Yesterday I released a blog post in which I explained that at least one Wikileaks property, wlstorage.net, is distributing a series of malicious programs as part of a torrent file dump related to the Global Intelligence Files retrieved from Stratfor by Jeremy Hammond and several others.
I am slowly going through the malicious files in order to better understand what they are attempting to do. The work primarily involves extracting Visual Basic macros and OLE structures from documents, then disassembling the executables scraped from the payload documents. Even for files using well documented exploits, as many of these files do, this is slow, tedious work, and I invite readers experienced in security research to contact me if they can offer assistance.
One such executable retrieved from the Stratfor files is gifiles-2014\gifiles\attach\151\151784_Command.com. As with the files reviewed yesterday, this was retrieved from the gifiles-2014.tar.gz.torrent file downloaded from wlstorage.net, which resides on the same servers as wikileaks.org. I have disassembled this executable using Heaven Tools' PE Explorer and Hex-Rays IDA. Accordingly I have determined that the file contains a variant of the Magistr worm. However, this version seems to have a number of unique features that I have not seen in the literature concerning Magistr (NOTE: there are numerous versions of this worm, and this one has likely been seen before by someone).
The program makes use of the following DLLs to call its various functions:
KERNEL32.dll
USER32.dll
COMCTL32.dll
WININET.dll
cmpbk32.dll
cmutil.dll
The program adds an entry for itself in the Microsoft Connection Manager Phone Books and uses that entry to establish both FTP and HTTP connections. I am still working on where the connections head to.
[Screenshot: The program loads the MSCM Phone Book]
[Screenshot: Connection Manager is used to establish an FTP connection and transfer files]
[Screenshot: HTTP connections are established as well]
The malicious program appears to pass itself off as a program called iPassConnect by creating references to the following:
PBUPDATE.PBD
PBUPDATE.EXE
PBUPDATE.INF
PBUPDATE.VER
Here is one such reference:
[Screenshot: PBUPDATE.EXE is associated with iPassConnect]
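A hunting rule built from the indicators described above (the Connection Manager phone-book DLL imports alongside WinINet, and the PBUPDATE.* filenames), added here as an example and not part of the original post or of any vendor signature; the rule name and the "three of four filenames" threshold are my own choices, and because legitimate Connection Manager and iPassConnect components also import cmpbk32.dll and cmutil.dll, a hit is a triage lead for manual review rather than a verdict.

```yara
import "pe"

// Constructed triage rule (added example). Looks for a PE that combines the
// import set observed in 151784_Command.com (WININET.dll plus the Connection
// Manager phone-book DLLs cmpbk32.dll and cmutil.dll) with references to the
// iPassConnect PBUPDATE.* filenames the sample creates.
rule Suspect_Magistr_Variant_CM_PhoneBook_PBUPDATE
{
    meta:
        description = "PE importing WinINet and Connection Manager phone-book DLLs while referencing PBUPDATE.* (iPassConnect) filenames"
        provenance  = "Constructed from indicators in the blog post; rule name and threshold are the rule author's assumptions"
        confidence  = "low - triage lead only, benign Connection Manager tooling shares the DLL imports"

    strings:
        // Filenames the sample references while posing as iPassConnect
        $pb1 = "PBUPDATE.PBD" ascii wide nocase
        $pb2 = "PBUPDATE.EXE" ascii wide nocase
        $pb3 = "PBUPDATE.INF" ascii wide nocase
        $pb4 = "PBUPDATE.VER" ascii wide nocase
        // Fallback for samples whose import table is damaged but still carry the DLL names
        $cm1 = "cmpbk32.dll" ascii wide nocase
        $cm2 = "cmutil.dll"  ascii wide nocase

    condition:
        // MZ header and PE signature at e_lfanew
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550
        and pe.imports("wininet.dll")
        and (
            (pe.imports("cmpbk32.dll") and pe.imports("cmutil.dll"))
            or all of ($cm*)
        )
        and 3 of ($pb*)
}
```

Run it with `yara -r <rules file> <directory>` over an extracted attachment tree to list candidate files for manual disassembly.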
I will continue testing this application and update this post when I nail down where these connections are going.
I am more than happy to share more comprehensive information concerning my research, so feel free to email me if you would like to help out.
I have also contacted Wikileaks (to the best of my ability) to warn them of the dangerous files being distributed on wlstorage.net. For a number of reasons they are not the easiest people to get hold of, particularly in relation to technical issues, and I do not know anyone directly affiliated with the group. If someone reading this post does have a more direct means of communication with Wikileaks, please provide them with this information ASAP!