WikiLeaks Released Details of Alleged CIA Malware for Infecting File Sharing Servers

On June 1, WikiLeaks released additional alleged CIA documents detailing a tool dubbed “Pandemic,” used to infect corporate file sharing servers and deliver malicious executables to users on the network. According to the documents, Pandemic listens to SMB traffic, intercepts requests from users to download shared files from the infected computer, then answers on behalf of the infected computer and sends a malware-laden file to the requester. The tool can replace up to 20 legitimate files, each up to 800 MB, within 15 seconds, and supports both 32- and 64-bit files. The malware is difficult to detect, because the infected computer still executes the clean version of a file when a user accesses one of the malware-infected shared files locally.

To determine if a computer is infected, system administrators need to download and scan files via SMB, or search the Windows registry for minifilter drivers that use the Windows Flt* functions. The NJCCIC recommends that all users and administrators close all unnecessary ports, specifically TCP port 445, and consider disabling SMB if it is not necessary.
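The registry check above, worked as an added example (not from the WikiLeaks documents or the NJCCIC advisory): this PowerShell script enumerates every file-system filter driver registered under the Services key, reports its minifilter altitude, image path and Authenticode signature status, and marks whether `fltmc` currently shows it loaded, so the list can be compared against a known-good baseline. It assumes an elevated session on a Windows host and the standard `Type` (2 = file system driver) and `Group` (`FSFilter*`) service values.

```powershell
# Added example: inventory registered file-system filter drivers for baseline comparison.
# Run elevated. Compare Service/Altitude/Path/Signed against a known-good host.
$services = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$loaded   = (& fltmc.exe filters) 2>$null   # currently loaded minifilters (cross-check)

function Resolve-DriverPath([string]$imagePath) {
    # Normalise the forms ImagePath takes: "\??\C:\...", "\SystemRoot\...", "system32\drivers\..."
    if (-not $imagePath) { return $null }
    $p = $imagePath -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

Get-ChildItem $services | ForEach-Object {
    $props = Get-ItemProperty $_.PSPath
    # Type 2 = SERVICE_FILE_SYSTEM_DRIVER; minifilters register in an "FSFilter ..." load-order group
    if ($props.Type -ne 2 -or $props.Group -notlike 'FSFilter*') { return }
    $name = $_.PSChildName

    # Minifilters keep one or more Instances subkeys, each carrying an Altitude value
    $altitude = $null
    $inst = Join-Path $_.PSPath 'Instances'
    if (Test-Path $inst) {
        $altitude = (Get-ChildItem $inst | ForEach-Object { (Get-ItemProperty $_.PSPath).Altitude }) -join ','
    }

    $path = Resolve-DriverPath $props.ImagePath
    $sig  = if ($path -and (Test-Path $path)) { (Get-AuthenticodeSignature $path).Status } else { 'FileMissing' }

    [pscustomobject]@{
        Service  = $name
        Group    = $props.Group
        Altitude = $altitude
        Start    = $props.Start
        Signed   = $sig
        Loaded   = [bool]($loaded -match "^\s*$([regex]::Escape($name))\s")
        Path     = $path
    }
} | Sort-Object Altitude | Format-Table -AutoSize
```

Entries with an unsigned or missing driver image, an unfamiliar altitude, or a driver loaded without a matching service entry are the ones to investigate further.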