Pay attention to that man behind the curtain: Discovering aliens on CNE infrastructure (CSEC Counter-CNE, Target Analytics thread, SIGDEV Conference, June 2010; TOP SECRET // COMINT; 30-slide deck, copy via Electronic Frontier Foundation)

Upload: nguyentruc

Post on 07-Mar-2019


TOP SECRET // COMINT

Communications Security Establishment Canada / Centre de la sécurité des télécommunications Canada

Pay attention to that man behind the curtain:

Discovering aliens on CNE infrastructure

CSEC Counter-CNE

Target Analytics thread, SIGDEV Conference, NSA, June 2010

Safeguarding Canada's security through information superiority / Préserver la sécurité du Canada par la supériorité de l'information

The need for Counter-CNE...

• Foreign and friendly actors often encountered
• CNE operators do not pursue them beyond their targets
• Reporting groups need to be made aware
• OPSEC evaluation is needed
• Active pursuit of CNE actors: a different ballgame

Outline

• Introduction: CCNE at CSEC
• CCNE tools and methods
• SNOWGLOBE
• De-confliction

CCNE Group at CSEC

• Part of CSEC CNE operations (KO)
• Recently formed matrix team
• Analysts and operators from CNE Operations, IO Reporting Lines and Global Network Detection
• Mandate:
  - Provide situational awareness to CNE operators
  - Discover unknown actors on existing CNE targets
  - Detect known actors on covert infrastructure
  - Pursue known actors through CNE
  - Review OPSEC of CNE operations

CCNE team

[Diagram of team functions; legible labels: Reverse engineering; Target development; Active collection; Passive collection; Understand foreign CNE actors; Foreign CNE persona; Develop collection signatures]

CNE Toolkit: WARRIORPRIDE

• WARRIORPRIDE (WP):
  - Scalable, flexible, portable CNE platform
  - Unified framework within CSEC and across the 5 eyes
  - Do more with less effort
• Common framework for sharing code/plugins across the 5 eyes
• WARRIORPRIDE is an implementation of the "WZOWSKI" 5-eyes API
  - WARRIORPRIDE@CSE/etc. == DAREDEVIL@GCHQ
• WARRIORPRIDE:
  - xml command output to operators
  - Several plugins used for machine recon / OPSEC assessment

WARRIORPRIDE

[Screenshot: "Command Prompt - U_Base" window. An operator at the prompt pink@localhost> issues commands that list peers, list plugins, list persistent plugins, list stores and get the implant id. The Output pane reads: Transaction Id: 138546; Core storage files for implant 127.0.0.1; Plugin Store: c:\Temp\~DF3BE9.tmp; Config Store: c:\Temp\config; FileSys: (illegible). An annotation notes that the list command does not list the plugins doing the real work. Call-outs on the diagram beside it: LP Side Plugin, Implant Side Plugin, comms]

WARRIORPRIDE plug-ins and output

• Several WP plugins are useful for CCNE:
  - Slipstream: machine reconnaissance
  - ImplantDetector: implant detection
  - RootkitDetector: rootkit detection
  - Chordflier / U_ftp: file identification / retrieval
  - NameDropper: DNS
  - WormWood: network sniffing and characterization
• Already used for CNE OPSEC
• Used for precise identification and heuristics

WP xml output (raw)

<?xml version="1.0" encoding="UTF-8"?>
<response xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="U_FileCollectorLp/U_FileCollectorLp_2.15.xsd">
<implantId>51.1.2.160</implantId>
<transaction><transactionSource>50.0.0.101</transactionSource><transactionId>320453</transactionId></transaction>
<timestamp><TLT>2010-02-23T15:53:06.366</TLT><UTC>2010-02-23T15:47:43.448</UTC></timestamp>
<errors><errorPlugin>0</errorPlugin><errorOs>0</errorOs></errors>
<commandInfo>fcstart</commandInfo>
<responseDetails><fcstart><status>Success</status><standbyMode>FALSE</standbyMode></fcstart></responseDetails>
</response>
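As an added example that is not part of the slides: a Python parser for a response document in the shape shown above. The sample is the slide's XML with the OCR damage repaired; the WpResponse dataclass and the function names are this example's own, not a WARRIORPRIDE API.

```python
# Added example, not from the CSEC slides: parse a WARRIORPRIDE-style XML
# response such as the U_FileCollectorLp one above.  The sample below is the
# slide's XML with the OCR damage repaired; the dataclass and function names
# are this example's own.
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<response xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:noNamespaceSchemaLocation="U_FileCollectorLp/U_FileCollectorLp_2.15.xsd">
  <implantId>51.1.2.160</implantId>
  <transaction>
    <transactionSource>50.0.0.101</transactionSource>
    <transactionId>320453</transactionId>
  </transaction>
  <timestamp><TLT>2010-02-23T15:53:06.366</TLT><UTC>2010-02-23T15:47:43.448</UTC></timestamp>
  <errors><errorPlugin>0</errorPlugin><errorOs>0</errorOs></errors>
  <commandInfo>fcstart</commandInfo>
  <responseDetails>
    <fcstart><status>Success</status><standbyMode>FALSE</standbyMode></fcstart>
  </responseDetails>
</response>
"""


@dataclass
class WpResponse:
    implant_id: str          # WPID of the implant that answered
    transaction_source: str  # listening-post side address
    transaction_id: int
    utc: str                 # timestamp in UTC
    tlt: str                 # target local time
    command: str             # plugin command that produced this response
    error_plugin: int
    error_os: int
    details: dict = field(default_factory=dict)  # children of <responseDetails>/<command>


def _text(root, path):
    """Text of a required element, with a clear error if the schema is not met."""
    el = root.find(path)
    if el is None or el.text is None:
        raise ValueError(f"missing element: {path}")
    return el.text.strip()


def parse_wp_response(xml_text):
    """Parse one WP response document into a WpResponse."""
    # Bytes input lets expat honour the encoding declaration in the prologue.
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "response":
        raise ValueError(f"unexpected root element: {root.tag}")
    command = _text(root, "commandInfo")
    details = {}
    # The per-command block is named after the command, so one parser serves
    # every plugin without a per-plugin schema.
    detail_el = root.find(f"responseDetails/{command}")
    if detail_el is not None:
        details = {child.tag: (child.text or "").strip() for child in detail_el}
    return WpResponse(
        implant_id=_text(root, "implantId"),
        transaction_source=_text(root, "transaction/transactionSource"),
        transaction_id=int(_text(root, "transaction/transactionId")),
        utc=_text(root, "timestamp/UTC"),
        tlt=_text(root, "timestamp/TLT"),
        command=command,
        error_plugin=int(_text(root, "errors/errorPlugin")),
        error_os=int(_text(root, "errors/errorOs")),
        details=details,
    )


def response_ok(resp):
    """Neither the plugin nor the OS reported an error, and the per-command
    status (when the plugin reports one) is Success."""
    return (resp.error_plugin == 0 and resp.error_os == 0
            and resp.details.get("status", "Success") == "Success")


def in_standby(resp):
    """True when the plugin reports standbyMode TRUE."""
    return resp.details.get("standbyMode", "").upper() == "TRUE"


if __name__ == "__main__":
    r = parse_wp_response(SAMPLE_RESPONSE)
    print(f"{r.implant_id} txn {r.transaction_id} {r.command}: "
          f"ok={response_ok(r)} standby={in_standby(r)}")
```

The two error counters and the per-command status are the fields an alerting layer checks before trusting anything else in the document; a parser that silently defaulted them would turn a failed plugin run into a clean-looking host.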

WP SLIPSTREAM output (parsed)

[2010/05/18 - 16:28:05 (UTC)] Transaction Id: 582966 U_SLIPSTREAM - <ssservices> ImplantId: <51.8.1.13> Timestamp (UTC): 2010/02/09 06:42:42

PAGE : 1 of 1

PID  | Service Name | Status  | Startup Type | Service Process Type | Display Name                                       | Binary Path
924  | AeLookupSvc  | RUNNING | AUTOMATIC    | SHARED               | Application Experience Lookup Service              | C:\WINDOWS\system32\svchost.exe -k netsvcs
0    | Alerter      | STOPPED | DISABLED     | SHARED               | Alerter                                            | C:\WINDOWS\system32\svchost.exe -k LocalService
3184 | ALG          | RUNNING | MANUAL       | OWN PROCESS          | Application Layer Gateway Service                  | C:\WINDOWS\System32\alg.exe
0    | AppMgmt      | STOPPED | MANUAL       | SHARED               | Application Management                             | C:\WINDOWS\system32\svchost.exe -k netsvcs
924  | AudioSrv     | RUNNING | AUTOMATIC    | SHARED               | Windows Audio                                      | C:\WINDOWS\System32\svchost.exe -k netsvcs
0    | BITS         | STOPPED | MANUAL       | SHARED               | Background Intelligent Transfer Service            | C:\WINDOWS\system32\svchost.exe -k netsvcs
0    | Browser      | STOPPED | AUTOMATIC    | SHARED               | Computer Browser                                   | C:\WINDOWS\system32\svchost.exe -k netsvcs
1028 | ccEvtMgr     | RUNNING | AUTOMATIC    | SHARED               | Symantec Event Manager                             | "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon
1028 | ccSetMgr     | RUNNING | AUTOMATIC    | SHARED               | Symantec Settings Manager                          | "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon
1708 | Cissesrv     | RUNNING | AUTOMATIC    | OWN PROCESS          | HP Smart Array SAS/SATA Event Notification Service | "C:\Program Files\HP\Cissesrv\cissesrv.exe"
0    | CiSvc        | STOPPED | DISABLED     | SHARED               | Indexing Service                                   | C:\WINDOWS\system32\cisvc.exe
0    | ClipSrv      | STOPPED | DISABLED     | OWN PROCESS          | ClipBook                                           | (not legible)

WP SLIPSTREAM output... drivers (parsed)

[2010/05/18 - 16:28:06 (UTC)] Transaction Id: 582968 U_SLIPSTREAM - <ssdrivers> ImplantId: <51.8.1.13> Timestamp (UTC): 2010/02/09 06:42:43

PAGE : 1 of 1

SCM | Driver Name  | Status  | Startup Type | Driver Type | Display Name | Binary Path
    | ntoskrnl.exe | RUNNING |              |             |              | C:\WINDOWS\system32\ntoskrnl.exe
    | hal.dll      | RUNNING |              |             |              | C:\WINDOWS\system32\hal.dll
    | KDCOM.DLL    | RUNNING |              |             |              | C:\WINDOWS\system32\KDCOM.DLL
    | BOOTVID.dll  | RUNNING |              |             |              | C:\WINDOWS\system32\BOOTVID.dll
    | ACPI.sys     | RUNNING |              |             |              | ACPI.sys
    | WMILIB.SYS   | RUNNING |              |             |              | C:\WINDOWS\system32\DRIVERS\WMILIB.SYS
    | pci.sys      | RUNNING |              |             |              | pci.sys
    | isapnp.sys   | RUNNING |              |             |              | isapnp.sys
    | pciide.sys   | RUNNING |              |             |              | pciide.sys
    | PCIIDEX.SYS  | RUNNING |              |             |              | C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    | MountMgr.sys | RUNNING |              |             |              | MountMgr.sys
    | ftdisk.sys   | RUNNING |              |             |              | ftdisk.sys
    | dmload.sys   | RUNNING |              |             |              | dmload.sys
    | dmio.sys     | RUNNING |              |             |              | dmio.sys
    | volsnap.sys  | RUNNING |              |             |              | volsnap.sys

(Startup Type, Driver Type and Display Name cells are not legible in the screenshot.)

REPLICANTFARM

• Extend WP output to a signature-based system: REPLICANTFARM
• Module-based parser/alert system running on real-time CNE operational data
• Custom/module-based analysis:
  - Actors
  - Implant technology
  - Host-based signatures
  - Network-based signatures

REPLICANTFARM Example

[Screenshot: "CCNE/Opsec WPID Alerts" web page in Firefox (http://obelix/). The search form notes that the search is done with the fields as perl regular expressions: dots are single-character wildcards and dot-star (.*) means any number of characters; example: single WPID 51\.8\.1\.13, class C WPID 51\.8\.1\..*. The module list shows REPLICANTFARM modules named mod_<number>_<actor tag>_<NAME>.pl; legible names include mod_101_MM_CARBON.pl, mod_103_MM_DOGHOUSE.pl, mod_104_MM_WALKER.pl, an AF_ALOOFNESS module, mod_300_SD_MEG.pl, mod_301_SD_MHIFIP.pl and a series of mod_3xx_UNK_* modules for unattributed actors (e.g. mod_308_UNK_WINUPDATE.pl, mod_309_UNK_DIESELRATTLE.pl). Query fields: WPID, Infrastructure, Module Regexp, Tag, Type; Submit Query button.]

ALERTS

Module: mod_103_MM_DOGHOUSE.pl   Date: 2010-01-21T15:36:39.968   Tag: MM
File name: ../datastore/archive/2010/01/21/15/...
Details: Possible MM DOGHOUSE driver file: C:\WINNT\$NtUninstallQ244598$\... (several files listed under that directory, among them netbt.sys, tcpip.sys and an .inf file)

PULLEDPORK

[Screenshot: "CCNE/Opsec Mondumpprtracker viewer" web page in Firefox. The form notes that the search is done on the WPID with a simple wildcard and a perl regexp for the command lines. Examples: a value of * in a WPID indicates that that "class" is a wildcard; single WPID: 51.8.1.13; class B WPID: 51.8.*.*; class C WPID: 51.8.1.*. The +Regexp is a perl regular expression applied to the command lines: only command lines satisfying it are displayed. The -Regexp is a perl regular expression applied to the command lines: only command lines NOT satisfying it are displayed. The result table (columns: proc, cmdline, parent, pid, last seen) lists processes seen on WPID 51.8.1.13, e.g. Symantec LiveUpdate LuCallbackProxy.exe instances, Symantec Endpoint Protection, MDaemon mail-server components, SpamAssassin and cmd.exe, with last-seen times between 2010-05-22 and 2010-05-24.]

REPLICANTFARM generic modules

• Cloaked
• Recycler
• Rar password
• Tmp executable
• Packed
• Peb modification
• Privileges
• MS pretender
• System32 variables
• Strange DLL extensions
• Kernel cloaking
• Schedule at
• Ntuninstall execution
• Hidden
• Other ideas....

Generic modules: example

# Processes whose name is a legitimate Windows executable with 1-3 characters
# appended (e.g. svchost32.exe); $xml holds the parsed WP output
my @runningProcs = xml_isProcessRunning( $xml, 'svchost.{1,3}\\.exe',
    'winlogon.{1,3}\\.exe', 'services.{1,3}\\.exe', 'lsass.{1,3}\\.exe',
    'spoolsv.{1,3}\\.exe', 'autochk.{1,3}\\.exe', 'logon.{1,3}\\.scr',
    'rundll32.{1,3}\\.exe', 'chkdsk.{1,3}\\.exe', 'chkntfs.{1,3}\\.exe',
    'logonui.{1,3}\\.exe', 'ntoskrnl.{1,3}\\.exe', 'ntvdm.{1,3}\\.exe',
    'rdpclip.{1,3}\\.exe', 'taskmgr.{1,3}\\.exe', 'userinit.{1,3}\\.exe',
    'wscntfy.{1,3}\\.exe', 'tcpmon.{1,3}\\.dll' );

foreach my $runningProc (@runningProcs) {
    $alertText .= "Suspicious process detected, legitimate exe name appended with string: " . $runningProc . "\n";
}

RF specific signatures

• KNOWN actor filenames, processes, covert
  - MAKERSMARK / FANNER
  - SEEDSPHERE / BYZANTINE
  - ALOOFNESS
  - SNOWGLOBE
  - VOYEUR
  - SUPERDRAKE
  - GOSSIPGIRL
• Infrastructure
  - Known IP addresses
  - Known DNS queries
• Other tools

Specific signatures: example

# Check for known driver files present
my @driversPresent = xml_isDriverPresent( $xml, 'usbdev\\.sys', 'acpimem32\\.sys',
    'usblink32\\.exe', '\\$NtUninstallQ722833\\$' );

foreach my $driver (@driversPresent) {
    $alertText .= "Possible MM CARBON driver detected: " . $driver . "\n";
}
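An added example, not code from the slides or from REPLICANTFARM, written in Python rather than Perl so that it runs stand-alone: a small module-based parser/alert system in the spirit of the REPLICANTFARM slide and of the generic and specific signature modules above. The services rows, command lines and driver paths are constructed (the rar command line is modelled on the CHOCOPOP alert shown later in the deck, with a made-up SID, password and mailbox path); the regex lists come from the two example slides, the RECYCLER/rar check follows the "Recycler" and "Rar password" entries in the generic-modules list, and the HostData class, module names and function names are this example's own.

```python
# Added example, not from the CSEC slides and written in Python rather than
# the Perl of REPLICANTFARM: a minimal module-based parser/alert system in the
# spirit of the generic and specific signature modules shown above.  Sample
# inputs are constructed; the regex lists for the "legitimate exe name with
# appended string" and MM CARBON driver checks are the ones on the slides, and
# the RECYCLER/rar check follows the "Recycler" and "Rar password" generic
# modules listed on the generic-modules slide.
import re
from dataclasses import dataclass

# Constructed SLIPSTREAM-style services table (same column layout as the slide)
SAMPLE_SERVICES = r"""
PID |Service Name |Status |Startup Type |Service Process Type|Display Name |Binary Path
924 |AeLookupSvc |RUNNING |AUTOMATIC |SHARED |Application Experience Lookup Service |C:\WINDOWS\system32\svchost.exe -k netsvcs
3184 |ALG |RUNNING |MANUAL |OWN PROCESS |Application Layer Gateway Service |C:\WINDOWS\System32\alg.exe
1028 |ccEvtMgr |RUNNING |AUTOMATIC |SHARED |Symantec Event Manager |"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon
2212 |NetHelper |RUNNING |AUTOMATIC |OWN PROCESS |Network Helper |C:\WINDOWS\system32\svchost32.exe
"""
# Constructed process command lines; the second is modelled on the CHOCOPOP
# alert later in the deck, with a made-up SID, password and mailbox path
SAMPLE_CMDLINES = [
    r"C:\WINDOWS\system32\svchost.exe -k netsvcs",
    r'cmd.exe /C ""c:\RECYCLER\S-1-5-21-1111111111-2222222222-3333333333-500\rar.exe" a -r -inul '
    r'-hpEXAMPLEPWD -apuser1 -tnld temp\168.rar c:\MDAEMON\Users\example.test\user1\*.msg">nul',
]
# Constructed driver file list; the second path is a made-up hit
SAMPLE_DRIVERS = [
    r"C:\WINDOWS\system32\DRIVERS\WMILIB.SYS",
    r"C:\WINNT\$NtUninstallQ722833$\usbdev.sys",
]


@dataclass
class HostData:
    processes: list   # rows of the services table, as dicts
    cmdlines: list    # process command lines
    drivers: list     # driver file paths


def parse_pipe_table(text):
    """Turn a 'col |col |...' table into dicts keyed by the stripped header names."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    headers = [h.strip() for h in lines[0].split("|")]
    return [dict(zip(headers, (c.strip() for c in ln.split("|")))) for ln in lines[1:]]


def image_name(binary_path):
    """Executable basename from a Binary Path cell (quotes and arguments dropped)."""
    path = binary_path.strip()
    path = path[1:].split('"', 1)[0] if path.startswith('"') else path.split(" ", 1)[0]
    return path.rsplit("\\", 1)[-1]


# --- generic module: legitimate exe name with 1-3 characters appended --------
# The genuine svchost.exe does not match: the regex needs extra characters
# before the final ".exe".  Matching is unanchored, as in the Perl original.
LEGIT_APPENDED = [re.compile(p, re.IGNORECASE) for p in (
    r"svchost.{1,3}\.exe", r"winlogon.{1,3}\.exe", r"services.{1,3}\.exe",
    r"lsass.{1,3}\.exe", r"spoolsv.{1,3}\.exe", r"rundll32.{1,3}\.exe",
    r"userinit.{1,3}\.exe", r"taskmgr.{1,3}\.exe", r"logonui.{1,3}\.exe")]


def mod_legit_name_appended(host):
    return [f"Suspicious process detected, legitimate exe name appended with string: {name}"
            for name in (image_name(p["Binary Path"]) for p in host.processes)
            if any(rx.search(name) for rx in LEGIT_APPENDED)]


# --- generic module: rar.exe run out of RECYCLER, optionally with -hp password
RAR_FROM_RECYCLER = re.compile(
    r'"?(?P<rar>[a-z]:\\RECYCLER\\S-1-5-[\d-]+\\rar\.exe)"\s+a\b(?P<args>.*)', re.IGNORECASE)
HP_SWITCH = re.compile(r"-hp(\S+)")  # rar -hp<pwd>: encrypt file data and headers


def mod_recycler_rar(host):
    alerts = []
    for cmd in host.cmdlines:
        m = RAR_FROM_RECYCLER.search(cmd)
        if m:
            kind = ("password-protected rar archiving" if HP_SWITCH.search(m.group("args"))
                    else "rar archiving")
            alerts.append(f"Possible {kind} from RECYCLER: {m.group('rar')}")
    return alerts


# --- specific module: MM CARBON driver files (patterns from the slide) -------
MM_CARBON_DRIVERS = [re.compile(p) for p in (
    r"usbdev\.sys", r"acpimem32\.sys", r"usblink32\.exe", r"\$NtUninstallQ722833\$")]


def mod_mm_carbon(host):
    return [f"Possible MM CARBON driver detected: {d}"
            for d in host.drivers if any(rx.search(d) for rx in MM_CARBON_DRIVERS)]


# Module registry: (module name, actor/category tag, function).  Names follow
# the mod_<n>_<TAG>_<NAME> convention of the slides but are this example's own.
MODULES = [
    ("mod_10_generic_legitAppended", "GENERIC", mod_legit_name_appended),
    ("mod_11_generic_recyclerRar", "GENERIC", mod_recycler_rar),
    ("mod_101_MM_CARBON", "MM", mod_mm_carbon),
]


def run_modules(host, modules=MODULES):
    """Run every module over one host's parsed data; return (module, tag, text) triples."""
    return [(name, tag, text) for name, tag, func in modules for text in func(host)]


def demo_host():
    return HostData(parse_pipe_table(SAMPLE_SERVICES), SAMPLE_CMDLINES, SAMPLE_DRIVERS)


if __name__ == "__main__":
    for name, tag, text in run_modules(demo_host()):
        print(f"[{tag}] {name}: {text}")
```

Each module sees the whole parsed host and returns alert strings, so a new actor or technique is one more function in the registry; the tag carried beside the module name is what lets the alert page above filter by actor.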

Operations

• Routine operations for CCNE investigations on current targets
  - Execution of OPSEC-related plugins
  - Collection of files
  - Examination of network activity
• Blanket approvals for addition of selectors to level 4 OPs against known actors: example WATERMARK operations against MAKERSMARK
• Standard operating procedures for level 2 - level 4 operations against foreign CCNE actor infrastructures

CCNE / OPSEC page on 5-Eyes klsvn Wiki

• Contains reverse engineering reports for CNE / IO consumption
• Even logs and notes for several actors

CCNE operations - Covert Infrastructure

• Some fusion of the WP and CCNE infrastructures
  - Dedicated ORB for CCNE
  - Unattributed dialups to the ORB
• Philosophy: use low-hanging fruit against the actors (public exploits and tools if available)
• Discussions regarding repurposing of foreign toolkits
• De-confliction

SNOWGLOBE

• Provide the historical account of the activity on DOUR MAGNUM (Imam Hussein University)
• Implant identified while investigating another unattributed actor
• rar archiving of emails on target
• Beaconing using HTTP to php-based listening post

[Screenshot: "CCNE/Opsec WPID Alerts" page in Firefox, searched on WPID 51.8.1.13, with the REPLICANTFARM module list (mod_1xx_MM_*, AF_ALOOFNESS, SD, UNK and mod_700_SG_CHOCOPOP.pl modules) in the left pane.]

ALERTS

Module: mod_700_SG_CHOCOPOP.pl   Date: 2009-09-30T10:18:41.906   Tag: SG
File name: datastore/archive/2009/09/30/10/...
Details: fourteen lines of "Possible SNOWGLOBE CHOCOPOP process detected:", each a cmd.exe /C invocation of "c:\RECYCLER\S-1-5-21-101796669-4102346875-220983236-500\rar.exe" a -r -inul -hplockless -ap<name> -tnld temp\168.rar (or C:\WINDOWS\TEMP\166.rar) over a c:\MDAEMON\Users\... mailbox directory, one per targeted mailbox.

DOURMAGNUM

SNOWGLOBE on target

Possible SNOWGLOBE CHOCOPOP process detected:

cmd.exe /C ""c:\RECYCLER\S-1-5-21-101796669-4102346875-220983236-500\rar.exe" a -r -inul -hplockless -aprfeghhi -tnld temp\168.rar c:\MDAEMON\Users\ihu.ac.ir\rfeghhi\md5*.msg">nul

SNOWGLOBE implant

• Injects itself in svchost.exe
• No cloaking / no hooking
• Bootstraps in service called MSDTC64 (distributed transaction coordinator 64b)
• Service entry is permanent
• Executable kept on disk in system32
• Crypto: 16 byte string XOR
• http beacons and tasking
• Actor observed upgrading on target

SNOWGLOBE activity and attribution

• Targeting is scarce but resembles CT / CP priorities
• French localisation seen in exploit PDFs (GCHQ)
• French commentary in the binary
• French binary name / developer path
• Observed in Iran, Norway, Greece, Belgium, Algeria, France, US targets
• Listening posts worldwide - several French legit sites
• Now seen in passive collection, several reports

De-confliction: on CCNE operations

• State-sponsored landscape is very busy
• CCNE targets are de-conflicted
• Actors on CCNE targets are not
• Covert nature of foreign (and friendly) actors makes de-confliction challenging
• Often need to refer to precise technology for identification
• CNE / CCNE from SIGINT + HUMINT need to get together on this issue

De-confliction FAIL

• Actor discovered: 5 eyes effort
• Several cohabitations
• At CSEC: 400 man-hours:
  - Over 20 CNE operations
  - Passive collection
  - 4 reports
  - Reverse engineering
  - Planning of active operations

[Diagram (marked TS//SI//REL): the actor's implant architecture in stages S0, S1, S2, with labelled components driver, unpack, winlogon, CMD, HTTP, DEV, decrypt, file, kernel, implant, user, and two links out to the Internet]

Conclusion

• CCNE effort essential to the national cyber mandate:
  - CNE situational awareness
  - New actor discovery
  - Tracking known actors
• Several new actors discovered using this process
• De-confliction needs to be improved

CCNE contacts