Pandemic: CIA tool for hidden file spoofing

WikiLeaks continues to draw cords from the CIA, gradually publishing portions of documents about hacking tools used by Americans for espionage. The scouts are forced one by one to withdraw these tools from circulation, because now they are declassified.



On June 1, 2017, WikiLeaks released the Pandemic documentation , a Windows file system mini filter that distributes malicious files. Pandemic replaces the contents of the files when they are copied via SMB. Instead of the original content, an arbitrary file with the same name comes to the recipient (this may be a triple version of the original program - a list of programs for which the CIA released triple versions, VLC Player Portable, IrfanView, Chrome Portable, Opera Portable, Firefox Portable, Kaspersky TDSS Killer Portable, Notepad ++, Skype, 7-Zip Portable, Portable Linux CMD Prompt, 2048 and many others). Thus, the rapid spread of the virus code on the local network.



To disguise their actions, the original file on the server remains unchanged, but the recipient, when copying this file, already receives a version with a trojan. Very effective and simple weapon. It is particularly suitable for installation on file servers, from where bulk copying of files is carried out. Imagine that all files on the server are clean, checked by antivirus and do not contain anything suspicious. But when you copy them, you get a version with a trojan.



Pandemic supports code replacement in 20 files simultaneously with a maximum file size of 800 MB. The system can perform the substitution on the specified list of remote users (goals).



As the name implies, the only infected computer in the local network is considered as a kind of “patient zero”, from which a mass infection begins - a pandemic. It is not clear from the documents whether the new infected machines also become carriers of the infection, like the “patient zero”. Probably, this is possible if the agent chooses an arbitrary payload of up to 800 MB, which he wants to include in the replaceable files. The documentation for Pandemic 1.1 dated January 16, 2015 indicates that it takes just 15 seconds to install the Pandemic tab on the server, although (again) the documentation is silent on how to install the tool.



After installation, 2 subkeys and 3 values ​​are created in the registry, so the program can continue to work after the server is rebooted.



Among the keys of the configuration utility, there is a key that sets the server lifetime in minutes, the delay time before starting work, the name of the device for uninstalling on demand in remote mode, the SID list for infection (maximum 64 identifiers), a separate SID list, which cannot be infected, path to save the log and other parameters.



The tool comes with the Pandemic_Builder.exe



and Control.dll



files, and after compiling with the required parameters, the file pandemic_AMD64.bin



is created (or pandemic_x86.bin



for the 32-bit version).



The manual states that the tool does not check the contents of the file when replacing it (except for the fact of the existence of the file), so agents should be careful: “If you accidentally specify the .txt file to replace the .exe file, problems may arise,” warns the documentation. “Double check the file you are using for replacement.”



Pandemic is another CIA spy tool that was previously unknown to the public.



On March 7, 2017, the WikiLeaks website began publishing a collection of classified documents by the Central Intelligence Agency of the United States on March 7, 2017 as part of the Vault 7 project. The first and largest part of the Year Zero collection contains 8761 files, including a list of various malware, viruses, trojans, dozens of 0day -exploit and payload for them, remote control systems and relevant documentation. All in all parts of the collection - hundreds of millions of lines of code. According to Wikileaks activists, after such a leak, the CIA loses control over most of its hacker arsenal.



Files obtained from a network with a high degree of protection at the CIA Cyber ​​Intelligence Center, located in Langley, pc. Virginia. It is still unknown what the informant (traitor) leaked the documents to WikiLeaks, or they were stolen as a result of hacking.



Now instead of folders with files there are pdf with a list of files. Julian Assange promised to post the files themselves after checking, but WikiLeaks is not in a hurry with this. But even in its current form, the first part of Vault 7 (Year Zero) already exceeds the volume of all NSA documents received from Edward Snowden and published over three years in terms of the volume of published documents.



After March, WikiLeaks drop by drop the next portion of documents - these are small dot collections with descriptions of specific CIA tools. For example, a selection of 12 documents about hacking the iPhone and Mac in 2008-2013. or the Marble framework for obfuscating code and comments to mislead the adversary regarding the program’s country of origin. Usually documents are published once a week.



Julian Assange said that the first portion of Year Zero represents less than 1% of the total collection of documents of the CIA Vault 7. But if he continues to publish files at such a rate, it can last forever.