Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//NOFORN
Forensic Signature Gyrfalcon v1.0 User Manual
5 Forensic Signature
5.1 Filesystem Artifacts
Gyrfalcon saves its collected data to a file in its working directory throughout its operation. It does not make any attempt on its own to hide this file.
The Gyrfalcon executable can safely be removed from disk once it is up and running. Note that on Linux the running process still exposes the unlinked binary through /proc/<pid>/exe (the link target is suffixed "(deleted)"), so the image remains recoverable from a live system until the process exits.
Gyrfalcon deletes its configuration file from disk as soon as it is parsed but re-writes it to disk upon normal shutdown (e.g., via SIGTERM).
5.2 In-memory Artifacts
The Gyrfalcon executable remains running as a standard multi-threaded daemon root process. It opens a UNIX domain socket to the kernel to receive notifications of launched processes, and it creates a POSIX semaphore to ensure that no additional Gyrfalcon instances can run at the same time.
Gyrfalcon attaches to launched SSH processes using the ptrace API. A process that is being traced can be detected in several ways; one is to read /proc/<pid>/status. For example:
$ cat /proc/14164/status
Name: gnome-terminal
State: T (tracing stop)
SleepAVG: 98%
Tgid: 14164
Pid: 14164
PPid: 1
TracerPid: 25716
Uid: 500 500 500 500
Gid: 500 500 500 500
FDSize: 64
The TracerPid field holds the process id of the tracer (in this case, Gyrfalcon) and is 0 when no tracer is attached; it is set for the whole time the tracer is attached. On some systems it may be just a 1 or 0 to indicate whether the process is being traced or not. The State field may also indicate tracing, but only while the tracee is actually stopped at a ptrace event: the listing above shows "T (tracing stop)", and newer Linux kernels print it as "t (tracing stop)" to distinguish it from an ordinary "T (stopped)".
Finally, the execute feature causes each targeted SSH session to create a named pipe at /tmp/ssh-XXXX. It is used as a control channel to which Gyrfalcon writes commands that will be executed on the remote host. The named pipe is removed when the legitimate SSH session ends. Do not confuse it with the directory /tmp/ssh-XXXXXXXXXX/ that ssh-agent legitimately creates for its agent socket: the Gyrfalcon artifact is a FIFO, not a directory holding a UNIX socket.
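The in-memory and /tmp checks above turned into a host-side hunting script. This is an added example, not code from the manual or from Gyrfalcon; it assumes a Linux /proc layout, assumes (the manual does not say) that the single-instance POSIX semaphore is a named one, which glibc exposes as /dev/shm/sem.<name>, and it constructs its own sample /proc/<pid>/status text for the self-check. It goes beyond the manual by telling Gyrfalcon's /tmp/ssh-* FIFO apart from the /tmp/ssh-*/ directories ssh-agent creates legitimately.

```python
#!/usr/bin/env python3
"""Hunt for the host artifacts described in section 5.2 on a Linux box:
traced ssh processes, /tmp/ssh-* named pipes, and named POSIX semaphores.
Added example, not part of the Gyrfalcon manual."""
import os
import stat

# Constructed sample of /proc/<pid>/status, modelled on the manual's listing
# (kernel-version fields such as SleepAVG omitted; newer kernels print the
# state as "t (tracing stop)" in lower case).
SAMPLE_STATUS = """\
Name:\tssh
State:\tT (tracing stop)
Tgid:\t14164
Pid:\t14164
PPid:\t1
TracerPid:\t25716
Uid:\t500\t500\t500\t500
"""


def parse_status(text):
    """Return the 'Key: value' fields of a /proc/<pid>/status blob as a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def tracer_of(text):
    """Tracer PID from a status blob; 0 means nobody is ptrace-attached."""
    try:
        return int(parse_status(text).get("TracerPid", "0"))
    except ValueError:
        return 0


def is_tracing_stopped(text):
    """True only while the tracee is stopped at a ptrace event ("tracing stop").
    TracerPid stays set the whole time a tracer is attached; State does not."""
    return "tracing stop" in parse_status(text).get("State", "")


def traced_processes(proc="/proc", name_prefix="ssh"):
    """(pid, comm, tracer_pid) for every traced process whose comm starts with name_prefix."""
    hits = []
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc, entry, "status")) as fh:
                text = fh.read()
        except OSError:
            continue  # process exited, or status not readable as this user
        fields = parse_status(text)
        tracer = tracer_of(text)
        if tracer and fields.get("Name", "").startswith(name_prefix):
            hits.append((int(entry), fields["Name"], tracer))
    return hits


def classify_tmp_entry(path):
    """'fifo' is the execute-feature control pipe the manual describes; 'dir' is
    the benign /tmp/ssh-XXXXXXXXXX/ directory ssh-agent creates for its socket."""
    mode = os.lstat(path).st_mode
    if stat.S_ISFIFO(mode):
        return "fifo"
    if stat.S_ISDIR(mode):
        return "dir"
    if stat.S_ISSOCK(mode):
        return "socket"
    return "other"


def suspicious_ssh_pipes(tmp="/tmp"):
    """Paths under tmp named ssh-* that are FIFOs rather than ssh-agent directories."""
    found = []
    for entry in sorted(os.listdir(tmp)):
        if entry.startswith("ssh-"):
            path = os.path.join(tmp, entry)
            try:
                if classify_tmp_entry(path) == "fifo":
                    found.append(path)
            except OSError:
                continue
    return found


def named_semaphores(shm="/dev/shm"):
    """Names of POSIX named semaphores (glibc stores them as /dev/shm/sem.<name>).
    Assumption: Gyrfalcon's single-instance semaphore is a named one; the manual
    does not say, so treat an unexpected entry here as a lead, not a verdict."""
    try:
        return sorted(e[len("sem."):] for e in os.listdir(shm) if e.startswith("sem."))
    except OSError:
        return []


if __name__ == "__main__":
    for pid, comm, tracer in traced_processes():
        print(f"pid {pid} ({comm}) is being traced by pid {tracer}")
    for path in suspicious_ssh_pipes():
        print(f"{path} is a named pipe (ssh-agent would have made a directory)")
    for name in named_semaphores():
        print(f"named semaphore present: {name}")
```

Run it as root so every /proc/<pid>/status is readable; as an unprivileged user the loop silently skips processes it cannot inspect. A TracerPid hit on an ssh process is the strongest of the three signals, since legitimate debuggers are rarely attached to interactive ssh clients; the FIFO and semaphore checks only narrow the search.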
5.3 Network Artifacts
Gyrfalcon's session log feature does not create any network traffic; it is a purely passive collection capability.
The execute feature does not create a new SSH connection, but it does increase the amount of traffic exchanged within the legitimate SSH session. That is, the executable is uploaded and the results of
12 SECRET//NOFORN January 2013
