CIA programs to steal your SSH credentials (BothanSpy and Gyrfalcon)

Discussion in 'Linux News' started by Rob, Jul 7, 2017.

    WikiLeaks yesterday released documentation on two very specific scripts meant to steal OpenSSH login credentials from the client side. One script is for Windows clients, the other for Linux clients.

    On the Windows side of things, they have released documentation on a script called BothanSpy. This program targets the SSH client program Xshell on the Microsoft Windows platform and steals user credentials for all active SSH sessions. Their program works regardless of whether you're using a simple user/password, user/key, or user and key with password. It then sends the credentials / key file to a CIA-controlled server.

    Similarly, on the Linux side, there is a program called Gyrfalcon. The documentation on this program was written in January 2013 for v1 and November 2013 for v2. Scanning through the user guide for version 2.0 shows very detailed information on how to prepare and plant the software on the target computer, starting with how to cover your tracks:
    The document goes on in detail about what the package contains, for instance Gyrfalcon clients and libraries in both 32-bit and 64-bit flavors for:
    • CentOS 5.6 - 6.4
    • RHEL 4.0 - 6.4
    • Debian 6.0.8
    • Ubuntu 11.10
    • SuSE 10.1
    That being said, you have to remember the documentation was dated 2013, so you'd have to assume they have an updated version now to work with current Linux versions.

    It continues in detail on how to install it on the target system. Installing on the target system also requires that they install the JQC/KitV rootkit, also developed by the CIA.

    You can see they had a meeting about JQC as a rootkit in their NERDStech talk series meetings: https://fdik.org/wikileaks/year0/vault7/cms/page_2621796.html

    So, secure your systems, people. Attackers potentially trying to use these tools still need to somehow get a shell on your system in order to install this stuff.

    Detecting on your system
    As far as detecting it on your system goes, that's going to be tough, since:
    • The instructions tell the operator to name the script something else before uploading/running it
    • We don't have a copy of any of the scripts they're talking about
    But we do know a couple of things:
    • It runs in the background. A simple 'ps' will show you the processes and you should be able to spot something unfamiliar running, and kill it.
    • A missing history file would indicate that 'something' happened, though not necessarily this.
    • Evidence of the 'CIA' JQC/KitV rootkit on your system, which may be tough to find.

    More Information
    WikiLeaks announcement:
    https://wikileaks.org/vault7/#BothanSpy

    Gyrfalcon 2.0 User Manual:
    https://wikileaks.org/vault7/document/Gyrfalcon-2_0-User_Guide/Gyrfalcon-2_0-User_Guide.pdf

    Gyrfalcon 1.0 User Manual:
    https://wikileaks.org/vault7/document/Gyrfalcon-1_0-User_Manual/Gyrfalcon-1_0-User_Manual.pdf
    #1 Rob, Jul 7, 2017
    Last edited: Jul 7, 2017
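The detection section of the post above boils down to three generic checks: look at what is running, look at whether the shell history has been wiped, and look for signs of a rootkit. The script below is an added example written for this page; it is not part of Rob's post, and it is not derived from any leaked tool or document, since none of that code is available here. It goes a little beyond the post's bullets by doing the ps check as a comparison of `ps` output against a `/proc` listing (a standard way to spot a hidden process) and by flagging processes whose binary has been unlinked from disk. It assumes a Linux host with `/proc` and a procps-style `ps`, and it assumes the history files live at `$HOME/.bash_history` and `$HOME/.zsh_history`; the comparison and history functions take their input as arguments so they can be exercised on constructed data without a live system.

```shell
#!/bin/sh
# Added triage helper for the indicators the post lists (not part of the post
# or of any leaked tool). Assumes Linux /proc and a procps-style 'ps' when run
# with --run; the pure functions take their input as arguments.

# 1. Shell history: a history file that is missing, empty, or symlinked to
#    /dev/null is the kind of track-covering the post mentions.
#    Prints one of: missing | devnull | empty | ok
history_state() {
    f="$1"
    if [ -L "$f" ] && [ "$(readlink "$f")" = /dev/null ]; then
        echo devnull
    elif [ ! -e "$f" ]; then
        echo missing
    elif [ ! -s "$f" ]; then
        echo empty
    else
        echo ok
    fi
}

# 2. Process hiding: print every PID in the /proc view ($2) that the ps view
#    ($1) does not report. Both are whitespace-separated PID lists so the
#    comparison can be tested without a live system.
pids_missing_from_ps() {
    ps_view="$1"; proc_view="$2"
    for pid in $proc_view; do
        if ! printf '%s\n' $ps_view | grep -qx "$pid"; then
            echo "$pid"
        fi
    done
}

# Live wrapper for (2). Two caveats: a process started between the two
# snapshots shows up once (re-run to confirm), and a rootkit that hooks
# readdir() in libc or the kernel hides from both ps and a /proc listing, so
# an empty result does not prove the host is clean; a non-empty one is worth
# a closer look.
hidden_pids() {
    ps_view=$(ps -eo pid= | tr -d ' ')
    proc_view=""
    # Collected in the current shell, not a subshell, so that no short-lived
    # helper process of our own ends up in the /proc view.
    for d in /proc/[0-9]*; do
        proc_view="$proc_view ${d#/proc/}"
    done
    pids_missing_from_ps "$ps_view" "$proc_view"
}

# 3. A running process whose binary has been unlinked from disk (so a plain
#    'ls' or 'find' never sees it) shows up as "(deleted)" on its
#    /proc/<pid>/exe link. Prints "pid path" for each such process.
#    Kernel threads and other users' processes (unreadable link) are skipped.
deleted_exe_pids() {
    for d in /proc/[0-9]*; do
        target=$(readlink "$d/exe" 2>/dev/null) || continue
        case "$target" in
            *" (deleted)") echo "${d#/proc/} $target" ;;
        esac
    done
}

# Run all three checks against the live host (assumed history file paths).
triage() {
    for h in "$HOME/.bash_history" "$HOME/.zsh_history"; do
        echo "history $h: $(history_state "$h")"
    done
    echo "PIDs in /proc but not in ps:"
    hidden_pids
    echo "Processes running from deleted binaries:"
    deleted_exe_pids
}

# Usage: sh triage.sh --run
if [ "${1:-}" = "--run" ]; then
    triage
fi
```

None of this identifies the specific implant the post is about; it surfaces the kind of anomaly (a wiped history, a process that ps cannot see, a binary that no longer exists on disk) that any post-exploitation tooling tends to leave, which is as far as the public information allows.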