Network Infrastructure

TORNSTEAK is a persistence solution for two firewall devices from a particular vendor. We need to port TORNSTEAK from the existing two firewalls to several more from the same vendor. This persistence effort would use one’s reverse engineering, computer architecture, “C” programming and assembly language coding skills.

Read ► Persistence Division

STYLISHCHAMP

STYLISHCHAMP is a tool that can create an HPA on a hard drive and then provide raw reads and writes to this area. This tool should incorporate the latest TWISTEDKILT code so that it can support SATA drives. This will allow SWAP to be used on newer systems. Currently, only IDE drives are supported.

Read ► Persistence Division, ► Windows Tools

CENTRICDUD

CENTRICDUD is a tool to read and write bytes in the CMOS. It needs to be rewritten and productized so that it can be incorporated into a proper UR plug-in. The driver associated with this tool also needs to be redone, as it is being flagged by PSPs for unknown reasons. This tool is used both by the BIOS team and by the IT Geo team.

Read ► Persistence Division, ► Windows Tools

WISTFULTOLL

WISTFULTOLL is the premiere target survey tool for Windows that runs on almost all targets automatically. It brings back information about the target system’s machine and operating system that is invaluable for both the Persistence Division and analysts enterprise wide. New features need to be added to WISTFULTOLL, and the tool itself needs to be refactored.

Read ► Persistence Division, ► Windows Tools

GOPHERRAGE

GOPHERRAGE is a project that seeks to develop a hypervisor implant that would leverage both AMD and Intel’s virtualization technology in order to provide both DNT implant persistence capabilities and a persistent back door.

Develop a hypervisor implant that would leverage both Intel’s and AMD’s virtualization technology in order to provide both DNT implant persistence capabilities and persistent back door access. The idea would be similar to what BERSERKR can do from SMM, in that it should be able to use “the machine’s network interface card (NIC) to communicate independently of the host operating system (OS)”. This hypervisor implant should also have full read/write access to host memory, so it will be possible to change Host OS behavior in ways that could allow code execution, OS injection, system survey, VM break-in, etc.

GOPHERRAGE is the Persistence Division’s pilot program to apply industry best practices and agile development processes to internal projects. To this end, the project is managed via the Scrum process. Test Driven Development (TDD) practices are used as well, in an effort to reduce code defects. The project is also looking to incorporate ideas from DNT, such as their SCube build environment.

Read ► Persistence Division

BERSERKR

BERSERKR is a persistent backdoor that is implanted into the BIOS and runs from SMM. Although the core of the code is stable, there are always new requirements against which to develop. These include new network interface card parasitic drivers as well as applications. (TS//SI//REL) Some notable applications that need development:

  • KIRKBOMB — Windows kernel examination to detect loaded drivers as well as running processes. There is a prototype which works on Windows 7; this needs to work on XP and 2008, including 64-bit systems.
  • SODAPRESSED — Linux application persistence. Given a running installation of Linux, install some application or inject something into memory which will. This currently works on certain versions of Linux without SELinux enabled.

There may also be requirements in the near future for:

  • A collection tool that runs from BERSERKR.

Read ► Persistence Division