OutlawCountry CIA Linux Hack

Chat about Linux in general
mike acker
Level 6
Posts: 1475
Joined: Wed Jul 31, 2013 6:29 pm
Location: Kalamazoo, MI

OutlawCountry CIA Linux Hack

Post by mike acker »

¡Viva la Resistencia!

Citizen229
Level 5
Posts: 836
Joined: Fri Nov 04, 2016 12:09 pm
Location: NW Ohio

Re: OutlawCountry CIA Linux Hack

Post by Citizen229 »

Great article. However, I didn't understand it. :P You did not provide a translation. :D
Folding@home Project
Team Linux Mint-76140
PM for info on how you can help. Or visit viewtopic.php?f=58&t=243792
Seeking GPU's, i5/7/9's , Ryzens.

Hoser Rob
Level 16
Posts: 6079
Joined: Sat Dec 15, 2012 8:57 am

Re: OutlawCountry CIA Linux Hack

Post by Hoser Rob »

Citizen229 wrote: Great article. However, I didn't understand it. :P You did not provide a translation. :D
It's in English.

I'm certainly not against WikiLeaks in general. But now they're teaching hackers how to hack you better, and I'm against that.

And is ANYONE surprised that these guys have Linux exploits? They have hacks for every OS there is.

Citizen229
Level 5
Posts: 836
Joined: Fri Nov 04, 2016 12:09 pm
Location: NW Ohio

Re: OutlawCountry CIA Linux Hack

Post by Citizen229 »

It wasn't the English, it was the technospeak :D
Folding@home Project
Team Linux Mint-76140
PM for info on how you can help. Or visit viewtopic.php?f=58&t=243792
Seeking GPU's, i5/7/9's , Ryzens.

altair4
Level 19
Posts: 9997
Joined: Tue Feb 03, 2009 10:27 am

Re: OutlawCountry CIA Linux Hack

Post by altair4 »

Citizen229 wrote: It wasn't the English, it was the technospeak :D
The only relevant English part is this:
This new malware strain’s details have been leaked in the form of a user manual, which describes that OutlawCountry tool consists of a kernel module for Linux 2.6, using which CIA can modify the network traffic and redirect it for ex- and infiltration purposes.

The OutlawCountry's prerequisites for operation are a compatible 64-bit CentOS/RHEL 6.x operating system, shell access and root access to the target, and the target must have a “nat” netfilter table.
If you are running Red Hat Enterprise Linux 6 in your home I strongly suggest you update. :)
Please add a [SOLVED] at the end of your original subject header if your question has been answered and solved.

mike acker
Level 6
Posts: 1475
Joined: Wed Jul 31, 2013 6:29 pm
Location: Kalamazoo, MI

Re: OutlawCountry CIA Linux Hack

Post by mike acker »

Thoughts,--

1. I didn't try to parse the article. I'd just note that *this exploit* targets systems with (see article) certain characteristics.

2. WikiLeaks: Thoughts: It's better that we know about the exploit than to have a select few hackers taking advantage of it on the Q.T.
¡Viva la Resistencia!

wallyUSA
Level 5
Posts: 725
Joined: Thu Jun 08, 2017 2:31 pm
Location: Top of Georgia

Re: OutlawCountry CIA Linux Hack

Post by wallyUSA »

Will this affect me? If so, what should I do? Using generic Mint Cinnamon (see signature below).
Tricia 19.3 Cinnamon 4.4.8 Kernel 5.3.0-53 (64 bit). {Dell XPS 13}
Please, if your query has been resolved, edit your first post and add [SOLVED] to the beginning of the subject line. This may help others find solutions.

altair4
Level 19
Posts: 9997
Joined: Tue Feb 03, 2009 10:27 am

Re: OutlawCountry CIA Linux Hack

Post by altair4 »

Your question has been answered
Please add a [SOLVED] at the end of your original subject header if your question has been answered and solved.

Spearmint2
Level 16
Posts: 6891
Joined: Sat May 04, 2013 1:41 pm
Location: Maryland, USA

Re: OutlawCountry CIA Linux Hack

Post by Spearmint2 »

I was just coming here to post that. Here are some links a friend sent me. I would think so long as nobody uses an outside PPA, and only repository files, they should be safe from this. One could also run a search on all mods in their kernel and see if it's there.

Code:

lsmod
or maybe check the iptables?

Code:

modinfo ip_tables x_tables ip6_tables
A lot more networking mods below, and even those aren't all of them.

https://www.bleepingcomputer.com/news/s ... x-systems/

http://www.ibtimes.co.uk/can-cia-hack-l ... re-1628400
"OutlawCountry allows for the redirection of all outbound network traffic on the target computer to CIA controlled machines for ex- and infiltration purposes. The malware consists of a kernel module that creates a hidden netfilter table on a Linux target; with knowledge of the table name, an operator can create rules that take precedence over existing netfilter/iptables rules and are concealed from a user or even system administrator," WikiLeaks said in its blog, explaining the malware's capabilities.

According to WikiLeaks, not much is known about the malware's "installation and persistence methods". The whistleblowing site said that the spy agency's operators would instead need to depend on other CIA exploits and backdoors to infect systems with the malware.
One can check all mods, and also the specific IP mods in the kernel.

Code:

lsmod; modinfo ip_tables x_tables ip6_tables iptable_filter ip6table_filter nf_defrag_ipv4 nf_conntrack_ipv4 nf_conntrack_ipv6 ip6t_rt ip6t_REJECT 
Some others with conntrack in their name would need checking too.
Last edited by Spearmint2 on Sat Jul 01, 2017 12:43 pm, edited 1 time in total.
All things go better with Mint. Mint julep, mint jelly, mint gum, candy mints, pillow mints, peppermint, chocolate mints, spearmint,....

Spearmint2
Level 16
Posts: 6891
Joined: Sat May 04, 2013 1:41 pm
Location: Maryland, USA

Re: OutlawCountry CIA Linux Hack

Post by Spearmint2 »

altair4 wrote: The only relevant English part is this:
This new malware strain’s details have been leaked in the form of a user manual, which describes that OutlawCountry tool consists of a kernel module for Linux 2.6, using which CIA can modify the network traffic and redirect it for ex- and infiltration purposes.
The OutlawCountry's prerequisites for operation are a compatible 64-bit CentOS/RHEL 6.x operating system, shell access and root access to the target, and the target must have a “nat” netfilter table.
If you are running Red Hat Enterprise Linux 6 in your home I strongly suggest you update. :)
Seems targeted mostly at enterprise servers instead of desktop users. Although it seems routers may be targeted too, if this statement is correct:
the target must have a “nat” netfilter table.
If interested, one can read the info on iptables in terminal.

Code:

info iptables
Here's all you need to know about the exploit from the CIA's manual on it.
SECRET//NOFORN
3. (U) System Description
3.1 (U) Technical References
Table 2 - (S//NF) Included Files
File Name          Size   MD5
nf_table_6_64.ko   9672   2CB8954A3E683477AA5A084964D4665D
(S//NF) When the module is loaded, the hidden table is named “dpxvke8h18”.
IPv6 is not supported.
Last edited by Spearmint2 on Sat Jul 01, 2017 1:06 pm, edited 4 times in total.
All things go better with Mint. Mint julep, mint jelly, mint gum, candy mints, pillow mints, peppermint, chocolate mints, spearmint,....
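A defender-side check built from the details quoted in the post above (the lsmod/modinfo idea, the module file name from the manual's table, and the table name dpxvke8h18), as an added example that is not code from the thread or the leaked manual. It assumes nf_table_6_64.ko loads under the module name nf_table_6_64 and that a stock iptables host registers only the filter, nat, mangle, raw and security tables; the sample lsmod output and table list are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added defender-side check; not code from the thread or the leaked manual.
# Assumptions: the manual's nf_table_6_64.ko loads as module "nf_table_6_64",
# and a stock iptables host registers only the tables listed below.
STANDARD_TABLES="filter nat mangle raw security"
OUTLAW_TABLE="dpxvke8h18"   # hidden table name quoted from the manual excerpt

# $1: table names, one per line (the format of /proc/net/ip_tables_names).
# Prints every table outside the standard set; returns 1 if any were found.
unexpected_tables() {
    found=0
    for t in $1; do
        case " $STANDARD_TABLES " in
            *" $t "*) ;;
            *) echo "unexpected netfilter table: $t"; found=1 ;;
        esac
    done
    return $found
}

# $1: lsmod-style output. Returns 1 if the OutlawCountry module is listed.
outlaw_module_loaded() {
    printf '%s\n' "$1" | awk '$1 == "nf_table_6_64" { hit = 1 } END { exit (hit ? 1 : 0) }'
}

# Run every check against the live host (iptables needs root). Returns 0 if clean.
check_live_host() {
    rc=0
    if [ -r /proc/net/ip_tables_names ]; then
        unexpected_tables "$(cat /proc/net/ip_tables_names)" || rc=1
    fi
    outlaw_module_loaded "$(lsmod 2>/dev/null)" || rc=1
    # Once the name is known, the "hidden" table answers ordinary iptables queries.
    if iptables -t "$OUTLAW_TABLE" -S >/dev/null 2>&1; then
        echo "netfilter table $OUTLAW_TABLE is present"; rc=1
    fi
    return $rc
}

# Constructed sample input standing in for an infected host (not real output).
SAMPLE_TABLES="filter
nat
dpxvke8h18"
SAMPLE_LSMOD="Module                  Size  Used by
nf_table_6_64           9672  0
ip_tables              27240  1 iptable_filter"
# On a real host run check_live_host as root; these lines only exercise the sample.
unexpected_tables "$SAMPLE_TABLES" || echo "sample: suspicious table found"
outlaw_module_loaded "$SAMPLE_LSMOD" || echo "sample: OutlawCountry module loaded"
```

On a live system call check_live_host as root; a non-zero return means at least one of the three artifacts was found.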

Spearmint2
Level 16
Posts: 6891
Joined: Sat May 04, 2013 1:41 pm
Location: Maryland, USA

Re: OutlawCountry CIA Linux Hack

Post by Spearmint2 »

wallyUSA wrote: Will this affect me? If so, what should I do? Using generic Mint Cinnamon (see signature below).
So long as you don't use outside PPA's to install programs, it's highly unlikely your kernel would be infected.
All things go better with Mint. Mint julep, mint jelly, mint gum, candy mints, pillow mints, peppermint, chocolate mints, spearmint,....

altair4
Level 19
Posts: 9997
Joined: Tue Feb 03, 2009 10:27 am

Re: OutlawCountry CIA Linux Hack

Post by altair4 »

Where the hell did the PPA stipulation come from? You can run a PPA on a Red Hat Enterprise Server?

And you have Red Hat running on your router? Damn, how much did you pay for that thing?

Look, folks, you are just going to have to have faith that the folks who wear the big boy pants over at Ubuntu will fix whatever credible security issue comes up that is relevant to its operating system. Same with Debian.

Either that or stop using Mint immediately and move into the abandoned cabin that Ted Kaczynski left behind.

Mint will notify you by phone with the all-clear. If you have no phone they will contact you by courier.
Please add a [SOLVED] at the end of your original subject header if your question has been answered and solved.

Spearmint2
Level 16
Posts: 6891
Joined: Sat May 04, 2013 1:41 pm
Location: Maryland, USA

Re: OutlawCountry CIA Linux Hack

Post by Spearmint2 »

Where the hell did the PPA stipulation come from?
Just general advice to avoid most exploits, not just this latest attempt.
You can run a PPA on a Red Hat Enterprise Server?
Why not? It's Linux.
And you have Red Hat running on your router? Damn, how much did you pay for that thing?
Nope, WRT, but routers do have NAT on them.
Look, folks, you are just going to have to have faith that the folks who wear the big boy pants over at Ubuntu will fix whatever credible security issue comes up that is relevant to its operating system. Same with Debian.
That's the sandy buckethead approach. Fill bucket with sand, stick your head in it, trust all will be OK.
Either that or stop using Mint immediately and move into the abandoned cabin that Ted Kaczynski left behind.
That was a very efficient cabin he built, but unfortunately for those who might want it, the Newseum already does.

It's uncanny how much it looked like my own shed. No, it's not for sale. ;)
All things go better with Mint. Mint julep, mint jelly, mint gum, candy mints, pillow mints, peppermint, chocolate mints, spearmint,....
