))  have been compromised and replace. This is know as "DLL Hijack" in the document.  A hijacked DLL enables practically anything to be done by the remote collectors; it can collect keystrokes, take screenshots, record microphone, snoop on your mail and the dreaded scenario of complete control over you computer using a remote administration tool RAT.  

This "7-Zip Portable" appears on 2 lines of "Vault 7" leak so can be a little confusing.

DLL Hijack7-Zip PortableUser, Compression, BackupOperator performs backup, encrypted storage while collection is occurring

So what is "7-Zip Portable"? How does it differ from 7-Zip? 


"7-Zip Portable" is exactly same as 7-zip, it just been consumed by PortableApps.com because project is open-source. PortableApps.com removed the installer and repackaged it for their own and even used the same logo. 


PortableApps.com is the world's most popular portable software solution allowing you to take your favorite software with you. A fully open source and free platform, it works on any portable storage device (USB flash drive, memory card, portable hard drive, etc), cloud drive (DropBox, Google Drive, etc), or installed locally. 

The confusing part is it has the same logo, comes from the same open source repo "Sourceforge" (different projects however) and even lists 
7-Zip developers as part of their development effort. 


PublisherPortableApps.com (John T. Haller) and the 7-Zip developers





























  • So, there you are you have been warned.

    A further note, it seems many of the apps from PortableApps.com have been infiltrated. Probably, the same installer used by  PortableApps.com has been compromised.

    For further explanation a good article here
    http://www.filmsforaction.org/articles/wikileaks-cia/







1 comment:

  1. For context, it appears to be a vulnerability within 7-Zip's ability to create self-extracting archives (EXEs). This has been discussed in 7-Zip's forums and can be done by adding an expected DLL like uxtheme.dll to the directory with the 7-Zip self-extracting EXE, at least at the time. All of the exploits used in the Fine Dining exploit were similar DLL preload or replace issues within the apps themselves. Nothing that was added by PortableApps.com was exploited according to the dump. The apps are usually protected from this when running from Program Files courtesy of Windows' UAC protect, but could of course be exploited with a PATH change or if installed to another location or just extracted from a zip download. It should also be noted that the PortableApps.com Platform was updated within a day of the dump to mitigate the exploitable pieces of the affected apps by scanning for added and replaced DLLs. Complete details are here: https://portableapps.com/news/2017-03-13--mitigating-dll-hijacks-with-the-portableapps-com-platform

    ReplyDelete