Skip to main content

Posts

Showing posts with the label global intelligence files

Reporters never open infected Wikileaks attachments

Since I've published my findings on malware in the GI Files Wikileaks file dumps and my subsequent attempts to encourage Wikileaks to label such malicious content , I've repeatedly been told by a variety of "Security Experts®" that no one will open infected attachments from email file dumps. I plan on writing a post on how assumptions about user behavior are frequently inaccurate, and how assumptions based on the behavior of Wikileaks researchers analyzing email dumps based on the typical behavior of normal email users is particularly prone to failure, but for now I'll just leave this here: Has anybody's InfoSec experts advised abt wisdom of opening WikiLeaks sound files? Are we all just downloading Russian malware like morons? — David Fahrenthold (@Fahrenthold) July 28, 2016

Wikileaks website that hosted torrent with infected files is migrated to a new domain

UPDATED: While wlstorage.net has been taken offline and is not currently being redirected elsewhere, it looks like all of that host's functionality is now being provided by https://file.wikileaks.org - mostly as a way to facilitate torrent downloads. The new host appears to require SSL, which wlstorage.net did not. The SSL issue was particularly troubling as all of the torrents available for download on wlstorage.net were created referencing the non-SSL version of the site (establishing an unencrypted client connection between the P2P client and wlstorage.net, another great way for the powers that be to identify Wikileaks users). The torrent that includes infected files, gifiles-2014.tar.bz2.torrent, remains available for download as well. As I discussed in my series of posts explaining how the Stratfor email dump hosted by Wikileaks contains malicious software , I first came across a series of infected files when I downloaded and reviewed a torrent file hosted on the Wikileaks

Malware discovered in the Stratfor email file dump provided by Wikileaks is not limited to torrents - curated content on the Wikileaks website also infected

Several months ago I identified malicious software contained within a torrent available for download from Wikileaks . The torrent was the most recent and most complete copy of what Wikileaks titled the "Global Intelligence Files" - a large trove of emails and attachments from defense contractor Stratfor. The story as it is widely understood is that former Lulzsec member and hacktivist Jeremy Hammond was involved in the acquisition of these files from Stratfor and provided them to Wikileaks. Among the many files included in the leak I have identified 18 that have malicious software; most of those are embedded within PDF and DOC files. Some of the attacks I discovered are old, others are less old. Only two of the 18 files are blocked from downloading using Google Chrome's malware protection service, for example. In a second post, I decompile one of these two (older) files using PE Explorer and Hex-Rays IDA to demonstrate how the file corrupts the Microsoft Connection Manage

Wikileaks Global Intelligence File Dump is Loaded With Malicious Software

Click here for the second post on this topic, which includes more detailed technical information. Hector Monsegur, formerly sabu of Lulzsec, has offered his point of view on this post. Get his opinion by reading my third post on the topic. In my fourth post on this topic, I explain how malware is not limited to the Stratfor leak torrent - curated links throughout the Wikileaks.Org website allow users to download individual infected files . This series of posts is beginning to receive coverage from several newspapers around the world. German speakers should check out the story in Neue Zürcher Zeitung / New Zurich Times . For English speakers, I recommend The Register from the UK for an excellent summary of these findings . Beginning in  February 27, 2012 , the controversial news organization Wikileaks has been publishing a large and growing trove of emails from the private intelligence firm  Strategic Forecasting, Inc (more widely known as  Stratfor). The leak publication bega