On June 29th 2017, WikiLeaks published documents about the CIA OutlawCountry project, which targets computers running the Linux operating system. WikiLeaks has code-named this series of releases “Vault 7”. This post describes a simple method with which you can verify for yourself whether your system has been a target of this malicious Linux kernel module.
What is OutlawCountry?
The user manual v1.0 states that OutlawCountry consists of a kernel module that creates a hidden netfilter table on a Linux target. With knowledge of the table name, an operator can create rules that take precedence over existing netfilter/iptables rules. In my opinion this is probably not a remote exploit, since loading the module requires elevated privileges on the targeted machine. It may very well be a “shadowed” binary blob. Most definitely it is also not a vulnerability but a payload for a DanderSpritz-like tool that provides shell access and root privileges post-exploitation.
The user manual also mentions the existence of the following file:
nf_table_6_64.ko; size: 9672; MD5 hash: 2CB8954A3E683477AA5A084964D4665D
Again, the user manual mentions this vital piece of information: when the module is loaded, the hidden table is named “dpxvke8h18”. We now have enough information to possibly detect the presence of OutlawCountry on a system. However, let’s first go through a few more details about this malicious Linux module.
Limitations of OutlawCountry:
The document itself mentions these limitations of this malicious Linux kernel module:
- OutlawCountry v1.0 contains one kernel module for compatible 64-bit CentOS/RHEL 6.x. (Kernel version 2.6.32)
- This module will only work with default kernels.
- This malicious Linux module only supports adding covert DNAT (Destination Network Address Translation) rules to the PREROUTING chain.
- “The Operator” must have shell access to the target. For operational use, root privileges are required.
- The target must have a “NAT” netfilter table.
The user manual again gives enough information – “When loaded, the module creates a new netfilter table with an obscure name. The new table allows certain rules to be created using the “iptables” command. These rules take precedence over existing rules, and are only visible to an administrator if the table name is known. When the Operator removes the kernel module, the new table is also removed.” Now to the juicy part:
Detect OutlawCountry on YOUR system:
With administrator privileges, you can run the following command to check whether the accompanying kernel module is loaded:
lsmod | grep nf_table
This might not always work, as the user manual mentions: “At this point, the module file on disk can safely be removed for operational security: rm nf_table.ko.” If you see that it is loaded and has the same properties mentioned above, delete it.
Finally, run the following to be sure that you have not been compromised:
iptables -t dpxvke8h18 -L -nv
If you see a message like this, you are safe:
iptables vx: can't initialize iptables table `dpxvke8h18': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
However, you have an OutlawCountry infection if you get something like this:
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
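The checks above, combined into one script as an added example (this is not code from the post or from the leaked manual): the table name and the MD5 come from the manual, while the function names, the use of /proc/net/ip_tables_names to spot a table with a different obscure name, and the assumption that the module does not hide its table from that file are mine.

```shell
#!/bin/sh
# Added example, not the post's or the manual's code; run with --live as root.
HIDDEN_TABLE="dpxvke8h18"
KNOWN_MD5="2cb8954a3e683477aa5a084964d4665d"   # manual's hash, lowercased
STANDARD_TABLES="filter nat mangle raw security"

# Reads `lsmod` output on stdin and prints modules named nf_table or nf_table_*.
# The plural nf_tables is the legitimate nftables module on newer kernels and
# is deliberately not matched, to avoid a false positive there.
loaded_nf_table_modules() {
    awk 'NR > 1 && $1 ~ /^nf_table(_|$)/ { print $1 }'
}

# Reads the combined stdout+stderr of `iptables -t <table> -L -nv` on stdin and
# prints "absent" (table does not exist), "present" (chains listed) or "unknown".
classify_table_output() {
    out=$(cat)
    case "$out" in
        *"Table does not exist"*) echo absent ;;
        *"Chain PREROUTING"*)     echo present ;;
        *)                        echo unknown ;;
    esac
}

# Reads registered table names (one per line, as in /proc/net/ip_tables_names)
# on stdin and prints any outside the standard set (assumes the table is listed).
unexpected_tables() {
    while read -r t; do
        [ -n "$t" ] || continue
        case " $STANDARD_TABLES " in
            *" $t "*) ;;
            *) echo "$t" ;;
        esac
    done
}

# Prints "match" if the module file given as $1 has the MD5 from the manual.
check_module_md5() {
    sum=$(md5sum "$1" | awk '{ print $1 }')
    [ "$sum" = "$KNOWN_MD5" ] && echo match || echo nomatch
}
# Live check: needs root and runs only when the script is invoked with --live.
if [ "${1:-}" = "--live" ]; then
    echo "nf_table modules loaded:"; lsmod | loaded_nf_table_modules
    echo "Table $HIDDEN_TABLE: $(iptables -t "$HIDDEN_TABLE" -L -nv 2>&1 | classify_table_output)"
    echo "Non-standard tables:"; unexpected_tables < /proc/net/ip_tables_names
    find / -xdev -name 'nf_table*.ko' 2>/dev/null |
        while read -r f; do echo "$f: $(check_module_md5 "$f")"; done
fi
```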
Now, if you re-read the manual excerpts I quoted above, you can see that they mention both that the hidden table name is dpxvke8h18 and that a new netfilter table name is created on each install. Frankly, I do not know what the name will be, as I did not find a system with OutlawCountry installed.
Let me know in the comments if you have additional ways of detecting OutlawCountry or have any other information to share.