Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//NOFORN Gyrfalcon 2.0
4.2 (U) Uninstall off Target Platform
(S//NF) Uninstalling Gyrfalcon off a target platform is simpler than installing onto the target platform. Follow these steps to uninstall Gyrfalcon. It is best to perform an uninstall when the OpenSSH client is not being used (i.e., there are no active OpenSSH connections).
1. (U) Determine the PID of the running Gyrfalcon application on the target platform.
1.1 ps -aux | grep client
1.2 (U) Where client is the name of the application on the target platform.
2. (S//NF) Flush the last of the keystrokes through the Gyrfalcon application pipeline into the compressed, encrypted collection file.
2.1 kill -s USR1 PID
2.2 (U) Where PID is the PID discovered in step 1.
2.3 (S//NF) The application may not handle the USR1 signal until data arrives on the SYSV message queue. Monitor the collection file – if the collection file is closed, then the USR1 signal was handled correctly and it is safe to proceed.
2.4 (U) Kill the running Gyrfalcon application and confirm the process stopped running.
2.5 kill PID
2.6 ps -aux | grep client
2.7 (S//NF) Confirm the encrypted configuration file is written back to the file system in the same directory as the application.
3. (S//NF) Download the compressed, encrypted collection file to the local operator computer.
3.1 (S//NF) Gyrfalcon does not provide any communication services between the local operator computer and the target platform. The operator must use a third-party application to download the collection file from the target platform.
4. (S//NF) Remove the Gyrfalcon library from the target platform's file system.
4.1 (S//NF) Remove the LD_PRELOAD settings created in section 4.1 step 8.
4.2 (as root) dd if=/dev/zero of=/lib64/libgssapi.so.2.0.1 bs=64
4.3 (as root) rm -f /lib64/libgssapi.so.2.0.1
4.4 (as root) rm -f /lib64/libgssapi.so.2
4.5 (as root) ldconfig -v
4.6 ldconfig -p | grep libgssapi
5. (S//NF) Remove the Gyrfalcon application, configuration file, and collection file from the target platform's file system.
5.1 (S//NF) Preferably all three files are kept in the JQC/KitV hidden directory.
5.2 dd if=/dev/zero of=./client bs=64
5.3 dd if=/dev/zero of=./config_file bs=64
5.4 dd if=/dev/zero of=./collect_file bs=64
5.5 rm -f client config_file collect_file
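The uninstall steps above touch the two host-level artifacts that make the hook work: the LD_PRELOAD setting that injects the library into the OpenSSH client, and the libgssapi.so.2 entry in the dynamic loader cache that step 4.6 checks with `ldconfig -p`. The Python below is an added defender's audit for those artifacts; it is not code from the Gyrfalcon document or from the Vault 7 release. It parses a `/proc/<pid>/environ` blob, the contents of `/etc/ld.so.preload`, and `ldconfig -p` output, and reports any preloaded library and any GSSAPI soname that resolves to a path outside a known-good list. The sample inputs are constructed, and both the allow-list `KNOWN_GOOD_GSSAPI` and the assumption that the preload is set through the `LD_PRELOAD` variable or `/etc/ld.so.preload` are assumptions, since the manual does not show how section 4.1 step 8 sets it.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample inputs (not captured from any real host).
SAMPLE_ENVIRON = (
    b"HOME=/home/analyst\x00"
    b"LD_PRELOAD=/lib64/libgssapi.so.2\x00"
    b"SHELL=/bin/bash\x00"
)
SAMPLE_LD_SO_PRELOAD = "# constructed /etc/ld.so.preload\n/lib64/libgssapi.so.2\n"
SAMPLE_LDCONFIG_P = (
    "3 libs found in cache `/etc/ld.so.cache'\n"
    "\tlibgssapi_krb5.so.2 (libc6,x86-64) => /usr/lib64/libgssapi_krb5.so.2\n"
    "\tlibgssapi.so.2 (libc6,x86-64) => /lib64/libgssapi.so.2\n"
    "\tlibc.so.6 (libc6,x86-64) => /lib64/libc.so.6\n"
)
# Assumed allow-list of GSSAPI library paths the host's own packages provide.
# On a real host build it from the package manager (rpm -ql / dpkg -L).
KNOWN_GOOD_GSSAPI = {"/usr/lib64/libgssapi_krb5.so.2"}


def parse_environ(blob: bytes) -> Dict[str, str]:
    """Parse the NUL-separated KEY=VALUE format of /proc/<pid>/environ."""
    env: Dict[str, str] = {}
    for item in blob.split(b"\x00"):
        if b"=" in item:
            key, _, value = item.partition(b"=")
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def preloaded_libraries(env: Dict[str, str], ld_so_preload: str) -> List[str]:
    """Libraries the loader will inject into every new process: the entries of
    LD_PRELOAD (colon- or space-separated) plus the non-comment lines of
    /etc/ld.so.preload. Duplicates are collapsed, order is preserved."""
    libs: List[str] = []
    for entry in re.split(r"[:\s]+", env.get("LD_PRELOAD", "")):
        if entry and entry not in libs:
            libs.append(entry)
    for line in ld_so_preload.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and line not in libs:
            libs.append(line)
    return libs


def suspicious_gssapi_entries(ldconfig_p: str, known_good: Set[str]) -> List[Tuple[str, str]]:
    """(soname, path) pairs from `ldconfig -p` output where a GSSAPI soname
    resolves to a file that is not on the allow-list."""
    found: List[Tuple[str, str]] = []
    for line in ldconfig_p.splitlines():
        left, sep, target = line.strip().partition(" => ")
        if not sep:
            continue  # header line, not a cache entry
        soname = left.split()[0]
        if soname.startswith("libgssapi") and target not in known_good:
            found.append((soname, target))
    return found


def audit(environ_blob: bytes, ld_so_preload: str, ldconfig_p: str,
          known_good: Set[str]) -> List[str]:
    """Run both checks and return human-readable findings (empty if clean)."""
    findings: List[str] = []
    env = parse_environ(environ_blob)
    for lib in preloaded_libraries(env, ld_so_preload):
        findings.append(f"preloaded library: {lib}")
    for soname, path in suspicious_gssapi_entries(ldconfig_p, known_good):
        findings.append(f"loader cache maps {soname} to unexpected path {path}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_ENVIRON, SAMPLE_LD_SO_PRELOAD,
                         SAMPLE_LDCONFIG_P, KNOWN_GOOD_GSSAPI):
        print(finding)
```

On a live host, feed `audit()` the raw bytes of `/proc/<pid>/environ` for each running `ssh` process, the text of `/etc/ld.so.preload` (an empty string if the file is absent), and the output of `ldconfig -p`, with the allow-list built from the package manager's file lists rather than the constructed one here. A preloaded library that is not on any package's file list, or a GSSAPI soname resolving into an unexpected directory, is the condition step 4 of the procedure is undoing.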
10 SECRET//NOFORN//20381126 November 2013