WikiLeaks Vault 7 - Part XI: Pandemic

in #wikileaks, 7 years ago (edited)

Pandemic

WikiLeaks' most recent Vault 7 release, Pandemic, details a Windows implant designed to spread through file sharing. Once installed on a Windows machine that shares files with other machines on the local network, Pandemic serves trojaned versions of programs to the devices that fetch them from the share. Up to 20 programs, with a combined payload limit of 800MB, can be substituted in this way, and because the files on the host's disk are never modified, neither the host nor the machines it infects see anything out of the ordinary.

This article summarizes what Pandemic does, why it is so dangerous, and the far-reaching implications of software like it.

The complete set of documentation of Pandemic is available on WikiLeaks.

For reference, here are my summaries of the Vault 7 releases thus far:

Technical overview

Pandemic is unusual among the Windows implants described in Vault 7 because it does not replace or change any files on the host's disk. The point is not to exploit the machine it runs on, but to use that machine as a distribution point for trojaned programs to other machines on the network.

To keep the host unaware of what is going on, Pandemic does not drop modified copies of the shared files onto the filesystem. Instead it installs itself as a file system minifilter driver, which sits in the kernel's file I/O path and can inspect and rewrite reads as they happen. When a designated file is read over the share by another device on the network, the driver substitutes the chosen payload in transit, so the remote device receives and executes the payload while the copy on the host's disk stays unchanged. Only devices outside the Pandemic host ever receive the payload file; a local read on the host, or a forensic image of its disk, returns the original.

This tool is dangerously flexible in how it can be installed and what kinds of payloads can be used to infect target networks. Combined with the remote-access tools described in other Vault 7 releases, it could be installed on a machine inside a target network without anyone being anywhere near the target physically.
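To make the mechanism concrete, here is a small model of the substitution and of the check a defender would run against it. This is an added example written for this summary, not code from the leaked Pandemic documents; the "file server", the minifilter, the share contents, the file bytes and the list of targeted users are all constructed for illustration (the documents describe the replacement being applied for a selected list of remote users, but the names and paths below are invented). The model shows the two properties the article describes: the on-disk bytes never change, and only the targeted remote users receive the payload, so a cross-view hash comparison (file as read on the server versus file as served to a client) only flags the implant when it is run from a targeted identity.

```python
"""Model of on-the-fly file substitution by a filter driver, plus a cross-view hash check.

Added example for this article; not code from the Pandemic documents.
Every value below (share contents, payload bytes, user names, paths) is constructed.
"""
import hashlib

# Constructed sample share: the bytes that actually sit on the server's disk.
DISK_FILES = {
    "tools/putty.exe": b"MZ...original putty bytes...",
    "tools/7zip.exe": b"MZ...original 7zip bytes...",
    "docs/readme.txt": b"plain text, never replaced",
}

# Constructed implant configuration: which share paths are swapped, for which
# remote users, and with what payload. The limits mirror the documented
# figures (up to 20 replacements, 800 MB of payload in total).
MAX_REPLACEMENTS = 20
MAX_TOTAL_BYTES = 800 * 1024 * 1024
TARGET_USERS = {"alice", "bob"}  # assumed target list for the model
REPLACEMENTS = {
    "tools/putty.exe": b"MZ...trojaned putty bytes...",  # constructed payload
}
assert len(REPLACEMENTS) <= MAX_REPLACEMENTS
assert sum(len(p) for p in REPLACEMENTS.values()) <= MAX_TOTAL_BYTES


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def read_from_disk(path: str) -> bytes:
    """What a local read on the server, or a forensic disk image, returns."""
    return DISK_FILES[path]


def serve_over_share(path: str, requesting_user: str) -> bytes:
    """What a remote client receives.

    The filter rewrites the read only for targeted users and only for the
    configured paths; everyone else gets the real bytes, and the disk is
    never touched.
    """
    data = read_from_disk(path)
    if requesting_user in TARGET_USERS and path in REPLACEMENTS:
        return REPLACEMENTS[path]
    return data


def cross_view_check(path: str, requesting_user: str) -> dict:
    """Defender check: hash the file as served to a client and compare it with
    the hash of the same path read on the server itself."""
    disk_hash = sha256(read_from_disk(path))
    served_hash = sha256(serve_over_share(path, requesting_user))
    return {
        "path": path,
        "user": requesting_user,
        "disk_sha256": disk_hash,
        "served_sha256": served_hash,
        "mismatch": disk_hash != served_hash,
    }


def audit_share(users) -> list:
    """Run the cross-view check for every share path from each client identity.

    Returns only the findings with a mismatch. Because substitution is
    per-target, an audit run from a non-targeted account comes back clean.
    """
    results = [cross_view_check(p, u) for u in users for p in sorted(DISK_FILES)]
    return [r for r in results if r["mismatch"]]


if __name__ == "__main__":
    # An audit from a non-targeted identity sees nothing wrong...
    print("audit as carol:", audit_share(["carol"]))
    # ...while the same audit from a targeted identity flags the swapped file.
    for finding in audit_share(["alice"]):
        print("MISMATCH", finding["path"], "served to", finding["user"])
```

The practical lesson is that hashing files on the server, or imaging its disk, will not reveal this implant; the comparison has to be made between what a client actually receives and what the server believes it holds, and it has to be run from the identities the implant is configured to target. On a real Windows host the equivalent of `serve_over_share` is a read through the share's UNC path from a client, and the equivalent of `read_from_disk` is a local read on the server.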

Implications

While some may fear what this could do to corporate, private and internal networks, what is perhaps most alarming is its potential to disrupt file distribution far beyond a single office. The published documentation describes substitution of files fetched over Windows file sharing on a local network; the scenarios below extend that idea to other kinds of file serving. Say, for instance, that all of the images hosted by imgur.com were stored on a Windows server. An implant working the same way could infect that image server and stealthily distribute payloaded versions of images to unsuspecting visitors.

By the same logic, an implant of this kind could be used to infect every visitor to a given Windows-based web server: it could replace HTML, JavaScript, PHP or even ASPX files in transit, infecting every visitor to the affected pages (up to 20 files, going by the documented limit).

I know it's been a while since I was able to keep up on Vault 7, but that's because it's pretty dark stuff. This kind of thing isn't easy to hear and most won't be able to absorb the full breadth of what it really means, but essentially it is safe to assume that nothing is sacred for the CIA in the world of cybersecurity.


Thank you for keeping us all updated. I'm sure that took a lot of reading to find this.

The real key in these is to put it in terms which sound less cryptic than the CIA's super dense documentation.

I remember a time when we used to say that citizens had a right to privacy. Funny, I haven't heard that in a long time.

Following you for more updates. Thanks again for sifting through that and deciphering it for us.

Great work with this material!!! I will be resteeming! Added you to my steemvoter rules!


Nice! That's a pretty nifty looking app by the way and will check it out.
