CIA Malware Can Switch Clean Files With Malware When You Download Them Via SMB

An anonymous reader quotes a report from Bleeping Computer: "After taking last week off, WikiLeaks came back today and released documentation on another CIA cyber weapon. Codenamed Pandemic, this is a tool that targets computers with shared folders, from where users download files via SMB. The way Pandemic works is quite ingenious and original, and something not seen before in any other malware strain. According to a leaked CIA manual, Pandemic is installed on target machines as a "file system filter driver." This driver's function is to listen to SMB traffic and detect attempts from other users to download shared files from the infected computer. Pandemic will intercept this SMB request and answer on behalf of the infected computer. Instead of the legitimate file, Pandemic will deliver a malware-infected file instead. According to the CIA manual, Pandemic can replace up to 20 legitimate files at a time, with a maximum size of 800MB per file, and only takes 15 seconds to install. Support is included for replacing both 32-bit and 64-bit files. The tool was specifically developed to replace executable files, especially those hosted on enterprise networks via shared folders. The role of this cyber weapon is to infect corporate file sharing servers and deliver a malicious executable to other persons on the network, hence the tool's name of Pandemic.

That's all well and good.

[Anonymous Coward]

...But can it get into Madagascar after they've closed their port?!

Re: That's all well and good.

[mspohr]

More importantly, does it run on Linux?

Fallout!

[tepples]

I thought this was about a vulnerability in Super Monkey Ball.

Original maybe, ingenious really?

[Dr. Evil]

Not every permutation and combination of malware not seen before is "ingenious".

File system filter driver dynamically installs malware. Got it. Isn't this the kind of thing a file system filter driver is supposed to do? "filter can mean log, observe, modify...." https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/what-is-a-file-system-filter-driver- [microsoft.com]

Handy tool, but unless I'm missing something, "ingenious" is way overstated. 25 years ago, this might have been novel.

Re:

[110010001000]

I'm still trying to figure out how it only supports 20 files max. I am suspecting variable names like "filename1", "filename2", etc.

Re:Original maybe, ingenious really?

[PolygamousRanchKid]

. . . maybe the CIA writes files=20 in their config.sys . . . ?

Re:Original maybe, ingenious really?

[K. S. Kyosuke]

"Had God wanted us to infect more files, he would have given us more fingers and toes."

Re:Original maybe, ingenious really?

[MMC Monster]

And then pull up your shirt and get to 23.

Re:

[hattable]

24 you insensitive clod!

Re:Original maybe, ingenious really?

[Dr. Evil]

I bet you're right. The Vault7 leaks all seem like leaks from a competent but certainly not-miracle working security team. They've got access to some remarkable vulnerabilities, and they seem well-funded, otherwise just a bunch of normal guys. The poor soul who wrote this one probably never meant it to be more than a hack for a specific project.

Some of the Vault7 stuff is funny:

https://wikileaks.org/ciav7p1/cms/page_14588098.html [wikileaks.org]

DART: WinXP Pro SP3 English w/ Adobe VM – why you hate my unit tests?
....

2015-01-29 18:29 [User #71473]:

Ah, but lowly users can't create projects, and I find it silly to go begging an admin when I want to make a silly tasklist in Jira.

#freejira

#getoffmylawn

2015-01-29 07:55 [User #1179925]:

Some would say there is an Atlassian product to help you track this stuff....

Re:

[PPH]

Perhaps there's some file caching scheme to speed up the file replacement. So your target doesn't get suspicious about a delay. The flip side is that this requires memory. Use too much of that and someone will notice the resource use.

Re:

[110010001000]

That probably explains it, and also the 800MB file limit they mentioned.

Re:

[AHuxley]

CIA teams are not like the NSA who have the time and unlimited freedom to use and alter networks. Often they have to gain access to a site with a good cover story and use an on site method to get deep into a very secure network.
Staff and workers might be watching the use of a USB stick and if an allowed task takes too long the "20 files max" and set sizes would be a good limit.
The working cover story of why some person connected to the CIA is on site is protected by not having a computer/network slow dow

Re:

[AHuxley]

AC the CIA understands humans and computers. That is what makes the CIA so great. Seeing a GUI try and pump a computer or network full of unexpected files from a slow device like early generations of USB might make staff and workers wonder what is been done.
Questions like who are you and why is this the first large patch done in this way.
Getting access to push a few files might be accepted. A slow GUI and a strange conversation about work while a totally unexpected task is been conducted might make som

Download with SMB????

[goombah99]

Who "downloads" with SMB. SMB is a distributed file system like NFS isn't it. transferring files on an intranet is not what we conventionally mean by "download". The latter usually implies the importation of file from the internet not a local net. It's misleading to conflate these as one usually has quite different procedures in the security onion for treating these two cases.

Re:

[Anonymous Coward]

First, it's entirely possible never to transfer an executable to the local hard disk, but simply to read and execute it by SMB.
So does your browser also warn you if the intranet computer is a known dangersous computer when you do that SMB "download". No because it's a different security envelope. Does your operaing system warn you and refuse to execute files newly loaded by SMB.

Dumbass in deed, indeed.

Re:

[F.Ultra]

If so then you download the executable via SMB to your RAM.

Re:

[PPH]

To be more precise, both SMB and NFS are protocols that support networked file systems. When you open a file on a remote system, you don't necessarily move a copy of the whole thing to your local system an once. Likewise, when you complete your task and close the file, the only remaining copy is on the remote (server) system.

If your task consists of opening a remote share and explicitly copying the file to a location on your system, then yes, you 'downloaded' the file.

Re:

[dissy]

Who "downloads" with SMB.

Well, they do clearly state this malware is not intended to catch criminals in any way, it's primarily for enterprise networks to be targeted.

And downloading via SMB is one of many parts of an Active Directory based Windows network used in everything from small business up to full enterprises.

When a client PC joined to a domain is booted and windows starts, windows will download all of the Group Policy files from your domain controller(s) before applying the "computer" based settings.
Upon login by a user it

Re:

[AHuxley]

People who have talked their way into a secure part of a remote office or site with some device to connect direct into a very secure regional or national network.
A usb stick is connected, the secure remote network then uploads a file to the main office or building a city away on trust.
Physical security was more trusted than any firewall.

Re:

[PPH]

I suspect that I may have seen this behavior elsewhere.

A friend of mine has a SOHO LAN. One day, she was complaining that she couldn't reach any shared folders on one of her employees PCs (who was off on vacation). So, I looked at it for her. Logged onto the suspect system and it couldn't see the office network either. Poked around for a few seconds and then said to myself, "Try the universal Windows repair procedure. Reboot." Still nothing. The "Network" browser was empty. Next, test the actual networking

Re:

[PPH]

doesn't actually connect to wifi until a program needs network access

Hard-wired Ethernet.

And how would a PC on the LAN know when it needed to fire up networking (WiFi) if it was the SMB server? Hence the hard-wire connection, which has worked for many years and many versions of Windows. Until Chrome came along.

Re:

[gweihir]

It is neither. The idea is plain obvious. Anybody competent (no, that does not include the average "programmer") can implement this in a few weeks.

Re:

[yes-but-no]

I like a file-system (or even the disk-driver) which will provide a modified source file (like a .c file) only to the compiler but not to other applications [like editors, version controlled system etc]. This way you can create an executable which has your exploit/backdoor but a human scanning the source-code can't see it. eg say you insert a special login/password to the login.c file which allows you a back-door. [it's similar to the legend that original C compiler writer had infact put in such a backdoor]

Re:A Disservice

[110010001000]

It is Windows only for now, but we are working on a Linux version. Don't tell anyone though.

Re:

[guruevi]

It's assumed that exploits like these are facilitated by Microsoft. SMB is the protocol, Samba is the daemon. It's talking about SMB on Windows.

(S//NF) Pandemic registers a minifilter driver using Windows' Flt* functions.

Re:

[0ld_d0g]

As long as you don't login as root and manually install random drivers, you'll be fine. On all operating systems..

Surprise, surprise!

[Freischutz]

SMB sucks ass? and now it's revealed to be seriously insecure as well?... now there's a couple of newsflashes that will shock the entire tech industry to it's core

Re:Surprise, surprise!

[110010001000]

If you can install software on a computer it makes that computer instantly insecure. It really has nothing to do with SMB being secure. You could do this with any protocol, but API support for this in SMB makes it easier.

NFS

[Cmdln Daco]

They are sure making NFS look like a more attractive file sharing protocol than SMB these days.

(though I have seen some pretty shocking NFS exploits)

Re:

[Anonymous Coward]

and they haven't leaked the tools for non smb yet...

Re:

[Anonymous Coward]

You could write something like this for NFS easily. This is the file in the linux kernel you would have to edit: http://elixir.free-electrons.com/linux/latest/source/fs/nfsd/vfs.c

Since these functions are not exported it is not very clean to patch them with another module (this patch module would be kernel dependent, or would need some logic for finding the entry points). I would recommend just compiling a custom nfsd module and loading that.

Alternatively, you can use the VFS api to install something betwee

Re:

[phantomfive]

This requires admin access on the computer, to install drivers. A more normal (and easier) way to accomplish the same thing would be to infect all the files on the share.

Infantile description

[fnj]

What the hell is a "32 bit file"? What the hell is a "64 bit file"? A file is a sequence of goddam bytes.

Re:

[Anonymous Coward]

A 32-bit file is obviously a file four bytes in length. 64-bit files take eight bytes.

Anyway, I believe they meant s/file/executable/