WikiLeaks publishes a very unusual CIA hacking tool

02 June 2017, 12:53 | Technologies

After two weeks of silence, the WikiLeaks portal published another hacking tool from the CIA arsenal. The malware, Pandemic, is designed to compromise computers with shared folders from which users download files over the SMB protocol. Pandemic stands out for its unusual, original operating principle and is unlike any other malware.

According to the instructions published by WikiLeaks, the program is installed on the targeted system as a "file system filter driver". Its task is to monitor SMB traffic and detect users' attempts to download shared files from the infected computer. Pandemic intercepts download requests and responds on behalf of the infected system, but sends users infected files instead of the legitimate ones.

If the instructions are to be believed, in a single run the program can replace up to 20 files (both 32-bit and 64-bit) with a maximum file size of 800 MB. Installing Pandemic takes only 15 seconds. The tool was specifically designed to replace executable files, especially those stored in public folders on corporate networks.

The purpose of Pandemic is to infect corporate file-sharing servers and install malware on employee computers.

When the malware enters a network, it is very difficult to determine the source of the infection and the first infected system. This is because the Pandemic file system driver detects when a local user manually accesses one of the shared files and returns a clean version of the file rather than the malicious one that is sent over SMB. Thus, to detect infected devices, system administrators must download the files over SMB from other computers and scan them.
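The check described in the last paragraph can be sketched as a comparison of two views of the same share. This is an added example, not code from the article or from the published instructions. It assumes `local_root` is the shared folder as read on the file server itself and `smb_copy_root` is a copy of the same folder downloaded over SMB from another computer; the function names, the extension list and the sample files are constructed for illustration. It compares hashes, which goes one step beyond scanning the downloaded copy.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions treated as executable content (an assumption for this example).
EXECUTABLE_EXTS = {".exe", ".dll", ".msi", ".scr"}

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def hash_tree(root):
    """Map lower-cased relative path -> SHA-256 for each executable under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix().lower(): sha256_file(p)
            for p in root.rglob("*")
            if p.is_file() and p.suffix.lower() in EXECUTABLE_EXTS}

def compare_views(local_root, smb_copy_root):
    """Return {relative_path: finding} for every file where the views disagree."""
    local, remote = hash_tree(local_root), hash_tree(smb_copy_root)
    findings = {}
    for rel in sorted(local.keys() | remote.keys()):
        if rel not in remote:
            findings[rel] = "missing_over_smb"
        elif rel not in local:
            findings[rel] = "missing_locally"
        elif local[rel] != remote[rel]:
            findings[rel] = "content_differs"  # same name, different bytes over SMB
    return findings

def demo():
    """Compare two constructed directory trees (sample data, not real files)."""
    with tempfile.TemporaryDirectory() as local, tempfile.TemporaryDirectory() as smb:
        for root, setup in ((local, b"clean installer"), (smb, b"altered installer")):
            Path(root, "tools").mkdir()
            Path(root, "tools", "setup.exe").write_bytes(setup)
            Path(root, "viewer.exe").write_bytes(b"same bytes in both views")
            Path(root, "readme.txt").write_bytes(root.encode())  # differs, not executable
        return compare_views(local, smb)

if __name__ == "__main__":
    print(demo())
```

A `content_differs` finding only shows that the two views disagree; a file legitimately updated between the two reads produces the same result, so flagged files still need to be scanned.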



