Title: An Easy Way to Win: Using SIGINT to Learn about New Viruses (Project Camberdada)

Release Date: 2015-06-22

Document Date: 2010-01-01

Description: This 2010 NSA presentation describes Project Camberdada, an attempt to subvert popular antivirus software by means of surveilling email traffic: see the Intercept article Popular Security Software Came Under Relentless NSA and GCHQ Attacks, 22 June 2015.

Document: TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL

An Easy Way to Win: Using SIGINT to Learn about New Viruses

Project CAMBERDADA
By HH, 1412 (IAD)

Derived From: NSA/CSSM 1-52
Dated: 20070108
Declassify On: 20370301


Overall classification: TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL


BRICKTOP (2009)

Tascom RusComNet
Kaspersky
Rosoboron
Institute of Information & Telecommunication Analytical Technology Corporation
Comstar Komet


Антивирус Касперского (Kaspersky Anti-Virus)


Sample Email Received by an AV Vendor

P WZA20120510218350000197506

Good day,

A phishing scam file is attached for your analysis.

Zip file password = virus

The file tricks the user into giving her/his bank account
credentials. This can be verified by clicking on the Sign In
button.

FYI: https://www.virustotal.com/file/8fb6447fdc9cfe204cde...

Regards,

Francois Picard
www.NewRoma.net

Attachment: BMOFinancialGroup.zip
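The intake step the slides describe (an intercepted submission to an AV vendor turned into a triaged sample) can be modelled end to end. The Python below is an added example written for this page; it is not NSA code and not part of the original presentation. It constructs a stand-in for the email above (the sender and vendor addresses, the HTML payload inside the zip and the VirusTotal link are constructed, the link being built from that payload's own SHA-256 rather than the truncated hash on the slide), then parses it the way a triage pipeline would: pull the archive password out of the body, open the attachment, hash every member, and check whether the hash the sender cited matches anything that was actually attached.

```python
import email
import email.policy
import hashlib
import io
import re
import zipfile
from email.message import EmailMessage

# Password and VirusTotal-link patterns as they appear in the sample email.
PASSWORD_RE = re.compile(r"password\s*[=:]\s*(\S+)", re.IGNORECASE)
VT_RE = re.compile(r"virustotal\.com/file/([0-9a-fA-F]{8,64})")
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # refuse to inflate oversized (zip-bomb) members


def build_sample_submission():
    """Constructed stand-in for the slide's email: the addresses, the HTML
    payload and the hash in the link are made up here, the real attachment
    is not on the page."""
    payload = b"<html><body><form>Sign In</form></body></html>"  # constructed
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("BMOFinancialGroup.html", payload)
    digest = hashlib.sha256(payload).hexdigest()
    msg = EmailMessage()
    msg["From"] = "reporter@example.net"       # assumed sender address
    msg["To"] = "newvirus@av-vendor.example"   # assumed vendor intake address
    msg["Subject"] = "Phishing sample"
    msg.set_content(
        "Good day,\n\nA phishing scam file is attached for your analysis.\n\n"
        "Zip file password = virus\n\n"
        f"FYI: https://www.virustotal.com/file/{digest}\n\nRegards,\n"
    )
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="BMOFinancialGroup.zip")
    return msg.as_bytes()


def triage_submission(raw):
    """Parse one intercepted submission and return what an analyst needs:
    the archive password, every extracted member with its SHA-256, and
    whether the sender's VirusTotal link matches what was actually attached."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    text_part = msg.get_body(preferencelist=("plain",))
    body = text_part.get_content() if text_part is not None else ""

    pw = PASSWORD_RE.search(body)
    password = pw.group(1) if pw else None
    vt = VT_RE.search(body)
    vt_prefix = vt.group(1).lower() if vt else None

    members = []
    archive_hashes = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)
        name = part.get_filename() or ""
        if not data or data[:2] != b"PK":  # check the zip magic, not the extension
            continue
        archive_hashes.append(hashlib.sha256(data).hexdigest())
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                    continue
                # pwd must be bytes; it is only consulted for encrypted entries.
                content = zf.read(info, pwd=password.encode() if password else None)
                members.append({
                    "archive": name,
                    "name": info.filename,
                    "size": len(content),
                    "sha256": hashlib.sha256(content).hexdigest(),
                })

    # The sender may have hashed either the archive or the file inside it.
    known = archive_hashes + [m["sha256"] for m in members]
    vt_match = bool(vt_prefix) and any(h.startswith(vt_prefix) for h in known)
    return {
        "zip_password": password,
        "vt_hash_prefix": vt_prefix,
        "members": members,
        "vt_match": vt_match,
    }


if __name__ == "__main__":
    print(triage_submission(build_sample_submission()))
```

Two practical points: the attachment is recognised by its `PK` magic rather than its filename, because submitters routinely rename samples, and members above a size cap are skipped so that a zip bomb sent to a vendor does not also take out the collector. A mismatch between the cited VirusTotal hash and the attached content is worth flagging on its own, since it means the analyst is looking at a different file from the one the submitter was discussing.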


Work Flow


Analytic value

• SIGINT brings in ~10 potentially malicious files per day for malware triage
• Over 500 potentially malicious files collected since 2009
• ~50 CAMBERDADA signatures deployed to NIPRnet for alerting
• 9 domains mitigated

DNS Interdiction

• 9 domains under DNS Interdiction
• Cloudshield intercepts the DNS request
• Returns the address of a DoD listening post
• Munged version of the request is sent out
• DNS response is sent to a log
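The interdiction mechanism above, as an added example that is not code from the presentation or from Cloudshield: a resolver-side hook that parses an incoming DNS query, checks the name against an interdiction list, and, for a listed domain, answers with the address of a listening post while writing the original request to a log. The domain list (bad.example, c2.example.net), the listening-post address (192.0.2.53, from the RFC 5737 documentation range) and the log record layout are assumptions. The slide's step of sending out a "munged" copy of the request is not modelled, because the slide does not say what the munging consists of.

```python
import ipaddress
import socket
import struct
import time

# Assumed configuration: the slide names neither the nine domains nor the
# listening-post address. 192.0.2.53 is from the RFC 5737 documentation range.
INTERDICTED = {"bad.example", "c2.example.net"}
LISTENING_POST = "192.0.2.53"

QTYPE_A, QCLASS_IN = 1, 1


def build_query(name, txid=0x1234, qtype=QTYPE_A):
    """Encode a plain DNS query (header + one question). Used here to
    construct test traffic; a deployment would receive these on the wire."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, QCLASS_IN)


def parse_question(packet):
    """Return txid, lowercase qname, qtype, qclass and the raw question bytes."""
    txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    off, labels = 12, []
    while True:
        length = packet[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in a question name")
        labels.append(packet[off:off + length].decode("ascii"))
        off += length
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    return {"txid": txid, "qname": ".".join(labels).lower(), "qtype": qtype,
            "qclass": qclass, "question": packet[12:off + 4]}


def is_interdicted(qname, interdicted):
    """Match the name itself or any parent (www.bad.example -> bad.example)."""
    parts = qname.split(".")
    return any(".".join(parts[i:]) in interdicted for i in range(len(parts)))


def sinkhole_response(query, ip, ttl=60):
    """Answer the query with a single A record pointing at the listening post."""
    q = parse_question(query)
    header = struct.pack("!HHHHHH", q["txid"], 0x8180, 1, 1, 0, 0)  # QR, RD, RA
    answer = (b"\xc0\x0c"  # pointer to the name at offset 12 (the question)
              + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
              + ipaddress.IPv4Address(ip).packed)
    return header + q["question"] + answer


def answer_ip(response):
    """Extract the A-record address from a response built by sinkhole_response."""
    q = parse_question(response)
    off = 12 + len(q["question"]) + 2 + 10  # name pointer + fixed RR fields
    return socket.inet_ntoa(response[off:off + 4])


def interdict(packet, client, interdicted=INTERDICTED,
              listening_post=LISTENING_POST, log=None):
    """Inline hook: for an A query on a listed domain, answer with the
    listening-post address and log the original request. Otherwise return
    None so the query continues to the normal resolver untouched."""
    q = parse_question(packet)
    if (q["qtype"] != QTYPE_A or q["qclass"] != QCLASS_IN
            or not is_interdicted(q["qname"], interdicted)):
        return None
    entry = {"ts": time.time(), "client": client, "txid": q["txid"],
             "qname": q["qname"], "answer": listening_post}  # assumed log layout
    if log is not None:
        log.append(entry)
    return sinkhole_response(packet, listening_post)


if __name__ == "__main__":
    log = []
    resp = interdict(build_query("www.bad.example"), "10.0.0.7", log=log)
    print(answer_ip(resp), log)
```

The hook matches parent domains so that any host under a listed zone is caught, and it reuses the client's transaction ID so the forged answer is accepted. Only A/IN queries are redirected here; a production sinkhole would also answer AAAA (otherwise a dual-stack client simply connects over IPv6 to the real address) and would keep the log on the listening post rather than the interception box.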


Current status

• CRN
  ■ SSO
  ■ Overhead
  ■ SCS
  ■ FORNSAT
• IN L-C-2010-147 - Multi-Country: Computer Network Ops
• Dozens of CADENCE selectors
  ■ PINWALE daily queries; EXIT4 models
• MAILORDER


What else can we do?

• TAO can repurpose the malware
• Check Kaspersky AV to see if they continue to let any of these virus files through their Anti-Virus product
• Monitor the folks who provide the malware to see if they're into more nefarious activity
• Establish automated reporting

More Targets!

Viritpro (Italy)
AVG (Czech)
fsb-antivirus (France)
eAladdin (Israel)
Norman (Norway)
F-prot (Iceland)
Bit-Defender (Romania)
F-secure (Finland)
k7computing (India)
Ikarus (Austria)
Hauri (Korea)
Arcabit (Poland)
Avira (Germany)
Spy-Emergency (Slovakia)
Nod32 (Slovakia)
Novirusthanks (Italy)
Ahnlab (S Korea)
DrWeb (Russia)
Antiy (Chinese)
Emsisoft (Austria)
Eset (Slovakia)
Avast (Czech)
Checkpoint (Israel)
