TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL

NATIONAL SECURITY AGENCY
CENTRAL SECURITY SERVICE

DRAFT

Kaspersky User-Agent Strings

3 September 2008

Derived From: NSA/CSSM 1-52, Dated: 3 January 2007, Declassify On: 20320103

(C//REL) Kaspersky User Agent Strings
September 2008
BY / REVIEWED BY / RELEASED BY: Chief [illegible]

REPORT DOCUMENTATION PAGE

Public reporting burden for this collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to Washington Headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington, VA 22202-4302, and to the Office of Management and Budget, Paperwork Reduction Project (0704-0188), Washington, DC 20503.

1. AGENCY USE ONLY (Leave blank)
2. REPORT DATE: September 2008
3. REPORT TYPE AND DATES COVERED: Technical SIGINT Report
4. TITLE AND SUBTITLE: (C//REL) Kaspersky User-Agent Strings
5. FUNDING NUMBERS
7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES): National Security Agency, Ft. George G. Meade, MD 20155-5400
8. PERFORMING ORGANIZATION REPORT NUMBER
9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES)
10. SPONSORING/MONITORING AGENCY REPORT NUMBER: S-
11. SUPPLEMENTARY NOTES
12a. DISTRIBUTION/AVAILABILITY STATEMENT: THIS DOCUMENT MAY NOT BE RELEASED OR REPRODUCED IN WHOLE OR IN PART WITHOUT PRIOR APPROVAL OF THE ISSUING OFFICE
12b. DISTRIBUTION CODE
13. ABSTRACT: (S//SI//REL) We [illegible] that Kaspersky User Agent strings contain encoded versions of the Kaspersky serial numbers and that part of the User Agent string can be used as a machine identifier.
14. SUBJECT TERMS: Kaspersky, User-Agent, machine identifier
15. NUMBER OF PAGES: 3
16. PRICE CODE
17. SECURITY CLASSIFICATION OF REPORT
18. SECURITY CLASSIFICATION OF THIS PAGE
19. SECURITY CLASSIFICATION OF ABSTRACT
20. LIMITATION OF ABSTRACT

Table of Contents

(U) Introduction
(U) User Agent Strings
Updates
User Agent Fields and Encoding
Types of User-Agent Strings
Serial
(U) Key Files

(C//REL) Kaspersky User Agent Strings

(U) Introduction

(U//FOUO) Kaspersky Lab is a privately held [illegible] with headquarters in Moscow, with regional offices elsewhere. Kaspersky has at least three [illegible]: Kaspersky Internet Security, Kaspersky Anti-Virus and Kaspersky Mobile Security. The Anti-Virus engine is used by other security [illegible]. Kaspersky [illegible] are quite popular in some parts of the [illegible]. This work was begun with [illegible] at SCAMP [illegible] at [illegible] Princeton.

(U) Data

We used YACHTSHOP metadata for our study of Kaspersky User Agent strings, as well as some discovered by using searches on the Internet.

(U) User-Agent Strings

The Kaspersky client sends its User Agent strings when requesting updates. Some examples are:

Host: [illegible] User Agent: [illegible]
Host: dnl us kaspersky labs com User Agent: [illegible]

The Kaspersky User-Agent strings are of three types:

1. [illegible]
2. [illegible]
3. [illegible]

The User Agent strings use the characters [illegible], which is the same alphabet as is used in base64 encoding. Further, the last twelve characters of the third type are in fact base64 [illegible] of the version number. These version numbers range from 6 11 2 6 14 to 8 0 0 35 in our data.

(U) Updates

The update requests we [illegible] often occurred on a regular basis, often 20, 40, 120 or 140 minutes [illegible] machine is on-line. The [illegible] began with a GET request for an index page [illegible]. This was followed by a [illegible] of requests for update files: first a [illegible] files such as blst (black list), ids (intrusion [illegible]), [illegible] antivirus and [illegible], then a [illegible] of files such as [illegible] and a [illegible] files such as [illegible]. We did [illegible] use of query strings or [illegible] in update requests.

User-Agent Fields and Encoding

Now we turn our [illegible] to [illegible] strings. [illegible] us take a typical [illegible] as above, [illegible]. The last 12 [illegible] are a base64 string, which in this case [illegible] 10 0125, the version, and leaves us with [illegible].

At first it appears that there are fields separated by [illegible], but upon looking closely it can be [illegible] that there are two [illegible] and [illegible] two [illegible] 32 characters each. It appears that each is a [illegible] from the second [illegible] followed by a character from the first set. We [illegible] that [illegible] are [illegible] a leading flag bit [illegible] by five bits; the flag bit indicates [illegible] of a field. Thus we parse the string into [illegible].

Fields [illegible] and [illegible] are normally the same, and the first [illegible] fields are usually two or [illegible] long. Field six is always [illegible] or [illegible] long, about half of the time two long. If it is two long, the second character is a [illegible]. Since [illegible] is the second character of the first alphabet set, its natural value is 1. That is, if we reverse the order of [illegible] in this, the entire field takes on values [illegible]. Taking this as our cue that [illegible] of [illegible] each should be [illegible] and each [illegible] a number base 32 with flags.

(S//SI//REL) With this interpretation, field five appears to be flat, the range of values being [illegible].

(S//SI//REL) The first five fields appear to match with specific clients. The main [illegible] is Dp Bk Dp 1j5m Kn, another parsed Kaspersky User Agent, which is [illegible] with a large number of clients. As we shall [illegible], [illegible] four are [illegible] serial number, and this particular serial number is [illegible] those being passed around [illegible].

Studying [illegible] flow [illegible] requests, we observe that in many cases there is an update request at regular intervals. Probably such a request is [illegible] in all cases in which the machine is on-line. [illegible] requests begin with a request for one or two pages, [illegible] by further requests for update files, all with the same User-Agent. Later, on the regular beat, the next request will have the same User Agent string [illegible] that [illegible] six will have changed.
Thu Jul 3 2 1 13 11 211118 Dp Esi 11111111111 Eq 11l111 A 111 112 1118
Thu Jul 3 23 33 1 211118 Dp Esi llQil11111Eq 11Bz A 111 112 1118

The beat at which requests are made appears to be [illegible] with the [illegible] and version number. [illegible] 2 requests [illegible] come every 20 minutes, and about [illegible] of the time [illegible] ticks up with an increment [illegible]. [illegible] 3 requests [illegible] come at beats of 120 or 140 minutes, ticking up by [illegible].

(S//SI//REL) Field seven, if present in type 2 strings, is an [illegible] or [illegible]; in type 3 strings there is a field seven and possibly a field eight. In our data, the type 2 strings, unless there is a field seven with an [illegible], the requests only ask for files such as [illegible]. Also in our data, the type 3 strings with no eighth field (i.e. no [illegible] value) were all from version 0 0 2 6114, while none of the version 0 0 2 014 strings had a seventh field. We believe these indicate services and/or configurations.

(U) Types of User-Agent Strings

(S//SI//REL) There isn't much to say about the first type of User Agent string. It presumably represents some limited capability trial version.

The [illegible] type is more interesting, as it parses as described above. The parsed version usually begins Dp Bk Dp 1j5m, followed by a field five mostly of length three or four, a sixth field which ticks up as discussed before, and possibly a seventh field consisting of an [illegible]. The one exception is the Dp Bk Dp lj5m Kn mentioned above, in which field five is two long. Further, this one does not tick up but always appears the [illegible].

We have more information about the third type, in which the last 12 characters are the encoded version numbers. We observed:

Version, First Field: 5 0 2 614 Dp Bkt or 6 0 2 618 Dp or Dr 0 0 2 021 Dp Bks or Bm2 0 0 3 832 Dt or Dz 2 0 0 1 19 Bmt 2 0 0 124 Bmt 2 0 0 125 Bkt or Bmt 2 0 1 321 Bmt or Bm 2 0 1 323 Bmu 2 0 1 325 Bmt or Bm u or 8 0 0 352 an or an

So it seems that the first field is tracking along with the version numbers, so it could relate to the date at which the product is activated, but is not directly equivalent to the version number. Type 3 strings are all seven or eight fields long.
One of the [illegible] occurring strings [illegible] Dp Bk Dp ljirn [illegible]. By converting the strings into hexadecimal this becomes 00000009 0000049c 00000009 00018120 0003c3 0. Now [illegible] lines. We find serial [illegible] 000181120. We [illegible] an [illegible] Bmu 87 481 E111, which equates to 0000041'1 0000092c 000004cc 0313cT0hc 0002061311 00000032, which [illegible] 092C- [illegible] are close [illegible] 000004cc 000007114 000004cc 02h 80c0 00005c 9c with [illegible] 000004ch 00000494 000004cr 0243913132 00013621 with 0494-0004CD-02439E4C [illegible].

(U) Key Files

We [illegible] key files and [illegible] first four bytes of key files [illegible] signature Kst. After an initial header, key files can be [illegible] into [illegible] with an algorithm like [illegible]. The fields of records [illegible] as follows, in bytes: Position, Specific kind of [illegible], [illegible] in value field [illegible].

(S//SI//REL) [illegible] things [illegible] files contain base64 strings such [illegible], which [illegible] to [illegible], which [illegible] to anything.

(U) It appears that [illegible] string [illegible] to [illegible] is in [illegible] unique [illegible] client, carries [illegible] for [illegible] serial [illegible], can be [illegible] for [illegible]. We believe [illegible] User Agent string carries [illegible] in [illegible] services [illegible] for or [illegible]. Study of [illegible] few versions [illegible] strings, serial [illegible], activation keys, key files [illegible] this [illegible].

DISTRIBUTION

Hard copy: DC 324 [illegible]
[illegible] distribute: IDA/CC[illegible], IDA/CC[illegible]

National Security Archive, Suite 701, Gelman Library, The George Washington University, 2130 H Street, NW, Washington, D.C., 20037
Phone: 202/994‐7000, Fax: 202/994‐7005, nsarchiv@gwu.edu