WikiLeaks yesterday released documentation on two very specific scripts meant to steal OpenSSH login credentials from the client side. One script is for Windows clients, the other for Linux clients.
On the Windows side of things, they have released documentation on a script called BothanSpy. This program targets the SSH client program Xshell on the Microsoft Windows platform and steals user credentials for all active SSH sessions. It works regardless of whether you're using simple user/password, user/key, or user and key with password. It then sends the credentials / key file to a CIA-controlled server.
Similarly, on the Linux side, there is a program called Gyrfalcon. The documentation on this program was written in January 2013 for v.1 and November 2013 for v.2. Scanning through the user guide for version 2.0 shows very detailed information on how to prepare and plant the software on the target computer, starting with how to cover your tracks:
The document goes on to detail what the package contains, for instance, Gyrfalcon clients and libraries in both 32-bit and 64-bit flavors for:
- CentOS 5.6 - 6.4
- RHEL 4.0 - 6.4
- Debian 6.0.8
- Ubuntu 11.10
- SUSE 10.1
That being said, you have to remember the documentation was dated 2013, so you'd have to assume they have an updated version now to work with current Linux versions.
It continues in detail on how to install it on the target system. Installing on the target system also requires that they install the JQC/KitV rootkit, also developed by the CIA.
You can see they had a meeting about JQC as a rootkit in their NERDStech talk series meetings: https://fdik.org/wikileaks/year0/vault7/cms/page_2621796.html
So, secure your systems, people. Attackers potentially trying to use these tools still need to somehow get a shell on your system in order to install this stuff.
Detecting on your system
As far as detecting on your system, that's going to be tough since:
- The instructions note to name the script something before uploading/running it
- We don't have a copy of any of the scripts they're talking about
But we do know a couple of things:
- It runs in the background. A simple 'ps' will show you the processes and you should be able to spot something unfamiliar running, and kill it
- A missing history file would indicate that 'something' happened, though not necessarily this.
- If you find evidence of the 'CIA' JQC/KitV rootkit on your system, which may be tough.
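The first two indicators above (an unfamiliar background process and a missing history file) can be checked with a short script. This is an added example, not part of the leaked documentation or the original post; the function names, the `.bash_history` path and the one-name-per-line baseline file are assumptions of the example.

```shell
#!/bin/sh
# Added example: triage helpers for the indicators listed above.
# Function names and the baseline-file format are assumptions of this example.

# Classify one user's shell history file: ok | missing | empty | devnull
history_state() {
    hist="$1/.bash_history"
    if [ -L "$hist" ] && [ "$(readlink "$hist")" = "/dev/null" ]; then
        echo devnull        # history redirected to /dev/null
    elif [ ! -e "$hist" ]; then
        echo missing        # never created, or deleted
    elif [ ! -s "$hist" ]; then
        echo empty          # present but truncated to zero bytes
    else
        echo ok
    fi
}

# Read "PID COMMAND" lines (as from: ps -eo pid=,comm=) on stdin and print
# those whose command name is not in the baseline file (one name per line).
unfamiliar_procs() {
    baseline="$1"
    while read -r pid comm; do
        [ -n "$comm" ] || continue
        grep -qxF -- "$comm" "$baseline" || echo "$pid $comm"
    done
}

# Walk the home directories and the live process table.
triage() {
    baseline="$1"
    for home in /root /home/*; do
        [ -d "$home" ] || continue
        state=$(history_state "$home")
        [ "$state" = ok ] || echo "history $state: $home"
    done
    ps -eo pid=,comm= | unfamiliar_procs "$baseline"
}

# Run only when a baseline file is given: sh triage.sh /path/to/baseline.txt
if [ -n "${1:-}" ]; then triage "$1"; fi
```

Build the baseline from a known-good host of the same image. Because the tool is renamed before use and installed alongside a rootkit, a clean result from `ps` on the suspect host itself is weak evidence, so treat hits as leads and compare against an offline view of the disk where possible.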
Gyrfalcon 2.0 User Manual:
Gyrfalcon 1.0 User Manual: