Vault7: CIA’s SSH sniffer – BothanSpy

Few days ago, WikiLeaks published the next CIA leak in their Vault7 series. This time it’s BothanSpy – a keylogger and traffic sniffer for SSH clients running on Windows or Linux (RHEL, CentOS, Debian, etc) machines.

New client + library

The software itself is a modified ssh client + library, and two python scripts doing the actual work. This means, that the attacker needs direct access to the server to be able to modify the basic system files – or force the admin to install a root kit containing the malware. After installation, BothanSpy will create an encryped file containing all username and passwords you typed in when logging in to other servers. The encrypted data containing your logins needs to be downloaded later, then decrypted and analysed.

More Windows?

From my point of view, this software mainly attacks Windows systems, as modern Linux distributions contain own security software like SELinux. Besides, any regular SSH software upgrade would overwrite the “hacked” version with the regular one. As the software targets Xshell on Windows machines, which would not be upgraded by regular system process, the chances to collect larger ammount of passes is higher on Windows machines – even facing the fact that SSH is more commonly used on Linux.

Second besides – I personally use key-based logins on many servers, making this attack/malware totaly useless.