The whistle-blower group has been releasing documents from what it claims is the largest such dump of CIA material, beginning on 7 March.
Last week, following the dropping of a rape investigation in Sweden against its publisher, Julian Assange, there was no release.
Pandemic is installed on a Windows file server and targets remote users: when they fetch an application from the server, its code is swapped on the fly for a trojaned version, while the original file stays untouched on the machine on the local network that serves it.
In a series of tweets, he asked: "When you examine the #pandemic @wikileaks dump, ask yourself: Where are the rest of the docs? Compare this dump to any of the others and you'll see that there is far less data than we got with GRASSHOPPER, etc. Do they not have the other files? Seems unlikely."
A critical nuclear goal is to incapacitate your adversary and remove the possibility of retaliatory strike. The dumps are doing that. 2/n
— Jake Williams (@MalwareJake) June 1, 2017
According to the released documents, Pandemic does not change the files on the machine it runs on. It can replace up to 20 programs, each with a maximum file size of 800 MB, and the replacement can be restricted to a select list of remote targets.
Documents in the dump say: "Pandemic is a tool which is run as kernel shellcode to install a file system filter driver. The filter will 'replace' a target file with the given payload file when a remote user accesses the file via SMB (read-only, not write).
"Pandemic will not 'replace' the target file when the target file is opened on the machine Pandemic is running on. The goal of Pandemic is to be installed on a machine where remote users use SMB to download/execute PE files."
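Because the substitution described above happens only when a file is read over SMB and never for a local open, a defender can compare what the server sees with what a client receives. The following is an added example, not code from the article or from the leaked documents: the server builds a hash manifest through a local path, a client re-hashes the same files through the share, and any difference flags in-transit substitution (the directory names and sample files are constructed; in practice `share_root` would be a UNC path).

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path, chunk_size=1 << 20):
    """Hash a file in chunks so large PE files need not be read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(local_root, patterns=("*.exe", "*.dll")):
    """Run ON the file server: hash served PE files via a local path.
    Per the leaked description a local open is not subject to replacement,
    so these digests represent the genuine files."""
    root = Path(local_root)
    return {
        str(p.relative_to(root)).replace("\\", "/"): sha256_of(p)
        for pat in patterns
        for p in sorted(root.rglob(pat))
    }


def verify_share(manifest, share_root):
    """Run FROM a client that reaches the same files over SMB.
    Returns the relative names whose content differs from what the server
    itself sees, or that are missing: candidates for in-transit substitution."""
    share = Path(share_root)
    return [
        rel for rel, expected in manifest.items()
        if not (share / rel).is_file() or sha256_of(share / rel) != expected
    ]


def demo():
    """Constructed scenario: a 'server' tree and a 'share' view of it in which
    one program arrives with different bytes. Returns (manifest, mismatches)."""
    server, share = Path(tempfile.mkdtemp()), Path(tempfile.mkdtemp())
    for d in (server, share):
        (d / "tool.exe").write_bytes(b"MZ" + b"\x00" * 64)
        (d / "lib.dll").write_bytes(b"MZ" + b"\x01" * 64)
    (share / "tool.exe").write_bytes(b"MZ" + b"\x90" * 64)  # differs as delivered
    manifest = build_manifest(server)
    return manifest, verify_share(manifest, share)


if __name__ == "__main__":
    manifest, mismatched = demo()
    print("mismatched over share:", mismatched)  # ['tool.exe']
```

The manifest has to be produced on the server and carried to the client out of band (not fetched through the same share), otherwise both sides could be reading substituted content.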