Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//20350112
5.2.3.5 (U) Target Detection
(S) Flytraps support detection of the following Target types:
• Email addresses
• Chat usernames, including Yahoo! Messenger, America Online Instant Messaging (AIM) and AIM Express, and Microsoft Messenger. As of October 2010, maktoob has been purchased by Yahoo!, and maktoob chat is no longer available.
• MAC addresses
• VoIP phone numbers (for devices with VoIP support – see 5.2.3.6).
(S) The Flytrap implant searches the network traffic of Flytrap clients (both wireless and
wired) to detect Targets that were configured in the Mission. Section 7 discusses Target
handling in more detail.
5.2.3.5.1 (U) Disabling of GZIP Encoding
(S) To improve Target detection (and harvest) capabilities, the Flytrap implant can also
be Mission-configured to support the disabling of gzip encoding in a browser request. For
example, Yahoo!’s webmail (as of December 2010) will by default use gzip encoding if
the requesting browser supports it. The gzip encoding effectively scrambles the data so
that a plain text search for email addresses (as in Section 15.4.1) does not work. The
Flytrap implant can blank out the “Accept-Encoding:” HTTP parameter in an HTTP
request, which will effectively disable gzip encoding, improving Target email detection.
The entire search process for email and chat users is discussed in more detail in Section
15.4.
5.2.3.5.2 (U) URL Decoding
(S) To improve Target detection (and harvest) capabilities, the Flytrap implant URL-
decodes each packet (into a temporary buffer) before searching for email addresses.
Many webmail services will URL encode special characters (for example, the @ sign
may be URL encoded as %40). The entire search process for email and chat users is
discussed in more detail in Section 15.4.
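The two preceding subsections describe two traffic-processing tricks: blanking the Accept-Encoding request header so responses arrive uncompressed, and percent-decoding each packet before searching it for email addresses. The Python below is an added example written from a network defender's point of view; it is not code from this document or from the Flytrap implant. The first function shows the artifact the header trick leaves on the wire (an Accept-Encoding header that is present but empty, which no normal browser sends) so a monitoring tool can flag an in-path device rewriting requests. The second shows why any content-inspection tool, defensive or otherwise, must percent-decode before a plain-text search: a %40-encoded address is invisible to a literal search for "@". All sample requests and form bodies are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample HTTP/1.1 request as a browser would send it.
NORMAL_REQUEST = (
    "GET /mail/inbox HTTP/1.1\r\n"
    "Host: webmail.example.test\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "\r\n"
)

# Constructed sample of the same request after an in-path device overwrote the
# Accept-Encoding value with spaces (keeping the packet length unchanged).
TAMPERED_REQUEST = (
    "GET /mail/inbox HTTP/1.1\r\n"
    "Host: webmail.example.test\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Accept-Encoding:              \r\n"
    "\r\n"
)

# Constructed sample webmail form body with a percent-encoded '@' (%40).
SAMPLE_FORM = "to=bob.smith%40example.test&subject=hello"


def parse_headers(raw):
    """Split one HTTP/1.x request into (request line, {lowercased name: value})."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    request_line = lines[0]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return request_line, headers


def accept_encoding_blanked(raw):
    """True when the request carries an Accept-Encoding header whose value is empty.

    A browser that sends Accept-Encoding at all lists at least one coding
    (e.g. 'gzip, deflate'); a header that is present but blank is a sign that
    something between the client and the server rewrote the request.
    """
    _, headers = parse_headers(raw)
    return "accept-encoding" in headers and headers["accept-encoding"] == ""


# Simple e-mail pattern for illustration; not a full RFC 5322 grammar.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def find_emails(payload, url_decode=True):
    """Return e-mail addresses found in a text payload.

    With url_decode=True the payload is first percent-decoded into a temporary
    string, so that '%40' is searched as '@'.  With url_decode=False the search
    runs on the raw bytes-as-text, which is what misses encoded addresses.
    """
    text = unquote(payload) if url_decode else payload
    return EMAIL_RE.findall(text)


if __name__ == "__main__":
    for label, req in (("normal", NORMAL_REQUEST), ("tampered", TAMPERED_REQUEST)):
        print(f"{label}: Accept-Encoding blanked = {accept_encoding_blanked(req)}")
    print("raw search:    ", find_emails(SAMPLE_FORM, url_decode=False))
    print("decoded search:", find_emails(SAMPLE_FORM))
```

In a monitoring deployment the `accept_encoding_blanked` check would run over reconstructed HTTP requests from a sensor; a spike of blank Accept-Encoding headers from many clients behind one access point is the kind of anomaly worth correlating with the device's firmware integrity.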
5.2.3.6 (S) VoIP Target Detection (Roundhouse Devices Only)
(S) Roundhouse version 2 devices (svn > 7500) support VoIP Target Detection. The
Flytrap implant was expanded (by the partner Roundhouse contractor) to include hooks
with SIP/VoIP filters that can detect VoIP phone numbers.
5.2.3.7 (U) Target Alerting
(S) When a Target is detected, the Flytrap sends an Alert to the CT. An Alert generated
from a Target detection will contain the MAC address of the client that generated the
Target detection, and the time the detection occurred.
(S) NOTE: when a Target email/chat/VoIP Alert occurs, the Alert only indicates that the
Target email/chat/VoIP user was found in the traffic of the client with the indicated MAC