Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SeaPea v4.0
Developed by: IOC/EDG/AED
DESCRIPTION
• SeaPea is an OS X Rootkit that provides stealth and tool launching capabilities
• Hides files/directories, socket connections, processes
• Requirements: Mac OS X 10.6 (Snow Leopard) Operating System (32 bit or 64 bit Kernel Compatible); Mac OS X 10.7 (Lion) Operating System
• Associated Files
  ‣ BuildInstaller.py (CLASSIFIED: SECRET): This python script builds the target installer
  ‣ installer (UNCLASSIFIED): Generated by BuildInstaller.py. This shell script is used to install SeaPea on a target computer. *** NOTE: This file can be renamed for operational use ***
BUILDING THE INSTALLER
SeaPea’s installer shell script (installer) is generated by calling the BuildInstaller.py script. Refer to the build options below:
• -t {Rootkit Startup Contents Directory or StartupDirectory}
  ‣ Default: None
  ‣ A directory containing a script to run during rootkit startup
  ‣ The StartupDirectory specified must include a bash script named iTunesWorkerSystem. Other support/auxiliary files can also be included if desired. All files/directories inside StartupDirectory will be copied verbatim to the on-target directory {base install directory}/.ptm.log/.term32/; hence, be mindful of file names and strings.
  ‣ iTunesWorkerSystem will execute on each OS X boot as super-elite (refer to process categories below)
  ‣ IMPORTANT: iTunesWorkerSystem is intended to give the operator flexibility in launching commands and tools on OS X boot. All commands and tools launched will inherit eliteness from iTunesWorkerSystem.
• -d {ImplantDirectory}
  ‣ Default: /etc
  ‣ An alternate top-level installation directory can be specified using this option. The SeaPea directory itself will always be named .ptm.log but will be located in the ImplantDirectory. For example, if the -d switch is specified with /var as the argument, the implant will be installed in /var/.ptm.log. The default location is thus /etc/.ptm.log.
• -h
  ‣ Shows builder options
INSTALLATION
A successful installation will print “:::” to STDOUT. Any other output represents an error. (Reference the “Installation Failure Codes” below to see a list of possibilities.) Installation requires root access. SeaPea will remain on the system unless one of the following conditions is met: (1) The hard drive is reformatted; (2) An upgrade to the next major version (e.g., 10.8); (3) The rootkit detects that it is not functioning correctly.
Implant File System Locations
• Note that both the implant files and the persistence file are hidden by default, since “.ptm.log” is a default stealth-filter-string (ref below).
• Implant Home: /ImplantDirectory/.ptm.log
• Persistence File: /System/Library/LaunchDaemons/com.apple.ptm.log.plist
• Startup-Script: /ImplantDirectory/.ptm.log/.term32/iTunesWorkerSystem
• Loader: /ImplantDirectory/.ptm.log/.pq/FirewallActiveAgent64
• Self-linker: /ImplantDirectory/.ptm.log/.pq/SecurityStartupAgent
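The file locations above, together with the Savina stop file named under the -x option, are the on-disk indicators a responder would look for. The script below is an added example written for this page; it is not part of the SeaPea documentation or tooling. It walks a volume root for the documented paths and for any LaunchDaemons entry whose name contains the “.ptm.log” stealth-filter-string. Because the rootkit hides names containing that string from the running kernel, the check is only meaningful against a volume mounted from another boot environment or a forensic image, which is why every function takes the volume root as a parameter instead of scanning “/”. The list of candidate implant directories is an assumption (the guide documents /etc as the default and shows /var as an example for -d); the sample volume the demo builds is constructed test data.

```python
import tempfile
from pathlib import Path

# Paths documented in the SeaPea v4.0 guide, relative to the volume root.
PERSISTENCE_PLIST = "System/Library/LaunchDaemons/com.apple.ptm.log.plist"
SAVINA_STOP_FILE = "var/log/secure.ptm.log.bz2"   # written by the installer's -x option
STEALTH_STRING = ".ptm.log"                        # default stealth-filter-string

# Candidate ImplantDirectory values (assumption: /etc is the documented default,
# /var is the guide's -d example; the rest are plausible alternates to widen the sweep).
# macOS keeps /etc and /var as symlinks to /private/etc and /private/var, so an
# offline image may expose either spelling.
DEFAULT_IMPLANT_DIRS = ("etc", "var", "private/etc", "private/var", "tmp")

# Directories whose entries are checked for the stealth string by name.
LAUNCH_DIRS = ("System/Library/LaunchDaemons", "Library/LaunchDaemons", "var/log")


def seapea_artifact_paths(implant_dirs=DEFAULT_IMPLANT_DIRS):
    """Relative paths of every documented artifact for each candidate ImplantDirectory."""
    paths = [PERSISTENCE_PLIST, SAVINA_STOP_FILE]
    for d in implant_dirs:
        home = f"{d}/{STEALTH_STRING}"
        paths += [
            home,                                    # Implant Home
            f"{home}/.term32/iTunesWorkerSystem",    # Startup-Script
            f"{home}/.pq/FirewallActiveAgent64",     # Loader
            f"{home}/.pq/SecurityStartupAgent",      # Self-linker
        ]
    return paths


def scan_volume(root, implant_dirs=DEFAULT_IMPLANT_DIRS):
    """Return the sorted relative paths of documented artifacts present under root.

    root must be an offline-mounted volume or extracted image: on a live infected
    host the rootkit filters these names out of directory listings.
    """
    root = Path(root)
    return sorted(p for p in seapea_artifact_paths(implant_dirs) if (root / p).exists())


def stealth_named_entries(root, dirs=LAUNCH_DIRS):
    """Secondary sweep: entries in persistence/log dirs whose name contains the stealth string.

    Catches a renamed plist or stop file that still carries '.ptm.log' in its name.
    """
    root = Path(root)
    found = []
    for d in dirs:
        base = root / d
        if not base.is_dir():
            continue
        for entry in base.iterdir():
            if STEALTH_STRING in entry.name:
                found.append(str(entry.relative_to(root)))
    return sorted(found)


def build_constructed_volume():
    """Create a temp directory laid out like a volume root with two planted artifacts.

    Constructed sample data for the demo; the file contents are placeholders.
    """
    root = Path(tempfile.mkdtemp(prefix="seapea-demo-"))
    (root / "etc" / STEALTH_STRING / ".pq").mkdir(parents=True)
    (root / "etc" / STEALTH_STRING / ".pq" / "FirewallActiveAgent64").write_bytes(b"placeholder")
    (root / "System/Library/LaunchDaemons").mkdir(parents=True)
    (root / PERSISTENCE_PLIST).write_text("<plist/>\n")
    return root


if __name__ == "__main__":
    vol = build_constructed_volume()
    print("documented artifacts:", scan_volume(vol))
    print("stealth-named entries:", stealth_named_entries(vol))
```

Run the module directly to see the two sweeps over the constructed volume; in practice pass the mount point of the suspect disk (for example a volume mounted read-only from a second boot environment) as root. A hit on any documented path is high-confidence because the names are fixed by the installer; the name-based sweep is a weaker signal and is there to catch an operator who kept the stealth string but changed the surrounding name.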
Options
• -x
  ‣ Savina Install: The installer script will generate the file “/var/log/secure.ptm.log.bz2.” This file is generated as a “stop file” for Savina in the case that SeaPea does a self-uninstall. This is EXTREMELY important because we don’t want Savina to reinstall if SeaPea uninstalled itself due to an unrecoverable error such as kernel panicking. Of course, if the
SECRET//NOFORN
Rev 07/08/2011 1