(U) Hive 2.9.1 User's Guide
(U) Appendix B: Release Notes
• Fixes a Solaris bug that terminated operator access after closing a shell opened by the ILM
• Removes string definitions used to obfuscate debug code that was not needed in Hive releases, but that could be revealing if found.
• This release of Hive primarily addresses forensic issues identified in an analysis performed by IOC/AFD on Hive version 2.5 and documented in their report of October 26, 2012 (AFD-2012-0973-2). Hive 2.6 changes the common trigger encoding along with the encoding scheme for raw TCP and UDP triggers.
• The SSL server certificates used with the Hive client (command and control) are now read from files rather than being hard-coded into the client. In addition, the Diffie-Hellman parameters used to establish the SSL connections have been changed.
• Fixes a bug in the 2.5 code, also carried into 2.5.1, that could lead to premature self-deletion of the implant.
• Modifies all MikroTik, Linux, and Solaris code so that any successful beacon or trigger also creates a /var/.config timer file if it does not already exist. Note that the trigger listening function will automatically self-delete the executable if it discovers that the /var/.config file does not exist. If a self-delete occurs, the normally empty /var/.config will contain a time stamp of when the self-delete actually occurred, in yymmddHHMMSS format. Previous versions would allow the executable to stay on the box but would stop the process whenever the /var/.config file was removed. Version 2.4's Caution for Solaris shells still applies. A new Hive updating script called hiveReset_v1_0.py was added, which also resets the self-delete timer for all Linux, MikroTik, and Solaris devices.
• Allows the operator to change the self-delete timer from the previously hard-coded setting of 60 days. The delay option's type was changed from int to long to enable longer delays before the first beacon. A hiveUpdater.py script was added to allow remote updates of Hive implants on Linux, Solaris, and MikroTik routers. Version 2.4's Caution for Solaris shells still applies.
• Allows full shell-open capability on all boxes. On Solaris boxes, operators are cautioned to close any shells they open at the end; otherwise, when a Solaris shell is closed, the trigger session is also closed. This code should remove MikroTik "spillage" problems in beacons. Setting the beacon's initial delay to 0 with the -d option (i.e., -d 0) also stops all beacons.
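The /var/.config behaviour described in the notes above (an empty timer file while the implant is present, a yymmddHHMMSS time stamp once a self-delete has fired) is an artifact an incident responder can check for on a mounted disk image. The following Python is an added example, not part of the User's Guide or of the Hive code itself; it assumes the stamp is written as plain ASCII digits, and the sample marker contents it builds are constructed for the demonstration.

```python
import tempfile
from datetime import datetime
from pathlib import Path

# Time stamp format the release notes give for a recorded self-delete: yymmddHHMMSS
SELF_DELETE_STAMP_FMT = "%y%m%d%H%M%S"


def classify_marker(contents: bytes) -> dict:
    """Interpret the contents of a /var/.config marker file.
    empty          -> timer file present; implant has not self-deleted
    12-digit stamp -> self-delete occurred at that (host-local) time
    anything else  -> not the artifact described in the release notes"""
    text = contents.decode("ascii", errors="replace").strip()
    if not text:
        return {"state": "timer_present", "self_deleted_at": None}
    if len(text) == 12 and text.isdigit():
        try:
            when = datetime.strptime(text, SELF_DELETE_STAMP_FMT)
        except ValueError:  # all digits but not a valid date, e.g. month 13
            return {"state": "unrecognized", "self_deleted_at": None}
        return {"state": "self_deleted", "self_deleted_at": when.isoformat()}
    return {"state": "unrecognized", "self_deleted_at": None}


def triage_image(root: str) -> dict:
    """Look for the marker under a mounted image or live filesystem rooted at `root`."""
    marker = Path(root) / "var" / ".config"
    if not marker.is_file():
        return {"state": "absent", "self_deleted_at": None}
    return classify_marker(marker.read_bytes())


def demo() -> list:
    """Run triage_image over three constructed mini-images (not real evidence):
    no marker at all, an empty timer file, and a recorded self-delete stamp."""
    results = []
    for contents in (None, b"", b"121026143000\n"):
        with tempfile.TemporaryDirectory() as root:
            if contents is not None:
                var = Path(root) / "var"
                var.mkdir()
                (var / ".config").write_bytes(contents)
            results.append(triage_image(root))
    return results


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The stamp carries no time zone, so the recovered time is in whatever clock and zone the host was running; correlate it against other host time sources before relying on it.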
For earlier history, please refer to prior User's Guides.