07.04.2017 / by maximios / Biotechnology / No Comments

DarkSeaSkies_1_0_User_Manual

SECRET//NOFORN


Engineering Development Group

DarkSeaSkies 1.0

User Manual

Rev. New 26 January 2009


darkmatter+darkmatter+docs+DarkSeaSkies 1.0 User Manual_Rev New_2009-01-26.doc

CL BY: 2348366 CL REASON: 1.4(c) DECL ON: 20331105 DRV FROM: COL S-06


Table of Contents

1. Scope
1.1 System Overview and Description
1.2 Assumptions and Constraints
2. Applicable Documents
3. System Description
3.1 Technical References
3.2 System Concepts and Capabilities
Prerequisites
Equipment Familiarization
4. Operation
4.1 Configuration
4.2 Installation and Setup
Initiating a Session
Stopping and Suspending Work
4.5 Contingencies and Alternate States and Modes of Operation
Problem Reporting
5. Additional Operational Procedures (Not Applicable)
System Backup and Restore (Not Applicable)
Troubleshooting
8. Error Messages
9. Notes
9.1 Acronyms/Abbreviations
9.2 Definitions

List of Tables

Table 9.1-1 Acronyms/Abbreviations
Table 9.2-2 Definitions

1.   Scope

This document establishes the User Manual for DarkSeaSkies 1.0.

1.1   System Overview and Description

DarkSeaSkies is an implant that persists in the EFI firmware of an Apple MacBook Air computer, installs a Mac OSX 10.5 kernel-space implant and executes a user-space implant.

DarkSeaSkies consists of three different tools:

DarkMatter: An EFI driver that persists in firmware and installs the other two tools.

Pea: A Mac OSX kernel-space implant that executes, and provides stealth and privilege to user-space implants.

mmand and control.

This document describes the technical details of DarkMatter, and that of SeaPea and

for further information on NightSkies.

1.2   Assumptions and Constraints

It is assumed that the target system is a MacBook Air version 1,1 running Mac OSX 10.5.2-10.5.x with firmware version MBA11.0088.B03.

It is assumed that an operator or asset has one-time physical access to the target system and can boot the target system to an external flash drive.

A constraint is that DarkSeaSkies will not persist in the event of a firmware update.

Not Applicable)

2.   Applicable Documents

The following documents, of the exact issue shown, form a part of this document to the extent specified herein. In the event of a conflict between the documents referenced herein and the contents of this document, the contents of this document will be considered binding. The following documents may be found at S:\DO\IOC\EDG ALL\EDG AE\Projects\:

• SeaPea User Manual, Rev. 2.0, November 2008

• NightSkies User Guide, Rev. 1.2, November 2008

3.   System Description

3.1   Technical References

The following items are either configured or randomly generated for each deployment. Therefore the values are delivered as files rather than updated in this document for each deployment.

installer.guid.

• DarkSeaSkies Implant:

xxtea.key.

• NVRAM Variables:

• The NVRAM variables are obfuscated by using existing variable names and generating new random GUIDs for each delivery.

Status) in this documentation; however, their true names and GUIDs on the target are documented below.

indicates the status of the payload from the previous boot.

• The name of this variable is “SystemAudioVolume”.

status.guid.

has the following values.

• ‘\0’ indicates an unknown status, for example the first boot after install

• ‘0’ indicates that the user-space payload has been dropped

• ‘1’ is reserved for future use

• ‘2’ indicates that NightSkies has failed to execute properly.

• ‘3’ indicates that the user-space payload executed successfully

• ‘4’ indicates that the user-space payload encountered an error condition

• ‘5’ indicates that DarkSeaSkies should uninstall itself and its payload

• Any other value is equivalent to ‘5’.

does not exist then it is assumed to be zero.

warning_count.name.

does not exist then a pre-configured value will be used.

warning_threshold.name.

warning_threshold.guid.

warning_threshold.value.

is the NVRAM variable that NightSkies uses to store its configuration.

config.name.

config.guid.

config.plist.
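A defender-side illustration of the variables described above, added here and not part of the manual: it parses an assumed "name<TAB>value" NVRAM listing (using the guid:name addressing the manual itself uses with nvram(8); the format, the sample values and the GUID are constructed), flags an existing variable name that also appears under a foreign GUID, and decodes the status values listed in this section.

```python
import re
from collections import defaultdict

# Meaning of each value of the status NVRAM variable, as listed in section 3.1.
STATUS_MEANING = {
    "\0": "unknown status (e.g. first boot after install)",
    "0": "user-space payload has been dropped",
    "1": "reserved for future use",
    "2": "NightSkies failed to execute properly",
    "3": "user-space payload executed successfully",
    "4": "user-space payload encountered an error condition",
    "5": "DarkSeaSkies should uninstall itself and its payload",
}

def decode_status(value):
    """Section 3.1: any value outside the table is equivalent to '5'."""
    return STATUS_MEANING.get(value, STATUS_MEANING["5"])

# Assumed dump format (constructed for this example): one "name<TAB>value" line per
# variable; variables outside the default Apple namespace carry a "GUID:" prefix,
# the same guid:name addressing the manual uses with nvram(8) in section 4.5.
LINE_RE = re.compile(r"^(?:(?P<guid>[0-9A-Fa-f-]{36}):)?(?P<name>[^\t]+)\t(?P<value>.*)$")

def parse_nvram_dump(text):
    """Return (guid, name, value) triples; guid is None for the default namespace."""
    triples = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            triples.append((m.group("guid"), m.group("name"), m.group("value")))
    return triples

def find_shadowed_names(triples):
    """Names present both in the default namespace and under a foreign GUID.

    Section 3.1: the implant reuses existing variable names (e.g. "SystemAudioVolume")
    under freshly generated GUIDs, so such a collision is what a responder looks for."""
    guids_by_name = defaultdict(set)
    for guid, name, _ in triples:
        guids_by_name[name].add(guid)
    return sorted(n for n, g in guids_by_name.items() if None in g and len(g) > 1)

# Constructed sample dump; the GUID is a placeholder, not a value from the manual.
SAMPLE_DUMP = (
    "SystemAudioVolume\t%80\n"
    "boot-args\t\n"
    "11111111-2222-3333-4444-555555555555:SystemAudioVolume\t3\n"
)
```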

3.2   System Concepts and Capabilities

has elapsed and the target user is browsing with Safari or Firefox. The command and control beacon data is encrypted in an HTTP GET/POST request or response.

Prerequisites

NightSkies User Guide.

Equipment Familiarization

NightSkies User Guide.

4.   Operation

4.1   Configuration

unless specified otherwise.

.password.

• Enable date: date after which implant is enabled.

Limit: maximum number of cautious boots before uninstall.

• Beacon URL: This is the URL the beacon will attempt to download.

• Client ID: this is a unique identifier for the implant.

Time interval since last successful LP communication before uninstall.

• Minimum Delay between beacons in seconds.

• Failsafe attempt: beacon without network checks.

• Maximum Delay: if failsafe is enabled, this is the maximum amount of time in seconds we wait before attempting a failsafe beacon.

• Applications used to detect activity.

4.2   Installation and Setup

DarkSeaSkies is installed from a bootable flash drive. The following instructions detail how to make the installation flash drive from any Apple computer running Mac OSX 10.5 (Leopard).

1. Format flash drive:

Select the flash drive; click on the “Partition” tab; select “1 Partition” under “Volume Scheme”; click “Options” button; select “GUID Partition Table” radio button; edit “Name” field appropriately; select “Mac OS Extended (journaled)” as the “Format”; click “Apply”.

2. Copy Installer EFI file to the flash drive.

> cp I.efi /Volumes/I/I.efi

3. Bless the Installer EFI file on the flash drive.

> sudo bless --folder /Volumes/I/ --file /Volumes/I/I.efi --bootinfo

The following message is expected and not an error.

Can't load /Volumes/I//usr/standalone/ppc/bootx.bootinfo

4. Eject the flash drive.

> diskutil eject /Volumes/I

5. Insert the flash drive into the target.

implant GUID then the implant will be updated.

NightSkies User Guide.

Initiating a Session

NightSkies User Guide.

Stopping and Suspending Work

NightSkies User Guide.

4.5   Contingencies and Alternate States and Modes of Operation

> nvram $(cat

variable and their meanings are also described in section 3.1.

variable will not exist in the case that the target was booted to an OS other than Mac OSX 10.5 or to an EFI application such as Refit.

> nvram $(cat limit.guid):$(cat limit.name)=%xx%xx%xx

2.

is written to NVRAM. On the next boot DarkSeaSkies will be un-installed.

Problem Reporting

Contact NCS/IOC/EDG/AED/UDB for assistance.

5.   Additional Operational Procedures (Not Applicable)

System Backup and Restore (Not Applicable)

Troubleshooting

Configuration variable with the following command:

> sudo nvram -d $(cat config.guid):$(cat config.name)

This should be followed by a reboot.

8.   Error Messages

NVRAM variable. See section 3.1 for more information.

9.   Notes

9.1   Acronyms/Abbreviations

The Acronyms/Abbreviations used in this document are shown in Table 9.1-1.

Acronyms/Abbreviations


9.2   Definitions

Definitions of common terms used within this document may be found in the Engineering Development Group Program Management Lexicon.

The terms and definitions unique to this document are shown in Table 9.2-2.

Table 9.2-2 Definitions
