Pandemic: WikiLeaks' latest dump exposes CIA tool that turns Windows file servers into 'Patient Zero'

WikiLeaks has published a new trove of CIA documents detailing the agency's alleged 'Pandemic' operation that turns Windows file servers into infectious 'Patient Zero' machines to compromise a targeted network. According to the documents published on Thursday (1 June), the tool — code-named "Pandemic" — can infect targeted computers by "replacing" a file with a trojaned version if a remote user attempts to access it via the Server Message Block (SMB) file sharing protocol.

While the targeted file remains unchanged on the compromised machine Pandemic is running on, users that attempt to download and execute the targeted file using SMB will receive the malicious 'replacement' file.

Pandemic allegedly takes just 15 seconds to be installed as a file system filter driver, according to a user manual. It can target and replace up to 20 files with a maximum size of 800MB and can operate against both 32 and 64-bit targets. However, the documents did not describe how Pandemic could get installed on a targeted file server.

"As the name suggests, a single computer on a local network with shared devices that is infected with the "Pandemic" implant will act like a "Patient Zero" in the spread of a disease," WikiLeaks said in a release. "It will infect remote computers if the user executes programs stored on the pandemic file server.

"Although not explicitly stated in the documents, it seems technically feasible that remote computers that provide file shares themselves become new pandemic file servers on the local network to reach new targets."

Former NSA employee and malware expert at Rendition InfoSec Jake Williams questioned whether the entire set of documents related to Pandemic had been published by WikiLeaks.

"When you examine the #pandemic @wikileaks dump, ask yourself: Where are the rest of the docs?" In a series of tweets. "Compared this dump to any of the others you'll see that there is far less data than we got with GRASSHOPPER, etc. Do they not have the other files? Seems unlikely.

"Another idea is that those files contain data that doesn't fit the narrative and they were held back for that reason."

Williams also questioned the timing of the release given that WikiLeaks, which usually releases a new set of documents in its Vault 7 series every Friday, did not publish any last week.

"Why it's missing is anyone's guess," Williams said. "But you don't see the operator manual, etc. Everything else, with the exception of MARBLE (which is a library) has a user guide. This does not. Why not?"

"I think it's worth asking that as you look at the data," Williams wrote. "The capability is interesting - perhaps but the timing and omissions more so."

The latest leak comes as the tenth in a series of "Vault 7" leaks exposing some of the CIA's wide-ranging cyberspying and hacking tools and capabilities. Dubbed the "largest ever publication" of confidential CIA documents, WikiLeaks said the material allegedly came from an "isolated, high-security network" located inside the CIA's Center for Cyber Intelligence in Langley, Virginia.

The new CIA Vault 7 release also comes shortly after Swedish prosecutors announced they are dropping their rape investigation against the whistle-blowing outfit's founder Julian Assange. However, UK police said Assange, who has been residing at the Ecuadorian embassy in London since 2012, would be arrested if he does leave the embassy on other charges.

Ecuadorian President Lenin Moreno recently called Assange a "hacker" but said he could still stay at the country's embassy.