Q&A: Wikileaks, the CIA, ‘Fine Dining’ and DLL hijacks

There's been a lot of talk in the media lately about an alleged CIA project called Fine Dining. We've tried to explain what the fuss is all about by answering a series of questions about the what, the how and the why.

There’s been a lot of talk in the media lately about an alleged CIA project called Fine Dining.

We’ve tried to explain what the fuss is all about by answering a series of questions about the what, the how and the why.

Q1. What’s all this from Wikileaks about “malware-laced spy apps”, including hacked anti-virus programs?

A1. A recent mass leak of CIA documents by Wikileaks, dubbed “Vault 7”, includes mention of an alleged CIA project called Fine Dining.

This project aims to provide CIA field agents who already have insider access to a target organisation with hacked versions of well-known apps that they can run as a decoy, to act as a cover for data-sniffing tools that run in the background at the same time.

Q2. Which decoy apps appear on the list?

A2. VLC Player Portable, Irfan View, Chrome Portable, Opera Portable, Firefox Portable, ClamWin Portable, Kaspersky TDSS Killer Portable, McAfee Stinger Portable, Sophos Virus Removal Tool, Thunderbird Portable, Opera Mail, Foxit Reader, Libre Office Portable, Prezi, Babel Pad, Notepad++, Skype, Iperius Backup, Sandisk Secure Access, U3 Software, 2048, LBreakout2, 7-Zip Portable and Portable Linux CMD Prompt.

Q3. Some reports say that these apps were hacked because they contained a vulnerability called “DLL hijacking” – is that true?

A3. The Fine Dining attack relies on altering each of the apps in some way in advance, and giving the modified app to the field agent, for example on a USB stick. The technique used to modify the apps involves changing or adding a DLL that each app uses so that it loads differently, thus the name “DLL hijack”.

(DLL is short for dynamic link library, a program component that is stored in a separate file from the program’s main executable. DLLs exist so that programs can share common “library code”, thus saving disk and memory space, and making updating easier.)

Because a prepared version of the app is modified in advance, it is a huge stretch to call this an application vulnerability. The DLL hijacking used in Fine Dining is down to the flexibility in how Windows decides which DLLs to choose for programs that run. Windows makes it possible even for system DLLs to be substituted automatically before a program begins to execute.

DLLs are effectively sub-programs in their own right, so, on a correctly-protected computer, installed applications should be protected from this sort of unauthorised modification anyway. However, the Fine Dining attack relies on the the field agents being able to bring in their own apps from outside and to run them at will. (To run the Sophos Virus Removal Tool, they need administrator privileges as well.)

Q4. If a field agent is already an administrator, can’t they pretty much do what they want anyway?

A4. Yes. That’s the whole point. This isn’t so much about what they’re doing but whether they fit the part while they’re doing it. (Much like fine dining, in fact: most upmarket restaurants have a dress code, so you’d do well to turn up looking smart.)

Q5. So this Fine Dining attack isn’t an exploit by which the field agents break into the target in the first place?

A5. No. It’s simply a way of modifying the behaviour of a well-known app so that it does everything it used to, such as editing files, watching movies or scanning for malware, as well as performing hidden tasks that would stand out more obviously if carried out on their own.

Q6. Surely the CIA could achieve the same result simply by creating fake or patched versions of the originals?

A6. Yes. Fake apps have been a staple of cyberattacks for years, especially to steal passwords and data, in just the same way that fake websites are a staple of today’s phishing attacks. DLL hijacking is another way of doing something similar.

Q7. So why bother with DLL hijacking?

A7. The most obvious answer is, “Why not?” Substituting the DLLs used by a decoy program is often quicker than the alternatives. These include: modifying existing program executables (EXE files); creating mock-up versions; or building what is called a “wrapper app” that runs before the legitimate program and then launches it over the top as a decoy.

Notably, the same DLL can often be used with several different apps (a favourite DLL substituted by the CIA seems to a system DLL called MSIMG32.DLL). Patches and mock-ups generally need adapting for each app.

Q8. Why Fine Dining?

A8. Most fine dining restaurants have a dress code, so it matters what you look like while you’re there. So the name is probably a metaphor for eating your fill of other people’s data but looking good while doing it.

Also, building modified software versions, such as hacked firmwares for mobile phones, is often referred to as “cooking”. Good “cooked ROMs” are sought after, although the most popular are ironically often those that remove unwanted bloatware from an official build, rather than those that add extra “secret sauce”.