Vault 7: WikiLeaks exposes Pandemic, CIA infection tool for Windows machines

Luana PASCU

June 02, 2017


After disclosing information about the CIA's Athena spyware tool only last week, WikiLeaks has published new documents on Pandemic, another alleged CIA project that "targets remote users by replacing application code on-the-fly with a trojaned version if the program is retrieved from the infected machine."

Part of the Vault 7 series of documents, which were either leaked by an insider or stolen from the CIA by hackers, Pandemic turns a Windows file server on a targeted network into Patient Zero. It then covertly infects other computers that fetch programs from that server by delivering trojaned versions of the requested files. Because the copy on the server's disk is left untouched and only the bytes sent over the network are swapped, the original source of infection is difficult to trace.

According to a user manual, Pandemic takes only 10 to 15 minutes to install and can replace up to 20 programs; the manual does not describe in detail how the implant is actually placed on the targeted file server. The documents are dated from April 2014 to January 2015.

Other CIA tools disclosed in the Vault 7 series since March include AfterMidnight and Assassin, Archimedes, Scribbles, Grasshopper, Marble, Dark Matter, Weeping Angel and Year Zero.

Pandemic

1 June, 2017

Today, June 1st 2017, WikiLeaks publishes documents from the “Pandemic” project of the CIA, a persistent implant for Microsoft Windows machines that share files (programs) with remote users in a local network. “Pandemic” targets remote users by replacing application code on-the-fly with a trojaned version if the program is retrieved from the infected machine. To obfuscate its activity, the original file on the file server remains unchanged; it is only modified/replaced while in transit from the pandemic file server before being executed on the computer of the remote user. The implant allows the replacement of up to 20 programs with a maximum size of 800 MB for a selected list of remote users (targets).

As the name suggests, a single computer on a local network with shared drives that is infected with the “Pandemic” implant will act like a “Patient Zero” in the spread of a disease. It will infect remote computers if the user executes programs stored on the pandemic file server. Although not explicitly stated in the documents, it seems technically feasible that remote computers that provide file shares themselves become new pandemic file servers on the local network to reach new targets.
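The detail above that matters to a defender is that the file on the server's disk is never modified; only the bytes delivered to a selected client are swapped. A file-integrity check run on the server itself therefore passes while targeted clients keep receiving a trojaned binary. The script below, added here as an illustration and not taken from the WikiLeaks documents or from the implant, shows both sides of that: a conventional server-side baseline check that stays silent, and a client-side check that hashes each program as a client actually receives it over the share and compares it with the server's local copy. The share paths named in the comments (D:\Tools, \\fs01\Tools), the file names and the padded "trojaned" bytes are constructed for the demo.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, Iterable, List


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so binaries near the 800 MB limit fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


@dataclass(frozen=True)
class Mismatch:
    name: str
    on_disk_sha256: str
    served_sha256: str
    on_disk_size: int
    served_size: int


def server_side_check(on_disk_dir: str, baseline: Dict[str, str]) -> List[str]:
    """Classic integrity check run ON the file server against known-good hashes.

    Returns the names whose on-disk hash differs from the baseline.  Against an
    in-transit substitution this stays empty: the bytes on disk are never touched.
    """
    return [name for name, good in baseline.items()
            if sha256_file(os.path.join(on_disk_dir, name)) != good]


def client_side_check(on_disk_dir: str, client_view_dir: str,
                      names: Iterable[str]) -> List[Mismatch]:
    """Compare each program as stored on the server with the bytes a client receives.

    on_disk_dir     -- the shared folder as the server sees it (e.g. D:\\Tools, assumed)
    client_view_dir -- the same share opened from a client (e.g. \\\\fs01\\Tools, assumed);
                       read it from several clients, since only listed targets are
                       served the replacement.
    """
    findings = []
    for name in names:
        server_path = os.path.join(on_disk_dir, name)
        client_path = os.path.join(client_view_dir, name)
        on_disk, served = sha256_file(server_path), sha256_file(client_path)
        if on_disk != served:
            findings.append(Mismatch(name, on_disk, served,
                                     os.path.getsize(server_path),
                                     os.path.getsize(client_path)))
    return findings


def demo() -> dict:
    """Constructed scenario (not real samples): two programs on a share, one of
    which is swapped for a padded 'trojaned' copy on its way to the client."""
    clean = b"MZ" + b"\x00" * 62 + b"original program body"
    trojaned = clean + b"\x90" * 32          # stand-in for an appended payload
    with tempfile.TemporaryDirectory() as root:
        server = os.path.join(root, "server_disk")   # what the server reads locally
        client = os.path.join(root, "client_view")   # what a targeted client receives
        os.makedirs(server)
        os.makedirs(client)
        files = {"putty.exe": (clean, clean), "tool.exe": (clean, trojaned)}
        for name, (on_disk, served) in files.items():
            with open(os.path.join(server, name), "wb") as fh:
                fh.write(on_disk)
            with open(os.path.join(client, name), "wb") as fh:
                fh.write(served)
        baseline = {name: hashlib.sha256(on_disk).hexdigest()
                    for name, (on_disk, _) in files.items()}
        return {
            "server_side": server_side_check(server, baseline),
            "client_side": client_side_check(server, client, files),
        }


if __name__ == "__main__":
    result = demo()
    print("server-side check flagged:", result["server_side"])
    for m in result["client_side"]:
        print(f"{m.name}: on disk {m.on_disk_sha256[:12]}... ({m.on_disk_size} B), "
              f"served {m.served_sha256[:12]}... ({m.served_size} B)")
```

In practice the client-side read should be done from more than one workstation, including any host suspected of being on the target list, and a trusted vendor hash list can stand in for the server's local copy if the server itself is in doubt. On Windows, running Get-AuthenticodeSignature against the copy a client received is a complementary check: a byte-level substitution of a signed binary invalidates its signature (a general property of Authenticode, not something the documents state).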

Author


Luana PASCU

After having addressed topics such as NFC, startups, and tech innovation, she has now shifted focus to internet security, with a keen interest in smart homes and IoT threats.
