
Wikileaks Global Intelligence File Dump Contained Malicious Software - joshwieder
http://www.joshwieder.net/2015/03/wikileaks-global-intelligence-file-dump.html
======
bmir-alum-007
It seems like a scraper which could manage submitting to and checking
virustotal would be a good idea.

Also, perhaps wikileaks / virustotal could come to some sort of agreement to scan
things and flag them while still making assets available to researchers who
still need raw docs, but with large virus warnings which intercept downloads
to a warning landing page confirmation if there's no referrer (direct, deep
linking).

Finally, the other issue is that not all malware (past, current or future) _is
known_. We ran Windows Server (NT, 2003) boxes directly on the internet
(before I forced them to offer departmental firewalls) and these boxes had
already attracted all sorts of multi-vendor unseen malware, rootkits and
backdoors long before I got there. After deploying WOLF to a number of boxes,
Mark Russinovich was like "yea, you should probably take [the IT sec dept's
advice]" by just getting firewalls and then formatting all these boxes back to a
clean image, fully-patched and strong, production-usable, security policy state.
Most IT folks don't conduct forensics research... they see strange behavior,
try to find a scanner/remover (maybe 80% success), or partially remove it and
continue despite it being unprovable that all traces were fully removed... Or
they wipe the boxes, start over and guess/pray that the same 'sploit doesn't
exist twice. There are just too many _unknown variants_ of _existing sploits_
_and_ too many _new sploits_ to have much faith in antivirus (it's reactive,
last-line-of-defense security). Antivirus is an opposite Bloom filter... it'll
tell you if you're pwned or may not be pwned. It's good to have, just not a
complete holistic security posture.
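The VirusTotal "scraper" sketched in the comment above, written out as an added example (this is not the commenter's code, the post's, or anything from Wikileaks or VirusTotal). It assumes the VirusTotal v3 REST API: a lookup by SHA-256 is `GET https://www.virustotal.com/api/v3/files/{sha256}` with an `x-apikey` header, the verdict counts sit under `data.attributes.last_analysis_stats`, and an unknown hash returns HTTP 404. The network call is isolated in one function so the hashing and triage logic can be exercised offline against constructed files and constructed response bodies. Two points the comment's "opposite Bloom filter" remark implies are built in: a hash VirusTotal has never seen is reported as `unknown`, not clean, and a file with zero detections is only `not_flagged`, never "clean". Looking up by hash before ever uploading also matters for a leak archive: the lookup discloses only a digest, whereas a submission hands the document itself to VirusTotal and the vendors it shares samples with.

```python
"""Hash-based triage of an extracted archive against VirusTotal.

Added example, not code from the page.  Assumed (not stated on the page):
VirusTotal API v3, lookup by SHA-256 at GET /api/v3/files/{sha256} with an
``x-apikey`` header, verdict counts under ``data.attributes.last_analysis_stats``,
HTTP 404 for a hash VirusTotal has never seen.
"""
import hashlib
import json
import tempfile
import urllib.error
import urllib.request
from pathlib import Path

VT_FILES_URL = "https://www.virustotal.com/api/v3/files/"


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so multi-GB dumps don't get read into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root):
    """Return {relative posix path: sha256} for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def parse_vt_response(body):
    """Extract last_analysis_stats from a v3 /files response body; None if absent."""
    doc = json.loads(body)
    return doc.get("data", {}).get("attributes", {}).get("last_analysis_stats")


def classify(stats, threshold=1):
    """Reduce VT engine counts to a verdict.  No stats at all means VT has never
    seen the file: that is 'unknown', deliberately distinct from 'not_flagged'."""
    if not stats:
        return "unknown"
    hits = stats.get("malicious", 0) + stats.get("suspicious", 0)
    return "flagged" if hits >= threshold else "not_flagged"


def lookup_hash(sha256, api_key):
    """Live lookup (the only function that touches the network).  Returns the
    stats dict, or None when VT answers 404 for a never-submitted hash."""
    req = urllib.request.Request(VT_FILES_URL + sha256, headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return parse_vt_response(resp.read())
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


def triage(root, lookup):
    """Map every file under root to (sha256, verdict) using lookup(sha256)."""
    return {rel: (digest, classify(lookup(digest)))
            for rel, digest in hash_tree(root).items()}


# ---- constructed offline fixture: sample files plus canned VT responses ----
SAMPLE_FILES = {  # constructed content, not material from the dump
    "docs/report.pdf": b"%PDF-1.4 constructed clean sample",
    "attachments/invoice.exe": b"MZ constructed sample, not an executable",
    "docs/notes.txt": b"constructed file that VT has never seen",
}
FAKE_VT = {  # sha256 -> constructed v3 response body
    hashlib.sha256(SAMPLE_FILES["docs/report.pdf"]).hexdigest(): json.dumps(
        {"data": {"attributes": {"last_analysis_stats":
         {"malicious": 0, "suspicious": 0, "undetected": 60, "harmless": 0}}}}),
    hashlib.sha256(SAMPLE_FILES["attachments/invoice.exe"]).hexdigest(): json.dumps(
        {"data": {"attributes": {"last_analysis_stats":
         {"malicious": 41, "suspicious": 2, "undetected": 17, "harmless": 0}}}}),
}


def fake_lookup(sha256):
    """Stand-in for lookup_hash: canned body or None (the 404 case)."""
    body = FAKE_VT.get(sha256)
    return parse_vt_response(body) if body else None


def demo():
    """Write the constructed tree to a temp dir and triage it offline."""
    with tempfile.TemporaryDirectory() as root:
        for rel, data in SAMPLE_FILES.items():
            p = Path(root, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        return triage(root, fake_lookup)


if __name__ == "__main__":
    for rel, (digest, verdict) in demo().items():
        print(f"{verdict:12} {digest[:16]}...  {rel}")
```

Swap `fake_lookup` for `lambda h: lookup_hash(h, API_KEY)` to run it for real; the public API is rate limited, so a dump of this size needs a persistent cache keyed by digest so reruns only query hashes not seen before. The `threshold` of one engine is deliberately paranoid for a triage pass; raise it only after looking at which engines fire.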

~~~
eli
A script that automatically submits to virustotal is like reinventing a very
slow virus scanner.

~~~
Istof
Would you rather have a slow virus scanner or a computer that is constantly
slowed down by a virus scanner that is not always needed?

~~~
eli
Pretty much every virus scanner since the dawn of viruses can be set to only
scan on-demand.

------
kstenerud
Okay... so the computer they grabbed the data from was infected with various
old malware. So why the link bait title?

~~~
joshwieder
I do not understand what about the title is linkbait. If you are circulating
any sort of file you should announce the presence of malware or remove it.

~~~
mikeash
The way it's worded heavily implies that this was done on purpose to hurt
anyone who tries to view this stuff, and that you will get infected if you try
to download it.

~~~
ethanbond
I'm not sure how you could word it differently. It implies nothing, and the
article itself explicitly denies any finger-pointing.

> I ought to be clear from the outset: I have no information linking
> Wikileaks, Assange, Hammond, Monsegur, the FBI or anyone else directly with
> these malicious files. That very well may change quickly as research
> progresses, but at no point should this post be considered finger pointing.
> The purpose of this post is not to assign responsibility but to ensure that
> the journalists and activists downloading these files or who have already
> downloaded these files understand the consequences and take proper
> precautions. If I can encourage security researchers to take a look at these
> files it would be a bonus.

Also answers your question of "why the [arguably] click-bait title?" To get
attention, which it deserves.

~~~
mikeash
I think the headline would be much better like, "Wikileaks Global Intelligence
File Dump Contains a Great Deal of Malicious Software."

The problem is "loaded" which has two rather different meanings in this
context. "X is loaded with Y" can just mean that X contains a lot of Y, but it
can also mean that someone loaded a lot of Y into X. If you go for the second
meaning, which is an entirely natural reading of the original headline, then
the headline is saying "_Someone_ (such as the NSA or their friends) put a
lot of malware into this stuff."

As to the "why" question (which for the record was not mine) I don't think
it's justifiable to use a misleading headline just because the information is
important. Although I imagine the misleading nature of this headline was
entirely unintentional.

~~~
balls187
It depends on how you parse loaded.

I parsed it as "Loaded" as in the way I like my Baked Potatoes "Loaded" with
Sour Cream and Bacon.

I can see how you parsed it the other way.

Reading the author's other posts--would it be worth giving him the benefit of
the doubt that the author wasn't trying to link bait?

~~~
mikeash
You leave me wondering if you read my comment, since "it depends on how you
parse loaded" is most of what I said, and I explicitly gave the author the
benefit of the doubt by saying it was probably unintentional.

~~~
balls187
I stopped reading as soon as I decided to get a baked potato from TGI Fridays.

~~~
mikeash
You made me hungry, so I see your point.

------
jugad
The author should really add this in the beginning of the article...

"Any set of emails this large containing attachments is bound to contain
malware, viruses, trojans and other malicious software - just like anybody's
inbox which receives more than 5 mails a day. This is a reminder to everyone
downloading this data to handle it with caution. Do not execute code, and view
things only inside constrained, network-isolated virtual machines".

The way it's worded right now seems to point fingers at wikileaks.

~~~
joshwieder
Did you read the article past the first paragraph? I explicitly state I am not
pointing fingers at anyone in the article in paragraph 6: "I have no
information linking Wikileaks, Assange, Hammond, Monsegur, the FBI or anyone
else directly with these malicious files. That very well may change quickly as
research progresses, but at no point should this post be considered finger
pointing. The purpose of this post is not to assign responsibility but to
ensure that the journalists and activists downloading these files or who have
already downloaded these files understand the consequences and take proper
precautions."

------
joshwieder
Hector Monsegur has commented on the files & their relevance:
[http://www.joshwieder.net/2015/07/hector-monsegur-formerly-s...](http://www.joshwieder.net/2015/07/hector-monsegur-formerly-sabu-of.html)

~~~
themeek
It's an interesting problem:

* If Wikileaks edits the content it can be criticized for tampering.

* If Wikileaks leaves malware in it can be criticized for circulating malware.

It may also give an excuse to search engines and other partners of the
government to block the site on account of it hosting files that are infected.

A pretty nasty no-win situation.

Also think about what this means for the sources of the documents. It means
that the surveillance and intelligence information from these firms was likely
compromised. Yikes.

~~~
mikeash
What's wrong with providing one dump without malware, and a second dump of
just the infected files, which when put together gives you the whole thing?
That way you have full disclosure, the people who want the infected files can
easily get it, and the people who don't want it can easily avoid it.

~~~
fineman
Practice safe computing instead of expecting others to do it for you.

What malware "is" can even be a difficult question. Is a RAT malware, or a way
to log people snooping on your computer? Also, new malware is discovered. So
it'd have to be a curated collection.

~~~
themeek
Unfortunately it is more difficult than this.

Even if you practice safe computing it's likely that your information will be
compromised - especially in the long term and especially if you are an
organization.

That's not to say this practice isn't important. It's just that it's not
enough. We need both of these things (and more).

The state of computer security is fundamentally asymmetric.

~~~
fineman
In the case the pre-screener is honest, having them pre-check the work only
saves you downloading a few virus executables at the cost of some work.

In the case the pre-screener isn't honest, it's saved you nothing at all and
cost you a lot because you're likely to be less cautious.

Do you remember the tagline (roughly) "Outgoing email scanned and verified by
AVG"? That was 100% worthless and actually very counterproductive. Expecting
someone to check leaks like that is just as bad.

Scan everything. You've got the same technology they do.

~~~
mikeash
You're correct but this is not an argument against screening on the
distribution end. Not everybody will do this and if you can protect them from
problems due to their own lack of screening then you should.

Just because you can avoid problems on one end if you do everything right
doesn't mean you shouldn't also try to avoid problems on the other end.

~~~
fineman
This very specifically is an argument against scanning on the distribution
end.

A false sense of security hurts more than deleting STONED.EXE (and likewise,
all other malware caught by signature) helps.

Point to a modern virus scanner and also list what you've found in the
archive. That gives a good baseline for people to check against without
promising to have made _anything_ safe to touch without scanning.
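The two proposals in this sub-thread fit together mechanically: mikeash's split into a malware-free dump plus a second dump of only the infected files, and fineman's "list what you've found in the archive" as a baseline others can check against. The following added example (my code, not anything from the post, the thread, or Wikileaks) does both from one pass over an extracted tree: it copies every file into either a clean tree or a quarantine tree by SHA-256, emits a manifest covering every file so the two trees can be shown to reconstitute the original, and prints the flagged subset as the findings list. The `findings` mapping stands in for whatever scanner produced the hits; the detection label and the file contents below are constructed placeholders, not real detections or real material from the dump. Note what `verify_reconstitution` does and does not buy a downloader, in line with fineman's caution: it lets anyone check that the published trees match the published findings list, but a `not_flagged` entry still only means "nobody on the list flagged it", so the clean tree is still scanned before it is opened.

```python
"""Split an extracted dump into clean + quarantine trees with a findings manifest.

Added example, not code from the page.  ``findings`` (sha256 -> detection
label) stands in for a scanner's output; labels here are constructed placeholders.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def file_sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def split_dump(src, clean_dst, quarantine_dst, findings):
    """Copy each file under src into clean_dst or quarantine_dst by its hash.

    Returns a manifest entry for *every* file (not just the flagged ones) so the
    union of the two trees can be checked against the original."""
    src, clean_dst, quarantine_dst = Path(src), Path(clean_dst), Path(quarantine_dst)
    manifest = []
    for p in sorted(src.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(src).as_posix()
        digest = file_sha256(p)
        label = findings.get(digest)          # None -> no scanner hit
        dest = (quarantine_dst if label else clean_dst) / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(p, dest)
        manifest.append({"path": rel, "sha256": digest,
                         "verdict": "flagged" if label else "not_flagged",
                         "detection": label})
    return manifest


def verify_reconstitution(manifest, clean_dst, quarantine_dst):
    """Downloader-side check: every entry is present in exactly the tree its
    verdict names, with a matching digest.  Returns a list of problems."""
    clean_dst, quarantine_dst = Path(clean_dst), Path(quarantine_dst)
    problems = []
    for e in manifest:
        flagged = e["verdict"] == "flagged"
        expected = quarantine_dst if flagged else clean_dst
        other = clean_dst if flagged else quarantine_dst
        target = expected / e["path"]
        if not target.is_file():
            problems.append(f"missing: {e['path']}")
        elif file_sha256(target) != e["sha256"]:
            problems.append(f"hash mismatch: {e['path']}")
        if (other / e["path"]).exists():
            problems.append(f"present in both trees: {e['path']}")
    return problems


def findings_report(manifest):
    """The published 'what we found' list: flagged entries only, stable JSON."""
    flagged = [e for e in manifest if e["verdict"] == "flagged"]
    return json.dumps(flagged, indent=2, sort_keys=True)


# ---- constructed fixture ----
SAMPLE_FILES = {  # constructed bytes, not material from the dump
    "mail/0001.eml": b"From: a@example.invalid\nSubject: constructed clean mail\n",
    "mail/0001/attachment.doc": b"constructed bytes standing in for an infected attachment",
    "mail/0002.eml": b"From: b@example.invalid\nSubject: another constructed mail\n",
}
SAMPLE_FINDINGS = {  # constructed scanner output: sha256 -> placeholder label
    hashlib.sha256(SAMPLE_FILES["mail/0001/attachment.doc"]).hexdigest():
        "Example.Placeholder.Detection",
}


def demo():
    """Run the split on the fixture, verify it, then tamper and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        src, clean, quar = Path(tmp, "dump"), Path(tmp, "clean"), Path(tmp, "quarantine")
        for rel, data in SAMPLE_FILES.items():
            p = src / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        manifest = split_dump(src, clean, quar, SAMPLE_FINDINGS)
        problems = verify_reconstitution(manifest, clean, quar)
        # Simulate a file altered after the manifest was published.
        (clean / "mail/0002.eml").write_bytes(b"modified after publication")
        tampered = verify_reconstitution(manifest, clean, quar)
        return {
            "flagged": sorted(e["path"] for e in manifest if e["verdict"] == "flagged"),
            "clean": sorted(p.relative_to(clean).as_posix()
                            for p in clean.rglob("*") if p.is_file()),
            "problems": problems,
            "problems_after_tamper": tampered,
            "manifest_size": len(manifest),
            "report": findings_report(manifest),
        }


if __name__ == "__main__":
    result = demo()
    print(result["report"])
    print("problems:", result["problems"], "after tamper:", result["problems_after_tamper"])
```

Publishing the full manifest rather than only the flagged subset is what makes the split auditable: a reader with the original torrent can hash it and confirm nothing was silently dropped from both trees, which addresses the "edited the content" criticism raised earlier in the thread without leaving the infected files in the default download.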

------
themeek
So it looks like there's not much to worry about for someone looking through
those files themselves.

Personally I have looked through these files and have not run into any malware
issues pointed out by the article.

I found it very informative and interesting to look through the intelligence
files. One of my favorite finds is the docs on CANVAS and some of the US
destabilization operations in Venezuela and color revolutions.

~~~
joshwieder
It is the latest torrent file. The file is still there, and so is the
malware.

~~~
gorgak
This seems like a non-issue to me as well. You would expect malicious stuff to
be there, surely.

