Security expert Vesselin Bontchev has scanned the WikiLeaks data-dump from Turkey’s ruling political party (AKP) and found at least 80 different malware strains contained within the emails.
On his GitHub page, Bontchev published a neutered list of the affected emails (the links are disabled and defanged so that they cannot easily be followed by bots indexing the page), and the list is impressive.
Anyone searching the WikiLeaks database could easily download a malware attachment by clicking on the wrong link. Dr. Bontchev disclosed the links safely in his report and said that his findings were “by no means exhaustive.” He said most of the malware discovered was “run-of-the-mill” spam, scams and phishing enticing the recipient to open the enclosed attachment, which is bad news for any journalists or anti-censorship advocates investigating the leak by searching WikiLeaks.
Here is a sample of the data provided by Dr. Bontchev:
As a caveat to anyone searching data dumps: this type of accidental infection is a hazard you need to be aware of, since links in emails can easily lead you to a malicious payload. We liken it to dumpster diving at a hospital: you hope that all the hypodermic needles were placed in a sharps disposal bin, but there is always a risk that some went into the regular trash.
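The check this caveat calls for, as an added example that is not Bontchev's code and not part of the original article: hash every attachment in a downloaded message and match the hashes against rows in the three-column format of his neutered list (e-mail id, defanged URL, VirusTotal MD5) before anyone opens the file. The rows, the message and the `invoice.exe` payload are constructed, and the listed MD5 is derived from that payload so the demo runs offline; a real list would carry the analyst's VirusTotal hashes.

```python
# Added example (not Bontchev's code). Match attachment MD5s against rows of
# the form "e-mail id | defanged URL | MD5"; all sample data below is constructed.
import hashlib
import re
from email import message_from_bytes
from email.policy import default

ROW_RE = re.compile(r"^\s*(\d+)\s*\|\s*(\S+)\s*\|\s*([0-9A-Fa-f]{32})\s*\|?\s*$")

def parse_ioc_rows(text: str) -> dict[str, tuple[str, str]]:
    """Map upper-case MD5 -> (e-mail id, defanged URL); lines that are not rows are skipped."""
    matches = (ROW_RE.match(line) for line in text.splitlines())
    return {m.group(3).upper(): (m.group(1), m.group(2)) for m in matches if m}

def attachment_hashes(raw_eml: bytes) -> list[tuple[str, str]]:
    """(filename, upper-case MD5) for every decoded attachment in an RFC 822 message."""
    msg = message_from_bytes(raw_eml, policy=default)
    result = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)  # None for nested multipart parts
        if payload is not None:
            result.append((part.get_filename() or "<unnamed>",
                           hashlib.md5(payload).hexdigest().upper()))
    return result

def flag_attachments(raw_eml: bytes, iocs: dict) -> list[tuple[str, str, str]]:
    """(filename, MD5, e-mail id) for attachments whose hash appears on the list."""
    return [(name, digest, iocs[digest][0])
            for name, digest in attachment_hashes(raw_eml) if digest in iocs]

SAMPLE_PAYLOAD = b"NOT A REAL EXE!"  # constructed stand-in for a binary attachment
SAMPLE_EML = b"""From: sender@example.invalid
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"
Content-Transfer-Encoding: base64

Tk9UIEEgUkVBTCBFWEUh
--b1--
"""
SAMPLE_ROWS = f"""11111 | hxxp://example[.]invalid/fileid/11111/1 | {hashlib.md5(SAMPLE_PAYLOAD).hexdigest()} |
22222 | hxxp://example[.]invalid/fileid/22222/2 | {'0' * 32} |
"""

if __name__ == "__main__":
    for name, digest, email_id in flag_attachments(SAMPLE_EML, parse_ioc_rows(SAMPLE_ROWS)):
        print(f"DO NOT OPEN {name}: MD5 {digest} is listed for e-mail {email_id}")
```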