TOP SECRET // COMINT
Communications Security Establishment Canada / Centre de la sécurité des télécommunications Canada

Pay attention to that man behind the curtain:
Discovering aliens on CNE infrastructure

CSEC Counter-CNE
Target Analytics thread, SIGDEV Conference
NSA, June 2010

Safeguarding Canada's security through information superiority
The need for Counter-CNE...
• Foreign and friendly actors are often encountered
• CNE operators do not pursue them beyond their targets
• Reporting groups need to be made aware
• OPSEC evaluation is needed
• Active pursuit of CNE actors: a different ballgame
Outline
• Introduction: CCNE at CSEC
• CCNE tools and methods
• SNOWGLOBE
• De-confliction
CCNE Group at CSEC
• Part of CSEC CNE operations (KO)
• Recently formed matrix team
• Analysts and operators from CNE Operations, IO Reporting Lines and Global Network Detection
• Mandate:
  - Provide situational awareness to CNE operators
  - Discover unknown actors on existing CNE targets
  - Detect known actors on covert infrastructure
  - Pursue known actors through CNE
  - Review OPSEC of CNE operations
CCNE team
[Diagram: the team's functions, with "Understand foreign CNE actors" at the centre. Labels: Reverse engineering; Target development; Active collection; Foreign CNE persona; Passive collection; Develop collection signatures.]
CNE Toolkit: WARRIORPRIDE
• WARRIORPRIDE (WP):
  - Scalable, flexible, portable CNE platform
  - Unified framework within CSEC and across the 5-eyes
  - Do more with less effort
• Common framework for sharing code/plugins across the 5-eyes
• WARRIORPRIDE is an implementation of the "WZOWSKI" 5-eyes API
  - WARRIORPRIDE@CSE/etc. == DAREDEVIL@GCHQ
• WARRIORPRIDE:
  - XML command output to operators
  - Several plugins used for machine recon / OPSEC assessment
WARRIORPRIDE
[Screenshot: "Command Prompt - U_Base" operator console]
    pink!localhost> clist peer
    pink!localhost> rtlist
    pink!localhost> sllist plugin
    pink!localhost> ?
    pink!localhost> sllist persistent
    pink!localhost> sllist store
    pink!localhost> cgetimplantid
  Output:
    Transaction Id: 138546
    Core storage files for implant 127.0.0.1
    PluginStore: c:\Temp\~DF3BE9.tmp
    ConfigStore: c:\Temp\configFileSys.sys
  Annotation (truncated in the capture): "Note that the ... command does not list plugi..."
[Diagram: LP-side plugin <-- comms --> implant-side plugin, the implant side labelled "real work"]
WARRIORPRIDE plug-ins and output
• Several WP plugins are useful for CCNE:
  - Slipstream: machine reconnaissance
  - ImplantDetector: implant detection
  - RootkitDetector: rootkit detection
  - Chordflier / U ftp: file identification / retrieval
  - NameDropper: DNS
  - WormWood: network sniffing and characterization
• Already used for CNE OPSEC
• Used for precise identification and heuristics
WP xml output (raw)
    <?xml version="1.0" encoding="UTF-8"?>
    <response xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:noNamespaceSchemaLocation="U_FileCollectorLp/U_FileCollectorLp_2.15.xsd">
      <implantId>51.1.2.160</implantId>
      <transaction>
        <transactionSource>50.0.0.101</transactionSource>
        <transactionId>320453</transactionId>
      </transaction>
      <timestamp>
        <TLT>2010-02-23T15:53:06.366</TLT>
        <UTC>2010-02-23T15:47:43.448</UTC>
      </timestamp>
      <errors>
        <errorPlugin>0</errorPlugin>
        <errorOs>0</errorOs>
      </errors>
      <commandInfo>fcstart</commandInfo>
      <responseDetails>
        <fcstart>
          <status>Success</status>
          <standbyMode>FALSE</standbyMode>
        </fcstart>
      </responseDetails>
    </response>
WP SLIPSTREAM output (parsed)
[2010/05/18 - 16:28:05 (UTC)] Transaction Id: 582966 U_SLIPSTREAM - <ssservices> ImplantId: <51.8.1.13> Timestamp (UTC): 2010/02/09 06:42:42
PAGE : 1 of 1
PID  | Service Name | Status  | Startup Type | Service Process Type | Display Name                                       | Binary Path
924  | AeLookupSvc  | RUNNING | AUTOMATIC    | SHARED               | Application Experience Lookup Service              | C:\WINDOWS\system32\svchost.exe -k netsvcs
0    | Alerter      | STOPPED | DISABLED     | SHARED               | Alerter                                            | C:\WINDOWS\system32\svchost.exe -k LocalService
3184 | ALG          | RUNNING | MANUAL       | OWN PROCESS          | Application Layer Gateway Service                  | C:\WINDOWS\System32\alg.exe
0    | AppMgmt      | STOPPED | MANUAL       | SHARED               | Application Management                             | C:\WINDOWS\system32\svchost.exe -k netsvcs
924  | AudioSrv     | RUNNING | AUTOMATIC    | SHARED               | Windows Audio                                      | C:\WINDOWS\System32\svchost.exe -k netsvcs
0    | BITS         | STOPPED | MANUAL       | SHARED               | Background Intelligent Transfer Service            | C:\WINDOWS\system32\svchost.exe -k netsvcs
0    | Browser      | STOPPED | AUTOMATIC    | SHARED               | Computer Browser                                   | C:\WINDOWS\system32\svchost.exe -k netsvcs
1028 | ccEvtMgr     | RUNNING | AUTOMATIC    | SHARED               | Symantec Event Manager                             | "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon
1028 | ccSetMgr     | RUNNING | AUTOMATIC    | SHARED               | Symantec Settings Manager                          | "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon
1708 | Cissesrv     | RUNNING | AUTOMATIC    | OWN PROCESS          | HP Smart Array SAS/SATA Event Notification Service | "C:\Program Files\HP\Cissesrv\cissesrv.exe"
0    | CiSvc        | STOPPED | DISABLED     | SHARED               | Indexing Service                                   | C:\WINDOWS\system32\cisvc.exe
0    | ClipSrv      | STOPPED | DISABLED     | OWN PROCESS          | ClipBook                                           |
WP SLIPSTREAM output (parsed)... drivers
[2010/05/18 - 16:28:06 (UTC)] Transaction Id: 582968 U_SLIPSTREAM - <ssdrivers> ImplantId: <51.8.1.13> Timestamp (UTC): 2010/02/09 06:42:43
PAGE : 1 of 1
Columns: SCM | Driver Name | Status | Startup Type | Driver Type | Display Name | Binary Path (only Driver Name, Status and Binary Path are legible in this capture)
Driver Name  | Status  | Binary Path
ntoskrnl.exe | RUNNING | C:\WINDOWS\system32\ntoskrnl.exe
hal.dll      | RUNNING | C:\WINDOWS\system32\hal.dll
KDCOM.DLL    | RUNNING | C:\WINDOWS\system32\KDCOM.DLL
BOOTVID.dll  | RUNNING | C:\WINDOWS\system32\BOOTVID.dll
ACPI.sys     | RUNNING | ACPI.sys
WMILIB.SYS   | RUNNING | C:\WINDOWS\system32\DRIVERS\WMILIB.SYS
pci.sys      | RUNNING | pci.sys
isapnp.sys   | RUNNING | isapnp.sys
pciide.sys   | RUNNING | pciide.sys
PCIIDEX.SYS  | RUNNING | C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
MountMgr.sys | RUNNING | MountMgr.sys
ftdisk.sys   | RUNNING | ftdisk.sys
dmload.sys   | RUNNING | dmload.sys
dmio.sys     | RUNNING | dmio.sys
volsnap.sys  | RUNNING | volsnap.sys
REPLICANTFARM
• Extend WP output to a signature-based system: REPLICANTFARM
• Module-based parser/alert system running on real-time CNE operational data
• Custom, module-based analysis:
  - Actors
  - Implant technology
  - Host-based signatures
  - Network-based signatures
REPLICANTFARM Example
[Screenshot: "CCNE/Opsec WPID Alerts" web interface (Firefox, internal host http://obelix/)]
Search form notes: the search is done with the fields as Perl regular expressions; dot (.) is a single-character wildcard and dot-star (.*) means any number of characters. Examples: single WPID 51\.8\.1\.13; class C WPID 51\.8\.1\..*. Fields: WPID, Infrastructure, Regexp, Module Regexp, Type, Date; Submit Query.
Module list: one Perl module per check, named mod_<number>_<actor tag>_<name>.pl. Legible entries include mod_100_MM_SHEPHERD.pl, mod_101_MM_CARBON.pl, mod_103_MM_DOGHOUSE.pl, mod_104_MM_WALKER.pl, an AF_ALOOFNESS module, the generic modules mod_12_system32var.pl, mod_16_recyclerexe.pl, mod_19_kernelcloaking.pl and mod_22_ntuninstalluse.pl, and a UNK_DIESELRATTLE module; the rest of the list is not legible.
Alert shown:
  Module: mod_103_MM_DOGHOUSE.pl   Date: 2010-01-21T15:36:39.968   Tag: MM
  File name: ../datastore/archive/2010/01/21/15/... (truncated)
  Details: Possible MM DOGHOUSE driver file: C:\WINNT\$NtUninstallQ244598$\... (several files under that hotfix-uninstall directory, including netbt.sys)
  --PULLEDPORK--
[Screenshot: "CCNE/Opsec Mondumpprtracker viewer" (Firefox, internal host http://obelix/)]
Notes on the form: the search is done on the WPID with a simple wildcard and on the command lines with a Perl regexp. A value of * in a WPID indicates that class is a wildcard: single WPID 51.8.1.13; class B WPID 51.8.*.*; class C WPID 51.8.1.*. The Regexp is a Perl regular expression applied to the command lines; only command lines satisfying it are displayed. The negated Regexp shows only command lines NOT satisfying it.
Result table (columns: proc | cmdline | parent | wpid | last seen) for WPID 51.8.1.13: Symantec Endpoint Protection and LiveUpdate processes (LuCallbackProxy.exe with CLSID arguments, LUCOMS~1.EXE, luall.exe), MDaemon mail-server processes under C:\MDaemon\APP (account pruning, list pruning, SpamAssassin runs over C:\MDaemon\PUBLIC~1\BAYESI~1 and SPAM~1), cmd.exe, helpsvc.exe and rundll32.exe; last-seen dates 2010-05-22 to 2010-05-24.
REPLICANTFARM generic modules
• Cloaked
• Recycler
• Rar password
• Tmp executable
• Packed
• PEB modification
• Privileges
• MS pretender
• System32 variables
• Strange DLL extensions
• Kernel cloaking
• Schedule at
• NtUninstall execution
• Hidden
Other ideas....
Generic modules : example
    # Generic "MS pretender" module: a legitimate Windows binary name with 1-3
    # characters appended (svchost32.exe, lsass1.exe, ...). The patterns are
    # unanchored Perl regexes; xml_isProcessRunning is REPLICANTFARM's helper
    # that returns the running processes matching any of them.
    my @runningProcs = xml_isProcessRunning( $xml,
        'svchost.{1,3}\\.exe',  'winlogon.{1,3}\\.exe', 'services.{1,3}\\.exe',
        'lsass.{1,3}\\.exe',    'spoolsv.{1,3}\\.exe',  'autochk.{1,3}\\.exe',
        'logon.{1,3}\\.scr',    'rundll32.{1,3}\\.exe', 'chkdsk.{1,3}\\.exe',
        'chkntfs.{1,3}\\.exe',  'logonui.{1,3}\\.exe',  'ntoskrnl.{1,3}\\.exe',
        'ntvdm.{1,3}\\.exe',    'rdpclip.{1,3}\\.exe',  'taskmgr.{1,3}\\.exe',
        'userinit.{1,3}\\.exe', 'wscntfy.{1,3}\\.exe',  'tcpmon.{1,3}\\.dll' );

    foreach my $runningProc (@runningProcs) {
        $alertText .= "Suspicious process detected, legitimate exe name appended with string: "
                    . $runningProc . "\n";
    }
RF specific signatures
• KNOWN actor filenames, processes, covert
  - MAKERSMARK / FANNER
  - SEEDSPHERE / BYZANTINE
  - ALOOFNESS
  - SNOWGLOBE
  - VOYEUR
  - SUPERDRAKE
  - GOSSIPGIRL
• Infrastructure
  - Known IP addresses
  - Known DNS queries
• Other tools
Specific signatures : example
    # Check whether known MM CARBON drivers/files are present; xml_isDriverPresent
    # is REPLICANTFARM's helper returning the matching driver entries.
    my @driversPresent = xml_isDriverPresent( $xml,
        'usbdev\\.sys', 'acpimem32\\.sys', 'usblink32\\.exe',
        '\\$NtUninstallQ722833\\$' );

    foreach my $driver (@driversPresent) {
        $alertText .= "Possible MM CARBON driver detected: " . $driver . "\n";
    }
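The same two kinds of module in Python, added here as an example (it is not CSEC's Perl code and does not use its xml_isProcessRunning / xml_isDriverPresent helpers): the generic name-masquerade heuristic from the previous slide, three of the generic modules from the "generic modules" list (Recycler, tmp executable, NtUninstall execution) and the MM CARBON file signature from this one, run over constructed process and driver records. The record keys (`name`, `path`), the module labels and the sample data are this example's assumptions; the regexes for MM CARBON are the four on the slide.

```python
"""REPLICANTFARM-style host signature modules over parsed recon records (added example)."""
import re

# Generic "MS pretender": a legitimate binary stem with 1-3 characters appended.
# Anchored here so that the exact legitimate name (svchost.exe) does not match.
LEGIT_STEMS = ["svchost", "winlogon", "services", "lsass", "spoolsv", "autochk",
               "rundll32", "chkdsk", "chkntfs", "logonui", "ntoskrnl", "ntvdm",
               "rdpclip", "taskmgr", "userinit", "wscntfy"]
MASQUERADE_RE = re.compile(r"^(?:" + "|".join(LEGIT_STEMS) + r").{1,3}\.exe$", re.IGNORECASE)

# Generic location modules: code running out of the Recycler, a temp directory,
# or a $NtUninstallKBnnnnnn$ hotfix-backup directory.
SUSPICIOUS_DIR_RES = {
    "recycler execution": re.compile(r"\\RECYCLER\\", re.IGNORECASE),
    "tmp executable": re.compile(r"\\(?:TEMP|TMP)\\[^\\]+\.(?:exe|dll|sys)$", re.IGNORECASE),
    "ntuninstall execution": re.compile(r"\\\$NtUninstall[^\\]*\$\\", re.IGNORECASE),
}

# Specific module: the MM CARBON names from the slide.
MM_CARBON_RES = [re.compile(p, re.IGNORECASE) for p in (
    r"usbdev\.sys$", r"acpimem32\.sys$", r"usblink32\.exe$", r"\\\$NtUninstallQ722833\$")]


def generic_masquerade(procs):
    """Alert on processes whose image name is a legitimate stem plus 1-3 characters."""
    return [f"Suspicious process detected, legitimate exe name appended with string: {p['name']}"
            for p in procs if MASQUERADE_RE.match(p["name"])]


def generic_paths(procs):
    """Alert on processes executing from a suspicious directory."""
    alerts = []
    for p in procs:
        for label, rx in SUSPICIOUS_DIR_RES.items():
            if rx.search(p["path"]):
                alerts.append(f"{label}: {p['path']}")
    return alerts


def mm_carbon(drivers):
    """Alert on driver entries matching the MM CARBON signature set."""
    return [f"Possible MM CARBON driver detected: {d['path']}"
            for d in drivers if any(rx.search(d["path"]) for rx in MM_CARBON_RES)]


def run_modules(procs, drivers):
    return generic_masquerade(procs) + generic_paths(procs) + mm_carbon(drivers)


# Constructed sample records in the shape a SLIPSTREAM parser might emit (not real data).
SAMPLE_PROCS = [
    {"name": "svchost.exe",   "path": r"C:\WINDOWS\system32\svchost.exe"},
    {"name": "svchost32.exe", "path": r"C:\WINDOWS\system32\svchost32.exe"},
    {"name": "rar.exe",       "path": r"C:\RECYCLER\S-1-5-21-1\rar.exe"},
    {"name": "upd.exe",       "path": r"C:\WINDOWS\TEMP\upd.exe"},
    {"name": "lsass.exe",     "path": r"C:\WINDOWS\system32\lsass.exe"},
]
SAMPLE_DRIVERS = [
    {"name": "ACPI.sys",      "path": r"C:\WINDOWS\system32\DRIVERS\ACPI.sys"},
    {"name": "acpimem32.sys", "path": r"C:\WINDOWS\system32\DRIVERS\acpimem32.sys"},
    {"name": "netbt.sys",     "path": r"C:\WINNT\$NtUninstallQ722833$\netbt.sys"},
]

if __name__ == "__main__":
    for line in run_modules(SAMPLE_PROCS, SAMPLE_DRIVERS):
        print(line)
```

The "tmp executable" and Recycler checks are heuristics in the sense the slides use: installers and archivers legitimately run from TEMP, so they are triage leads to pair with the specific signatures, not verdicts on their own.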
Operations
• Routine operations for CCNE investigations on current targets:
  - Execution of OPSEC-related plugins
  - Collection of files
  - Examination of network activity
• Blanket approvals for addition of selectors to level 4 OPs against known actors: example WATERMARK operations against MAKERSMARK
• Standard operating procedures for level 2 to level 4 operations against foreign CNE actor infrastructures
CCNE / OPSEC page on 5-Eyes KLSVN Wiki
• Contains reverse engineering reports for CNE / IO consumption
• Even logs and notes for several actors
CCNE operations - Covert Infrastructure
• Some fusion of the WP and CCNE infrastructures
  - Dedicated ORB for CCNE
  - Unattributed dialups to the ORB
• Philosophy: use low-hanging fruit against the actors (public exploits and tools if available)
• Discussions regarding repurposing of foreign toolkits
• De-confliction
SNOWGLOBE
• Provide the historical account of the activity on DOUR MAGNUM (Imam Hussein University)
• Implant identified while investigating another unattributed actor
• rar archiving of emails on target
• Beaconing using HTTP to a PHP-based listening post
[Screenshot: "CCNE/Opsec WPID Alerts" (Firefox), the SNOWGLOBE alerts on DOUR MAGNUM]
  Module: mod_700_SG_CHOCOPOP.pl   Date: 2009-09-30T10:18:41.906   Tag: SG
  File name: datastore/archive/2009/09/30/10/... (truncated)
  Details: fourteen "Possible SNOWGLOBE CHOCOPOP process detected" entries, each a cmd.exe /C invocation of rar.exe from c:\RECYCLER\S-1-5-21-101796669-4102346875-220983236-500\, archiving MDaemon user mailboxes (c:\MDAEMON\Users\...) into temp\168.rar, temp\166.rar or C:\WINDOWS\TEMP\166.rar with the switches a -r -inul -hplockless -ap<mailbox user> -tn1d
  ==DOUR MAGNUM==
SNOWGLOBE on target
Possible SNOWGLOBE CHOCOPOP process detected:
    cmd.exe /C ""c:\RECYCLER\S-1-5-21-101796669-4102346875-220983236-500\rar.exe" a -r -inul -hplockless -aprfeghhi -tn1d temp\168.rar c:\MDAEMON\Users\ihu.ac.ir\rfeghhi\md5*.msg">nul
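A parser that turns that command line into the facts an analyst wants recorded (where rar ran from, the archive password, the path prefix inside the archive, the age filter, which mailbox was collected), plus the CHOCOPOP-style check built on it. This is an added example, not CSEC code or REPLICANTFARM's mod_700_SG_CHOCOPOP.pl; the sample is the slide's command line with OCR damage repaired, and the switch meanings are rar's documented ones (-hp<pwd> encrypts file data and headers, -ap<path> sets the path inside the archive, -tn<time> selects only files newer than <time>, -inul disables messages, -r recurses). The cmd.exe wrapper handling and the record layout are this example's own assumptions.

```python
"""Extract collection details from a CHOCOPOP-style rar command line (added example)."""
import re

# The command line from the slide, reconstructed (constructed sample input).
SAMPLE_CMDLINE = (
    r'cmd.exe /C ""c:\RECYCLER\S-1-5-21-101796669-4102346875-220983236-500\rar.exe"'
    r' a -r -inul -hplockless -aprfeghhi -tn1d temp\168.rar'
    r' c:\MDAEMON\Users\ihu.ac.ir\rfeghhi\md5*.msg">nul'
)

# `cmd.exe /C "<inner command>"`, optionally redirected to nul (assumed wrapper shape).
_CMD_WRAPPER = re.compile(r'^\s*cmd(?:\.exe)?\s+/c\s+"(.*)"\s*(?:>\s*nul)?\s*$',
                          re.IGNORECASE | re.DOTALL)
# rar switches whose argument is glued on; longer names before their prefixes.
_VALUE_SWITCHES = ("hp", "ap", "tn", "to", "p")


def unwrap_cmd(cmdline: str) -> str:
    m = _CMD_WRAPPER.match(cmdline)
    return m.group(1) if m else cmdline


def win_split(s: str) -> list:
    """Split on whitespace honouring double quotes; backslashes are path separators."""
    toks, cur, inq = [], [], False
    for ch in s:
        if ch == '"':
            inq = not inq
        elif ch.isspace() and not inq:
            if cur:
                toks.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        toks.append("".join(cur))
    return toks


def parse_rar_cmdline(cmdline: str) -> dict:
    toks = win_split(unwrap_cmd(cmdline))
    if len(toks) < 2 or not toks[0].lower().endswith("rar.exe"):
        raise ValueError("not a rar invocation")
    info = {"rar_path": toks[0], "command": toks[1], "switches": {}, "flags": [],
            "archive": None, "sources": []}
    positional = []
    for tok in toks[2:]:
        if tok.startswith("-") and len(tok) > 1:
            body = tok[1:]
            for sw in _VALUE_SWITCHES:
                if body.startswith(sw):
                    info["switches"][sw] = body[len(sw):]
                    break
            else:
                info["flags"].append(body)
        else:
            positional.append(tok)
    if positional:
        # For "rar a", the first positional is the archive, the rest are sources.
        info["archive"], info["sources"] = positional[0], positional[1:]
    return info


def looks_like_chocopop(cmdline: str) -> bool:
    """The traits on the slide: rar run out of the Recycler with header-encrypting -hp."""
    try:
        info = parse_rar_cmdline(cmdline)
    except ValueError:
        return False
    return "\\recycler\\" in info["rar_path"].lower() and "hp" in info["switches"]


if __name__ == "__main__":
    for k, v in parse_rar_cmdline(SAMPLE_CMDLINE).items():
        print(f"{k}: {v}")
    print("chocopop-like:", looks_like_chocopop(SAMPLE_CMDLINE))
```

The -hp password recovered this way is what lets an analyst open archives retrieved from the target (the "Rar password" generic module on the earlier slide is the same idea applied broadly), and -tn1d tells you the actor was collecting only the last day's mail on each run.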
SNOWGLOBE implant
• Injects itself into svchost.exe
• No cloaking / no hooking
• Bootstraps in a service called MSDTC64 (Distributed Transaction Coordinator 64b)
• Service entry is permanent
• Executable kept on disk in system32
• Crypto: 16-byte string XOR
• HTTP beacons and tasking
• Actor observed upgrading on target
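What a 16-byte XOR string buys an implant, and what it costs it: with one key period of known plaintext at any offset, the whole key falls out and every beacon decrypts. The block below is an added illustration of that property, not CSEC's or the implant's code; the key, the beacon layout and the crib are constructed here and say nothing about SNOWGLOBE's real traffic format.

```python
"""Repeating-key XOR with a 16-byte key, and key recovery from a crib (added example)."""


def xor_repeat(data: bytes, key: bytes) -> bytes:
    """Encrypt or decrypt (same operation) with a repeating key."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertext: bytes, crib: bytes, offset: int, key_len: int = 16) -> bytes:
    """Recover the full key from key_len contiguous known plaintext bytes at `offset`.

    c[i] = p[i] ^ k[i % key_len], so k[i % key_len] = c[i] ^ p[i]; one full period
    of known plaintext, starting anywhere, yields every key byte.
    """
    if len(crib) < key_len:
        raise ValueError(f"need at least {key_len} bytes of known plaintext")
    if offset + key_len > len(ciphertext):
        raise ValueError("crib runs past the end of the ciphertext")
    key = bytearray(key_len)
    for j in range(key_len):
        key[(offset + j) % key_len] = ciphertext[offset + j] ^ crib[j]
    return bytes(key)


# Constructed sample: a 16-byte key and a beacon whose leading field an analyst can
# guess because it carries the implant's own identifier (assumed layout, not real).
KEY = bytes.fromhex("7a3c91e4d20f5b68c7a1193e44f0ab5d")
BEACON = b"id=51.8.1.13;ver=2;host=MAILSRV;task=none\n"


def decrypt_with_crib(ciphertext: bytes, crib: bytes, offset: int) -> bytes:
    """Recover the key from the crib, then decrypt the whole message."""
    return xor_repeat(ciphertext, recover_key(ciphertext, crib, offset))


def demo() -> bytes:
    ct = xor_repeat(BEACON, KEY)
    return decrypt_with_crib(ct, b"id=51.8.1.13;ver", offset=0)


if __name__ == "__main__":
    print(demo().decode())
```

With a crib shorter than the key period only the covered key positions are recovered, which is why the recovery function insists on a full period; in practice the gap is filled from a second crib at a different offset, or from the fixed beacon fields that repeat from one check-in to the next.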
SNOWGLOBE activity and attribution
• Targeting is scarce but resembles CT / CP priorities
• French localisation seen in exploit PDFs (GCHQ)
• French commentary in the binary
• French binary name / developer path
• Observed in Iran, Norway, Greece, Belgium, Algeria, France, US targets
• Listening posts worldwide, several on legitimate French sites
• Now seen in passive collection, several reports
De-confliction: on CCNE operations
• State-sponsored landscape is very busy
• CCNE targets are de-conflicted
• Actors on CCNE targets are not
• Covert nature of foreign (and friendly) actors makes de-confliction challenging
• Often need to refer to precise technology for identification
• CNE / CCNE from SIGINT + HUMINT need to get together on this issue
De-confliction FAIL
• Actor discovered: 5-eyes effort
• Several cohabitations
• At CSEC: 400 man-hours:
  - Over 20 CNE operations
  - Passive collection
  - 4 reports
  - Reverse engineering
  - Planning of active operations
[Diagram (TS//SI//REL): implant stages S0 -> S1 -> S2 across the kernel/user boundary; labels: driver, unpack, winlogon, decrypt file, CMD / HTTP out to the Internet, Implant, DEV]
Conclusion
• CCNE effort essential to the national cyber mandate:
  - CNE situational awareness
  - New actor discovery
  - Tracking known actors
• Several new actors discovered using this process
• De-confliction needs to be improved
CCNE contacts