"Today, June 29th 2017, WikiLeaks publishes documents from the OutlawCountry project of the CIA that targets computers running the Linux operating system. OutlawCountry allows for the redirection of all outbound network traffic on the target computer to CIA controlled machines for ex- and infiltration purposes. The malware consists of a kernel module that creates a hidden netfilter table on a Linux target; with knowledge of the table name, an operator can create rules that take precedence over existing netfilter/iptables rules and are concealed from a user or even system administrator.
The installation and persistence method of the malware is not described in detail in the document; an operator will have to rely on the available CIA exploits and backdoors to inject the kernel module into a target operating system. OutlawCountry v1.0 contains one kernel module for 64-bit CentOS/RHEL 6.x; this module will only work with default kernels. Also, OutlawCountry v1.0 only supports adding covert DNAT rules to the PREROUTING chain."
https://www.wikileaks.org/vault7/#OutlawCountry
-- Leaked Documents:
= OutlawCountry v1.0 User Manual
https://www.wikileaks.org/vault7/document/OutlawCountry_v1_0_User_Manual/
(PDF) https://www.wikileaks.org/vault7/document/OutlawCountry_v1_0_User_Manual/OutlawCountry_v1_0_User_Manual.pdf
= OutlawCountry v1.0 Test Plan
https://www.wikileaks.org/vault7/document/OutlawCountry_v1_0_Test_Plan/
(PDF) https://www.wikileaks.org/vault7/document/OutlawCountry_v1_0_Test_Plan/OutlawCountry_v1_0_Test_Plan.pdf
(Score: 4, Interesting) by jmorris on Saturday July 01 2017, @12:35AM (3 children)
You don't run RHEL/CentOS. Stock is the name of the game, often to be able to insert closed source modules. And you certainly want to retain support, especially for RHEL.
No, what I have found most interesting about the Vault 7 leaks so far is how incompetent the CIA is. Yea I realize this was all from a skunkworks deal where they were trying to develop their own tools to use in cases where the good stuff at NSA couldn't be used because of too much oversight and requirement to actually obey laws and crap, but damn! Read the PDF, this thing can't even reliably hide itself. If iptables gets reloaded it pops up in the output of lsmod. And haven't these super geniuses heard of dkms? Run it, harvest the module and then remove the package to delete the trace, or just gimp the rpm command to hide it if you are so super government spy level. Either way you get a module that installs anywhere the dkms toolchain exists. Or just see what kernel is installed and spin up a VM on your network with it and build the module. Either way, bottom line is they are not impressing with their 3133t 5k1|z.
Scary thought for the day. What if Wikileaks gets the NSA's stuff and we discover it isn't much better? That the script kiddies and ransomware peeps are actually BETTER.
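Added example (not from the leaked documents, WikiLeaks, or the poster above): a small defender-side consistency check for the two symptoms the thread describes, a netfilter table that is not one of the stock ones (the leak summary) and a module that drops out of lsmod (jmorris's comment). It reads `/proc/net/ip_tables_names`, `/proc/modules` and `/sys/module` and flags mismatches. Assumptions are labelled in the code: the stock table set is what an unmodified kernel registers, and only modules loaded from a `.ko` carry an `initstate` file under `/sys/module/<name>/`. These are generic heuristics for this class of behaviour, not a signature for any specific tool, and the sample data is constructed.

```python
"""Consistency checks for hidden netfilter tables and lsmod-hidden modules.

Added example; not code from the leak or the forum post. Heuristics only."""
import os

# Assumed stock IPv4 netfilter table names on an unmodified kernel.
STOCK_TABLES = frozenset({"filter", "nat", "mangle", "raw", "security"})


def unexpected_tables(registered, stock=STOCK_TABLES):
    """Return table names from /proc/net/ip_tables_names that are not stock."""
    names = {line.strip() for line in registered if line.strip()}
    return sorted(names - set(stock))


def modules_hidden_from_lsmod(proc_modules_lines, sysfs_modules):
    """Return module names present in sysfs but absent from /proc/modules.

    lsmod is only a pretty-printer for /proc/modules, so a module that has
    unlinked itself from the kernel's module list vanishes there while the
    sysfs directory created at load time usually remains.
    """
    listed = {line.split()[0] for line in proc_modules_lines if line.strip()}
    return sorted(set(sysfs_modules) - listed)


def read_lines(path):
    """Read a proc file; [] when missing or unreadable (ip_tables_names is
    root-only on most kernels, so run the live check as root)."""
    try:
        with open(path) as fh:
            return fh.read().splitlines()
    except OSError:
        return []


def read_sysfs_modules(root="/sys/module"):
    """Loadable modules according to sysfs. Assumption: only modules loaded
    from a .ko have an 'initstate' attribute; built-in code that merely
    exports parameters also gets a /sys/module entry but no initstate."""
    try:
        return [name for name in os.listdir(root)
                if os.path.isfile(os.path.join(root, name, "initstate"))]
    except OSError:
        return []


def run_live_checks():
    """Apply both checks to the running host; returns a findings dict."""
    return {
        "unexpected_tables": unexpected_tables(
            read_lines("/proc/net/ip_tables_names")),
        "modules_hidden_from_lsmod": modules_hidden_from_lsmod(
            read_lines("/proc/modules"), read_sysfs_modules()),
    }


# Constructed sample data (not captured from any real system).
SAMPLE_TABLES = ["filter", "nat", "mangle", "constructed_table"]
SAMPLE_PROC_MODULES = [
    "iptable_nat 12288 1 - Live 0xffffffffc0a1d000",
    "nf_nat 57344 1 iptable_nat, Live 0xffffffffc0a02000",
]
SAMPLE_SYSFS_MODULES = ["iptable_nat", "nf_nat", "constructed_mod"]

if __name__ == "__main__":
    print("sample tables:", unexpected_tables(SAMPLE_TABLES))
    print("sample modules:", modules_hidden_from_lsmod(
        SAMPLE_PROC_MODULES, SAMPLE_SYSFS_MODULES))
    print("live host:", run_live_checks())
```

Both checks are cheap enough to run from cron and diff against a known-good baseline; an empty result is not proof of a clean host, since a module that also removes its sysfs directory or reuses a stock table name passes both.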
(Score: 3, Informative) by butthurt on Saturday July 01 2017, @01:39AM
> What if Wikileaks gets the NSA's stuff and we discover it isn't much better? That the script kiddies and ransomware peeps are actually BETTER.
Exploits purportedly used by the NSA were leaked, and became the basis of ransomware.
/article.pl?sid=17/05/13/116235 [soylentnews.org]
(Score: 1, Funny) by Anonymous Coward on Saturday July 01 2017, @02:18AM
... with the Kennedy assassination?
He's dead, ain't he?
(Score: 2) by kaszz on Saturday July 01 2017, @05:01AM
The leak could be engineered to make the case they aren't that good and it's possible the CIA isn't even aware of some black budget program that has the "real skills".