Slashdot Mirror


CIA Malware Can Switch Clean Files With Malware When You Download Them Via SMB (bleepingcomputer.com)

An anonymous reader quotes a report from Bleeping Computer: "After taking last week off, WikiLeaks came back today and released documentation on another CIA cyber weapon. Codenamed Pandemic, this is a tool that targets computers with shared folders, from where users download files via SMB. The way Pandemic works is quite ingenious and original, and something not seen before in any other malware strain. According to a leaked CIA manual, Pandemic is installed on target machines as a "file system filter driver." This driver's function is to listen to SMB traffic and detect attempts from other users to download shared files from the infected computer. Pandemic will intercept this SMB request and answer on behalf of the infected computer. Instead of the legitimate file, Pandemic will deliver a malware-infected file instead. According to the CIA manual, Pandemic can replace up to 20 legitimate files at a time, with a maximum size of 800MB per file, and only takes 15 seconds to install. Support is included for replacing both 32-bit and 64-bit files. The tool was specifically developed to replace executable files, especially those hosted on enterprise networks via shared folders. The role of this cyber weapon is to infect corporate file sharing servers and deliver a malicious executable to other persons on the network, hence the tool's name of Pandemic."
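As an added defender-side example that is not part of the article or of the leaked tool: a small Python check that compares the bytes a client actually received over a share with a size-and-SHA-256 manifest recorded on the file server itself, which is exactly the discrepancy an in-transit substitution of the kind described produces (the share paths and file contents are constructed placeholders).

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample: the files an administrator legitimately published on the
# share, as they exist on the server's own disk (path -> bytes).
SERVER_FILES = {
    r"\\fileserver\tools\setup.exe": b"MZ" + b"\x00" * 62 + b"clean-installer-body",
    r"\\fileserver\tools\agent.exe": b"MZ" + b"\x00" * 62 + b"clean-agent-body",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Dict[str, dict]:
    """Record size and SHA-256 of each published file, computed on the server.
    The substitution happens on the SMB path, not on disk, so a server-local
    hash is the trustworthy reference for what a client should receive."""
    return {p: {"size": len(d), "sha256": sha256_hex(d)} for p, d in files.items()}


@dataclass
class Verdict:
    path: str
    status: str  # "ok", "unknown-file", "size-mismatch" or "hash-mismatch"
    expected: Optional[str] = None
    observed: Optional[str] = None


def verify_download(manifest: Dict[str, dict], path: str, received: bytes) -> Verdict:
    """Check bytes received over the share against the server-side manifest."""
    entry = manifest.get(path)
    if entry is None:
        return Verdict(path, "unknown-file")
    if len(received) != entry["size"]:
        return Verdict(path, "size-mismatch", str(entry["size"]), str(len(received)))
    observed = sha256_hex(received)
    if observed != entry["sha256"]:
        return Verdict(path, "hash-mismatch", entry["sha256"], observed)
    return Verdict(path, "ok", entry["sha256"], observed)


def audit_share(manifest: Dict[str, dict], fetch: Callable[[str], bytes]) -> List[Verdict]:
    """Fetch every manifest entry through the share and return the non-ok verdicts.
    A same-size file arriving with a different hash is the tell-tale of swapping."""
    return [v for p in manifest if (v := verify_download(manifest, p, fetch(p))).status != "ok"]
```

Run it against a real share by replacing `fetch` with a function that reads each UNC path from the client side; a size check alone is not enough, since a replacement can be padded to the original length.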

12 of 62 comments

  1. That's all well and good. by Anonymous Coward · · Score: 2, Funny

    ...But can it get into Madagascar after they've closed their port?!

  2. Original maybe, ingenious really? by Dr. Evil · · Score: 3, Insightful

    Not every permutation and combination of malware not seen before is "ingenious".

    File system filter driver dynamically installs malware. Got it. Isn't this the kind of thing a file system filter driver is supposed to do? "filter can mean log, observe, modify...." https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/what-is-a-file-system-filter-driver-

    Handy tool, but unless I'm missing something, "ingenious" is way overstated. 25 years ago, this might have been novel.

    1. Re:Original maybe, ingenious really? by 110010001000 · · Score: 2

      I'm still trying to figure out how it only supports 20 files max. I am suspecting variable names like "filename1", "filename2", etc.

    2. Re:Original maybe, ingenious really? by PolygamousRanchKid · · Score: 5, Funny

      . . . maybe the CIA writes files=20 in their config.sys . . . ?

      --
      Schroedinger's Brexit: The UK is both in and out of the EU at the same time!

    3. Re:Original maybe, ingenious really? by K. S. Kyosuke · · Score: 4, Insightful

      "Had God wanted us to infect more files, he would have given us more fingers and toes."

      --
      Ezekiel 23:20

    4. Re:Original maybe, ingenious really? by Dr. Evil · · Score: 3, Informative

      I bet you're right. The Vault7 leaks all seem like leaks from a competent but certainly not miracle-working security team. They've got access to some remarkable vulnerabilities, and they seem well-funded; otherwise, just a bunch of normal guys. The poor soul who wrote this one probably never meant it to be more than a hack for a specific project.

      Some of the Vault7 stuff is funny:

      https://wikileaks.org/ciav7p1/cms/page_14588098.html

      DART: WinXP Pro SP3 English w/ Adobe VM – why you hate my unit tests?
      ....

      2015-01-29 18:29 [User #71473]:

      Ah, but lowly users can't create projects, and I find it silly to go begging an admin when I want to make a silly tasklist in Jira.

      #freejira

      #getoffmylawn

      2015-01-29 07:55 [User #1179925]:

      Some would say there is an Atlassian product to help you track this stuff....

    5. Re:Original maybe, ingenious really? by MMC Monster · · Score: 3, Funny

      And then pull up your shirt and get to 23.

      --
      Help! I'm a slashdot refugee.

  3. Re:A Disservice by 110010001000 · · Score: 3, Funny

    It is Windows only for now, but we are working on a Linux version. Don't tell anyone though.

  4. Surprise, surprise! by Freischutz · · Score: 2

    SMB sucks ass? And now it's revealed to be seriously insecure as well?... Now there's a couple of newsflashes that will shock the entire tech industry to its core.

    1. Re:Surprise, surprise! by 110010001000 · · Score: 5, Insightful

      If you can install software on a computer it makes that computer instantly insecure. It really has nothing to do with SMB being secure. You could do this with any protocol, but API support for this in SMB makes it easier.

  5. NFS by Cmdln Daco · · Score: 2

    They are sure making NFS look like a more attractive file sharing protocol than SMB these days.

    (though I have seen some pretty shocking NFS exploits)

  6. Re:Download with SMB???? by dissy · · Score: 2

    Who "downloads" with SMB?

    Well, they do clearly state this malware is not intended to catch criminals in any way, it's primarily for enterprise networks to be targeted.

    And downloading via SMB is one of many parts of an Active Directory based Windows network used in everything from small business up to full enterprises.

    When a client PC joined to a domain is booted and Windows starts, Windows will download all of the Group Policy files from your domain controller(s) before applying the "computer" based settings.
    Upon login by a user it will also check for modifications to the group policy files on the domain controller(s) share and possibly download those files again before applying the "user" based settings.

    In both of those cases, one typically will have a group policy that specifies a batch file that is also on an SMB or DFS share.
    That batch file can be as simple as just an "exit" command, or full of a listing of other programs to run which will also be hosted on SMB/DFS shares.

    Any executable run via that method is downloaded from the file server(s) to the local PC before being executed.

    SMB is a distributed file system like NFS, isn't it?

    Technically no, but only due to how the different components work together.
    SMB is purely how to share files and socket pipes over the network.
    DFS (distributed file share) is the protocol that makes SMB distributed.

    Domain controllers on a windows network will always use DFS for the domain related shares.
    Additional namespaces can be created on top of your SMB share if you wish, but it is completely optional. Though it is a very wise idea to do so even if not to use in a distributed fashion, mainly because of how Windows machines stupidly handle hostnames.

    DFS lets you create namespaces under the domain share, which you can then point to SMB shares on one or more file servers.
    Obviously if you have 2 or more SMB shares specified, it becomes distributed.
    But even with only 1 SMB share specified, this lets you add a second SMB share in the future, migrate files from one server to another, then remove the original SMB share.
    Windows gets really really unhappy if you ever reuse a hostname on your servers, so this method lets you migrate from an old/small file server to a newer/larger server, without having to modify SMB paths everywhere around your network.

    Transferring files on an intranet is not what we conventionally mean by "download". The latter usually implies the importation of a file from the internet, not a local net. It's misleading to conflate these, as one usually has quite different procedures in the security onion for treating these two cases.

    It's only misleading when you don't understand what "download" and "upload" actually mean.

    Transferring a file from a machine that isn't your local one, onto your local machine, is a download.
    Transferring a file from your local machine to another one that isn't your local machine is an upload.

    There is no requirement for the Internet to be involved, and in fact those terms predate both the Internet and the Arpanet by a decade or more.

    Even a traditional "network" isn't required to be involved, as two machines connected by a serial cable can upload and download between each other, although typically they will still use networking protocols on top of that serial connection to do so.