back to article WikiLeaks uploads 300+ pieces of malware among email dumps

WikiLeaks is hosting 324 confirmed instances of malware among its caches of dumped emails, a top Bulgarian anti-malware veteran says. Random checks of reported malware hashes find the trojans are flagged as malware by Virus Total's static analysis checks. Much of the malware appear to be attachments emailed by black hats in a …

  1. Ole Juul

    Should be part of their threat model

    Not warning users is a serious oversight.

    1. Scorchio!!

      Re: Should be part of their threat model

      "Not warning users is a serious oversight."

      Truly, but it is also vital for any user to check files they download, and I would say especially anything to do with Wikileaks, given their attitude to not redacting location information for Afghan informants and Assange's reasoning for this. I check anything I download with 3 packages I've installed. There are also the on line checkers for more paranoid people.

    2. Just Enough Silver badge

      Re: Should be part of their threat model

      When you are downloading someone else's email to have a nosey through it, I don't see how you have any room to complain about what may be in it.

      1. boltar Silver badge

        Re: Should be part of their threat model

        "When you are downloading someone else's email to have a nosey through it, I don't see how you have any room to complain about what may be in it."

        Quite. I think its called Karma.

    3. robidy Bronze badge

      Re: Should be part of their threat model

      ? It's an uncensored dump, surely this clown is not suggesting wikileaks censor stuff...

      1. Mark 85 Silver badge

        Re: Should be part of their threat model

        I don't believe removing the malware would be considered "censoring". Then again, I don't visit Wikileaks.

        1. patrickstar

          Re: Should be part of their threat model

          It could very well be interesting for third parties to study the sort of malware sent to these organisations. So flat out removing it wouldn't be a good idea.

  2. Stuart Elliott
    Headmaster

    Peices

    I before E except after C..

    (well unless it's on this list of course: https://en.wiktionary.org/wiki/Category:English_words_not_following_the_I_before_E_except_after_C_rule )

    1. Inventor of the Marmite Laser Silver badge

      I before E except after C

      unless E has got all his mates with him

    2. Jeffrey Nonken

      Re: Peices

      I before E except after C and except when it sounds like A as in "neighbor" and "weigh". Nobody ever seems to remember the second part. Hell, I've heard people quote "I before E" and stop there.

      There are still exceptions, of course. "Ancient" and "science" come to mind.

      1. phuzz Silver badge
        Headmaster

        Re: Peices

        There's more words in English that are spelt "ei" than "ie", so that 'rule' is worse than useless.

        1. Charles 9 Silver badge

          Re: Peices

          Such as?

          BTW, most of those cited words (like "piece") are i-before-e and therefore aren't demonstrating exceptions.

          PS. If you're going to talk about the i-before-e rule, what about the mouse/house plural controversy? Is it mouses or is it hice?

          1. earl grey Silver badge
            Trollface

            Re: Peices

            It's mices...as in

            I hate mices to pieces.

            1. Mark 85 Silver badge
              Headmaster

              Re: Peices

              Err.. in that case it's 'meeces".... according to Mr. Jinks.

          2. zb

            Re: Peices

            If you talk like Prince Charles hice is singular.

        2. Marshalltown
          Pint

          Re: Peices

          phuzz,

          Nonsense. In fact that rule is the sole example of the "exception proving the rule."

      2. Anonymous Coward
        Anonymous Coward

        I before E except after C and except when it sounds like A as in "neighbor" and "weigh"

        The version I was taught was "I before E except after C, but only when the sound is E".

        But yes, people are taught half a rule and then wonder why it doesn't work.

        1. Charles 9 Silver badge

          Re: I before E except after C and except when it sounds like A as in "neighbor" and "weigh"

          "The version I was taught was "I before E except after C, but only when the sound is E"

          There are a few exceptions:

          - If the combination is pronounced like an A ("weight") or an I ("height").

          - Imported words. Many words of the first type are this type as well (in particular, a lot of the I-types come from Germanic languages where this combination is much more common, like "poltergeist").

          - Diphthongs where the letters sit next to each other but are on different syllables so they're pronounced distinctly (like "agreeing").

          1. Charles 9 Silver badge

            Re: I before E except after C and except when it sounds like A as in "neighbor" and "weigh"

            And BTW, words like "ancient" and "science" that supposedly break the "except after C" exception I believe are also diphthongs, with the I and E belonging to different syllables. In the case of "ancient" and similar words (like "prescient", "omniscience", etc.), we tend to pronounce the CIENT as "shent" though this is probably a corruption of "si" followed by a distinct "ent".

      3. Tikimon
        Devil

        Re: Peices

        ... except for weird exceptions, such as "weird".

        1. Anonymous Coward
          Anonymous Coward

          Re: Peices

          I think weird is justified as a diphthong: the e and i are really pronounced separately: we-ird.

  3. Anonymous Coward
    Facepalm

    Microsoft Windows Malware

    "Wikileaks is hosting 324 confirmed instances of malware" which is only dangerous if you download it under Microsoft Windows.

  4. ChubbyBehemoth
    Holmes

    Ah, that's how the leak started!

    Should be interesting to figure out where and what party was responsible.

    "Okay! Who clicked the boobs bait?"

  5. Anonymous Coward
    Anonymous Coward

    Anybody who opens a DOCX file from the Internet is a fool

    I send mine to Google Docs to open for me :)

    An argument can be made that the documents should be sent, viruses and all, exactly as received by Wikileaks. Warts and all.

    1. Bloakey1

      Re: Anybody who opens a DOCX file from the Internet is a fool

      Snip

      "An argument can be made that the documents should be sent, viruses and all, exactly as received by Wikileaks. Warts and all."

      I totally agree with you. Any attempt to change the data would mean that it is no longer valid.

    2. Anonymous Coward
      Anonymous Coward

      Re: Anybody who opens a DOCX file from the Internet is a fool

      Eh? what is wrong with a docx? It is just an XML file.

      1. Joe Montana

        Re: Anybody who opens a DOCX file from the Internet is a fool

        It's not the file thats the problem so much as the fact that 99% of users can be expected to use the same software to open the file, ie a monoculture... If you have an exploit for a vulnerability in that software you have a very high chance of success.

        That's why monoculture software is almost always the primary target of malware... Think of all the browser exploits which targeted IE when it had over 90% of market share, and how most of these attacks moved to Flash, Java, Acrobat etc once the browser market became more diverse.

        1. Anonymous Coward
          Anonymous Coward

          Re: Anybody who opens a DOCX file from the Internet is a fool

          "It's not the file thats the problem..." [sic]

          The OP seemed to single out docx, rather than just say "anybody who opens a file from the internet", or even "visits any site on the internet..."

        2. Anonymous Coward
          Facepalm

          Re: Anybody who opens a DOCX file from the Internet is a fool

          "In 2003, Geer's 24-page report entitled "CyberInsecurity: The Cost of Monopoly" was released by the Computer and Communications Industry Association (CCIA). The paper argued that Microsoft's dominance of desktop computer operating systems is a threat to national security. Geer was fired (from consultancy @Stake) the day the report was made public."

    3. Anonymous Coward
      IT Angle

      Re: Anybody who opens a DOCX file from the Internet is a fool

      Just set Windows to open in the ms Word Viewer

      1. Ken Moorhouse Silver badge

        Re: Just set Windows to open in the ms Word Viewer

        Word Viewer, being a MS product is just as susceptible to vulnerabilities as any other MS product. My personal preference would be either OpenOffice or LibreOffice.

        1. Charles 9 Silver badge

          Re: Just set Windows to open in the ms Word Viewer

          But they don't render them correctly, meaning they can't be relied for those types of documents, especially where formatting is sensitive and/or important.

          1. Ken Moorhouse Silver badge

            Re: Just set Windows to open in the ms Word Viewer

            OpenOffice/LibreOffice might not render documents faithfully, but then MS Word does not have a good track-record in that respect either (between versions). I'm not sure either whether Word will cope with printer drivers and fonts on the source machine differing with those loaded onto a target machine, which would cause rendering to be affected..

            There shouldn't really be a need, other than collaboration on document assembly, for documents to be sent in docx format anyway. That's what pdf is for. Having said that, Adobe have shot themselves in the foot for enabling the possibility for malware to be embedded in that format.

  6. Mayhem

    Seems less than I'd expect

    So you'd prefer that they explicitly tamper with the files they receive, rather than uploading them as is where is?

    Frankly the fact that there is malware like this present in the files is a better indicator that they are probably genuine.

    Anyone downloading the files should be running them through antivirus etc as a matter of course, but other than flagging the file with a warning, I don't see how this is a wikileaks problem (or that of any other disclosure site)

    1. Ole Juul

      Re: Seems less than I'd expect

      "Anyone downloading the files should be running them through antivirus etc as a matter of course, but other than flagging the file with a warning, I don't see how this is a wikileaks problem (or that of any other disclosure site)"

      Indeed it is ultimately the downloader's responsibility, but many will not be so savvy as we might hope. I think it is a WikiLeaks oversight that they're not giving warnings, or even any suggestions at all, for those who would download files. Taking the high road because "it is not their responsibility" is not consistent with being responsible and doing a good job. Hopefully they will add some general warning, and perhaps a suggestion or two, after this incident.

  7. Joe Montana

    Email dumps

    If they're dumping email boxes, and those email boxes contain spam and malware then in the interest of full disclosure they have to post it all... If they started removing malware then they've modified the content, what's to stop them making other modifications?

    1. Justin Clift

      Re: Email dumps

      Well, it's not so much that they need to remove the malware.

      Wikileaks likely has all kinds of viewers/readers, as they're mentioned in the general (non-IT) press reasonably often.

      Not all of those users will have the depth/understanding needed to realise "hey, some of these files might not be safe...".

      So, as others here have mentioned adding prominent warnings about malware being in some of the downloads sounds like a good idea. It would help clue in the people that don't realise.

  8. 45RPM

    So was Julian Asshole’s big idea just to establish Wikileaks as the worlds largest malware market? Ecuador have got a real prize on their hands.

    Snowden, for all his faults, seems to have his heart in the right place and seems to be working from the best of intentions. Assange, by contrast, is Donald Trump’s nerdy firestarting alter ego.

    1. Anonymous Coward
      Anonymous Coward

      @45RPM

      "So was Julian Asshole’s big idea just to establish Wikileaks as the worlds largest malware market?"

      I think there's a little more to it than that. The main problem is tampering: if they removed all the attachments then they're basically changing the e-mails contents. Which raises an obvious question: if they think it's ok to alter e-mails like that (remove attachments) then what guarantees are left that they didn't change even more?

      So I don't think they have much other alternatives here. But I fully agree that more and better warnings should have be put in place.

  9. Tikimon
    Thumb Up

    What about a specific warning on the actual file?

    Pardon me if someone already proposed this. A general site warning "Files here may contain malware..." is useless. Instead, scan the files for nasties! Then stick an insect icon on each file that comes up positive. This allows the informed and brave to download them if they have sufficient cause, while keeping those of us without an airgapped sandboxed throwaway PC to steer clear.

    Now that I think of it, a Search filter could be offered as well to include or exclude files with bugs.

    1. Ken Moorhouse Silver badge

      Re: stick an insect icon on each file that comes up positive

      Yes, but who is liable if one not marked with an insect icon is later found to be malware-laden?

      There needs to be a blanket "caveat emptor" policy.

      1. Charles 9 Silver badge

        Re: stick an insect icon on each file that comes up positive

        But if it's blanket, no one reads it. Damned if you do, damned if you don't.

  10. Matt Bryant Silver badge
    Facepalm

    Lay down with dogs....

    ....get malware!

    Seriously, given the types that seem to frequent and support Dickileaks, if anyone is at all surprised then I have a great investment opportunity for them in water-side Everglades real estate.

  11. Unbelievable!

    jeez. the word you're looking for is "integrity"

    anything reported that has been altered does not have integrity. wikileaks would be pretty shit if it didn't have integrity. it HAS to be complete. yes. fair warning should be given.. something like:

    "what you are about to receive may not be entirely safe. scan scan scan and then double scan. the contents are sourced from real life situations and that includes secuirty risks and other threats in the wild"

    sorry for lack of grammar.

  12. Anonymous Coward
    Anonymous Coward

    it happens..

    Untouched means greater integrity.

    The same has happened with digital collections of old software. A number of pieces of Amiga, PC and ST software were sold at retail with viruses on the floppies. To ensure integrity and an accurate representation of the product that was sold the copies of these disks made by digital archivists for long-term preservation contain the same viruses, they're 1 to 1 copies of the original media.

    Other groups can cleanse datasets in cases like this, including this one, but having access to the original untouched data is vital, it's evidence, and tampering with evidence is not considered to be a good idea.

  13. NonSSL-Login

    Numbers

    Unless you know when the signature was added to the AV apps database you cannot say that 80% of them would have been caught at the time. The signatures may have been added to the av apps and thus virustotal after they were read originally.

    Do exploits, such as the recent NSA Cisco and others firewall tools, get flagged as malware of something.hacktools and still get included i the stats?

    Too many unknown variables at the moment making this story potentially interesting but at present nothing surprising.

  14. Robert Carnegie Silver badge

    Is this the reason?

    Wikileaks have to get your secret data from you somehow??

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020