Skip to main content


Showing posts with the label malware

RAT Bastard

Earlier this week, several servers I maintain were targeted by automated attempts to upload a remote access trojan (RAT). The RAT is a simple rot-13 embedded PHP script. The script provides a means for establishing file transfer and permissions management via HTTP queries on the remote side and the dreaded eval() function on the local side - interestingly, these functions are somewhat protected; in order to work, it is necessary to provide a hash along with the HTTP query, and the length of the query string has to match the size of its associated file. Can't have someone else taking advantage of your hard work, I suppose. The script includes a standard six-byte GIF header before the "<?php" establishing the opening of the PHP code, and the payload itself had a .gif file extension. It is pretty obvious either to a naked eye or a program that more than a very basic check that this .GIF is not an image. It is slightly more sophisticated than other attempts I have seen w

Reporters never open infected Wikileaks attachments

Since I've published my findings on malware in the GI Files Wikileaks file dumps and my subsequent attempts to encourage Wikileaks to label such malicious content , I've repeatedly been told by a variety of "Security Experts®" that no one will open infected attachments from email file dumps. I plan on writing a post on how assumptions about user behavior are frequently inaccurate, and how assumptions based on the behavior of Wikileaks researchers analyzing email dumps based on the typical behavior of normal email users is particularly prone to failure, but for now I'll just leave this here: Has anybody's InfoSec experts advised abt wisdom of opening WikiLeaks sound files? Are we all just downloading Russian malware like morons? — David Fahrenthold (@Fahrenthold) July 28, 2016

Fox News asked for my take on the DNC email dump

I was interviewed yesterday by Fox News science correspondent James Rogers. I was asked for my input on the distribution by Wikileaks of emails leaked from a Democratic National Committee email server earlier this month. The entire article, which includes quotes from a variety of infosec professionals, is now available here . If anyone is interested I might post my complete conversation with Rogers, where I talk in more detail about how the unlabeled distribution of email attachments from compromised email servers poses unique dangers to journalists, activists and researchers whose job involves reviewing each of those attachments. This article represents the most attention paid by US media to the significant dangers posed to Wikileaks users by the insecure review methodology in place prior to distribution of these files. Although major newspapers in Europe and the UK published my findings on malware within the GI Files, no major news outlets in the United States published those fin

Wikileaks website that hosted torrent with infected files is migrated to a new domain

UPDATED: While has been taken offline and is not currently being redirected elsewhere, it looks like all of that host's functionality is now being provided by - mostly as a way to facilitate torrent downloads. The new host appears to require SSL, which did not. The SSL issue was particularly troubling as all of the torrents available for download on were created referencing the non-SSL version of the site (establishing an unencrypted client connection between the P2P client and, another great way for the powers that be to identify Wikileaks users). The torrent that includes infected files, gifiles-2014.tar.bz2.torrent, remains available for download as well. As I discussed in my series of posts explaining how the Stratfor email dump hosted by Wikileaks contains malicious software , I first came across a series of infected files when I downloaded and reviewed a torrent file hosted on the Wikileaks

Afternoon Links 8/4/2015

I am a victim of my nostalgia. Yesterday, I revived a years-old post in which I provided bloggees with some of the latest Windows activation keys to update the data for Windows 10. I figured I might as well dredge up another bit I had let fall by the wayside; Weekly links ! Exciting, I know.    - Yahoo's ad network and Microsoft Azure's web hosting service were abused to circulate an enormous flood of malicious software . Malwarebytes is being credited with the discovery - which is a little amusing because Malwarebytes has for had their own issues with security   for many years. h/t Washington Post     - Planned Parenthood and a variety of other related organizations were brought offline by a sustained series of DDoS attacks .  In what may or may not have been the work of the same group of individuals, someone has claimed they have hacked Planned Parenthood and retrieved an employee list database of some kind or another .      AFAIK, this sort of thing is new to the abor

Cryptome publishes my Wikileaks findings

Those unfamiliar with my Wikileaks findings should read my (so far) four post series on my discover of malware within files available for download on the Wikileaks website that can, among other things, identify and track those reading infected files: 1st post  |  2nd post  |  3rd post  |  4th post   Note that my posts are lengthy and contain some technical information. If you aren't really into reading technical things you would probably prefer the summaries of my findings available in The Register or  Neue Zürcher Zeitung (for German speakers).  Because Wikileaks has refused to inform its users that the infected files are, in fact malicious, I went public with my findings. Cryptome has just published a letter with a brief explanation of the issues with the Wikileaks malware .  Cryptome is a long time advocate of government transparency, and had already been publishing leaked documents on their website for close to a decade when Wikileaks was first created. Here is

Malware discovered in the Stratfor email file dump provided by Wikileaks is not limited to torrents - curated content on the Wikileaks website also infected

Several months ago I identified malicious software contained within a torrent available for download from Wikileaks . The torrent was the most recent and most complete copy of what Wikileaks titled the "Global Intelligence Files" - a large trove of emails and attachments from defense contractor Stratfor. The story as it is widely understood is that former Lulzsec member and hacktivist Jeremy Hammond was involved in the acquisition of these files from Stratfor and provided them to Wikileaks. Among the many files included in the leak I have identified 18 that have malicious software; most of those are embedded within PDF and DOC files. Some of the attacks I discovered are old, others are less old. Only two of the 18 files are blocked from downloading using Google Chrome's malware protection service, for example. In a second post, I decompile one of these two (older) files using PE Explorer and Hex-Rays IDA to demonstrate how the file corrupts the Microsoft Connection Manage

Hector Monsegur (formerly sabu of Lulzsec) has responded to my analysis of the Wikileaks Global Intelligence Files

Some time ago I wrote two blog posts about my discovery about a series of malware-infected files within a torrent being circulated by global whistleblower organization Wikileaks. The torrent file was one of the latest versions of what Wikileaks has named the "Global Intelligence Files" - a large cache of documents obtained from the email spool of a government contractor known as Stratfor. Since my discovery I have made several attempts to contact Wikileaks: @wikileaks sorry to contact here but no other means Ive identified sec issues with most recent torrent here: — Josh Wieder (@JoshWieder) May 3, 2015 @wikileaks I have some very basic info here and here: can provide more as needed — Josh Wieder (@JoshWieder) May 3, 2015 In addition to Twitter I have attempted to email just about every address I could find on their site (none of them work), as well as attempting to use the chat functi

Wikileaks Malware Analysis Continued

Yesterday I released a blog post in which I explained that at least one Wikileaks property,, is distributing a series of malicious program s as part of a torrent file dump related to the Global Intelligence Files retrieved from Stratfor by Jeremy Hammond and several others. I am slowly going through the malicious files in order to better understand what they are attempting to do. The work primarily involves extracting Visual Basic macros and OBE structures from documents, disassembling executables that are thus scraped from the payload document. Even for files using well documented exploits, as many of these files are, this is slow-going and tedious work that I invite readers experienced in security research to contact me about to offer assistance. One such executable retrieved from the Stratfor files is gifiles-2014\gifiles\attach\151\ . As with the files reviewed yesterday, this was retrieved from the  gifiles-2014.tar.gz.torrent file downloaded fr

Wikileaks Global Intelligence File Dump is Loaded With Malicious Software

Click here for the second post on this topic, which includes more detailed technical information. Hector Monsegur, formerly sabu of Lulzsec, has offered his point of view on this post. Get his opinion by reading my third post on the topic. In my fourth post on this topic, I explain how malware is not limited to the Stratfor leak torrent - curated links throughout the Wikileaks.Org website allow users to download individual infected files . This series of posts is beginning to receive coverage from several newspapers around the world. German speakers should check out the story in Neue Zürcher Zeitung / New Zurich Times . For English speakers, I recommend The Register from the UK for an excellent summary of these findings . Beginning in  February 27, 2012 , the controversial news organization Wikileaks has been publishing a large and growing trove of emails from the private intelligence firm  Strategic Forecasting, Inc (more widely known as  Stratfor). The leak publication bega