Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//NOFORN
(S) Pandemic 1.1
1 (U) Tool Summary
(S//NF) Pandemic is a tool which is run as kernel shellcode to install a file system filter
driver. The filter will 'replace' a target file with the given payload file when a remote
user accesses the file via SMB (read-only, not write). Pandemic will not 'replace' the
target file when the target file is opened on the machine Pandemic is running on. The
goal of Pandemic is to be installed on a machine where remote users use SMB to
download/execute PE files.
(S//NF) Pandemic does NOT//NOT make any physical changes to the targeted file on
disk. The targeted file on the system Pandemic is installed on remains unchanged. Users
that are targeted by Pandemic, and use SMB to download the targeted file, will receive
the 'replacement' file.
(S//NF) Pandemic can operate against 32- and 64-bit targets, but 1.0 was only developer-tested
against 64-bit targets due to the CONOPs in mind at the time.
(S//NF) Pandemic 1.1 added the ability to target and replace multiple files, up to a
maximum of 20. Also, the 1.1 builder dynamically re-sizes the output bin file to the
size needed to contain all the payload data, so there is no longer an absolute
cap on total output bin size. There is, however, a hard-coded cap on the maximum size of a
single replacement file (800MB). Pandemic 1.1 also made some changes to
improve the robustness of the swapping mechanism.
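The swap described above happens only on the SMB read path; the bytes on the server's disk are left untouched. That gives a defender a direct check: hash the file as a remote SMB client receives it and hash the same file on the server through a local read, and compare. The script below is an added example written for this page, not part of the Pandemic documentation or tooling. The server name, share name, local share root and file list are assumptions; Invoke-Command reaches the server over WinRM, so the server-side hash comes from a local file read rather than from SMB.

```powershell
# Added example (not from the original document): compare the SHA-256 a remote
# SMB client sees with the SHA-256 the file server computes locally. A mismatch
# for a file that is not being written indicates the content is being swapped
# on the SMB read path while the on-disk file is unchanged.
param(
    [string]$Server    = 'FILESRV01',        # assumed file server hostname
    [string]$Share     = 'Tools',            # assumed share name
    [string]$LocalRoot = 'D:\Shares\Tools',  # assumed local path of that share on the server
    [string[]]$Files   = @('bin\update.exe', 'bin\agent.dll')  # assumed files to check
)

# Collect the server-side view in one remote session: hash and size of each
# file read locally on the server, where the SMB filter is not in the path.
$localView = Invoke-Command -ComputerName $Server -ScriptBlock {
    param($root, $names)
    foreach ($n in $names) {
        $p = Join-Path $root $n
        [pscustomobject]@{
            Name = $n
            Hash = (Get-FileHash -Path $p -Algorithm SHA256).Hash
            Size = (Get-Item -Path $p).Length
        }
    }
} -ArgumentList $LocalRoot, $Files

$mismatches = 0
foreach ($entry in $localView) {
    # Client-side view: read the same file over SMB from this host.
    $unc        = "\\$Server\$Share\$($entry.Name)"
    $remoteHash = (Get-FileHash -Path $unc -Algorithm SHA256).Hash
    $remoteSize = (Get-Item -Path $unc).Length

    if ($remoteHash -ne $entry.Hash) {
        $mismatches++
        Write-Warning ("MISMATCH {0}: local SHA256={1} size={2}; SMB SHA256={3} size={4}" -f `
            $entry.Name, $entry.Hash, $entry.Size, $remoteHash, $remoteSize)
    } else {
        Write-Output ("OK {0}: {1} ({2} bytes)" -f $entry.Name, $remoteHash, $remoteSize)
    }
}

Write-Output ("{0} file(s) checked, {1} mismatch(es)" -f $localView.Count, $mismatches)
```

Run it from the kind of client that actually pulls executables from the share: the summary says the replacement is served to users who are targeted and fetch the file over SMB, so a clean result from an admin workstation does not clear the share for other clients. A size difference between the two views is a second signal, since a replacement file need not match the original's length.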
2 (U) Release Notes
(S) Version 1.1 accepts multiple string entries for the -t and -r arguments. Version 1.1
no longer caps the total output size of the bin file and re-sizes it appropriately.
3 (U) User's Guide
3.1 (U) Change Log
Table 1: (S) Change log (contents SECRET)

Revision   Date               Author    Notes
1.0        17 April, 2014     AED/RDB   Initial version.
1.1        16 January, 2014   AED/RDB   Updates for Pandemic 1.1
3.2 (U) File Information
Table 2: (S) File information (contents SECRET//NOFORN)
Pandemic_Builder.exe
Control.dll