Is It Safe To Download From Wikileaks
Malware alert: Dump on WikiLeaks contained over 3,000 malicious files
Malware expert Vesselin Bontchev discovered 323 malware instances in his initial scan of WikiLeaks' email dump from Turkey's ruling party; he listed 3,277 in his second report. WikiLeaks quietly 'neutered' some of the malware.
Dr. Vesselin Bontchev, an assistant professor at the National Laboratory of Computer Virology, which is part of the Bulgarian Academy of Sciences, found 3,277 malicious files on WikiLeaks after he scanned the email dump from Turkey's ruling political party (AKP).
Although Bontchev called it "run-of-the-mill" spam, scams and phishing, he noted that in the future "lots of journos will get pwned" if a really interesting document is released with malware embedded in it.
On GitHub, the malware pro said the list of malware hosted by WikiLeaks is "by no means exhaustive." But if he listed it, then it is definitely malware indexed by VirusTotal. Incidentally, he is still not done scanning.
When attempting to verify the 300+ malware instances reported by The Register, it was a shocker to count thousands of links to malware – more than 3,000 – in Bontchev's report. So I asked him if he was done scanning and to confirm the total.
Bontchev explained to me that when he first discovered the malware in the AKP dump posted on WikiLeaks, he did not check for malicious attachments in duplicate or spam emails. Additionally, if the same malicious file was attached to multiple emails, he only counted it once for his first report. What he found was 323 malicious files.
He previously told WikiLeaks to "run a virus scanner on those leaked emails! Distributing malware is not 'journalism' by any definition of the term!"
Indeed, WikiLeaks quietly "neutered" the malware which was listed in Bontchev's first report. He calls it "neutered" instead of "deleted" because the malware is still there; it's just more difficult to download and become infected by mistake.
After again searching the AKP dump, including spam and duplicates, Bontchev's second report has 3,277 entries. And that is in addition to the 323 malware instances which he listed in his first report.
In his report, he used three columns for each piece of malware he found; the first links to the email on WikiLeaks which contains malware. "The email itself is safe to view (although the text is usually spam/scam/phish/whatever)," he wrote.
The second column has the link to the actual malicious email attachment; since it is a direct link and clicking on it would download the malware, Bontchev replaced "https" with "hxxxx" and added brackets as well to the URL.
It's unknown why WikiLeaks didn't give him at least a hat tip of recognition, never mind a thank you, before neutering those links to malicious attachments. The malware is still there, but now it is base64-encoded. It would require decoding it manually before the malware could be executed, he explained.
[Photo: @VessOnSecurity, aka Vesselin Bontchev]
The third column links to VirusTotal, where the malware has been given various names by different antivirus vendors. That page also lists how many antivirus solutions can detect the malware. Bontchev has been a malware researcher for 28 years, so he said he didn't need VirusTotal to tell him if something was malware. In fact, some of the files weren't known to VirusTotal until he uploaded them; at that point, various scanners would detect the malware inside.
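The triage Bontchev describes (hash each attachment, look it up, publish only a defanged link) can be done offline against the raw messages. The script below is an added example, not Bontchev's own tooling: it parses a constructed .eml, hashes the attachment without running or rendering it, applies a few phishing red-flag checks, and emits a link in the hxxxx/bracket style; the exact bracket placement and the sample URL are assumptions.

```python
import base64
import hashlib
from email import message_from_string

# Constructed sample message: a spam-style lure carrying a fake "PDF" that is
# really a tiny Windows executable stub (MZ header), base64-encoded as in mail.
SAMPLE_EML = """\
Subject: Invoice #4421
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

""" + base64.b64encode(b"MZ" + b"\x00" * 62 + b"PE\x00\x00").decode() + """
--XX--
"""

# Extensions that execute when double-clicked on Windows.
RISKY_EXT = {"exe", "scr", "js", "vbs", "jar", "bat", "cmd", "ps1", "hta"}


def defang(url: str) -> str:
    """Report-style defanging: scheme becomes hxxxx and dots in the host are
    bracketed (assumed convention) so the link cannot be clicked by accident."""
    _scheme, rest = url.split("://", 1)
    host, _, path = rest.partition("/")
    return "hxxxx://" + host.replace(".", "[.]") + ("/" + path if path else "")


def triage(raw_eml: str, base_url: str) -> list:
    """One record per attachment: name, SHA-256, size, risk flags, safe link."""
    records = []
    for part in message_from_string(raw_eml).walk():
        if part.get_content_disposition() != "attachment":
            continue
        data = part.get_payload(decode=True) or b""   # base64 decoded here only
        name = part.get_filename() or "(unnamed)"
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        records.append({
            "name": name,
            "sha256": hashlib.sha256(data).hexdigest(),  # VirusTotal lookup key
            "size": len(data),
            "risky_extension": ext in RISKY_EXT,
            "double_extension": name.count(".") >= 2,    # e.g. "invoice.pdf.exe"
            "pe_header": data[:2] == b"MZ",              # Windows executable magic
            "link": defang(f"{base_url}/{name}"),        # base_url is a placeholder
        })
    return records
```

Feed it the messages of a dump one by one and the SHA-256 column can be checked against a scanner or VirusTotal without ever downloading an attachment from the published archive.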
This is not the first time that WikiLeaks has been accused of hosting malware or endangering individuals by not redacting sensitive personal data included in the leaks. Even Edward Snowden called WikiLeaks' reluctance to do even modest curation a "mistake."
Fox News previously reported that Google had been warning users about unsafe downloads from WikiLeaks right after WikiLeaks posted the Democratic National Committee email leak. For a time, Facebook had even blocked WikiLeaks. However, Bontchev said he did not find any malware in the DNC dump.
In March 2015, security researcher Josh Wieder warned that the "Global Intelligence Files" published by WikiLeaks were "loaded with malicious software." Wieder warned there could also be malware included in other leaks. He told Hacked that WikiLeaks could be used as a "deliberate distribution mechanism." He suggested, "Someone who wants to identify not only members of WikiLeaks, but their readers, this would absolutely be the way to do it."
That brings us to another possibility. What if some of the emails were just part of a long-range plan and advanced persistent threat (APT)? It wouldn't be unheard of for a zero-day exploit to be aimed at an especially juicy target, meaning not all browsers or antivirus solutions will block all threats. They can't block it if the vulnerability is not yet publicly known.
Bontchev told Computerworld:
We kinda got lucky this time. But the next time a government targeting journalists might "leak" some interesting-looking documents that are booby-trapped to install spyware or RATs (remote administration tools) on the computers of the journalists who download and open them. That's why journalists must be always very suspicious of such sources and open the documents only in "safe" environments (e.g., a Chromebook not connected to the Internet, which is wiped clean after the text of the documents has been inspected).
You might want to keep that one in mind and use caution when browsing dumps on WikiLeaks, which, for example, said it already has the archive of NSA-linked cyber weapons that are being auctioned by Shadow Brokers; WikiLeaks intends to release a "pristine copy in due course."
Although Bontchev doesn't have anything against WikiLeaks, he said:
It seems that Wikileaks' concept of "journalism" is finding an interesting-looking document in a garbage container and dumping the contents of the entire container at your front door.
Please understand me correctly – I have great respect for the idea WikiLeaks is based on. The world needs an independent journalist organization that reveals the shady dealings of governments and corporations. However, dumping everything without any kind of curation is simply irresponsible! There is no reason to distribute malware or personal information. A responsible investigative journalist researches the subject, verifies the claims made by his sources, synthesizes the information and presents it to the reader. A responsible journalist doesn't dump raw garbage on their readers. I understand that WikiLeaks has very limited resources – but at the very least they could run a virus scanner on those e-mails!
WikiLeaks, come on, please run a virus scan before releasing a dump. I personally don't want to get infected and I don't know anyone who does. That also doesn't imply we won't read and maybe report on the leaks. As Bontchev said of running a scan before dumping the dirt, "At least this will filter out the run-of-the-mill known malware. It's simply something they owe to their readers."
Copyright © 2016 IDG Communications, Inc.