CIA Pandemic Malware: Cute little bug that switches out your files on SMB

[WMGroomAK]

Wikileaks has just released some documentation on another one of the CIA tools which appears to have a neat trick and name.  The Pandemic Tool infects a target computer that has shared folders and will begin to distribute malware instead of the requested file when someone downloads it via SMB.  

 

https://www.bleepingcomputer.com/news/security/cia-malware-can-switch-clean-files-with-malware-when-you-download-them-via-smb/

Quote

According to a leaked CIA manual, Pandemic is installed on target machines as a "file system filter driver." This driver's function is to listen to SMB traffic and detect attempts from other users to download shared files from the infected computer.

 

Pandemic will intercept this SMB request and answer on behalf of the infected computer. Instead of the legitimate file, Pandemic will deliver a malware-infected file instead. According to the CIA manual, Pandemic can replace up to 20 legitimate files at a time, with a maximum size of 800MB per file, and only takes 15 seconds to install. Support is include for replacing both 32-bit and 64-bit files. The tool was specifically developed to replace executable files, especially those hosted on enterprise networks via shared folders.

 

The role of this cyberweapon is to infect corporate file sharing servers and deliver a malicious executable to other persons on the network, hence the tool's name of Pandemic.

According to the article, this little gem of malicious code can be difficult to detect as when a local user accesses one of the shared files, it will execute the clean version.  The only two methods so far to detect this tool appear to be for a sysadmins to download and scan the files from another computer via SMB or via:

Quote

Section 3 of the tool's leaked manual provides a different method of detecting Pandemic malware.

Quote

Pandemic registers a minifilter driver using Windows' Flt* functions. As a result, FltMgr requires that all drivers registering as minifilters contain certain registry keys. Pandemic uses the 'Null' service key (on all Windows systems) as its own driver service key.  Pandemic will create 2 sub keys and 3 values under the 'Null' service key in the registry. These values and sub keys are deleted when Pandemic is uninstalled at the end of its configured run timer, or when it is uninstalled via a special F&F (v2) DLL. These keys will NOT//NOT be deleted if the system is rebooted before the aforementioned scenarios occur.

 

I have to admit that this is an interesting little bug that the CIA either cooked up or paid to have cooked up, especially considering how much work it would appear that you have to go through to find it...  

[waterjug]

well that cute bug sounds like a whole ton of fun.

[flibberdipper]

Why the hell would the CIA want something like this? Just to give the finger to countries we don't like? seemssmartbatman.vbs

[Energycore]

1 minute ago, tmcclelland455 said:

Why the hell would the CIA want something like this? Just to give the finger to countries we don't like? seemssmartbatman.vbs

It's a driver that can give out malware to every single computer from a corporation building at the same time and without being detected. I feel like it's a pretty powerful tool if the CIA decided they don't want people using iPhones anymore.

[Foxxer]

Man, it's all about intelligence war now.

[SCHISCHKA]

30 minutes ago, WMGroomAK said:

Support is include for replacing both 32-bit and 64-bit files.

So is there a CIA phone number one rings for support of their malware. Like those ones that charge by the minute

[ARikozuM]

11 minutes ago, Foxxer said:

Man, it's all about intelligence war now.

It's been like this since the before WW1 and intensified with the Cold War.

[ARikozuM]

1 minute ago, SCHISCHKA said:

So is there a CIA phone number one rings for support of their malware. Like those ones that charge by the minute

You just have to walk to their offices in Guantanamo. Cuba.

[N3v3r3nding_N3wb]

1 hour ago, tmcclelland455 said:

Why the hell would the CIA want something like this? Just to give the finger to countries we don't like? seemssmartbatman.vbs

If we ever got into a war with Russia or China, we could completely destroy any infrastructure connected to the cloud. That would make it surprisingly easy to handicap an enemy that would be otherwise very difficult to destroy.

[Beskamir]

5 hours ago, Foxxer said:

Man, it's all about intelligence war now.

I doubt the phrase "knowledge is power" came into existence without being heavily influenced by how valuable information about your foes can end up being.

[Master Disaster]

6 hours ago, tmcclelland455 said:

Why the hell would the CIA want something like this? Just to give the finger to countries we don't like? seemssmartbatman.vbs

You gotta think beyond the realm of malware being destructive and into the realm of stealth access. Having Pandemic deliver rootkits to every machine on a corporate network could be very useful to the CIA.

[captain_to_fire]

6 hours ago, WMGroomAK said:

I have to admit that this is an interesting little bug that the CIA either cooked up or paid to have cooked up, especially considering how much work it would appear that you have to go through to find it...  

It only shows that NSA's nefarious activities are now backfiring at them. 

 

6 hours ago, Foxxer said:

Man, it's all about intelligence war now.

Yeah. Who needs battleships and nuclear weapons when you can have an army of black hat hackers? 

[Bleedingyamato]

6 hours ago, Energycore said:

It's a driver that can give out malware to every single computer from a corporation building at the same time and without being detected. I feel like it's a pretty powerful tool if the CIA decided they don't want people using iPhones anymore.

What does a computer malware have to do with iPhones?  ?

[vorticalbox]

14 hours ago, N3v3r3nding_N3wb said:

If we ever got into a war with Russia or China, we could completely destroy any infrastructure connected to the cloud. That would make it surprisingly easy to handicap an enemy that would be otherwise very difficult to destroy.

if you drop a nuke there is no infrastructure left to defend.