Tuesday, September 15, 2015

Wikileaks website that hosted a torrent with infected files has migrated to a new domain

UPDATED: While wlstorage.net has been taken offline and is not currently being redirected elsewhere, it looks like all of that host's functionality is now being provided by https://file.wikileaks.org, mostly as a way to facilitate torrent downloads. The new host appears to require SSL, which wlstorage.net did not. The SSL issue was particularly troubling because all of the torrents available for download on wlstorage.net were created referencing the non-SSL (plain http://) version of the site, so a BitTorrent client that honours those URLs opens an unencrypted connection to wlstorage.net, which is another convenient way for anyone watching the network to identify Wikileaks users. The torrent that includes infected files, gifiles-2014.tar.bz2.torrent, remains available for download as well.
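The plaintext-URL problem described above is easy to check for yourself before opening a torrent in a client. The following script is an added example, not code from the original post or from Wikileaks: it decodes a .torrent file (bencode format) and lists every tracker and web-seed URL the client would contact, flagging those that are not https://. The embedded sample torrent is constructed for this example and its tracker and web-seed URLs are hypothetical; it is not the contents of the real gifiles-2014.tar.bz2.torrent.

```python
"""Inspect a .torrent file for tracker / web-seed URLs that use plaintext transports."""
import sys
from urllib.parse import urlsplit


def bdecode(data: bytes):
    """Minimal bencode decoder: integers, byte strings, lists and dicts."""
    def parse(i):
        c = data[i:i + 1]
        if c == b"i":                              # integer: i<digits>e
            end = data.index(b"e", i)
            return int(data[i + 1:end]), end + 1
        if c in (b"l", b"d"):                      # list or dict, terminated by 'e'
            items = []
            i += 1
            while data[i:i + 1] != b"e":
                v, i = parse(i)
                items.append(v)
            if c == b"l":
                return items, i + 1
            # dict: alternating byte-string keys and values
            return dict(zip(items[0::2], items[1::2])), i + 1
        if c.isdigit():                            # byte string: <len>:<bytes>
            colon = data.index(b":", i)
            n = int(data[i:colon])
            start = colon + 1
            return data[start:start + n], start + n
        raise ValueError(f"bad bencode at offset {i}")

    value, end = parse(0)
    if end != len(data):
        raise ValueError("trailing data after bencoded value")
    return value


def bencode(obj) -> bytes:
    """Bencode encoder, used here only to build the constructed sample torrent."""
    if isinstance(obj, bool):
        raise TypeError("bool is not bencodable")
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, str):
        obj = obj.encode("utf-8")
    if isinstance(obj, bytes):
        return b"%d:%s" % (len(obj), obj)
    if isinstance(obj, list):
        return b"l" + b"".join(bencode(x) for x in obj) + b"e"
    if isinstance(obj, dict):
        return b"d" + b"".join(bencode(k) + bencode(obj[k]) for k in sorted(obj)) + b"e"
    raise TypeError(f"cannot bencode {type(obj).__name__}")


def transport_urls(torrent: dict) -> list:
    """Every tracker (announce, announce-list) and web-seed (url-list, BEP 19)
    URL the client will contact, in file order, de-duplicated."""
    urls = []

    def add(v):
        if isinstance(v, bytes):
            s = v.decode("utf-8", "replace")
            if s not in urls:
                urls.append(s)
        elif isinstance(v, list):          # announce-list is a list of tiers (lists)
            for x in v:
                add(x)

    add(torrent.get(b"announce"))
    add(torrent.get(b"announce-list"))
    add(torrent.get(b"url-list"))          # may be a single string or a list
    return urls


def plaintext_urls(torrent: dict) -> list:
    """URLs whose scheme is anything other than https (http, udp, ...): the
    client's requests to these hosts travel unencrypted and reveal which
    torrent is being fetched."""
    return [u for u in transport_urls(torrent) if urlsplit(u).scheme.lower() != "https"]


# Constructed sample torrent; the URLs are hypothetical placeholders, NOT the
# real contents of gifiles-2014.tar.bz2.torrent.
SAMPLE_TORRENT = bencode({
    "announce": "http://wlstorage.net/announce",
    "announce-list": [["http://wlstorage.net/announce"],
                      ["https://file.wikileaks.org/announce"]],
    "url-list": ["http://wlstorage.net/torrent/gifiles-2014.tar.bz2"],
    "info": {"name": "gifiles-2014.tar.bz2", "length": 123456,
             "piece length": 262144, "pieces": b"\x00" * 20},
})


if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_TORRENT
    for u in plaintext_urls(bdecode(raw)):
        print("plaintext transport:", u)
```

Run it with the path to a .torrent file as the only argument; with no argument it inspects the constructed sample and reports the two http:// URLs. Trackers and web seeds are only the URLs the client contacts directly; peer-to-peer traffic has its own (optional, client-dependent) encryption, so a clean report here does not mean the whole download is private.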

As I discussed in my series of posts explaining how the Stratfor email dump hosted by Wikileaks contains malicious software, I first came across a series of infected files when I downloaded and reviewed a torrent file hosted on the Wikileaks subsite "wlstorage.net". A number of factors at the time led me to believe that "wlstorage.net" was not a mirror of Wikileaks hosted by a third party, but was in fact run by the Wikileaks organization directly: notably, that both wlstorage.net and wikileaks.org resolved to the same set of IP addresses, both sites served the same SSL certificate, and wlstorage.net was linked to throughout wikileaks.org.

Today it was brought to my attention that wlstorage.net has been taken offline, and I verified that the DNS entry for wlstorage.net has been removed. wlstorage.net uses the Wikileaks nameservers (ns1.wikileaks.org & ns2.wikileaks.org), so this change would have been performed by a trusted member of the Wikileaks technical team. I am not aware of any announcement from Wikileaks stating the reason for the removal of wlstorage.net from DNS. Whatever the reason for the change, it has not removed the infected files from distribution.

As of this writing (9/15/2015), all of the infected files remain available for direct, individual download through dozens of curated links on the wikileaks.org website itself. I have also received reports that those attempting to download the infected torrent using a BitTorrent client are unable to find a peer with a complete copy to seed it. If anyone wishes to review these files for research purposes, you are welcome to contact me and I can seed temporarily. For obvious reasons I am not interested in seeding the torrent on anything like an ongoing basis, and I encourage researchers and journalists to review the infected files directly on wikileaks.org as a first step. I have compiled a list of URLs pointing to infected files and posted it to Pastebin; I also have a post explaining that the infected files are not restricted to the torrent.
