CIA Malware Can Switch Clean Files With Malware When You Download Them Via SMB

An anonymous reader quotes a report from Bleeping Computer: "After taking last week off, WikiLeaks came back today and released documentation on another CIA cyber weapon. Codenamed Pandemic, this is a tool that targets computers with shared folders, from where users download files via SMB. The way Pandemic works is quite ingenious and original, and something not seen before in any other malware strain. According to a leaked CIA manual, Pandemic is installed on target machines as a "file system filter driver." This driver's function is to listen to SMB traffic and detect attempts from other users to download shared files from the infected computer. Pandemic will intercept this SMB request and answer on behalf of the infected computer. Instead of the legitimate file, Pandemic will deliver a malware-infected file instead. According to the CIA manual, Pandemic can replace up to 20 legitimate files at a time, with a maximum size of 800MB per file, and only takes 15 seconds to install. Support is included for replacing both 32-bit and 64-bit files. The tool was specifically developed to replace executable files, especially those hosted on enterprise networks via shared folders. The role of this cyber weapon is to infect corporate file sharing servers and deliver a malicious executable to other persons on the network, hence the tool's name of Pandemic.

Original maybe, ingenious really?

[Dr.+Evil]

Not every permutation and combination of malware not seen before is "ingenious".

File system filter driver dynamically installs malware. Got it. Isn't this the kind of thing a file system filter driver is supposed to do? "filter can mean log, observe, modify...." https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/what-is-a-file-system-filter-driver-

Handy tool, but unless I'm missing something, "ingenious" is way overstated. 25 years ago, this might have been novel.

Re:Original maybe, ingenious really?

[PolygamousRanchKid+]

. . . maybe the CIA writes files=20 in their config.sys . . . ?

Re:Original maybe, ingenious really?

[K.+S.+Kyosuke]

"Had God wanted us to infect more files, he would have given us more fingers and toes."

Re:Original maybe, ingenious really?

[Dr.+Evil]

I bet you're right. The Vault7 leaks all seem like leaks from a competent but certainly not-miracle working security team. They've got access to some remarkable vulnerabilities, and they seem well-funded, otherwise just a bunch of normal guys. The poor soul who wrote this one probably never meant it to be more than a hack for a specific project.

Some of the Vault7 stuff is funny:

https://wikileaks.org/ciav7p1/cms/page_14588098.html

DART: WinXP Pro SP3 English w/ Adobe VM – why you hate my unit tests?
....

2015-01-29 18:29 [User #71473]:

Ah, but lowly users can't create projects, and I find it silly to go begging an admin when I want to make a silly tasklist in Jira.

#freejira

#getoffmylawn

2015-01-29 07:55 [User #1179925]:

Some would say there is an Atlassian product to help you track this stuff....

Re:Original maybe, ingenious really?

[MMC+Monster]

And then pull up your shirt and get to 23.

Re:A Disservice

[110010001000]

It is Windows only for now, but we are working on a Linux version. Don't tell anyone though.

Re:Surprise, surprise!

[110010001000]

If you can install software on a computer it makes that computer instantly insecure. It really has nothing to do with SMB being secure. You could do this with any protocol, but API support for this in SMB makes it easier.