Vulnerability category: Backdoors and trojan horses
Vulnerability level:
Vulnerability information
Pandemic is a tool that runs as kernel shellcode to install a file system filter driver. The filter 'replaces' a target file with a given payload file when a remote user reads the file over SMB (read access only, not write). The substitution does not happen for files opened locally on the machine where Pandemic is running; the original file on that file server remains unchanged on disk and is only modified/replaced while in transit over SMB, before it is executed on the remote user's computer.
The goal of Pandemic is to be installed on a machine from which remote users use SMB to download and execute PE files.
QID Detection Logic:
This authenticated QID works by querying for the existence of the "HKLM\SYSTEM\CurrentControlSet\Services\Null\Instance" registry key, which is an indicator of a successful installation of the CIA's Pandemic Windows implant. The key is deleted when Pandemic is uninstalled from a system. This information was made public in a WikiLeaks post.
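The check below is an added example, not the Qualys QID implementation and not code from the WikiLeaks material: it runs the same registry test on a Windows host with PowerShell and, when the key is present, records its value names and data for the incident record. The parent key Services\Null belongs to the standard Null device driver and exists on a clean system; it is the Instance subkey under it that the QID treats as the indicator. The function name Test-PandemicIndicator and the output object layout are this example's own choices.

```powershell
# Added example: host-side check for the Pandemic indicator key cited by the QID.
# Not the Qualys scanner's own logic; function and output layout are assumptions.
$IndicatorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Null\Instance'

function Test-PandemicIndicator {
    param([string]$Path = $IndicatorKey)

    if (-not (Test-Path -Path $Path)) {
        # Clean result: the Instance subkey is absent.
        return [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            KeyPresent = $false
            Values     = $null
        }
    }

    # Key exists: capture its value names and data before anything is changed,
    # so the evidence survives a later uninstall (which deletes this key).
    $item = Get-ItemProperty -Path $Path
    $values = $item.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { '{0}={1}' -f $_.Name, $_.Value }

    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        KeyPresent = $true
        Values     = ($values -join '; ')
    }
}

$result = Test-PandemicIndicator
$result | Format-List

if ($result.KeyPresent) {
    Write-Warning ("Pandemic indicator key present on {0}: {1}. Treat the host as a compromised " +
                   "SMB file server and preserve evidence before remediation.") -f $result.Computer, $result.Values
}
```

Run it in an elevated session so the HKLM\SYSTEM hive is readable; to sweep a set of file servers, wrap the same function body in Invoke-Command against the host list and collect the returned objects. A positive result only says the key is present; the page gives no further indicator, so follow it up with an examination of the loaded file system filter drivers on that host rather than treating absence of other findings as a clean bill.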
Impact
A system infected with this persistent implant acts as a malicious file server for other systems on the network: any PE file a remote user fetches from it over SMB can be replaced in transit with an attacker-supplied payload, so one compromised file server can deliver malware to every host that executes files obtained from it.
Solution
N/A
Workaround:
N/A