Latest news and announcements
Wikileaks site is hosting malware
2016-09-02
A researcher from our Lab reports that the Wikileaks site is hosting malware
On July 29, 2016, Wikileaks announced that they will be making available a large number of e-mail messages of the Turkish governing party, AKP. In their announcement they implied that those are e-mails of top Turkish leaders and might contain sensitive information about president Erdogan.
Soon afterwards the Turkish journalist Zeynep Tufekci wrote an indignant article accusing Wikileaks of making publicly available the contents of a run-of-the-mill e-mail server, containing mostly personal e-mails of ordinary people. These e-mails often contained personal data such as names and addresses, which could endanger the wellbeing, the health and even the lives of those people.
After reading this analysis, our researcher Vesselin Bontchev had the following idea. If this was a run-of-the-mill e-mail server, then its users were undoubtedly the recipients of huge amounts of spam, scams, malware and so on. Since Wikileaks had made the complete contents of this e-mail server freely available (and even easily searchable), there was a serious risk that malware programs had been made directly available from the Wikileaks site.
Downloading a few file attachments with suspicious extensions (e.g., “EXE”) confirmed this conjecture – indeed, malware had been made publicly available via direct links from the Wikileaks site. This constituted a serious threat to the visitors of the site. A single mouse click on such a link could result in the malware being downloaded to the visitor’s computer, and another mouse click in its execution and the infection of that computer.
In order to facilitate the analysis of this malware, Mr. Bontchev wrote a Python script. This script allowed the automated download of files with suspicious extensions, as well as sending information about them to VirusTotal, where they could be scanned by 54 different known-malware scanners, so that it could be observed how the different anti-virus products detect (or don’t) the corresponding malicious program.
The initial version of the script ignored the e-mails marked as spam, the duplicated e-mails, and also the multiple copies of the same malicious file. This resulted in 323 links to programs confirmed to be malicious and available via direct links from the Wikileaks site.
Mr. Bontchev announced the results of his research on Twitter. Several journalists became interested in it and wrote articles on the subject. A short list with links to such articles can be found at the end of this message. Wikileaks did not react publicly – they did not acknowledge their mistake, did not contact Mr. Bontchev, did not acknowledge his contribution, and did not request his help in removing the malware.
However, they silently “neutered” these 323 links from Mr. Bontchev’s report. Now, when attempting to download one of those 323 malicious files, the download results in a 101-byte text file containing the following message:
This file originally was part of akp-emails release, but had to be disabled because it was a virus.
First of all, this message is technically incorrect. Practically none of these malicious programs is a virus. (By definition, a computer virus is a program that replicates itself. If a program doesn’t replicate itself, it is not a virus, no matter what other malicious activities it might perform.) But let’s leave this aside; after all Wikileaks are not experts in this area, so errors of terminology are understandable.
Second, we have proof that Wikileaks blindly used the information from Mr. Bontchev’s report (despite not crediting him) without any independent verification. As it turned out, Mr. Bontchev had inadvertently made a minor mistake and had included one link to a file which was not malicious but contained a simple PowerPoint presentation. Regardless, the link to it on the Wikileaks site was “neutered”.
Third, despite the fact that the direct links to these 323 malicious programs were disabled, the programs themselves are still freely available on the Wikileaks site. The site allows the user to view the text of the message to which the malware was attached (this, by itself, is harmless), the attachment itself (now replaced with the 101-byte text file mentioned above), but also to download the raw, MIME-encoded e-mail message.
This message contains everything – the e-mail text, the headers, and the malicious attached file. Thankfully, the file is base64-encoded and cannot be executed without decoding it first, so the danger of accidental infection is significantly reduced.
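As an added illustration (not Mr. Bontchev’s wlscrape script and not code from this article), the following shows how a defender can triage the attachments of one such raw MIME message entirely in memory: decode the base64 parts, flag suspicious extensions, and hash each attachment for a known-malware lookup without ever writing the file to disk or running it. The message, the filenames and the payloads are constructed for the example.

```python
import email
import hashlib
from email import policy

# Constructed sample: a raw MIME message with two base64-encoded attachments,
# standing in for the raw .eml files the article describes. The "executable"
# payload is harmless ASCII text, not a real binary; all names are hypothetical.
RAW_EML = b"""From: sender@example.invalid
To: recipient@example.invalid
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please see attached.
--XYZ
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"
Content-Transfer-Encoding: base64

Tm90IHJlYWxseSBhbiBleGVjdXRhYmxl
--XYZ
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--XYZ--
"""

# Extensions typically used to deliver executable content by e-mail.
SUSPICIOUS_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}

def sha256_hex(data):
    """SHA-256 of the decoded bytes; the hash is what gets looked up, not the file."""
    return hashlib.sha256(data).hexdigest()

def triage_attachments(raw):
    """Return (filename, sha256, suspicious) for every attachment of a raw message.
    The base64 parts are decoded only in memory, so nothing is written or run."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():          # skips the text body part
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""  # base64 -> raw bytes
        ext = name[name.rfind("."):].lower() if "." in name else ""
        results.append((name, sha256_hex(data), ext in SUSPICIOUS_EXTENSIONS))
    return results
```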
Mr. Bontchev continued his research. He created a new version of his script, one which also searched within the spam and duplicated e-mails and which did not ignore the multiple copies of the same file attached to different e-mail messages. The purpose of this was to find all possible links to malware on the Wikileaks site. The latest version of this script is available from GitHub:
https://github.com/bontchev/wlscrape
As a result of this research, Mr. Bontchev discovered 3,277 additional direct links to malware on the Wikileaks site. His results were published in the following report:
https://github.com/bontchev/wlscrape/blob/master/malware.md
The vast majority of the malware consists of downloaders, ransomware, bots and so on.
At the time of this publication, these 3,277 malicious programs are still freely available from the Wikileaks site. This poses a significant threat to the visitors of the site and to the reputation of Wikileaks. As information security experts, we think that the behavior of Wikileaks is irresponsible and appeal to them to immediately remove access to the malware listed in Mr. Bontchev’s report.
https://backchannel.com/wikileaks-has-morphed-from-journalism-hotshot-to-malware-hub-1bdd68cc560
http://gizmodo.com/wikileaks-published-dozens-of-malware-links-in-email-du-1785293372
https://www.engadget.com/2016/08/15/wikileaks-released-a-cache-of-malware-in-its-latest-email-dump/
http://www.itnews.com.au/news/wikileaks-email-dump-riddled-with-malware-434790
https://thestack.com/security/2016/08/16/wikileaks-akp-dump-contains-80-types-of-malware/
https://www.grahamcluley.com/2016/08/wikileaks-distributing-malware/