WikiLeaks yesterday released documentation on two very specific scripts meant to steal OpenSSH login credentials from the client side. One script is for Windows clients, the other for Linux clients.

On the Windows side of things, they have released documentation on a script called BothanSpy. This program targets the SSH client program Xshell on the Microsoft Windows platform and steals user credentials for all active SSH sessions. Their program works regardless of whether you're using simple user/password, user/key, or user and key w/ password. It then sends the credentials / key file to a CIA-controlled server.

Similarly, on the Linux side, there is a program called Gyrfalcon. The documentation on this program was written in January 2013 for v1 and November 2013 for v2. Scanning through the user guide for version 2.0 shows very detailed information on how to prepare and plant the software on the target computer, starting with how to cover your tracks:

(S//NF) The operator must obtain a thorough understanding of the Linux/UNIX command line interface and shells such as bash, csh, and sh. Gyrfalcon assumes that the operator knows the standard operating procedures for masking their activity within certain shells. For instance, if the operator is using the bash shell on the Linux platform, then Gyrfalcon assumes they executed the following commands at the shell's prompt before uploading, installing, and executing Gyrfalcon.

1. unset HISTFILE
2. export HISTFILE
3. HISTSIZE=0
4. export HISTSIZE
5. TERM=vt100
6. export TERM
7. PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin …
8. export PATH

The document goes on in detail about what the package contains, for instance, Gyrfalcon clients and libraries in both 32-bit and 64-bit flavors for:

CentOS 5.6 - 6.4

RHEL 4.0 - 6.4

Debian 6.0.8

Ubuntu 11.10

SuSE 10.1

That being said, you have to remember the documentation was dated 2013, so you'd have to assume they have an updated version now to work with current Linux versions.

It continues on in detail on how to install it on the target system. Installing on the target system also requires that they install the JQC/KitV rootkit, also developed by the CIA. You can see they had a meeting about JQC as a rootkit in their NERDStech talk series meetings: https://fdik.org/wikileaks/year0/vault7/cms/page_2621796.html

So, secure your systems people. Attackers potentially trying to use these tools still need to somehow get a shell on your system in order to install this stuff.

As far as detecting on your system, that's going to be tough since:

The instructions note to name the script something before uploading/running it

We don't have a copy of any of the scripts they're talking about

But - we do know a couple things..

It runs in the background. A simple 'ps' will show you the processes and you should be able to spot something unfamiliar running, and kill it

history file gone would indicate that 'something' happened.. not necessarily this though.

if you find evidence of the 'CIA' JQC/KitV rootkit on your system which may be tough..

WikiLeaks announcement:

Gyrfalcon 2.0 User Manual:

Gyrfalcon 1.0 User Manual:
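A defender-side check for the history-suppression recipe quoted from the Gyrfalcon manual, added here as an example (not code from the post or from the leaked documents): anything launched from a shell prepared that way inherits HISTSIZE=0 and TERM=vt100 in its environment, so reading /proc/<pid>/environ finds it. The function names and the indicator labels are my own; HISTFILE itself cannot be checked this way, since an unset-then-exported variable never reaches the environment at all.

```shell
#!/bin/sh
# Added example, not from the post or the leaked manuals: flag processes
# whose environment carries the traces of the quoted recipe
# (HISTSIZE=0 and TERM=vt100 exported, or HISTFILE exported empty).
# "unset HISTFILE; export HISTFILE" leaves HISTFILE out of the
# environment entirely, so its absence alone proves nothing.

# env_indicators FILE
#   FILE is in /proc/<pid>/environ format (NUL-separated VAR=value).
#   Prints one indicator label per line; exits 0 if any matched, 1 if none.
env_indicators() {
    found=1
    # turn NUL separators into newlines so grep can match whole entries
    env_lines=$(tr '\0' '\n' < "$1")
    if printf '%s\n' "$env_lines" | grep -qx 'HISTFILE='; then
        echo HISTFILE_EMPTY; found=0
    fi
    # HISTSIZE is not normally exported, so HISTSIZE=0 showing up in a
    # child's environment is the strongest signal of the three
    if printf '%s\n' "$env_lines" | grep -qx 'HISTSIZE=0'; then
        echo HISTSIZE_ZERO; found=0
    fi
    # TERM=vt100 is weak on its own; reported so it can be correlated
    if printf '%s\n' "$env_lines" | grep -qx 'TERM=vt100'; then
        echo TERM_VT100; found=0
    fi
    return "$found"
}

# scan_proc: run env_indicators over every readable /proc/<pid>/environ
# (root is needed to read other users' processes) and print pid,
# command line and the indicators found.
scan_proc() {
    for envfile in /proc/[0-9]*/environ; do
        pid=${envfile#/proc/}; pid=${pid%/environ}
        hits=$(env_indicators "$envfile" 2>/dev/null) || continue
        printf '%s %s: %s\n' "$pid" \
            "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)" \
            "$(printf '%s' "$hits" | tr '\n' ',')"
    done
}

if [ "${1:-}" = "--scan" ]; then scan_proc; fi
```

Run it as `sh check_hist.sh --scan`; a hit on a long-lived daemon or a shell owned by a service account is what you would follow up on, since an interactive user forgetting their history is a far more common explanation.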