CIA Malware Can Switch Clean Files With Malware When You Download Them via SMB

itman · Jun 1, 2017

After taking last week off, WikiLeaks came back today and released documentation on another CIA cyberweapon. Codenamed Pandemic, this is a tool that targets computers with shared folders, from where users download files via SMB.

The way Pandemic works is quite ingenious and original, and something not seen before in any other malware strain.

Pandemic was developed for computers with shared folders

According to a leaked CIA manual, Pandemic is installed on target machines as a "file system filter driver." This driver's function is to listen to SMB traffic and detect attempts from other users to download shared files from the infected computer.

Pandemic will intercept this SMB request and answer on behalf of the infected computer. Instead of the legitimate file, Pandemic will deliver a malware-infected file instead. According to the CIA manual, Pandemic can replace up to 20 legitimate files at a time, with a maximum size of 800MB per file, and only takes 15 seconds to install. Support is include for replacing both 32-bit and 64-bit files. The tool was specifically developed to replace executable files, especially those hosted on enterprise networks via shared folders.

The role of this cyberweapon is to infect corporate file sharing servers and deliver a malicious executable to other persons on the network, hence the tool's name of Pandemic.

Detecting "patient zero" is hard, but not impossible

Once Pandemic has infiltrated a network, it's very hard to detect the source of the original infection and clean the "patient zero" host.

This is because Pandemic's file system driver will know when a local user is manually accessing one of the shared files and will execute the clean version of the file, and not the malware-laced version it delivers via SMB. In order to detect Pandemic-infected PCs, sysadmins must download and scan files from other computers via SMB (shared folders).

Section 3 of the tool's leaked manual provides a different method of detecting Pandemic malware.

Pandemic registers a minifilter driver using Windows' Flt* functions. As a result, FltMgr requires that all drivers registering as minifilters contain certain registry keys. Pandemic uses the 'Null' service key (on all Windows systems) as its own driver service key. Pandemic will create 2 sub keys and 3 values under the 'Null' service key in the registry. These values and sub keys are deleted when Pandemic is uninstalled at the end of its configured run timer, or when it is uninstalled via a special F&F (v2) DLL. These keys will NOT//NOT be deleted if the system is rebooted before the aforementioned scenarios occur.

Incident response teams who fear or suspect they might be prone to CIA surveillance can search Windows registry keys for the above minifilter drivers using Windows Flt* functions, as a sign of infection.
Click to expand...

https://www.bleepingcomputer.com/ne...-with-malware-when-you-download-them-via-smb/

guest · Jun 2, 2017

ROFL ! this one is nasty...

if i go on paranoid & Conspiracy mode: "this is why MS doesn't tell why we shouldn't disable SMB2.0/3.0 !!!! i knew it !!! "

itman · Jun 2, 2017

SysInternal's WinObj would be of assistance since it will show all file filter managers installed as noted in the below screen shot:

itman · Jun 3, 2017

Doubt this exploit will make it into widespread use due to this:

Documentation that accompanied Thursday's release said that Pandemic is installed as a minifilter device driver. Jake Williams, a malware expert at Rendition InfoSec, told Ars that this means Pandemic would have to be signed by a valid digital certificate that was either bought or stolen by the operative, or it means the implant would have to be installed using an exploit that circumvented code-signing requirements. The driver-signing restriction and other technical details, he said, give the impression the tool isn't in widespread use.
Click to expand...

https://arstechnica.com/security/20...-implant-turns-servers-into-malware-carriers/

Log in or Sign up

CIA Malware Can Switch Clean Files With Malware When You Download Them via SMB

itman Registered Member

guest Guest

itman Registered Member

itman Registered Member

Log in or Sign up

CIA Malware Can Switch Clean Files With Malware When You Download Them via SMB

itman Registered Member

guest Guest

itman Registered Member

itman Registered Member

Useful Searches