WikiLeaks Exposes CIA CouchPotato Tool For Hacking Security Camera Video Streams
"CouchPotato utilizes ffmpeg for video and image encoding and decoding as well as RTSP connectivity. In order to minimize size of the DLL binary, many of the audio and video codecs along with other unnecessary features have been removed from the version of ffmpeg that CouchPotato is built with. pHash, an image hashing algorithm, has been incorporated into ffmpeg’s image2 demuxer to provide image change detection capabilities. CouchPotato relies on being launched in an ICE v3 Fire and Collect compatible loader," the documentation states.
Part of the documentation warns against launching the CouchPotato DLL out of a process that is critical to system stability, such as services.exe. Apparently the program is not always stable and in some cases "beyond CouchPotato's control," the DLL can exit "ungracefully." It can also leak memory and leave file handles open, all of which can reveal its presence on a target's machine.
It is not known how widely used this program might have been. The manual for version 1.0 is dated February 2014 and lists a few known issues. One of them is potentially high CPU usage. The authors note that on a Windows 7 64-bit VM allocated a single CPU core, the process that CouchPotato was injected into was using between 50 and 70 percent of the available CPU while capturing images.