What The CIA’s OutlawCountry Malware Can Do To Your Computer
A CIA spy can make use of the hidden netfilter table created by OutlawCountry and adjust system configurations and disregard existing firewall rules.
Understanding The CIA OutlawCountry Exploit
In order for the CIA to create an iptables rule on the Linux box, they have to already possess root privileges. For instance, the CIA can gain access to root through direct physical access to the computer or other methods like social engineering in which they convince you to run the exploit as root. If the CIA can access the computer directly without physical security limitations hindering their objectives, then it’s an obvious cakewalk for them.
What’s concerning to the Linux user is that the OutLawCountry exploit does not require physical access to the device. Rather, they require an ‘initial’ exploit to successfully ‘get in the door.’ Hence, the CIA does not put in the effort to physically send in an undercover spy. They could, but whatever.
Remember this tool is designed specifically for Linux users and seeks to take advantage of people using iptables.
How To Know If The OutlawCountry Kernel Module Has Been Loaded On Your Linux System
SUNNY’S RECOMMENDED DIAGNOSTIC STEPS
Find out below to see if you suspect or been affected by the CIA’s malware:
Proceed by opening a Terminal and input the following command:
lsmod | grep nf_table
When the OutlawCountry kernel module has been loaded, a concealed table called ‘dpxvke8h18‘ can be located inside the iptable rules.
This problem is currently being investigated by the Linux community. For now, look for the following file:
The malware documentation mentioned a cleanup process that erases these traces from the computer after the exploit has been successfully carried out.
Don’t waste time inputting the following command suggested by many people:
sudo iptables -t dpxvke8h18 --list
The above command will show an error message “table does not exist.” Now the problem is that the iptables table names are labeled randomly. Therefore, checking for this specific name is futile. You must know the name of the obscurely-named table. Stick with the lsmod command and probe for a ‘nf_table‘ module.
Depending on who you are, the CIA may or may not have tampered with your computer. If you are a high-risk important target who attracts the most advanced adversaries like the NSA, then you should probably be worried and dispose of that precious system of yours.
Recall that a threat actor must already possess shell access to a box to successfully utilize this backdoor to its fullest potential.
The threat actor needs root privileges on the Linux box to load the OutlawCountry kernel module since it has not been installed on the system yet. This applies to any kernel module that has not already been installed on the system.
This backdoor has been delineated to only be effective with a 64-bit default version of CentOS/RHEL 6.x product family, 2.6.32 kernel version. But don’t make assumptions that this is exclusive to those versions. If you assume so, you’d be foolish given that NSA is equipped with massive advantages.
Given the numerous financial resources and capabilities that the NSA has, it can’t be perceived that they are not capable of developing advanced backdoors or purchase the most expensive 0-day exploits. As one of the top spy agencies, the NSA evidently has tremendous abilities over many people and other rival adversary organizations.
Note that Wikileaks hasn’t elaborated whether the injected kernel module is updated to newer kernels by dkms.
SUNNY’S RECOMMENDED PREVENTIVE MEASURES
You have to make sure that you apply all applicable Linux kernel patches as they are made available.
If companies have discovered that their Linux systems show signs of compromise, they must adhere to their enterprise’s list of procedures to respond sensibly to the incident. Failure to do so is detrimental to the enterprise’s goals and illustrates a lack of security hygiene and the presence of recklessness.
OPTIONAL AND LAUGHABLE SOLUTION
Okay, this may seem like a joke but have a look at the following two sentences: Don’t use iptables. Use something like Sneakernet.
I know, right?
Be sure to check out another article I’ve written regarding Vault 7 and the CIA here.