Slashdot Mirror


CIA Malware Can Switch Clean Files With Malware When You Download Them Via SMB (bleepingcomputer.com)

An anonymous reader quotes a report from Bleeping Computer: "After taking last week off, WikiLeaks came back today and released documentation on another CIA cyber weapon. Codenamed Pandemic, this is a tool that targets computers with shared folders, from where users download files via SMB. The way Pandemic works is quite ingenious and original, and something not seen before in any other malware strain. According to a leaked CIA manual, Pandemic is installed on target machines as a "file system filter driver." This driver's function is to listen to SMB traffic and detect attempts from other users to download shared files from the infected computer. Pandemic will intercept this SMB request and answer on behalf of the infected computer. Instead of the legitimate file, Pandemic will deliver a malware-infected file. According to the CIA manual, Pandemic can replace up to 20 legitimate files at a time, with a maximum size of 800MB per file, and only takes 15 seconds to install. Support is included for replacing both 32-bit and 64-bit files. The tool was specifically developed to replace executable files, especially those hosted on enterprise networks via shared folders. The role of this cyber weapon is to infect corporate file sharing servers and deliver a malicious executable to other persons on the network, hence the tool's name of Pandemic."
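Because the substitution described above happens in the SMB read path, the bytes on the server's own disk stay intact while SMB clients receive something else. A client-side integrity check against a manifest produced on the trusted side therefore catches the swap. The script below is an added example, not code from the article or the leaked manual; every file name and file content in it is constructed, and the "PE" blobs are minimal stand-ins that carry only the header fields the check reads.

```python
"""Verify executables fetched from an SMB/DFS share against a trusted manifest.

Added example (not from the article or the leaked manual). The manifest is
built where the files are trusted (reading the server's local disk, or at the
vendor); the client re-hashes what it actually received over SMB.
"""
from __future__ import annotations

import hashlib
import struct
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pe_machine(data: bytes) -> str:
    """Classify a blob as '32-bit', '64-bit' or 'not-pe' from IMAGE_FILE_HEADER.Machine."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not-pe"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)        # offset of the PE header
    if len(data) < e_lfanew + 6 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "not-pe"
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return {0x014C: "32-bit", 0x8664: "64-bit"}.get(machine, f"machine-0x{machine:04x}")


def build_manifest(files: dict[str, bytes]) -> dict:
    """Record size, SHA-256 and bitness for every executable on the trusted side."""
    return {name: {"size": len(d), "sha256": sha256_hex(d), "pe": pe_machine(d)}
            for name, d in files.items()}


@dataclass
class Verdict:
    name: str
    status: str    # "ok", "unlisted", "size-mismatch" or "hash-mismatch"
    detail: str


def verify_fetched(manifest: dict, name: str, fetched: bytes) -> Verdict:
    """Compare bytes received from the share with the manifest entry for that path."""
    entry = manifest.get(name)
    if entry is None:
        return Verdict(name, "unlisted", "no manifest entry; refuse to execute")
    if len(fetched) != entry["size"]:
        return Verdict(name, "size-mismatch",
                       f"expected {entry['size']} bytes, got {len(fetched)} ({pe_machine(fetched)})")
    if sha256_hex(fetched) != entry["sha256"]:
        return Verdict(name, "hash-mismatch",
                       f"same size, different content; served build is {pe_machine(fetched)}")
    return Verdict(name, "ok", entry["sha256"])


def audit(manifest: dict, fetched: dict[str, bytes]) -> list[Verdict]:
    return [verify_fetched(manifest, n, d) for n, d in sorted(fetched.items())]


def fake_pe(machine: int, body: bytes) -> bytes:
    """Constructed stand-in for an executable: just enough header for pe_machine()."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew: PE header directly after the DOS stub
    return bytes(hdr) + b"PE\0\0" + struct.pack("<H", machine) + body


# Constructed: what an administrator sees when reading the server's disk locally.
TRUSTED_SHARE = {
    "tools\\setup.exe":   fake_pe(0x014C, b"legit 32-bit installer v1.2"),
    "tools\\agent64.exe": fake_pe(0x8664, b"legit 64-bit agent"),
    "tools\\updater.exe": fake_pe(0x8664, b"legit updater"),
}
MANIFEST = build_manifest(TRUSTED_SHARE)

# Constructed: what an SMB client actually received from the same paths.
CLIENT_SAW = {
    "tools\\setup.exe":   fake_pe(0x014C, b"legit 32-bit installer v1.2 + stage"),  # longer
    "tools\\agent64.exe": fake_pe(0x8664, b"bogus 64-bit agent"),                   # same size
    "tools\\updater.exe": fake_pe(0x8664, b"legit updater"),                        # untouched
    "tools\\extra.exe":   fake_pe(0x8664, b"never in manifest"),                    # unlisted
}

if __name__ == "__main__":
    for v in audit(MANIFEST, CLIENT_SAW):
        print(f"{v.status:14} {v.name}: {v.detail}")
```

A same-size swap only shows up in the hash, which is why size alone is not a useful check.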

62 comments

  1. That's all well and good. by Anonymous Coward · · Score: 2, Funny

    ...But can it get into Madagascar after they've closed their port?!

    1. Re: That's all well and good. by mspohr · · Score: 1

      More importantly, does it run on Linux?

      --
      I don't read your sig. Why are you reading mine?
    2. Re: That's all well and good. by Anonymous Coward · · Score: 0

      I wrote malware like this on my dad's computer 20 years ago, he was so mad. Lol

  2. It'sa me, Mario! by Anonymous Coward · · Score: 0

    An Luigi, too!

    This first post brought to you by the Super Mario Brothers.

    1. Re: It'sa me, Mario! by Anonymous Coward · · Score: 0

      Fail. Sorry but the princess is in another forum.

  3. Original maybe, ingenious really? by Dr.+Evil · · Score: 3, Insightful

    Not every permutation and combination of malware not seen before is "ingenious".

    File system filter driver dynamically installs malware. Got it. Isn't this the kind of thing a file system filter driver is supposed to do? "filter can mean log, observe, modify...." https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/what-is-a-file-system-filter-driver-

    Handy tool, but unless I'm missing something, "ingenious" is way overstated. 25 years ago, this might have been novel.

    1. Re:Original maybe, ingenious really? by 110010001000 · · Score: 2

      I'm still trying to figure out how it only supports 20 files max. I am suspecting variable names like "filename1", "filename2", etc.

    2. Re:Original maybe, ingenious really? by PolygamousRanchKid+ · · Score: 5, Funny

      . . . maybe the CIA writes files=20 in their config.sys . . . ?

      --
      Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
    3. Re:Original maybe, ingenious really? by Anonymous Coward · · Score: 0

      I guess because the format the configuration tool uses to configure the actual malicious binary is simple. Could be just an array with 20 elements of a struct with configuration data.

    4. Re:Original maybe, ingenious really? by K.+S.+Kyosuke · · Score: 4, Insightful

      "Had God wanted us to infect more files, he would have given us more fingers and toes."

      --
      Ezekiel 23:20
    5. Re:Original maybe, ingenious really? by Dr.+Evil · · Score: 3, Informative

      I bet you're right. The Vault7 leaks all seem like leaks from a competent but certainly not miracle-working security team. They've got access to some remarkable vulnerabilities, and they seem well-funded, otherwise just a bunch of normal guys. The poor soul who wrote this one probably never meant it to be more than a hack for a specific project.

      Some of the Vault7 stuff is funny:

      https://wikileaks.org/ciav7p1/cms/page_14588098.html

      DART: WinXP Pro SP3 English w/ Adobe VM – why you hate my unit tests?
      ....

      2015-01-29 18:29 [User #71473]:

      Ah, but lowly users can't create projects, and I find it silly to go begging an admin when I want to make a silly tasklist in Jira.

      #freejira

      #getoffmylawn

      2015-01-29 07:55 [User #1179925]:

      Some would say there is an Atlassian product to help you track this stuff....

    6. Re:Original maybe, ingenious really? by Anonymous Coward · · Score: 0

      Pull down your pants and count to 21.

    7. Re:Original maybe, ingenious really? by Anonymous Coward · · Score: 0

      The ability to dynamically replace files based on access control decisions was implemented in the Safety program (for VMS) which functions as a file system filter. It was published circa 1995; you can grab the code and docs from www.gce.com if you like. The design there was to allow intruders to see different files from legitimate users, but really it's just a decision, can be set up either way. Normal use was if you have too many privileges (or come from the wrong place or are looking at the wrong time or with the wrong program) you might get fake-payroll.doc instead of real-payroll.doc. There is no limit to how many files can be so marked in Safety. I find it bizarre to have a limit of some small number of files too. Perhaps the linking mechanism is not very robust. Safety in principle needs one extra disk access (to pull in the other file) which is pretty fast, and that disk access can often be cached from memory.

      I would of course think that installing something like Safety as malware could be extremely dangerous due to the many capabilities that it changes. But VMS is not so widespread, and its users tend to be careful about what gets installed.

    8. Re:Original maybe, ingenious really? by PPH · · Score: 1

      Perhaps there's some file caching scheme to speed up the file replacement. So your target doesn't get suspicious about a delay. The flip side is that this requires memory. Use too much of that and someone will notice the resource use.

      --
      Have gnu, will travel.
    9. Re:Original maybe, ingenious really? by MMC+Monster · · Score: 3, Funny

      And then pull up your shirt and get to 23.

      --
      Help! I'm a slashdot refugee.
    10. Re:Original maybe, ingenious really? by PPH · · Score: 1

      I suspect that I may have seen this behavior elsewhere.

      A friend of mine has a SOHO LAN. One day, she was complaining that she couldn't reach any shared folders on one of her employees' PCs (who was off on vacation). So, I looked at it for her. Logged onto the suspect system and it couldn't see the office network either. Poked around for a few seconds and then said to myself, "Try the universal Windows repair procedure. Reboot." Still nothing. The "Network" browser was empty. Next, test the actual networking. Open a URL out in the world somewhere to see if this system could actually connect to anything. "What browser do you use?" "Chrome", she replied. So I fired that up to enter a URL and within a second or so the network window populated with the local systems and shares.

      I tried it again. Reboot the system, local network is gone. Fire up Chrome and it appears. So Chrome appears to be inserting something between the networking drivers and user space that, when it hasn't been started up yet, interferes with SMB. IMO, if it is spyware, it is pretty crappy. Good spyware shouldn't reveal itself by interfering with normal operations when it isn't running. Just like alligator clips on my phone line shouldn't make popping noises when I make a call.

      --
      Have gnu, will travel.
    11. Re:Original maybe, ingenious really? by 110010001000 · · Score: 1

      That probably explains it, and also the 800MB file limit they mentioned.

    12. Re:Original maybe, ingenious really? by gweihir · · Score: 1

      It is neither. The idea is plain obvious. Anybody competent (no, that does not include the average "programmer") can implement this in a few weeks.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    13. Re:Original maybe, ingenious really? by Anonymous Coward · · Score: 0

      hi, grandpa. i see you got your dial-up working again.

    14. Re: Original maybe, ingenious really? by Anonymous Coward · · Score: 0

      More likely, the computer doesn't actually connect to wifi until a program needs network access, and SMB network browsing isn't recognized as a program. Try other programs like a mail client: they may open up networking too.

    15. Re:Original maybe, ingenious really? by hattable · · Score: 1

      24 you insensitive clod!

      --
      OMG facts!
    16. Re: Original maybe, ingenious really? by PPH · · Score: 1

      doesn't actually connect to wifi until a program needs network access

      Hard-wired Ethernet.

      And how would a PC on the LAN know when it needed to fire up networking (WiFi) if it was the SMB server? Hence the hard-wire connection, which has worked for many years and many versions of Windows. Until Chrome came along.

      --
      Have gnu, will travel.
    17. Re:Original maybe, ingenious really? by AHuxley · · Score: 1

      CIA teams are not like the NSA who have the time and unlimited freedom to use and alter networks. Often they have to gain access to a site with a good cover story and use an on site method to get deep into a very secure network.
      Staff and workers might be watching the use of a USB stick and if an allowed task takes too long the "20 files max" and set sizes would be a good limit.
      The working cover story of why some person connected to the CIA is on site is protected by not having a computer/network slow down as a huge amount of unexpected files are pushed onto a network.
      The CIA might want more files to collect on all possible network conditions but using fewer files can ensure a mission works without workers and staff thinking why a simple on site computer task took so long.
      The CIA can then collect results later in person and no firewall or network log noticed any external changes.

      --
      Domestic spying is now "Benign Information Gathering"
    18. Re:Original maybe, ingenious really? by AHuxley · · Score: 1

      AC, the CIA understands humans and computers. That is what makes the CIA so great. Seeing a GUI try and pump a computer or network full of unexpected files from a slow device like early generations of USB might make staff and workers wonder what is being done.
      Questions like who are you and why is this the first large patch done in this way.
      Getting access to push a few files might be accepted. A slow GUI and a strange conversation about work while a totally unexpected task is being conducted might make some people who would have been ok with the event report the unexpected time needed.
      The CIA might use US staff in another nation or US connected contractors; a language difference might help or slow a task down. Finally getting access for a short time might just be ok. Waiting around for a longer time in a secure area with a slow device will just allow more questions and unexpected conversations to start.

      --
      Domestic spying is now "Benign Information Gathering"
    19. Re:Original maybe, ingenious really? by Anonymous Coward · · Score: 0

      I like a file-system (or even the disk-driver) which will provide a modified source file (like a .c file) only to the compiler but not to other applications [like editors, version control systems etc]. This way you can create an executable which has your exploit/backdoor but a human scanning the source-code can't see it. E.g. say you insert a special login/password into the login.c file which allows you a back-door. [it's similar to the legend that the original C compiler writer had in fact put in such a backdoor]

    20. Re:Original maybe, ingenious really? by yes-but-no · · Score: 1

      I like a file-system (or even the disk-driver) which will provide a modified source file (like a .c file) only to the compiler but not to other applications [like editors, version control systems etc]. This way you can create an executable which has your exploit/backdoor but a human scanning the source-code can't see it. E.g. say you insert a special login/password into the login.c file which allows you a back-door. [it's similar to the legend that the original C compiler writer had in fact put in such a backdoor] [ps got posted as ac]

  4. A Disservice by Anonymous Coward · · Score: 0, Insightful

    It is a disservice to Slashdot readers when the post fails to mention the operating systems affected by the exploit. Is this Windows only? Samba runs on Mac and Linux. Does the malware affect them, or does the executable bit get in the way?

    1. Re:A Disservice by 110010001000 · · Score: 3, Funny

      It is Windows only for now, but we are working on a Linux version. Don't tell anyone though.

    2. Re:A Disservice by guruevi · · Score: 1

      It's assumed that exploits like these are facilitated by Microsoft. SMB is the protocol, Samba is the daemon. It's talking about SMB on Windows.

      (S//NF) Pandemic registers a minifilter driver using Windows' Flt* functions.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    3. Re:A Disservice by 0ld_d0g · · Score: 1

      As long as you don't login as root and manually install random drivers, you'll be fine. On all operating systems.

    4. Re:A Disservice by Anonymous Coward · · Score: 0

      It's included in the article. It's Windows only.

  5. Fallout! by tepples · · Score: 1

    I thought this was about a vulnerability in Super Monkey Ball.

  6. Surprise, surprise! by Freischutz · · Score: 2

    SMB sucks ass? and now it's revealed to be seriously insecure as well?... now there's a couple of newsflashes that will shock the entire tech industry to its core

    1. Re:Surprise, surprise! by 110010001000 · · Score: 5, Insightful

      If you can install software on a computer it makes that computer instantly insecure. It really has nothing to do with SMB being secure. You could do this with any protocol, but API support for this in SMB makes it easier.

  7. Download with SMB???? by goombah99 · · Score: 1, Insightful

    Who "downloads" with SMB? SMB is a distributed file system like NFS, isn't it? Transferring files on an intranet is not what we conventionally mean by "download". The latter usually implies the importation of a file from the internet, not a local net. It's misleading to conflate these, as one usually has quite different procedures in the security onion for treating these two cases.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:Download with SMB???? by Anonymous Coward · · Score: 0

      If we are going to be pedantic, neither NFS nor SMB are distributed file systems.

    2. Re:Download with SMB???? by Anonymous Coward · · Score: 1

      First, it's entirely possible never to transfer an executable to the local hard disk, but simply to read and execute it by SMB.
      So does your browser also warn you if the intranet computer is a known dangerous computer when you do that SMB "download"? No, because it's a different security envelope. Does your operating system warn you and refuse to execute files newly loaded by SMB?

      Dumbass in deed, indeed.

    3. Re:Download with SMB???? by Anonymous Coward · · Score: 0

      They are protocols, but they definitely can be part of a distributed file system. And you have a very narrow definition of what distributed means.

    4. Re:Download with SMB???? by PPH · · Score: 1

      To be more precise, both SMB and NFS are protocols that support networked file systems. When you open a file on a remote system, you don't necessarily move a copy of the whole thing to your local system at once. Likewise, when you complete your task and close the file, the only remaining copy is on the remote (server) system.

      If your task consists of opening a remote share and explicitly copying the file to a location on your system, then yes, you 'downloaded' the file.

      --
      Have gnu, will travel.
    5. Re:Download with SMB???? by dissy · · Score: 2

      Who "downloads" with SMB.

      Well, they do clearly state this malware is not intended to catch criminals in any way, it's primarily for enterprise networks to be targeted.

      And downloading via SMB is one of many parts of an Active Directory based Windows network used in everything from small business up to full enterprises.

      When a client PC joined to a domain is booted and Windows starts, Windows will download all of the Group Policy files from your domain controller(s) before applying the "computer" based settings.
      Upon login by a user it will also check for modifications to the group policy files on the domain controller(s) share and possibly download those files again before applying the "user" based settings.

      In both of those cases, one typically will have a group policy that specifies a batch file that is also on an SMB or DFS share.
      That batch file can be as simple as just an "exit" command, or full of a listing of other programs to run which will also be hosted on SMB/DFS shares.

      Any executable run via that method is downloaded from the file server(s) to the local PC before being executed.

      SMB is a distributed file system like NFS isn't it.

      Technically no, but only due to how the different components work together.
      SMB is purely how to share files and socket pipes over the network.
      DFS (distributed file share) is the protocol that makes SMB distributed.

      Domain controllers on a windows network will always use DFS for the domain related shares.
      Additional namespaces can be created on top of your SMB share if you wish, but this is completely optional. Though it is a very wise idea to do so even if not to use in a distributed fashion, mainly because of how Windows machines stupidly handle hostnames.

      DFS lets you create namespaces under the domain share, which you can then point to SMB shares on one or more file servers.
      Obviously if you have 2 or more SMB shares specified, it becomes distributed.
      But even with only 1 SMB share specified, this lets you add a second SMB share in the future, migrate files from one server to another, then remove the original SMB share.
      Windows gets really really unhappy if you ever reuse a hostname on your servers, so this method lets you migrate from an old/small file server to a newer/larger server, without having to modify SMB paths everywhere around your network.

      transferring files on an intranet is not what we conventionally mean by "download". The latter usually implies the importation of file from the internet not a local net. It's misleading to conflate these as one usually has quite different procedures in the security onion for treating these two cases.

      It's only misleading when you don't understand what "download" and "upload" actually mean.

      Transferring a file from a machine that isn't your local one, onto your local machine, is a download.
      Transferring a file from your local machine to another one that isn't your local machine is an upload.

      There is no requirement for the Internet to be involved, and in fact those terms predate both the Internet and the Arpanet by a decade or more.

      Even a traditional "network" isn't required to be involved, as two machines connected by a serial cable can upload and download between each other, although typically they will still use networking protocols on top of that serial connection to do so.

    6. Re:Download with SMB???? by F.Ultra · · Score: 1

      If so then you download the executable via SMB to your RAM.

    7. Re:Download with SMB???? by Anonymous Coward · · Score: 0

      And stardust is part of a computer, and a computer uses protocols. So stars are part of protocols. Derp.

    8. Re:Download with SMB???? by AHuxley · · Score: 1

      People who have talked their way into a secure part of a remote office or site with some device to connect directly into a very secure regional or national network.
      A usb stick is connected, the secure remote network then uploads a file to the main office or building a city away on trust.
      Physical security was more trusted than any firewall.

      --
      Domestic spying is now "Benign Information Gathering"
  8. NFS by Cmdln+Daco · · Score: 2

    They are sure making NFS look like a more attractive file sharing protocol than SMB these days.

    (though I have seen some pretty shocking NFS exploits)

    1. Re:NFS by Anonymous Coward · · Score: 1

      and they haven't leaked the tools for non smb yet...

    2. Re:NFS by Anonymous Coward · · Score: 1

      You could write something like this for NFS easily. This is the file in the Linux kernel you would have to edit: http://elixir.free-electrons.com/linux/latest/source/fs/nfsd/vfs.c

      Since these functions are not exported it is not very clean to patch them with another module (this patch module would be kernel dependent, or would need some logic for finding the entry points). I would recommend just compiling a custom nfsd module and loading that.

      Alternatively, you can use the VFS API to install something between the nfsd and the filesystem modules, but here you will have less access to metadata about the NFS connection, so some fancy target selection may not be possible (e.g. username is available, source IP is not).

    3. Re:NFS by Anonymous Coward · · Score: 0

      and they haven't leaked the tools for non smb yet...

      There have been a few occasions in the past decade where a popular download site has been compromised and infected with a piece of code to divert downloads via proxy software which patches install files with spyware and malware.

      A proof of concept of this kind of proxy software, written in Python and PHP, was also posted many years ago on reddit/r/netsec; it demonstrated stripping the signature off Windows binaries and patching MSI and EXE files on the fly while downloading via the proxy. The code was then hosted at GitHub, but I can't recall its name.

    4. Re:NFS by phantomfive · · Score: 1

      This requires admin access on the computer, to install drivers. A more normal (and easier) way to accomplish the same thing would be to infect all the files on the share.

      --
      "First they came for the slanderers and i said nothing."
    5. Re:NFS by Anonymous Coward · · Score: 0

      One could probably hack up a universal MITM file replacing scheme with ettercap and bash.

    6. Re:NFS by Anonymous Coward · · Score: 0

      This way there are no weird executables stored on the file server where they would be rather quickly noticed by ops staff.

  9. I'm safe! by Anonymous Coward · · Score: 0

    Support is included for replacing both 32-bit and 64-bit files

    Whew! All the files on my disk are 8-bit files.

    I know, because I look at them with od -t x1. As long as I stay away from od -t x4 or x8, I should be safe.

  10. Why basic security is missing... by Anonymous Coward · · Score: 0

    Want to know why the simplest security methods are missing from Windows, Linux, etc? Look to Truecrypt for an explanation...

    Truecrypt ***is*** the de facto method to ensure your files are properly encrypted, and this posed the greatest problem to the NSA/GCHQ/CIA/Google. The 'maths' of Truecrypt couldn't be disputed so social engineering was used instead. Key members of the team were paid millions by the US government to FUD their own project to 'death' in the eyes of the more naive. The main tech sites, and neo-liberal outlets like this one, pushed the FUD, till the dumb-dumbs lost confidence in the software. Then of course, the Truecrypt team refused to move the project to Win10.

    File operating systems could have proper checksum/file signature methods where the integrity of a file across the chain of file movement was an innate part of the system. But the very opposite is true. Only recently, using a very old wireless dongle on a new Win10 build, faulty dongle drivers meant SMB file transfers to the new machine were silently corrupting the copied files. The data integrity tests in one of the many transport layers involved were silently failing. Imagine the scope for corporate disaster if such a fault was happening to back-ups.

    But why doesn't Win10 (the nth version of NT) do something as basic as properly checksum files/file chunks as the data moves? Because the NSA needs backdoors and flaws in every major computer system, and robust data integrity and robust data encryption is death to NSA spying methods.

    Microsoft is broken by design, and actually gets more broken year by year. A metric ton of Linux devs are on the payroll of the NSA and GCHQ. And so the simplest request for the simplest improvements to closed and open-source software in bug forums gets mocked and ignored by 'devs'.

    Of course third party tools (like Truecrypt even today) can get the job done, but their poor integration with the OS makes their use less than ideal, and certainly less than convenient. And we have to suffer possible file corruption across the chain of movement on our devices just so there are 'chinks' into which the NSA can insert their dirty hands when they wish, and this is just plain evil.

    1. Re:Why basic security is missing... by Anonymous Coward · · Score: 0

      You made quite a few accusations in your paranoid screed. Can you prove any of them?

      "Key members of the team were paid millions by the US government "
      Proof?

      "Truecrypt ***is*** the de facto method to ensure your files are properly encrypted, and this posed the greatest problen to the NSA/GCHQ/CIA/Google"
      This sounds more like an ad than a proven fact.

      "A metric ton of Linux devs are on the payroll of the NSA and GCHQ"
      I'm sure they do have Linux devs on staff or contract. They sit a few cubicles over from the Windows, Unix, Apple devs. Or do you think the only OS running in the world is Linux?

      "Of course third party tools (like Truecrypt even today)"
      Another ad?

      "poor integration with the OS "
      If you have the skills to describe the integration as poor you must know how to fix the problems. At last, Open Source to the rescue! You have access to all the OS code for Linux so surely you could correct any of the integration problems you have uncovered?

      "this is just plain evil"
      Only the political blowhards and tech wannabes would this topic of discussion in this manner. Especially when the said blowhard acts like he knows what he is talking about.

  11. I wish the U.S. had a healthy government. by Anonymous Coward · · Score: 0

    Dr. Evil,

    I'm guessing you are a saint compared to the evil of the CIA.

    I wish the U.S. had a healthy government.

    1. Re:I wish the U.S. had a healthy government. by Anonymous Coward · · Score: 0

      I wish the U.S. had a healthy government.

      If you're a US citizen, then push for an Article V convention of States, or STFU with your whining because you'll willingly tolerate it.

    2. Re: I wish the U.S. had a healthy government. by Anonymous Coward · · Score: 0

      "Convention of the States" is code for "rewrite the Constitution in favor of big business." So... yeah, either learn what the fuck you're advocating and shut up, or shill harder.

  12. Finally a reality! by Anonymous Coward · · Score: 0

    This was conceived of during the WfW3.11 era. Never got around to actually developing it, but it's so nice somebody actually did so.

    Good job!

    I can tick this off my todo list now.

  13. Infantile description by fnj · · Score: 1

    What the hell is a "32 bit file"? What the hell is a "64 bit file"? A file is a sequence of goddam bytes.

    1. Re:Infantile description by Anonymous Coward · · Score: 1

      A 32-bit file is obviously a file four bytes in length. 64-bit files take eight bytes.

      Anyway, I believe they meant s/file/executable/

  14. Pfah - piece of cake (for single system users) by Anonymous Coward · · Score: 0

    See subject: Plus, save CPU/RAM/Other I-O by cutting off Server + Workstation services, remove NetBIOS over TCP/IP & Client for Microsoft Networks (& other CRAP there you don't need running when ALL YOU NEED is TCP/IP to be online) if all you have is a single machine @ home w/ no LAN? You're ALL SET vs. this puny BULLSHIT weak 'attack'...

    APK

    P.S.=> I've put this out in a security guide I wrote for single system users that even surprisingly got me paid circa 1997-2006 a la https://www.google.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&btnG=Search&hl=en&gbv=1/ which uses guidance from the highly esteemed CIS Tool (which took fixes to their ware from "yours truly" too, no less)... apk