In the most recent installment of WikiLeak’s CIA Vault 7 series, the whistleblowing group has published details on a server virus codenamed “Pandemic.”
In the latest leak, published on Thursday, WikiLeaks outlines the use of the CIA’s “Pandemic” project. This leak is a virus that targets Windows computers, sharing files with remote users in a local network. WikiLeaks described the program on their website writing,
“Today, June 1st 2017, WikiLeaks publishes documents from the ‘Pandemic’ project of the CIA, a persistent implant for Microsoft Windows machines that share files (programs) with remote users in a local network. ‘Pandemic’ targets remote users by replacing application code on-the-fly with a trojaned version if the program is retrieved from the infected machine. To obfuscate its activity, the original file on the file server remains unchanged; it is only modified/replaced while in transit from the pandemic file server before being executed on the computer of the remote user. The implant allows the replacement of up to 20 programs with a maximum size of 800 MB for a selected list of remote users (targets).”
“As the name suggests, a single computer on a local network with shared drives that is infected with the ‘Pandemic’ implant will act like a ‘Patient Zero’ in the spread of a disease. It will infect remote computers if the user executes programs stored on the pandemic file server. Although not explicitly stated in the documents, it seems technically feasible that remote computers that provide file shares themselves become new pandemic file servers on the local network to reach new targets.”
Documentation published by WikiLeaks states that the virus is installed via a minifilter device driver. Jake Williams, a malware expert at Rendition InfoSec, spoke to Ars Technica about the virus stating, “This code looks like it was developed with a very specific use in mind. Many larger organizations don’t use Windows file servers to serve files. They use special built storage devices (network attached storage). My guess here would be that this was designed to target a relatively small organization.”
Williams worked at the National Security Agency’s elite Tailored Access Operation until 2013 and believes that WikiLeaks may be withholding some documentation relating to Pandemic. “If you handed me this tool, I don’t have enough information to make it go,” he said. “There’s more documentation than this. It’s anyone’s guess as to why it wasn’t released.”