Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SeaPea v4.0
Developed by: IOC/EDG/AED
DESCRIPTION
SeaPea is an OS X rootkit that provides stealth and tool-launching capabilities. It hides files/directories, socket connections and processes.
Requirements: Mac OS X 10.6 (Snow Leopard) operating system (32-bit or 64-bit kernel compatible); Mac OS X 10.7 (Lion) operating system
Associated Files
BuildInstaller.py (CLASSIFIED: SECRET): This Python script builds the target installer.
installer (UNCLASSIFIED): Generated by BuildInstaller.py. This shell script is used to install SeaPea on a target computer. *** NOTE: This file can be renamed for operational use ***
BUILDING THE INSTALLER
SeaPea's installer shell script is generated by running the BuildInstaller.py script. Refer to the build options below:
-t {Rootkit Startup Contents Directory or StartupDirectory}
Default: None
A directory containing a script to run during rootkit startup.
The StartupDirectory specified must include a bash script named iTunesWorkerSystem. Other support/auxiliary files can also be included if desired. All files/directories inside StartupDirectory will be copied verbatim to the on-target directory {base install directory}/.ptm.log/.term32/; hence, be mindful of file names and strings.
iTunesWorkerSystem will execute on each OS X boot as super-elite (refer to process categories below).
IMPORTANT: iTunesWorkerSystem is intended to give the operator flexibility in launching commands and tools on OS X boot. All commands and tools launched will inherit eliteness from iTunesWorkerSystem.
-d {ImplantDirectory}
Default: /etc
An alternate top-level installation directory can be specified using this option. The SeaPea directory itself will always be named .ptm.log but will be located in the ImplantDirectory. For example, if the -d switch is specified with /var as the argument, the implant will be installed in /var/.ptm.log. The default location is thus /etc/.ptm.log.
-h
Shows builder options
INSTALLATION
A successful installation will print ":::" to STDOUT. Any other output represents an error. (Reference the "Installation Failure Codes" below to see a list of possibilities.) Installation requires root access. SeaPea will remain on the system unless one of the following conditions is met: (1) the hard drive is reformatted; (2) an upgrade to the next major version (e.g., 10.8) is performed; (3) the rootkit detects that it is not functioning correctly.
Implant File System Locations
Note that both the implant files and the persistence file are hidden by default, since ".ptm.log" is a default stealth-filter string (see below).
Implant Home:      /ImplantDirectory/.ptm.log
Persistence File:  /System/Library/LaunchDaemons/com.apple.ptm.log.plist
Startup Script:    /ImplantDirectory/.ptm.log/.term32/iTunesWorkerSystem
Loader:            /ImplantDirectory/.ptm.log/.pq/FirewallActiveAgent64
Self-linker:       /ImplantDirectory/.ptm.log/.pq/SecurityStartupAgent
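As an added defensive check, not part of the leaked document, the Python function below scans an offline copy of an OS X volume (a mounted disk image or a system booted from recovery media) for the artifact paths listed above. Because the rootkit's stealth filter hides every name containing ".ptm.log" on a live host, the scan must not be run on the suspect system itself; the function name, the relative-path layout and the walk depth are choices made here.

```python
import os
from pathlib import Path

# Artifact names come from the "Implant File System Locations" list.
# The LaunchDaemon plist and the Savina stop file have fixed paths; the
# implant home is {ImplantDirectory}/.ptm.log, where ImplantDirectory
# defaults to /etc but can be any directory chosen with the -d switch.
STEALTH_STRING = ".ptm.log"
FIXED_ARTIFACTS = (
    "System/Library/LaunchDaemons/com.apple.ptm.log.plist",  # persistence
    "var/log/secure.ptm.log.bz2",                            # Savina stop file
)
IMPLANT_CHILDREN = (
    ".term32/iTunesWorkerSystem",  # startup script
    ".pq/FirewallActiveAgent64",   # loader
    ".pq/SecurityStartupAgent",    # self-linker
)


def find_seapea_artifacts(volume_root, max_depth=2):
    """Scan an OFFLINE copy of a volume rooted at volume_root.

    On a live infected host any name containing '.ptm.log' is hidden by
    the rootkit, so a scan there comes back empty even when the implant
    is present. Returns sorted artifact paths relative to volume_root.
    """
    root = Path(volume_root)
    hits = set()
    for rel in FIXED_ARTIFACTS:  # deeper than the walk below reaches
        if (root / rel).exists():
            hits.add(rel)
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        # Flag any entry carrying the stealth string, wherever it lives.
        for name in dirnames + filenames:
            if STEALTH_STRING in name:
                hits.add(str((here / name).relative_to(root)))
        # An implant home: look for the loader, self-linker and startup script.
        if STEALTH_STRING in dirnames:
            home = here / STEALTH_STRING
            for child in IMPLANT_CHILDREN:
                if (home / child).exists():
                    hits.add(str((home / child).relative_to(root)))
        # -d only relocates the top-level directory, so a shallow walk suffices.
        if len(here.relative_to(root).parts) >= max_depth:
            dirnames[:] = []
    return sorted(hits)
```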
Options
-x
Savina Install: The installer script will generate the file "/var/log/secure.ptm.log.bz2". This file is generated as a "stop file" for Savina in the case that SeaPea does a self-uninstall. This is EXTREMELY important because we don't want Savina to reinstall if SeaPea uninstalled itself due to an unrecoverable error such as kernel panicking. Of course, if the
SECRET//NOFORN
Rev 07/08/2011 1
