CIA's Pandemic Toolkit
WikiLeaks is still dumping CIA cyberweapons on the Internet. Its latest dump is something called "Pandemic":
The Pandemic leak does not explain what the CIA's initial infection vector is, but does describe it as a persistent implant.
"As the name suggests, a single computer on a local network with shared drives that is infected with the 'Pandemic' implant will act like a 'Patient Zero' in the spread of a disease," WikiLeaks said in its summary description. "'Pandemic' targets remote users by replacing application code on-the-fly with a Trojaned version if the program is retrieved from the infected machine."
The key to evading detection is its ability to modify or replace requested files in transit, hiding its activity by never touching the original file. The new attack then executes only on the machine requesting the file.
Version 1.1 of Pandemic, according to the CIA's documentation, can target and replace up to 20 different files with a maximum size of 800MB for a single replacement file.
"It will infect remote computers if the user executes programs stored on the pandemic file server," WikiLeaks said. "Although not explicitly stated in the documents, it seems technically feasible that remote computers that provide file shares themselves become new pandemic file servers on the local network to reach new targets."
The CIA describes Pandemic as a tool that runs as kernel shellcode that installs a file system filter driver. The driver is used to replace a file with a payload when a user on the local network accesses the file over SMB.
EDITED TO ADD: In this case, Wikileaks has withheld the tool itself and just released the documentation.
Posted on June 5, 2017 at 6:16 AM • 34 Comments