Skip to main content

Wikileaks

In March of 2015 I identified a number of files available for download through the Wikileaks.Org website that contain malicious scripts. All of the infected files were part of the email spool from the defense contractor Stratfor that hacktivist group Lulzsec provided to Wikileaks in late 2012. Nearly all of the malware was embedded within documents - PDF's, Word DOC's and Excel spreadsheets. All of the malware allowed readers of infected documents to be identified and tracked - for example one malicious script recovered Windows software registration information such as name and location and sent it to a remote server.

Many visitors to this website are interested in the posts I created to describe the behavior of the malware, my attempts to contact Wikileaks and my conversation about the Stratfor files with the former leader of Lulzsec Hector Monsegur (aka 'sabu'). To help those visitors I have created this page, which contains links to all of my posts concerning Wikileaks, as well as links to other websites that have followed up on the malware investigation.

 1st post - Wikileaks Global Intelligence file dump is loaded with malicious software : In this first post I outline the discovery of several malicious files within the Global Intelligence Files torrent at the Wikileaks-linked website wlstorage.net. Three files are identified as containing the Marker.T macro; source code of the malware is provided. Two other infected files are examined that create an executable 'a.exe', and whose text was copied and pasted from the group Students for a Free Tibet; the exploits used by these two files have previously been used in what appear to be Chinese spear phishing attacks on American naval personnel.

 2nd post - Wikileaks malware analysis continued : This post outlines a brief examination of one of the few infected files using IDA and PE Explorer - 'command.com', which presents as an executable rather than as part of a document. The file is a Magistr worm variant and is one of the oldest malware packages identified within Wikileaks.

 3rd post - Hector Monsegur (formerly sabu of Lulzsec) has responded to my analysis of the Wikileaks Global Intelligence Files : Hector Monsegur was one of the first people to contact me after I publicized my findings. In this post, I go over my conversation with Monsegur, who confirms the validity of my findings while disputing the characterization of how the files were obtained in the 1st post. As a result of this conversation, I added a note to that characterization to make it clear that Monsegur had disputed its validity.

 4th post - Malware discovered in the Stratfor email file dump provided by Wikileaks is not limited to torrents: curated content on the Wikileaks website also infected : My initial findings were based on the review of several very large torrent files made available through the Wikileaks-operated domain wlstorage.net. The 4th post reveals that Wikileaks has made infected files available for download through a series of curated pages containing individual file downloads that summarize each email and its attachment. These infected files remain online at the main Wikileaks.Org domain. I review an infected Excel spreadsheet, demonstrating that the torrent version and the curated website version are identical and using the OfficeMalScanner to identify an embedded OLE and PE file as well as a number of encryption strategies designed to hide the file's true purpose.

Additional Resources

Pastebin containing a non-comprehensive list of URLs leading to malware available for download on the Wikileaks site : As an additional resource for post #4, I uploaded a list of URLs that currently host malware on *.wikileaks.org domains. The list is non-comprehensive, as wikileaks.org uses a directory structure in which several different domains all point to the same file. For example, wikileaks.org/directory/file.ext is often identical to search.wikileaks.org/directory/another-directory/file.ext. This post only lists URLs based on the search.* subdomain, however the same files are available through the wikileaks.org domain and several other subdomains. For those interested in making a comprehensive list, a google site search should pull up most links to identical files, using a simple search such as this one - site:*.wikileaks.org nameofinfectedfile



My letter to Cryptome : Published on 7/30/2015

Coverage of Wikileaks malware findings on Fox News : Written by Science Correspondent James Rogers, published on 7/29/2016

I will update this page as the issue develops; at least two additional publications will be publishing features this month (August). If you have reviewed these files on your own, please let me know and I will be happy to link to your findings here - even if, or especially if, your findings are different than my own.