Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
OutlawCountry: CIA Malware Source Wikileaks {SOLVED}
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Kernel & Hardware
View previous topic :: View next topic  
Author Message
kkinkouu
Tux's lil' helper
Tux's lil' helper


Joined: 17 Aug 2015
Posts: 89
Location: United Kingdom

PostPosted: Wed Jul 05, 2017 2:44 pm    Post subject: OutlawCountry: CIA Malware Source Wikileaks {SOLVED} Reply with quote

Hi guys,

I came across this article while reading through wikileak's. I tend to read as much as i can on a number of subjects from multiple sources. https://wikileaks.org/vault7/#OutlawCountry

8O

Quote:

OutlawCountry 29 June, 2017

Today, June 29th 2017, WikiLeaks publishes documents from the OutlawCountry project of the CIA that targets computers running the Linux operating system. OutlawCountry allows for the redirection of all outbound network traffic on the target computer to CIA controlled machines for ex- and infiltration purposes. The malware consists of a kernel module that creates a hidden netfilter table on a Linux target; with knowledge of the table name, an operator can create rules that take precedence over existing netfilter/iptables rules and are concealed from an user or even system administrator.

The installation and persistence method of the malware is not described in detail in the document; an operator will have to rely on the available CIA exploits and backdoors to inject the kernel module into a target operating system. OutlawCountry v1.0 contains one kernel module for 64-bit CentOS/RHEL 6.x; this module will only work with default kernels. Also, OutlawCountry v1.0 only supports adding covert DNAT rules to the PREROUTING chain.


It only seems to effect 64-bit CentOS/RHEL 6.x

My question is, can this in anyway effect the Gentoo kernel? My educated guess would be "no" & i know it's a self evident answer :D , but i thought i'd better ask, just to be 100% sure 8)

Kkinkouu


Last edited by kkinkouu on Wed Jul 05, 2017 5:24 pm; edited 1 time in total
Back to top
View user's profile Send private message
eccerr0r
Watchman
Watchman


Joined: 01 Jul 2004
Posts: 7070
Location: almost Mile High in the USA

PostPosted: Wed Jul 05, 2017 3:46 pm    Post subject: Reply with quote

Sounds like an instrumentation hack - means they need to acquire root first, then they can monitor. But all bets are off if they get root first anyway.

Doesn't sound like anything that critical unless one wants detection of the malware - so that needs to be done by some other method. However it's not like the principle can't be applied to other Linux like Gentoo -- but once again, if they get root first, all bets are off.
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?
Back to top
View user's profile Send private message
kkinkouu
Tux's lil' helper
Tux's lil' helper


Joined: 17 Aug 2015
Posts: 89
Location: United Kingdom

PostPosted: Wed Jul 05, 2017 5:21 pm    Post subject: Reply with quote

eccerr0r wrote:
Sounds like an instrumentation hack - means they need to acquire root first, then they can monitor. But all bets are off if they get root first anyway.

Doesn't sound like anything that critical unless one wants detection of the malware - so that needs to be done by some other method. However it's not like the principle can't be applied to other Linux like Gentoo -- but once again, if they get root first, all bets are off.


Thanks, just wanted some else's opinion on it. Was inclined to think it may be very difficult to apply such a hack as you've elaborated on. And the way in which the US government and it's affiliates are doing things these days (their at it again ie wannacry which is windows, but you never know), just raised concerns when i read the article and data sheets.

Thanks again :)
Back to top
View user's profile Send private message
eccerr0r
Watchman
Watchman


Joined: 01 Jul 2004
Posts: 7070
Location: almost Mile High in the USA

PostPosted: Wed Jul 05, 2017 5:28 pm    Post subject: Reply with quote

Difficult... no. I don't think the idea is hard to "port" to Gentoo though because each Gentoo install tends to be slightly different, a general solution may be a bit more difficult (though it's still Linux!)

But again all bets are off if they get root. Stuff like stack clash are the enablers.
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 13607

PostPosted: Thu Jul 06, 2017 1:06 am    Post subject: Reply with quote

I concur with eccerr0r. The attack is likely not directly portable to Gentoo systems in its built form, but the principles are easy enough to apply to any Linux. Worry about denying the attacker root access, and you will block this (and many many other bad things) as a natural consequence. Worrying about this specific attack is treating the symptom (privileged intruders can do bad things) rather than the disease (intruders might gain privilege and use it against you).
Back to top
View user's profile Send private message
kkinkouu
Tux's lil' helper
Tux's lil' helper


Joined: 17 Aug 2015
Posts: 89
Location: United Kingdom

PostPosted: Thu Jul 06, 2017 8:22 am    Post subject: Reply with quote

@Hu & eccerr0r

Thanks for the insight guys much appreciated. I'll keep these thoughts in mind
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Kernel & Hardware All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum