WikiLeaks Releases More Info On CIA Malware
WikiLeaks has released documentation on another CIA cyber-weapon. Codenamed Pandemic, this is a tool that targets computers with shared folders, from where users can download files via SMB
The way Pandemic works is quite ingenious and original, and something not seen before in any other malware strain.
Pandemic was developed for computers with shared folders
According to a leaked CIA manual, Pandemic is installed on target machines as a "file system filter driver." This driver's function is to listen to SMB traffic and detect attempts from other users to download shared files from the infected computer.
Pandemic will intercept this SMB request and answer on behalf of the infected computer. Instead of the legitimate file, Pandemic will deliver a malware-infected file instead (SMB is a network protocol used by Windows-based computers that allows systems within the same network to share files).
According to the CIA manual, Pandemic can replace up to 20 legitimate files at a time, with a maximum size of 800MB per file, and only takes 15 seconds to install. Support is included for replacing both 32-bit and 64-bit files. The tool was specifically developed to replace executable files, especially those hosted on enterprise networks via shared folders.
The role of this cyber-weapon is to infect corporate file sharing servers and deliver a malicious executable to other persons on the network, hence the tool's name of Pandemic.
Detecting "patient zero" is hard, but not impossible
Once Pandemic has infiltrated a network, it's very hard to detect the source of the original infection and clean the "patient zero" host.
This is because Pandemic's file system driver will know when a local user is manually accessing one of the shared files and will execute the clean version of the file, and not the malware-laced version it delivers via SMB. In order to detect Pandemic-infected PCs, sysadmins must download and scan files from other computers via SMB (shared folders).
Incident response teams who fear or suspect they might be prone to CIA surveillance can search Windows registry keys for the above mini-filter drivers using Windows Flt* functions, as a sign of infection.
WikiLeaks' dump is part of a larger series called Vault 7, which contains documents WikiLeaks claims were stolen from the CIA by hackers and insiders.
You Might Also Read:
WikiLeaks Has Published The CIA’s Secrets For Infecting Windows:
Wikileaks Vault 7 And The CIA Hacking Arsenal:
CIA leak 'absolutely' an 'inside job':