Hacker News: joshwieder's comments

There is one specific torrent at issue here. It is the latest torrent, gifiles-2014.tar.bz2.torrent. I identified 20 malicious files in my post:

gifiles-2014\gifiles\attach\6\6566_The Split Betw.doc
gifiles-2014\gifiles\attach\19\19701_MASY - Q MASY HUMINT.doc
gifiles-2014\gifiles\attach\19\19719_List of Addresses - Advance Copies.doc
gifiles-2014\gifiles\attach\152\152977_Happy vacation.pdf
gifiles-2014\gifiles\attach\18\18714_Research_and_R.xls
gifiles-2014\gifiles\attach\117\117687_Lithium.doc
gifiles-2014\gifiles\attach\117\117870_Hybrid write-up2.doc
gifiles-2014\gifiles\attach\117\117793_Hybrid write-up.doc
gifiles-2014\gifiles\attach\47\47247_US Congress re.doc
gifiles-2014\gifiles\attach\47\47329_US Congress re.doc
gifiles-2014\gifiles\attach\52\52004_IRAN_STRAIT_PART.pdf
gifiles-2014\gifiles\attach\151\151784_Command.com
gifiles-2014\gifiles\attach\151\151098_text.zip->(Zip)
gifiles-2014\gifiles\attach\151\151098_text.zip->text.exe
gifiles-2014\gifiles\attach\119\119443_Russia Data Requests.doc
gifiles-2014\gifiles\attach\142\142345_photos.zip->(Zip)
gifiles-2014\gifiles\attach\142\142345_photos.zip->photos.jpg.exe
gifiles-2014\gifiles\attach\146\146924_message.zip->(Zip)
gifiles-2014\gifiles\attach\146\146924_message.zip->message.exe
gifiles-2014\gifiles\attach\17\17102_Draft scenarios for Libya_0416.pdf

If it is your position that these files do not contain malicious files in the torrent I stated, please back up your conclusion with the level of research that I provided in my post(s) on the topic. For all files provide the hashes, for .DOC files provide the output of an application showing no macros or embedded OLEs exist, explain the presence of executables or .COM files in the torrent, and provide a hex-dump of the PDFs.

As for the next comment's claim that the presence of malware in this sort of file distribution is irrelevant, such a position is nothing short of madness. These files are viewed by journalists and activists. Malicious software like this, regardless of its source, can compromise the identities of those journalists and activists. The only way I could understand such a contention would be if you were to also claim that journalists and activists should be "outed" for working on such documents. To that claim, I strenuously disagree. I think that those working on these documents should be able to remain private and protected. This is not a torrent containing a pirated movie. This is a torrent containing leaked documents from a defense contractor, provided on a website that (rightly I believe) claims to be a news organization.

Would you think that Fox News embedding malware in their website's flash player would be no big deal? For those of us working toward a safe and secure internet, malware should be removed and/or users notified wherever it exists. Mine is not an extremist position.
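The checks the comment above asks for (hash every file, look for macro/OLE streams in .DOC files, account for executables and .COM files, inspect PDFs for active content) can be scripted as a first-pass triage. The script below is an added example written for this page, not code from the commenter's post or from anyone else; the sample files it scans are constructed in memory as stand-ins and are not the files from the torrent. It uses only the Python standard library, so the OLE check is a raw byte search for the UTF-16LE stream names a VBA project leaves behind rather than a full compound-file parse, and the PDF check is a keyword match after undoing `#xx` name escapes. Both are heuristics: a file with no findings here still needs a real scanner and a sandbox.

```python
"""Triage helper for a leaked-document archive: hashes every file and flags
macro containers in .doc files, active content in PDFs, executables (by
header and by extension), double extensions, and the same indicators inside
zip members. Heuristic only: no findings is not proof a file is safe."""
import hashlib
import io
import re
import zipfile

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # compound document (Word 97-2003)
# Storage/stream names inside an OLE file are stored as UTF-16LE, so searching
# the raw bytes for the encoded names finds macro containers without a parser.
VBA_MARKERS = {n: n.encode("utf-16-le") for n in ("Macros", "_VBA_PROJECT")}
PDF_MARKERS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile")
EXEC_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".hta")
DOUBLE_EXT = re.compile(r"\.(jpe?g|png|gif|pdf|docx?|txt)\.(exe|com|scr|pif)$", re.I)
MAX_MEMBER = 50 * 1024 * 1024  # refuse to inflate zip members larger than this


def triage(name, data, depth=0):
    """Return {'name', 'sha256', 'findings'} for one file held in memory."""
    findings = []
    lname = name.lower()
    if data[:2] == b"MZ":
        findings.append("MZ header: DOS/PE executable regardless of extension")
    if lname.endswith(EXEC_EXT):
        findings.append("executable extension " + lname.rsplit(".", 1)[-1])
    if DOUBLE_EXT.search(lname):
        findings.append("double extension hides an executable")
    if data.startswith(OLE_MAGIC):
        hits = [n for n, enc in VBA_MARKERS.items() if enc in data]
        if hits:
            findings.append("OLE macro container(s): " + ", ".join(hits))
    if data.startswith(b"%PDF"):
        # PDF names may be hex-escaped (/J#61vaScript); undo that before matching.
        plain = re.sub(rb"#([0-9A-Fa-f]{2})",
                       lambda m: bytes.fromhex(m.group(1).decode()), data)
        hits = [m.decode() for m in PDF_MARKERS if m in plain]
        if hits:
            findings.append("PDF active content: " + ", ".join(hits))
    if data[:4] == b"PK\x03\x04" and depth < 2:   # zip; bounded recursion
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.file_size > MAX_MEMBER:
                        findings.append(f"{info.filename}: skipped, {info.file_size} bytes")
                        continue
                    if info.filename.lower().endswith("vbaproject.bin"):
                        findings.append(f"{info.filename}: OOXML macro project")
                    inner = triage(info.filename, zf.read(info), depth + 1)
                    findings.extend(f"{info.filename}: {f}" for f in inner["findings"])
        except zipfile.BadZipFile:
            findings.append("zip signature but archive does not parse")
    return {"name": name, "sha256": hashlib.sha256(data).hexdigest(), "findings": findings}


def scan_all(files):
    """Triage a {name: bytes} mapping; returns one report dict per file."""
    return [triage(n, d) for n, d in files.items()]


def _zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, d in members.items():
            zf.writestr(n, d)
    return buf.getvalue()


# Constructed stand-ins for the example only; these are not files from the torrent.
SAMPLES = {
    "macro.doc": OLE_MAGIC + b"\x00" * 56 + VBA_MARKERS["Macros"]
                 + b"\x00" * 8 + VBA_MARKERS["_VBA_PROJECT"],
    "plain.doc": OLE_MAGIC + b"\x00" * 56 + "WordDocument".encode("utf-16-le"),
    "opener.pdf": b"%PDF-1.4\n1 0 obj<</OpenAction 2 0 R>>\n"
                  b"2 0 obj<</S/J#61vaScript/JS(app.alert(1))>>\n%%EOF",
    "photos.zip": _zip({"photos.jpg.exe": b"MZ" + b"\x90" * 64}),
    "Command.com": b"\xB8\x00\x4C\xCD\x21",   # mov ax,4c00h ; int 21h (DOS exit)
}

if __name__ == "__main__":
    for r in scan_all(SAMPLES):
        print(r["sha256"], r["name"])
        for f in r["findings"]:
            print("   !", f)
```

Run it over a real extracted tree by building the mapping from `open(path, "rb").read()` for each file. The hashes give reviewers a fixed reference to compare against, and the findings list is exactly the kind of per-file baseline the later comment about "list what you've found in the archive" asks for, without claiming anything not flagged is clean.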


No, what my post was claiming is that the presence of malware didn't hurt my system and wasn't an issue when I browsed the files (on a practical basis).

I understand the potential.

I think it's valuable for you to do this.

You should continue to look for malicious files in a variety of places online.

Good work.


Did you read the article past the first paragraph? I explicitly state I am not pointing fingers at anyone in the article in paragraph 6: "I have no information linking Wikileaks, Assange, Hammond, Monsegur, the FBI or anyone else directly with these malicious files. That very well may change quickly as research progresses, but at no point should this post be considered finger pointing. The purpose of this post is not to assign responsibility but to ensure that the journalists and activists downloading these files or who have already downloaded these files understand the consequences and take proper precautions."


IRC is notorious for this type of garbage. It's pretty neat that the one you found disabled nmap (zenmap?). Did you ever find out what it was, or do you have a hash of the IRC bot?


Hector Monsegur has commented on the files & their relevance: http://www.joshwieder.net/2015/07/hector-monsegur-formerly-s...


It's an interesting problem:

* If Wikileaks edits the content it can be criticized for tampering.

* If Wikileaks leaves malware in it can be criticized for circulating malware.

It may also give an excuse to search engines and other partners of the government to block the site on account of it hosting files that are infected.

A pretty nasty no-win situation.

Also think about what this means for the sources of the documents. It means that the surveillance and intelligence information from these firms was likely compromised. Yikes.


What's wrong with providing one dump without malware, and a second dump of just the infected files, which when put together gives you the whole thing? That way you have full disclosure, the people who want the infected files can easily get it, and the people who don't want it can easily avoid it.


I really like this solution.

Critics might be able to say that Wikileaks BOTH hosts malware AND tampers with evidence - but if Wikileaks has a voice to respond it has a pretty good reply.

Filters and services sometimes block entire domains because one page hosts malware. So it might be that the excuse could still be used to block Wikileaks if they did host both - but again agreed that hosting both is pretty good.

It does increase the work staff at Wikileaks must do and the amount of data they have to host/manage.

But yeah overall if this becomes a problem for them doing both seems like a pretty good solution.

Nice!


Practice safe computing instead of expecting others to do it for you.

What malware "is" can even be a difficult question. Is a RAT malware, or a way to log people snooping on your computer? Also, new malware is discovered. So it'd have to be a curated collection.


Unfortunately it is more difficult than this.

Even if you practice safe computing it's likely that your information will be compromised - especially in the long term and especially if you are an organization.

That's not to say this practice isn't important. It's just that it's not enough. We need both of these things (and more).

The state of computer security is fundamentally asymmetric.


In the case the pre-screener is honest, having them pre-check the work only saves you downloading a few virus executables at the cost of some work.

In the case the pre-screener isn't honest, it's saved you nothing at all and cost you a lot because you're likely to be less cautious.

Do you remember the tagline (roughly) "Outgoing email scanned and verified by AVG"? That was 100% worthless and actually very counterproductive. Expecting someone to check leaks like that is just as bad.

Scan everything. You've got the same technology they do.


You're correct but this is not an argument against screening on the distribution end. Not everybody will do this and if you can protect them from problems due to their own lack of screening then you should.

Just because you can avoid problems on one end if you do everything right doesn't mean you shouldn't also try to avoid problems on the other end.


This very specifically is an argument against scanning on the distribution end.

A false sense of security hurts more than deleting STONED.EXE (and likewise, all other malware caught by signature) helps.

Point to a modern virus scanner and also list what you've found in the archive. That gives a good baseline for people to check against without promising to have made anything safe to touch without scanning.


> A pretty nasty no-win situation.

It's a pretty easy win-win situation–offer both, inform users appropriately. And then provide a third set: a list of the sanitized files not present in the virus-free dump. I think a quick spot check through those would show whether any editorializing was going on.

I have serious concerns about their publishing the private emails of employees of a private company that, from all I can gather, turned out to be pretty non-evil. But the virus issues, while not Stratfor's or Wikileaks's direct fault, could have been mitigated by Wikileaks pretty easily.

(Disclosure: I've subscribed to them for many years, but have no interest beyond that.)


The emails from SONY had some controversial stuff in them.

For example here is an interaction between the CEO and the State Department about setting up a group of media executives to develop US propaganda for the Middle East and Russia: https://wikileaks.org/sony/emails/emailid/117082

Of course it was also revealed that The Interview was a propaganda product aimed at destabilizing North Korea (in anticipation of the upcoming planned unification).

These sorts of things can only be found when there's wide access given to journalists. It's also true that the emails were available via torrent and hosted other places online.

To play the other side, 99% of the SONY leaks were innocuous. While it is a company with management that works, like most US international corporations, with the US government on 'shady things', it is also in large part a private company with the usual mundane concerns of a corporation.


Sorry, I was just talking about Stratfor.

> Of course it was also revealed that The Interview was a propaganda product aimed at destabilizing North Korea (in anticipation of the upcoming planned unification).

I missed all that–can you point me in the right direction?

> These sorts of things can only be found when there's wide access given to journalists.

Sure, but there's an argument to be made that the only way to end domestic violence is to place cameras inside all homes. Obviously that tradeoff is one most people aren't willing to make, and I don't think that leaking the private emails of employees of a private company is ultimately morally defensible.

Whistleblowing is one (very important) thing. Bulk dumps of 99% innocuous stuff because there's 1% of stuff in there that isn't great (but probably isn't all that bad, in the grand scheme of things) are tactically questionable (leaking something with a 1:99 S/N ratio is a terrible way to get your message across) and also morally suspect.

If Wikileaks & Co. truly wanted to change the world (and it wasn't about garnering attention and giving indiscriminate anger an outlet), they'd be approaching things differently.


Oh sorry.

The Stratfor leaks had a TON of shady stuff.

> I missed all that–can you point me in the right direction?

Sure!

The CEO of SONY, high level State Department officials, a RAND specialist on nuclear non-proliferation, regime change and North Korea, and the Special Envoy to Korea discussed what direction the ending of the movie should go for it to most optimally destabilize the Kim regime. The Special Envoy (and RAND specialist Bennett) mentioned plans to seed the film into NK:

http://www.thedailybeast.com/articles/2014/12/17/exclusive-s...

Covered in the prior link and here (http://www.democracynow.org/2014/12/22/the_interview_pokes_f...) the State Department was given early screenings of the Interview.

The CIA and Hillary staffers were on set of the Interview (https://wikileaks.org/sony/emails/emailid/109275); Seth Rogen even mentioned getting inside information about Kim Jong Un's disappearance for surgery during the production from officials on set he thought were CIA (http://www.nytimes.com/2014/12/21/movies/james-franco-and-se...).

The decision to name the leader of NK in the film came down from executives - in the original script it had entirely fictional names (http://www.scpr.org/programs/the-frame/2014/12/15/40758/how-...). This is also confirmed by the SONY leaks, which have the executives trade emails concerned about the appearance of their having brought up the idea.

This all came out pretty early during the hacks but unfortunately the skepticism over it having been NK behind the hacks overwhelmed the media at the time. (It did turn out to be pretty definitively North Korea, or at least sympathizers, after all).

> 99% v. 1%

I happen to agree with you wholeheartedly. I do like the way that Wikileaks operates, though. They don't want to be the people in charge of curating and censoring information because they feel that this process can become politicized. So they publish everything.

The cost of their publications is extremely high. The returns are also high and IMO the ROI is good so in general I'm for them. But yeah if the ROI wasn't very good I would question it a lot more.

Definitely Wikileaks operates in pretty challenging legal waters.


Wikileaks could flag infected content and force people to click an "I know what I'm doing" button to download or view.


It is the latest torrent file. The file is still there, and so is the malware.


This seems like a non-issue to me as well. You would expect malicious stuff to be there, surely.


I do not understand what about the title is linkbait. If you are circulating any sort of file you should announce the presence of malware or remove it.


The way it's worded heavily implies that this was done on purpose to hurt anyone who tries to view this stuff, and that you will get infected if you try to download it.


I'm not sure how you could word it differently. It implies nothing, and the article itself explicitly denies any finger-pointing.

> I ought to be clear from the outset: I have no information linking Wikileaks, Asssange, Hammond, Monsegur, the FBI or anyone else directly with these malicious files. That very well may change quickly as research progresses, but at no point should this post be considered finger pointing. The purpose of this post is not to assign responsibility but to ensure that the journalists and activists downloading these files or who have already downloaded these files understand the consequences and take proper precautions. If I can encourage security researchers to take a look at these files it would be a bonus.

Also answers your question of "why the [arguably] click-bait title?" To get attention, which it deserves.


I think the headline would be much better like, "Wikileaks Global Intelligence File Dump Contains a Great Deal of Malicious Software."

The problem is "loaded" which has two rather different meanings in this context. "X is loaded with Y" can just mean that X contains a lot of Y, but it can also mean that someone loaded a lot of Y into X. If you go for the second meaning, which is an entirely natural reading of the original headline, then the headline is saying "Someone (such as the NSA or their friends) put a lot of malware into this stuff."

As to the "why" question (which for the record was not mine) I don't think it's justifiable to use a misleading headline just because the information is important. Although I imagine the misleading nature of this headline was entirely unintentional.


It depends on how you parse loaded.

I parsed it as "Loaded" as in the way I like my Baked Potatoes "Loaded" with Sour Cream and Bacon.

I can see how you parsed it the other way.

Reading the author's other posts, would it be worth giving him the benefit of the doubt that he wasn't trying to link bait?


You leave me wondering if you read my comment, since "it depends on how you parse loaded" is most of what I said, and I explicitly gave the author the benefit of the doubt by saying it was probably unintentional.


I stopped reading as soon as I decided to get a baked potato from TGI Fridays.


You made me hungry, so I see your point.


Ok, we took "loaded" out of the title as arguably loaded.


particularly when the people viewing those files will be journalists and activists who very much need to protect themselves from surveillance


"Loaded with" vs. "contains a little".


True, though if you're downloading someone else's entire mailspool you should expect to find viruses and spam and malware.

