
Wikileaks

In March of 2015 I identified a number of files available for download through the Wikileaks.Org website that contain malicious scripts. All of the infected files were part of the email spool from the defense contractor Stratfor that the hacktivist group Lulzsec provided to Wikileaks in late 2012. Nearly all of the malware was embedded within documents - PDFs, Word DOCs and Excel spreadsheets. All of the malware allowed readers of infected documents to be identified and tracked - for example, one malicious script recovered Windows software registration information such as name and location and sent it to a remote server.

Many visitors to this website are interested in the posts I created to describe the behavior of the malware, my attempts to contact Wikileaks and my conversation about the Stratfor files with the former leader of Lulzsec Hector Monsegur (aka 'sabu'). To help those visitors I have created this page, which contains links to all of my posts concerning Wikileaks, as well as links to other websites that have followed up on the malware investigation.

1st post - Wikileaks Global Intelligence file dump is loaded with malicious software : In this first post I outline the discovery of several malicious files within the Global Intelligence Files torrent at the Wikileaks-linked website wlstorage.net. Three files are identified as containing the Marker.T macro; the source code of the malware is provided. Two other infected files are examined that create an executable 'a.exe' and whose text was copied and pasted from the group Students for a Free Tibet; the exploits used by these two files have previously been used in what appear to be Chinese spear phishing attacks on American naval personnel.

2nd post - Wikileaks malware analysis continued : This post outlines a brief examination, using IDA and PE Explorer, of one of the few infected files that presents as an executable rather than as part of a document - 'command.com'. The file is a Magistr worm variant and is one of the oldest malware packages identified within Wikileaks.

3rd post - Hector Monsegur (formerly sabu of Lulzsec) has responded to my analysis of the Wikileaks Global Intelligence Files : Hector Monsegur was one of the first people to contact me after I publicized my findings. In this post, I go over my conversation with Monsegur, who confirms the validity of my findings while disputing the characterization of how the files were obtained in the 1st post. As a result of this conversation, I added a note to that characterization to make it clear that Monsegur had disputed its validity.

4th post - Malware discovered in the Stratfor email file dump provided by Wikileaks is not limited to torrents: curated content on the Wikileaks website also infected : My initial findings were based on a review of several very large torrent files made available through the Wikileaks-operated domain wlstorage.net. The 4th post reveals that Wikileaks has also made infected files available for download through a series of curated pages, each summarizing an email and its attachment and offering the attachment as an individual download. These infected files remain online at the main Wikileaks.Org domain. I review an infected Excel spreadsheet, demonstrating that the torrent version and the curated website version are identical, and use OfficeMalScanner to identify an embedded OLE and PE file as well as a number of encryption strategies designed to hide the file's true purpose.
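The two checks described for the 4th post - confirming that two copies of a document are byte-identical, then looking for an embedded OLE container and a PE executable that may be hidden behind a single-byte XOR key - can be reproduced with a small scanner. The code below is an added illustration written for this page, not OfficeMalScanner's code and not taken from the posts; the sample "document" it scans is constructed inline, with a fake PE stub XOR-encoded under an assumed key of 0x41.

```python
import hashlib

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound file header


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def same_file(a: bytes, b: bytes) -> bool:
    """Torrent copy vs. curated-page copy: identical if the digests match."""
    return sha256_of(a) == sha256_of(b)


def find_pe_offsets(data: bytes, xor_key: int = 0) -> list:
    """Offsets of 'MZ' headers whose e_lfanew points at a 'PE\\0\\0' signature.
    A non-zero xor_key decodes the buffer with that single-byte key first."""
    buf = bytes(b ^ xor_key for b in data) if xor_key else data
    hits = []
    pos = buf.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(buf):
            e_lfanew = int.from_bytes(buf[pos + 0x3C:pos + 0x40], "little")
            sig = pos + e_lfanew
            if 0 < e_lfanew < 0x1000 and buf[sig:sig + 4] == b"PE\0\0":
                hits.append(pos)
        pos = buf.find(b"MZ", pos + 1)
    return hits


def scan_document(data: bytes) -> dict:
    """Report OLE headers and PE files found in plain or XOR-obfuscated form."""
    result = {"ole_offsets": [], "pe": []}
    pos = data.find(OLE_MAGIC)
    while pos != -1:
        result["ole_offsets"].append(pos)
        pos = data.find(OLE_MAGIC, pos + 1)
    for key in range(256):  # brute-force every single-byte XOR key
        for off in find_pe_offsets(data, key):
            result["pe"].append({"offset": off, "xor_key": key})
    return result


def _fake_pe_stub() -> bytes:
    # Constructed: 'MZ', padding, e_lfanew at 0x3c pointing to 0x40, then 'PE\0\0'
    return b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0"


def build_sample(key: int = 0x41) -> bytes:
    """Constructed document: OLE header, filler, then the stub XOR-encoded with key."""
    stub = bytes(b ^ key for b in _fake_pe_stub())
    return OLE_MAGIC + b"\x00" * 100 + stub + b"\x00" * 20
```

On the constructed sample the plain scan finds no PE, while the keyed scan reports the stub at offset 108 under key 0x41, which is the kind of hidden payload the 4th post describes.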

Additional Resources

Pastebin containing a non-comprehensive list of URLs leading to malware available for download on the Wikileaks site : As an additional resource for post #4, I uploaded a list of URLs that currently host malware on *.wikileaks.org domains. The list is non-comprehensive, as wikileaks.org uses a directory structure in which several different domains all point to the same file. For example, wikileaks.org/directory/file.ext is often identical to search.wikileaks.org/directory/another-directory/file.ext. This post only lists URLs based on the search.* subdomain; however, the same files are available through the wikileaks.org domain and several other subdomains. For those interested in making a comprehensive list, a Google site search should pull up most links to identical files, using a simple search such as this one - site:*.wikileaks.org nameofinfectedfile

My letter to Cryptome : Published on 7/30/2015

Coverage of Wikileaks malware findings on Fox News : Written by Science Correspondent James Rogers, published on 7/29/2016

I will update this page as the issue develops; at least two additional publications will be publishing features this month (August). If you have reviewed these files on your own, please let me know and I will be happy to link to your findings here - even if, or especially if, your findings are different from my own.
