TOP SECRET//COMINT
Communications Security Establishment Canada / Centre de la sécurité des télécommunications Canada

Pay attention to that man behind the curtain
Discovering aliens on CNE infrastructure
CSEC Counter-CNE, Target Analytics thread
SIGDEV Conference, NSA, June 2010

Safeguarding Canada's security through information superiority / Préserver la sécurité du Canada par la supériorité de l'information

The need for CCNE
- Foreign and friendly actors often encountered
- CNE operators do not pursue them beyond their targets
- Reporting groups need to be made aware
- OPSEC evaluation is needed
- Active pursuit of CNE actors: a different ballgame

Outline
- Introduction: CCNE at CSEC
- CCNE tools and methods
- SNOWGLOBE
- De-confliction

CCNE Group at CSEC
- Part of CSEC CNE operations
- Recently formed matrix team
- … and operators from CNE Operations, IO, Reporting Lines and Global Network Detection
- Mandate:
    Provide situational awareness to CNE operators
    Discover unknown actors on existing CNE targets
    Detect known actors on covert infrastructure
    Pursue known actors through CNE
    Review OPSEC of CNE operations

CCNE team
[Diagram of the team's functions; labels legible in the OCR: Reverse engineering; Target development; Understand foreign CNE actors; Active collection (foreign CNE persona); Passive collection; Develop detection signatures]

CNE Toolkit: WARRIORPRIDE
- WARRIORPRIDE (WP): scalable, flexible, portable CNE platform
- Unified framework within CSEC and across the 5 eyes
- Do more with less effort
- Common framework for sharing code / plugins across the 5 eyes
- WARRIORPRIDE is an implementation of the 5-eyes API
- WARRIORPRIDE command output to operators
- Several plugins used for machine recon / OPSEC assessment

WARRIORPRIDE
[Diagram of the implant architecture; labels legible in the OCR: Transaction Id 133545; Core storage files for implant: Plugin Store, Config Store; "Note that a command does not list plugins"; "real work"; Implant comms]

WARRIORPRIDE plug-ins and output
- Several WP plugins are useful for CCNE:
    Slipstream: machine reconnaissance
    ImplantDetector: implant detection
    RootkitDetector: rootkit detection
    Chordflier / U_ftp: file identification, retrieval
    NameDropper: DNS
    WormWood: network sniffing and characterization
- Already used for CNE OPSEC
- Used for precise identification and heuristics

WP output: raw XML response
[Screenshot of a raw XML response; not legible in the OCR]

WP SLIPSTREAM output, parsed
[Screenshot of the parsed service list. Header: 2010/05/18 16:28:05, Transaction Id 582966, ImplantId 51.8.1.13, Timestamp (UTC) 2010/02/09 06:42:42, page 1 of 1. Columns: PID, Service Name, Status, Startup Type, Service Process Type, Display Name, Binary Path. Rows legible in the OCR: AeLookupSvc (Application Experience Lookup Service), Alerter, Application Layer Gateway Service, Application Management, AudioSrv (Windows Audio), Background Intelligent Transfer Service, Browser (Computer Browser), two Symantec services (Symantec Event Manager and ccSetMgr / Symantec Settings Manager, under Common Files\Symantec…\ccCommon), Cissesrv (HP Smart Array SAS/SATA Event Notification Service, cissesrv.exe), CiSvc (Indexing Service), ClipSrv (ClipBook).]

WP SLIPSTREAM drivers, parsed
[Screenshot of the parsed driver list for ImplantId 51.8.1.13, Timestamp (UTC) 2010/02/09 06:42:43. Columns: SCM Driver Name, Status, Startup Type, Driver Type, Display Name, Binary Path. Rows legible in the OCR: pci.sys, isapnp.sys, pciide.sys, ftdisk.sys, dmload.sys, dmio.sys, volsnap.sys.]

REPLICANTFARM
- Extend WP output to a signature based system: REPLICANTFARM
- Module based parser / alert system running on real-time CNE operational data
- Custom module based analysis:
    Actors
    Implant technology
    Host based signatures
    Network based signatures

[Screenshot of the REPLICANTFARM "WPID Alerts" page in Firefox on an internal Operations / Opsec / Trac site. The note above the form says, as far as legible, that the search is done with the fields as Perl regular expressions, with examples. A module selector lists one Perl module per check (OCR readings include mod_19_kernelcloaking.pl and mod_21_ntuninstallexec.pl). Alert table columns: Module, Date, Tag, File name, Details; the visible rows, dated 2010-01-21, read "Possible … driver file", one naming tcpip.sys.]

CCNE/Opsec viewer
[Screenshot of the "CCNE/Opsec viewer" page in Firefox. The note says, as far as legible: the search is done on the implant id and the command line; the Regexp field is a Perl regular expression applied to the command line, and only command lines satisfying it are displayed, with a second field for command lines NOT matching. Columns: implant id, date/time, ppid, pid, cmdline, parent. The rows are ordinary host activity on the target, mostly Symantec LiveUpdate (C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe) and Windows Help and Support processes.]

REPLICANTFARM generic modules
- Cloaked
- Kernel cloaking
- Recycler
- Schedule at
- Rar password
- Ntuninstall execution
- Executable
- Hidden
- Packed
- Peb modification
- Privileges
- MS pretender
- System32 variables
- Other: strange DLL extension

Generic modules example
    my @runningProcs = xml_isProcessRunning($xml);
    foreach my $runningProc (@runningProcs) {
        $alertText .= "Suspicious process detected: legitimate exe name appended with string: $runningProc\n";
    }

RF specific signatures
- KNOWN actor filenames, processes, covert stores: ALOOFNESS, SNOWGLOBE, VOYEUR, SUPERDRAKE, GOSSIPGIRL
- Infrastructure: known IP addresses, known DNS queries
- Other tools

Specific signatures example
    # Check if known drivers are present
    my @driversPresent = xml_isDriverPresent($xml);
    foreach my $driver (@driversPresent) {
        $alertText .= "Possible MM CARBON driver detected: $driver\n";
    }

Operations
- Routine operations for CCNE investigations on current targets:
    Execution of OPSEC related plugins
    Collection of files
    Examination of network activity
- Blanket approvals for addition of selectors to level 4 OPs against known actors (example: WATERMARK operations against MAKERSMARK)
- Standard operating procedures for level 2 / level 4 operations against foreign CCNE actor infrastructures

CCNE / OPSEC page on 5-Eyes Wiki
- Contains reverse engineering reports for CNE / IO consumption
- Event logs and notes for several actors

CCNE operations: covert infrastructure
- Some fusion of the WP and CCNE infrastructures
    Dedicated ORB for CCNE
    Unattributed dialups to the ORB
- Philosophy: use low hanging fruits against the actors (public exploits and tools if available)
- Discussions regarding repurpose of foreign toolkits
- De-confliction
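The REPLICANTFARM idea described above (a module-based alert pass over parsed WP output, with the Perl "generic" and "specific" module snippets, and entries such as "Rar password" and "MS pretender" in the generic module list) is illustrated here by an added example that is not part of the deck and not CSEC's code. It is written in Python rather than Perl, runs four small modules over a constructed XML recon response, and assumes its own XML element and attribute names (process / service / driver), a placeholder driver name in place of any real actor indicator, and a short list of legitimate Windows executable names and Microsoft service display names.

```python
"""Added example (not REPLICANTFARM or any CSEC code): a minimal module-based
alert pass over a constructed XML recon response, in the spirit of the Perl
modules on the slides.  The XML element/attribute names are assumptions; the
real WARRIORPRIDE/SLIPSTREAM schema is not on the page."""
import re
import xml.etree.ElementTree as ET

# Constructed sample shaped like the parsed SLIPSTREAM tables (processes,
# services, drivers).  Not real operational data.
SAMPLE_XML = """<response implantId="51.8.1.13" transactionId="582966">
  <processes>
    <process pid="924" name="svchost.exe" cmdline="svchost.exe -k netsvcs"/>
    <process pid="1708" name="cissesrv.exe" cmdline="cissesrv.exe"/>
    <process pid="3120" name="svchost32.exe" cmdline="svchost32.exe"/>
    <process pid="3311" name="cmd.exe"
      cmdline="cmd.exe /c rar a -r -inul -hplockless -tn1d temp168.rar c:\\mail"/>
  </processes>
  <services>
    <service name="MSDTC" display="Distributed Transaction Coordinator"/>
    <service name="msdtc64" display="Distributed Transaction Coordinator 64b"/>
  </services>
  <drivers>
    <driver name="pci.sys"/>
    <driver name="ftdisk.sys"/>
    <driver name="placeholder-actor-driver.sys"/>
  </drivers>
</response>"""

# Reference data a real deployment would maintain; kept tiny here.
LEGIT_EXE_STEMS = {"svchost", "lsass", "csrss", "winlogon", "explorer"}
MS_SERVICE_DISPLAY_NAMES = {"Distributed Transaction Coordinator",
                            "Windows Audio", "Computer Browser"}
KNOWN_ACTOR_DRIVERS = {"placeholder-actor-driver.sys"}  # placeholder, not a real indicator


def mod_appended_name(root):
    """Generic module: a process named like a legitimate exe but with characters
    appended before the extension (svchost32.exe, lsasss.exe, ...)."""
    alerts = []
    for proc in root.iter("process"):
        stem, _, ext = proc.get("name", "").lower().rpartition(".")
        if ext != "exe":
            continue
        for legit in LEGIT_EXE_STEMS:
            if stem != legit and stem.startswith(legit):
                alerts.append(f"Suspicious process detected: legitimate exe name "
                              f"{legit}.exe appended with string: {proc.get('name')}")
    return alerts


RAR_ARCHIVE_CMD = re.compile(r"\brar(?:\.exe)?\s+a\b", re.IGNORECASE)
RAR_PASSWORD_SWITCH = re.compile(r"(?:^|\s)-(?:hp|p)\S*")  # -p<pw>, or -hp<pw> (headers too)


def mod_rar_password(root):
    """Generic module ('Rar password'): rar archiving with a password switch on
    the command line; -hp also encrypts the archive headers (file names)."""
    return [f"Possible password-protected rar archiving: {proc.get('cmdline')}"
            for proc in root.iter("process")
            if RAR_ARCHIVE_CMD.search(proc.get("cmdline", ""))
            and RAR_PASSWORD_SWITCH.search(proc.get("cmdline", ""))]


def mod_ms_pretender(root):
    """Generic module ('MS pretender'): a service display name that extends a
    genuine Microsoft one, like the 'distributed transaction coordinator 64b'
    bootstrap service described on the SNOWGLOBE implant slide."""
    alerts = []
    for svc in root.iter("service"):
        disp = svc.get("display", "")
        for ms in MS_SERVICE_DISPLAY_NAMES:
            if disp.lower() != ms.lower() and disp.lower().startswith(ms.lower()):
                alerts.append(f"Possible MS-pretender service: '{disp}' (name={svc.get('name')})")
    return alerts


def mod_known_driver(root):
    """Specific module: a driver name on a known-actor list (placeholder here)."""
    return [f"Possible known-actor driver detected: {drv.get('name')}"
            for drv in root.iter("driver")
            if drv.get("name", "").lower() in KNOWN_ACTOR_DRIVERS]


MODULES = [mod_appended_name, mod_rar_password, mod_ms_pretender, mod_known_driver]


def run_modules(xml_text, modules=MODULES):
    """Parse one response and return (module, tag, alert) triples, the tag being
    the implant and transaction ids, as on the WPID Alerts table."""
    root = ET.fromstring(xml_text)
    tag = f"implant {root.get('implantId')} / transaction {root.get('transactionId')}"
    return [(mod.__name__, tag, text) for mod in modules for text in mod(root)]


if __name__ == "__main__":
    for module, tag, text in run_modules(SAMPLE_XML):
        print(f"[{module}] {tag}: {text}")
```

Each module is a plain function over the parsed tree returning alert strings, so new host- or network-based signatures are added by appending a function to MODULES; the benign rows in the sample (svchost.exe, cissesrv.exe, pci.sys, the genuine MSDTC service) produce no alerts, which is the check to keep in place when tuning the reference lists.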
SNOWGLOBE
- Provide the historical account of the activity on DOURMAGNUM (Imam Hussein University)
- Implant identified while investigating another unattributed actor
- rar archiving of emails on target
- Beaconing using HTTP to php-based listening post

[Screenshot of the "WPID Alerts" page in Firefox (CCNE/Opsec site), its module selector listing Perl modules such as m_11_cloaked.pl and mod_15_privileges.pl (OCR readings). The alert table shows a dozen rows of "Possible SNOWGLOBE CHOCOPOP process detected", each a cmd.exe /c invocation of rar with switches of the form -r -inul -hplockless -ap… -tn1d, writing into temp…rar archives.]

SNOWGLOBE on target
    Possible SNOWGLOBE CHOCOPOP process detected: cmd.exe … a -r -inul -hplockless -aprfeghhi -tn1d temp168.rar c:\…

SNOWGLOBE implant
- Injects itself in svchost.exe
- No cloaking, no hooking
- Bootstraps in service called "distributed transaction coordinator 64b"; service entry is permanent
- Executable kept on disk in system32
- 16 byte string XOR: beacons and tasking
- Actor observed upgrading on target

SNOWGLOBE activity and attribution
- Targeting is scarce but resembles CT / CP priorities
- French localisation seen in exploit PDFs (GCHQ)
- French commentary in the binary
- French binary name / developer path
- Observed in Iran, Norway, Greece, Belgium, Algeria, France, US targets
- Listening posts worldwide (several French legit sites)
- Now seen in passive collection (several reports)

De-confliction on CCNE operations
- State-sponsored landscape is very busy
- CCNE targets are de-conflicted
- Actors on CCNE targets are not
- Covert nature of foreign and friendly actors makes de-confliction challenging
- Often need to refer to precise technology for identification
- CNE / CCNE from SIGINT / HUMINT need to get together on this issue

De-confliction FAIL
[Diagram (TS//SI//REL 5 EYES) of one actor discovery; labels legible in the OCR: Actor discovered; SIGDEV effort; Several cohabitations; Decrypt; At CSEC: 400 man-hours, over 20 CNE operations; Passive collection; winlogon; Reverse engineering; Planning of active operations in …]

Conclusion
- CCNE effort essential to the national cyber mandate
    CNE situational awareness
    New actor discovery
    Tracking known actors
- Several new actors discovered using this process
- De-confliction needs to be improved