Title: Pay attention to that man behind the curtain: Discovering aliens on CNE infrastructure

Release Date: 2015-01-17

Document Date: 2010-06-01

Description: This June 2010 CSEC presentation for the CSEC conference outlines counter-computer network exploitation (CCNE) techniques: see the Der Spiegel article The Digital Arms Race: NSA Preps America for Future Battle, 17 January 2015.

Document: TOP SECRET II COMINT

Pay attention to that man behind the

curtain:

Discovering aliens on CNE infrastructure

CSEC Counter-CNE

Target Analytics thread
SIGDEV Conference
NSA-June 2010

Safeguarding Canada’s security through information superiority

Préserver la sécurité du Canada par la supériorité de l’information

/H ll+l

Canada

TOP SECRET II COMINT

Communications Security Centre de la sécurité

Establishment Canada des télécommunications Canada

The need for Counter-CNE... ^

• Foreign and friendly actors often encountered

• CNE operators do not pursue them beyond their targets

• Reporting groups need to be made aware

• OPSEC evaluation is needed

• Active pursuit of CNE actors: a different ballgame

Safeguarding Canada’s security through information superiority
Préserver la sécurité du Canada par la supériorité de l’information

/H ll+l

Canada

TOP SECRET II COMINT

■ ■ Communications Security Centre de la sécurité

Establishment Canada des télécommunications Canada

Outline

• Introduction CCNE at CSEC

• CCNE tools and methods

• SNOWGLOBE

• De-confliction

Safeguarding Canada’s security through information superiority

Préserver la sécurité du Canada par la supériorité de l’information

/H ll+l

Canada

TOP SECRET II COMINT

■ ■ Communications Security Centre de la sécurité

Establishment Canada des télécommunications Canada

CCNE Group at CSEC

• Part of CSEC CNE operations (KO)

• Recently formed matrix team

• Analysts and operators from CNE Operations, 10 Reporting
Lines and Global Network Detection

• Mandate:

- Provide situational awareness to CNE operators

- Discover unknown actors on existing CNE targets

- Detect known actors on covert infrastructure

- Pursue known actors through CNE

- Review OPSEC of CNE operations

Safeguarding Canada’s security through information superiority

Préserver la sécurité du Canada par la supériorité de l’information

/H ll+l

Canada

TOP SECRET II COMINT

■ ■ Communications Security Centre de la sécurité

Establishment Canada des télécommunications Canada

CCNE team

Reverse engineering

T arget development

Active collection

nderstand
foreign CNE actors

oreign CNE
persona

Passive collection Develot

Collection signatures

Safeguarding Canada’s security through information superiority
Préserver la sécurité du Canada par la supériorité de l’information

/H ll+l

Canada

5

TOP SECRET II COMINT

l+l

Communications Security Centre de la sécurité

Establishment Canada des télécommunications Canada

CNE Toolkit: WARRIORPRIDE

• WARRIORPRIDE (WP):

- Scalable, Flexible, Portable CNE platform

- Unified framework within CSEC and across the 5 eyes

- Do more with less effort

• Common framework for sharing code/plugins across the 5 eyes

• WARRIORPRIDE is an implementation of the "WZOWSKI” 5-eyes API

- WARRIORPRIDE@CSE/etc. == DAREDEVIL@GCHQ

• WARRIORPRIDE

- xml command output to operators

- Several plugins used for machine recon / OPSEC assessment

Safeguarding Canada’s security through information superiority

Préserver la sécurité du Canada par la supériorité de l’information

/O ll+l

Canada

TOP SECRET II COMINT

■ ■ Communications Security Centre de la sécurité

Establishment Canada des télécommunications Canada

WARRIORPRIDE

Safeguarding Canada’s security through information superiority
Préserver la sécurité du Canada par la supériorité de l’information

/H ll+l

Canada

7

TOP SECRET II COMINT

l+l

Communications Security Centre de la sécurité

Establishment Canada des télécommunications Canada

WARRIORPRIDE plug-ins and output

• Several WP plugins are useful for CCNE:

- Slipstream : machine reconnaissance

- ImplantDetector: implant detection

- RootkitDetector: rootkit detection

- Chordflier/U ftp : file identification / retrieval

- NameDropper: DNS

- WormWood : network sniffing and characterization

• Already used for CNE OPSEC

• Used for precise identification and heuristics

Safeguarding Canada’s security through information superiority
Préserver la sécurité du Canada par la supériorité de l’information

/H ll+l

Canada

8

TOP SECRET II COMINT

■ ■ Communications Security Centre de la sécurité

Establishment Canada des télécommunications Canada

WP xml output (raw)



cresponse xmlns:xsi-'http://www.w3. org/2001/XMLScherna-instance''

xsi:noNamespaceSchemaLocation="U_FileCollectorLp/U_FileCollectorLp_2.15.xsd"ximplantl

d>51.1.2.16050.0.0.101
ansactionld>3204532010-02-

23T15:53:06.3662010-02-

23T15:47:43.44800
Os>fcstartSucce

ssFALSE

Safeguarding Canada’s security through information superiority

Préserver la sécurité du Canada par la supériorité de l’information

/H ll+l

Canada

TOP SECRET II COMINT

l+l

Communications Security
Establishment Canada

Centre de la sécurité

des télécommunications Canada

WP SLIPSTREAM output (parsed)

[2010/05/18 - 16:28:05 (UTC)] Transaction Id: 582966
U_SLIPSTREAM -

Implantld: <51.8.1.13>

Timestamp (UTC): 2010/02/09 06:42:42

PAGE : 1 of 1

PID |Service Name

|Status ¡Startup Type ¡Service Process Type|Display Name

¡Binary Path

924 ¡AeLookupSvc ¡RUNNING ¡AUTOMATIC ¡SHARED

C:\WINDOWS\system32\svchost.exe -k netsvcs
0 ¡Alerter ¡STOPPED ¡DISABLED ¡SHARED

LocalService |

3184 |ALG ¡RUNNING ¡MANUAL ¡OWN PROCESS

C:\WIN DO WS\Sy ste m32\al g .exe

0 ¡AppMgmt ¡STOPPED ¡MANUAL ¡SHARED

-k netsvcs |

¡RUNNING ¡AUTOMATIC ¡SHARED

924 ¡AudioSrv
-k netsvcs

¡cation Experience Lookup Service |

¡Alerter ¡C:\WINDOWS\system32\svchost.exe -k

¡Application Layer Gateway Service |

¡Application Management ¡C:\WINDOWS\system32\svchost.exe

¡C:\WINDOWS\System32\svchost.exe

0 ¡BITS ¡STOPPED ¡MANUAL

C:\WINDOWS\system32\svchost.exe -k netsvcs
0 ¡Browser ¡STOPPED ¡AUTOMATIC

-k netsvcs |

1028 ¡CcEvtMgr ¡RUNNING ¡AUTOMATIC

Files\Symantec Shared\ccSvcHst.exe" /h ccCommon
1028 ¡ccSetMgr ¡RUNNING ¡AUTOMATIC

Files\Symantec Shared\ccSvcHst.exe" /h ccCommon

1708 ¡Cissesrv ¡RUNNING ¡AUTOMATIC

Files\HP\Cissesrv\cissesrv.exe" |

0 ¡CiSvc ¡STOPPED ¡DISABLED ¡SHARED

0 ¡ClipSrv

¡STOPPED ¡DISABLED

¡Windows Audio

¡Background Intelligent Transfer Service

I

¡Computer Browser

¡Symantec Event Manager

¡Symantec Settings Manager

I

¡OWN PROCESS ¡HP Smart Array SAS/SATA Event Notification Service ¡"C:\Program
¡Indexing Service ¡C:\WINDOWS\system32\cisvc.exe

¡OWN PROCESS ¡ClipBook

¡SHARED
¡SHARED
¡SHARED

I

¡SHARED

¡C:\WINDOWS\system32\svchost.exe
¡"C:\Program Files\Common
¡"C:\Program Files\Common

10

Safeguarding Canada’s security through information superiority

Préserver la sécurité du Canada par la supériorité de l’information

il»«

Canada

TOP SECRET II COMINT

■ ■ Communications Security Centre de la sécurité

Establishment Canada des télécommunications Canada

WP SLIPSTREAM output

[2010/05/18 - 16:28:06 (UTC)] Transaction Id: 582968
U_SLIPSTREAM -

Implantld: <51.8.1.13>

Timestamp (UTC): 2010/02/09 06:42:43

(parsed)

drivers

PAGE : 1 of 1

-I

SCM|Driver Name 1 I |Status |Startup Type |Driver Type 1 Display Name 1 Binary Path 1
1 lntoskrnl.exe 1 | | IRUNNING | | 1 1 1 |C :\WI N DO WS\sy ste m32\ntos krn 1. exe
¡hal.dll IRUNNING | | 1 |C:\WIN DOWS\system 32\hal.dll
IKDCOM.DLL IRUNNING | | 1 |C:\WI NDOWS\system32\KDCOM.DLL
IBOOTVID.dll 1 IRUNNING | | 1 |C:\WINDOWS\system32\BOOTVI D.dll
lACPI.sys IRUNNING | | 1 lACPI.sys 1
¡WMILIB.SYS I IRUNNING | | 1 |C :\WI NDOWS\system32\DRI VERS\WM 1 LI B. SYS
Ipci.sys IRUNNING | | 1 Ipci.sys 1
|isapnp.sys IRUNNING | | 1 psapnp.sys |
Ipciide.sys IRUNNING | | 1 Ipciide.sys |
IPCIIDEX.SYS IRUNNING | | 1 |C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
|MountMgr.sys IRUNNING | | |MountMgr.sys
|ftdisk.sys IRUNNING | | 1 |ftdisk.sys 1
|dmload.sys IRUNNING | | 1 |dmload.sys |
|dmio.sys IRUNNING | | 1 Idmlo.sys |
jvolsnap.sys IRUNNING | | 1 |volsnap.sys |

Safeguarding Canada’s security through information superiority

Préserver la sécurité du Canada par la supériorité de l’information

/H ll+l

Canada

TOP SECRET II COMINT

■ ■ Communications Security Centre de la sécurité

Establishment Canada des télécommunications Canada

REPLICANTFARM

• Extend WP output to a signature based system:
REPLICANTFARM

• Module based parser/alert system running on real-time
CNE operational data

• Custom/module based analysis:

- Actors

- Implant technology

- Host based signatures

- Network based signatures

Safeguarding Canada’s security through information superiority

Préserver la sécurité du Canada par la supériorité de l’information

/H 11+1

Canada

TOP SECRET II COMINT

■ CCNE/Opsec WPID Alerts - Mozilla f irefd*

File Edit View History Bookmarks lools Help



é In

* -1

Most Visited lj Getting Started ;>j Latest Headlines ¿1 LTT < Operations < TW... - Dpsec - klsvn - Trac CCNE/Opsec: Systems □ http://obelix/systemInfo/

J CCNE/Opsec WPID Alerts x 0 Exploits

http://obelix/

CCNE/Opsec WPID Alerts x |V CCNE/Opsec WPiD Alerts x

CCNE/Opsec WPID Alerts

Note that the search is done with the fields as perl regular expressions..

REPLICANTFARM

C lurent Modu les: mod_10W_WTH_Implaiit .pi mod HW MM SHEPHERD.pl mod_l 10Q,_VO_Implant.pt moc_3 5_pracP'arents.pl mod_5W>_SD_MD C.pl mad_24_expecledArguments.pl mod_3M_UNTC_WTNPAC? pi mod_310_UNK_WTDOWTCEY.pl • h
tnc-dj l_cloaksd.pl mod_ 16_tecyclarsx sc.pl m od_ 2 C1 _SD_u H2 iFTP.pl mod_2 i_pfivilsH es.pl mod_3C 5_UlSIEJASEX.pl mod_3 ll_UNK_CIVETCAT.pl me
mcd_l 2W_AF_ALOOFNESS pi mcd_ 17_tmpaflcec.pl raod_2 U_pahmadinca.t ion.pl mod_300_UNK_TCPSRV3 2 .pi mod_3Cr 6_UNK_WTNU?DATE. pi mod_3 _mspra tender. pi mo
mod_ 102 _MM_REGE ACKU? .pi mod_103_MM_D0GHOUSE.pl mod_104_MM_WALKER.pl mod_12_system3 2var.pl mod_ ] S _p as swor¿fil t =r =. pi m cd_ 21 _=■: h seuls at .pi mod_30 l_UTiK_BLAZINGANGEL.pl mod_307_UNK_QUI\rEEINGSQUAB .pi mod_400_SS_WTNBEE.pl mo
fn&d_l 3_farpassTTOfd.pl mod_ 19 _k sraslcloattfi=. pi mod_2 7._n runinst aHerae. pi mod_302._TTNYWrEB.pl mod_30S_UME_WTND0.pl m«i_4Gl_SS_SSLlNST pi mo
mod_ 14_;t r aagsdllat t sa sions .pi mod_ 1 _p.acked.pl m od_ 2 3 _hi.ddcn.pl mod_30JJ2MK_CYDLL.pl mod_305_UNK_DIESELRATTLE.pl mod_402_SS_SharpR .pi mo

Ilots {.) ara
îtn.El=-
character
vrildcarda
Dot-Star (..*)
means any

manta: of

characters

Single WPID:

5r..s',.r..i3

Class C

WPID:

51UBV1U

lafrastrcctura:

A5tfl.

Type:
WPTD Regexp: Module Regexp: MM Historic: ’3
Live: ' .

| SubmitQuery |

ALERTS

Module: Date: Tag: MM File name:../dala^ore/arcltRre/2010/01/21/2 5
mod_l 03_MM_DOGHOUSE pi 2[H0-Q1-21T15:36:W.96S ■,’niID00M)27248i_18_Y2QlOMQlD21_H15M2ES59_MSfi42MU5OQNS0_RX[D05O_0OO_0

Details:

Possible MM DOGHOUSE driver Eie: C.WTNKTt£NtUdnstallQ24459SS.

Possible MV DOGHOUSE driver file: C:\WMNT.$NtUrAistallQ24459Ei''HfAsy^
Possible MM DOGHOUSE driver file: C:AV[MvT^NtUdnstallQ24459gS'netbt.sys.
Possible MM DOGHOUSE driver He: C:iWJNNr.$NtUninstaDQ2445?gi'.1cpT-sys;
Possible MM DOGHOUSE driver file: C:\WINNT(SN«inins1allQ244598$'.hotSx inf

^PULLEDPORK—



TOP SECRET II COMINT

■ ■ Communications Security Centre de la sécurité

Establishment Canada des télécommunications Canada

cj CCNE/Opsec Mond umpprtracker viewer Mozilla Firefox

File Edit View History Bookmarks Tools Help

« -e

p Most Visited ijj Getting Started Latest Headlines JL LTT < Operations < TW... 1 Opsec - klsvn-Trac j_J CCNE/Opsec Systems C http://obelix/systemlnfo/

-L CCNE/Opsec WPIO Alerts x G CCNE/Opsec WPÍD Alerts L CCNE/Opsec WPID Alerts x Q CCNE/Opsec Mandumppr... x

CCNE/Opsec Mondumpprtracker viewer

Note that the search is dene on the wpidj with a simple wildcard and a perl regexp for xcs tommand lines..

Eunpht;

t A ■valise of* * in a v.jio tndicaies that ■class' is a wildcanJ.

• Single WPIO: SL.a.l. 13

• Cl*» E WPH>: 51.1.*. *

■ Class C WPIO: 51.3.1.*

■ The —Regexp Is a pari regular expression applied to its :orrjT_sr.d line. Only cswraasHidi tirass -satisfying its expression will te displayed.

• Tie -Regexp Ls a perl regular expression applied to its command line. Only command lines HOT sati«§ring ite expression will "be displayed.

pm cmdLint parear tipid lutSeea
|9räeds^nc.BH! C:' WTCDOWS'ívitsmôZffisÉedssync.exe v-tk &11 ;ia-JíEoiíT._0TiTjéri6 gt ; 2Ö15W55-24 12:13
ldwlrwiînf,aî.s £qi»t;t: Program. FiLsí' SynssEtK.' Symantec Exdpoir.i: Protection! UWHW:Lail.EK&qwt, &li ;iiRkitown_ííwiwi&gt ; 201MJ-24 04:05
1 Iwaübidfraxy fapwCiC: Proarar. Files-SymatiK'LivaVpistt'LpCaUtodcPs«y.«iafoiBK; {SL1CD2ÍE-1C4&-4ÍSÍ-&DDIXA+FAE545FBDF} £ li ;iaiííEtmrí_ty\vT^r£ gt ; 2010-05-24 04:05
1 iTsrallbsilrproxy |*qi»H;C: Program FiLeiVSyfsaEteo'Lix'eLpdate'XuCiUhacbProxy.aceifeqiayt; {E5A3EBEE-D5BXM21s-K6[)F-54C0B3739522} * H iimknOT^OTiTerÄ gt ; 2010-05-24 04:05
1 f £qií«;C: Fr:-arar. FLLk S'-rr.a:ia: LivîVçdaé'luCaLLCü-dcPi-îxy.atâÂq't«:; {Dû75?52S-C'5E ‘-isaL-5DCF-230; 1EEE'E-E3 \ &lt iiaikEBiir^treTuafi gi ; 2010-05-24 04:05
1 liKallbaftprory &qtot;C: Program Fila;' Symantec LivêUpdaié-L'bCjlllacl-SVoxy.atiÂqiiiw; {CÆ0DC234-fi5E!H1 ['iKCOls-l. sxs £qi»t;C:'PEO|lnHl.öL» *qisot;C: Program FilK'.Sv'ffianteo'lK'eUpdsie'.Ltisllexeárquot: -S Ält ;urXíno'KT_mRTierife,g t ; 2010-05-24 04:05
1 ses olívate *qi»H;C: Program Fil«'. Symantec' Symantec Endpoir-t Piore: non SeacLU .exe*ouot: -Embedding *H:,unkng'w>n onTeriSgl: 2010-05-24 04:04
ivmipívse.ene C:' '^TbnX»WS'^,4raTi52'w'beiTiliraiipiVbe,e3H -••erprad -Embedding £lt ;-L.r3a,.c,;r._b"T:erÆ gt ; 2010-05-24 02:10
Iftelpsvc.ace C:1 .WINDOWS PCHsaLtlî'HelpCtfEmarie;' HelpSvc.cwAqwM:; iEmbewing & 11 ;ur3a!.cf.f._cmT.er£ gt ; 2010-05-24 02:10
£qi»c,C: LIDiaraff.’-AP-P AcioraitPriai.ä.äXä&qisQi; .l-a-leamene *qisot;C: tID^monr.SpamAsas5in.iê-leâm exeÂqi»t; —tant —ror.5gparh=£ quot ; C : MDaemor. APP Spun* va ; ;i r_ deéiil r jet le >*q'¿o r ; —;itecorÆgpatt="C: AiDaemon SpamAesaesin mlesÄquot: —diiÆquorCAiDeemon PUBLICA EAYE5W1 EMA NOK-SPn.1 ILLA * nvsg" £1t ;urj:r_gr.r._cr,.TT.erife,g t ; 2010-05-23 19 JO
|iKMiaapfisite.at Sqisot: C: ADDaemon APP AocouniPmne.exefepiot ;. a * H iratfaLg'm; onTeriSet: 2010-05-23 19:30
1 ItarpnaH.ete ¿feqisor; G: MDjssimVAPP LisiPiiate.eKe&qiiot; s & It iiaUif-oti^oiineriS gt ; 2010-05-23 19:30
Isa-team, ace &qiVK;C: ilDaeraon' Sj^AesäK-ifA-^Ieam.exeÄqi»::; -apara -c*ES.gpait=&qj>oi:C:'.JiD34ra«i''APF.SparaA55a^ifi'd^T:Ii_n>les*£[Ubi; -aLter-erigföü:=¡£q.ivci;C^fCî3erabr.-SpaiyAisaSíir.'.rLilecÆqivet; -dir ÂqiHH;C:-.lïï>Kffior.f.PDT31JC~rSATŒSI~l.I&£A'.SPAM~l .IMAb.ma.g&quo:: * 11 ;ur3aig",b_cmT.erÄ gt ; 2010-05-23 19^0
md.updater.exe Sqisor C: .MD^mor.'.APP iMDUpdater.exe&quoi ; p=áüj.ijot;tíDaeraon ServerSquot: ,'s &1t ;iínlaig'«,n_msTer*,gt : 2010-05-23 1930
|cmd.exe * quor ; C: .M.TNTX>WS' system3 2 ornid .exeÄqivc t ; -r &qmr: C : MDaemon .APP Learr: baÆq-co i ; £1t ;urj:r_g,RT._o"T.erife,g t ; 2010-05-23 1930
||avupaae.ene íiqisKi C: MD-aeraor.' Se*urir.'PLu; a_.iipdate er.5Æa;adr; q r. & lt iiaUínoi^oiinériS gt ; 2010-05-23 14:21
|íiatííll32.aie C UTvDOWS' -t-y ;tem3 2' rursd 113 2. exe C: J50CLtME~TAILirSEr-l.TlTNAPPLIC~r SyraaiaK'.SyKfApp&' SyKnAppS.dll. UpdateSyîLrApp S & 11 :urZngf.f._cmT.er£ gt ; 2010-05-23 04:05
KcoiindpnMte.at *qi»t;C: tJDaemOT.'APPAccwifitPíime.eKe" d=L r^quct:C:'AÍI>aenvHí L*gs DldLogs Logs-201l>-05-21-Ffi-(X3-í>0-03.íipSqiK.i; p=*quot:C: AIDaemonLogafeiuotj r &1t ;unlaig'wn_oisTer*,gt : 2010-05-22 1932
|msfeed55ytyr.exe C: V*T>¡DOWS'.sysremi3 ? m^ed.i.!.vn-.exe sync ftll:urj:r_gr.r. merer*'et: 2010-05-22 0 3:16
1 lucallhadcproxy írq-icor: C: Program. Files1. Symantec' Lp/eUpdeie'XuCalLhadcPíioxy exe^qisot; { B L2CD25B-1040-40 36-9DDEM.4FÆ649FBDF} &1t ;iirJíngTi'n_OTXT!er*gt : 2010-05-22 04:05
1 lisKllbáftpfoxy &qii*c;C: Program FiLes.&>'raaEiK'LiveUpiaie'XuCalloaílíPí>osy.es.eiSq,i»t; {EiA3EBEE-D.5£^21 e-E-fOF-í4C0B3739522} & It iiaUif-oti^oiineriS gt ; 2010-05-22 04:05
1 [ucsllbadkproxy &qnsrt;C: Program Files' Svm^et LiveUpdaieluCjllbadFioxy.exs&qtim:; {D3T-5í»2-54>5E'-ladL-50CF-23Q51EEE7BE3 } &1t :uTL>aiQ''S‘n_ot>TÄr* gt : 20104)5-22 04:05
liKallhsífcproxy *qisot;C: Program Files'. SyffiafitefLix-eUpdaieX.uCiUl»rfePí03Cj-ace*qTsac; { C60IIC234-65 F9-+6T4-94AEr-S215BEFCA433 } *1i ;iînlaig'«,n_msTer*gt : 2010-05-22 04:05
1 liKonis-l .ate Squot;C: PEOGPA-1 SymantK LIYEUP- L LUCOM S- L .EXBfequo i : feltmrAr-orer- o~.~r.er*ei: 2010-05-22 04:05
l'baa'LL.exe |3rqi¡»t;C: Program Files'.Symantec'LiveUpdiie.Luall.exe&quct: -S &lt iiinknoTi^owner* gt : 2010-05-22 04:05

TOP SECRET II COMINT

Communications Security Centre de la sécurité

Establishment Canada des télécommunications Canada

REPLICANTFARM generic modules

• Packed

• Peb modification

• Privileges

• MS pretender

• System32 “variables” Other ideas___________

• Strange DLL
extensions

• Cloaked

• Recycler

• Rar password

• Tmp executable

• Kernel cloaking

• Schedule at

• Ntuninstall execution

• hidden

Safeguarding Canada’s security through information superiority
Préserver la sécurité du Canada oar la suDériorité de l’information

/H ll+l

Canada

TOP SECRET II COMINT

l+l

Communications Security Centre de la sécurité
Establishment Canada des télécommunications Canada

Generic modules : example

my @runningProcs = xml_isProcessRunning( $xml, 'svchost.{l,3}\\.exe',
'winlogon.{l,3}\\.exe',

'services.{l,3}\\.exe',

'lsass.{l,3}\\.exe',

'spoolsv.{l,3}\\.exe',

'autochk.{l,3}\\.exe',
logon.{l,3}\\.scr',

'rundll32.{l,3}\\.exe',

'chkdsk.{l,3}\\.exe',

'chkntfs.{l,3}\\.exe',

'logonui.{l,3}\\.exe\

'ntoskrnl.{l,3}\\.exe',

'ntvdm.{l,3}\\.exe',

'rdpclip.{l,3}\\.exe',

'taskmgr.{l,3}\\.exe',

'userinit.{l,3}\\.exe',

'wscntfy.{l,3}\\.exe',

'tcpmon.{l,3}\\.dir );

foreach my SrunningProc (@runningProcs)

{

SalertText .= "Suspicious process detected, legitimate exe named appended with string:". SrunningProc . "An";

}

Safeguarding Canada’s security through information superiority

Préserver la sécurité du Canada par la supériorité de l’information

/d ll+l

Canada

TOP SECRET II COMINT

■ ■ Communications Security Centre de la sécurité

Establishment Canada des télécommunications Canada

RF specific signatures

• KNOWN actor filenames, processes, covert stores:

- MAKERSMARK / FANNER

- SEEDSPHERE/BYZANTINE

- ALOOFNESS

- SNOWGLOBE

- VOYEUR

- SUPERDRAKE

- GOSSIPGIRL

• Infrastructure

- Known IP addresses

- Known DNS queries

• Other tools

Safeguarding Canada’s security through information superiority

Préserver la sécurité du Canada par la supériorité de l’information

/O ll+l

Canada

TOP SECRET II COMINT

l+l

Communications Security Centre de la sécurité
Establishment Canada des télécommunications Canada

Specific signatures : example

# Check a known drivers present

my @driversPresent = xml_isDriverPresent( $xml, 'usbdevW.sys', ,acpimem32\\.sys',
,usblink32i\\.exe\ ,\\$NtUninstallQ722833\\$');

foreach my $driver (@driversPresent)

{

$alertText .= "Possible MM CARBON driver detected: ". $driver. "An";

}

Safeguarding Canada’s security through information superiority

Préserver la sécurité du Canada par la supériorité de l’information

18

/H ii+i

Canada

TOP SECRET II COMINT

■ ■ Communications Security Centre de la sécurité

Establishment Canada des télécommunications Canada

Operations

• Routine operations for CCNE investigations on current
targets

- Execution of OPSEC related plugins

- Collection of files

- Examination of network activity

• Blanket approvals for addition of selectors to level 4 OPs
against known actors: example WATERMARK operations
against MAKERSMARK

• Standard operating procedures for level 2 - level 4
operataions against foreign CCNE actor infrastructures

Safeguarding Canada’s security through information superiority

Préserver la sécurité du Canada par la supériorité de l’information

/H ll+l

Canada

TOP SECRET II COMINT

l+l

Communications Security
Establishment Canada

Centre de la sécurité

des télécommunications Canada

CCNE / OPSEC page on 5-Eyes K1SVN

Wiki

• Contains reverse engineering reports for CNE / IO
consumption

• Even logs and notes for several actors

Safeguarding Canada’s security through information superiority
Préserver la sécurité du Canada par la supériorité de l’information

20

/H li+i

Canada

TOP SECRET II COMINT

Communications Security Centre de la sécurité

Establishment Canada des télécommunications Canada

CCNE operations - Covert Infrastructure

• Some fusion of the WP and CCNE infrastructures

- Dedicated ORB for CCNE

- Unattributed dialups to the ORB

• Philosophy: use low hanging fruits against the actors
(public exploits and tools if available)

• Discussions regarding repurpose of foreign toolkits

• De-confliction

Safeguarding Canada’s security through information superiority
Préserver la sécurité du Canada oar la suDériorité de l’information

/H ll+l

Canada

TOP SECRET II COMINT

■ ■ Communications Security Centre de la sécurité

Establishment Canada des télécommunications Canada

SNOWGLOBE

• Provide the historical account of the activity on
DOURMAGNUM (Imam Hussein University)

• Implant identified while investigating another
unattributed actor

• rar archiving of emails on target

• Beaconing using HTTP to php-based listening post

Safeguarding Canada’s security through information superiority

Préserver la sécurité du Canada par la supériorité de l’information

/T 11+1

Canada

TOP SECRET II COMINT

■ ■ Communications Security Centre de la sécurité

Establishment Canada des télécommunications Canada

O CCNE/Opsec WP1D Alerts - Mozilla Firefox

hile Edit View History Bookmarks Tools Help

(On - C A ❖

Û -I

I Googf

Most Visited Q Getting Started j Latest Headlines »i LTT ic Operations < TW... - Opsee - klsvn - Trat ¡j CCNE/Opsec Systems http://obelix/system[nfo/

*L http://obelix/ ¿j CCNE/Opsec WPID Alerts x (£] CCNE/Opsec WPID Alerts x - Opsec-klsvn - Opsec - klsvn

CCNE/Opsec WPID Alerts

Note that the search is done with the fields as perl regular expressions..

Examples:

DeU (.) iß »bisU-tfearKi-a
Ti'ilifaitfdS

Dot-Star (, *) ewes. ay
raimfer of dsaraUBrs

WID: 5L,..S,..r.l3
CUM C WPID: 51-..E . 1
IrJrasmiinsre: ■ 50'.

Current Modules:

tt»d_ Lar.i .pi

modIl00_mi_3HEPHEED.pl

moUl^Cm YcARBON.pl '

I3»d_ 102_MM_REGBACE.UP.pl

med_103_MM_pOGHOUSE.pt

mcd~l04~mOvALKER.pl

3 r. od_ 11 M_VO_Iix.p lam .p L

m 11 disked. p 1

r.:d_12 M_AP_ALOOR>BSE ,pl

mod_ 12._system3 2v® pi

mrs_ 13 jfapa&STtwa pi

ST. ZS_ 1 -_:fi".ErÎL I eXCST.-■ Î Of. s. p I

m«l_ l.è _ja‘t>tPaïâEtï. pi
mod_ l 0Jj&rycterejKi.pl
o»d_ 17 _tE.pa;*:. pt
m-Cd_lS_passi5wdfi.ltas.pl
m«5 I0_kenv; Ldeül:Lr.ï.pL
EOd_L_pKfced.pL

i_2M_3D_MI2C.pl
L20l~SD_M25FIP.pl
i_2üjpaîoBidaŒài«î.pi
l_21_stfedis Le»t. pt
l22nnHitiv5ial Iex«.pL
l_2JJwMai.pl

3K«i_24_espK t-âdAr5iai.aitï pi

aL«f_15 jf ivil45é£.n L
flKXJJ M_Um_TCPSRV32, pi

1 J 0 L_LTvH_BLAZING_4XGEL.pl
jmxJJ {ÜTDTFWEB pi
ij OJ_Um_CÏDLL.pi

U M.UNR^mT ACP. p l rood.

LJDtfuNKJASEX.-pL mod'

l_j06_UNK_WINUPIMTE.pl iKOfii.

I_3 0T_U]\lK_QUT^'EE]NGS QUAB pi modi.

LjDsYjNkGwINDO.pL " W

!_j 0P_U?Æ._DIES ELRATTLE.pl mod.

310_LTTC_WTDOWKEY.pl
SI l~UKK~CI\,ETCAT.pi
3_aksjH«eKlsr.pl
4M_S S_WTNBEE.pt
'4-C'i"ss"sslp-;st"pl
402_SS_2hapR.pl

l_jM_SJ_DDLT.pL
L5_kHmKpe.pl
I_KO_CR_lMPLANT.pl
l_fid1_GE_FL.43.IE pi
!_5JawwnKtas. pi
L^CO.SC.CHOCOPOP. p l

fii«li_S_

n»d_9TOj

nBod_EeFl_

K'M._FJFI_

Rn

Type:
WPID R^np: Module Regexp: _700_SG_ HLs-lOfic: ®


Submit-Query |

ALERTS

WTIE'I

Details:

Possible

Possible

Possible

Possible

Possible

Possible

Possible

Possible

Possible

Possible

Possible

Possible

Possible

Possible

Module: mod 700 SG CHOCOPOP pt Date: 7009-09-30T10:!8:41.906 Tag: SG FUe name: .. data5tore,arclm^,2009.'0930TO.'TXIDO{H)t>074573_18_Y2009M09D30_H10Ml

SXOWGLOBE CHOCOPOF process detected
SXOWGLOBE CHOCOPOP process detected
SXOWGLOBE CHOCOPOP process detected
SXOWGLOBE CHOCOPOP process detected
SXOWGLOBE CHOCOPOP process detected
SXOWGLOBE CHOCOPOP process detected
SXOWGLOBE CHOCOPOP process detected
SXOWGLOBE CHOCOPOP process detected
SXOWGLOBE CHOCOPOP process detected
SXOWGLOBE CHOCOPOP process detected
SXOWGLOBE CHOCOPOP process detected
SXOWGLOBE CHOCOPOP process detected
SXOWGLOBE CHOCOPOP process detected
SXOWGLOBE CHOCOPOP process detected

cmd.exe C ""c:\RECY
cmd.exe C ""ciTŒCY
" c uREC Y"CLER\S-1 -5-
"c uRECYCLESj'.S-1 - 5
cmd.exe /C ""c:\RECY
cmd.exe C ""c:\RECY
" c i'RECYCLERNS-l -5-
"c : 'EEC Y* C L E R' £ -1 - 5-
cmd.exe C ""c:\RECY
cmd.exe C ""c:\RECY
"c:’RECYCLER\S-l-5-
"c : 'EEC Y* C L E R '■ S -1 - 5-
cmd.exe IC ""ci'RECY
cmd.exe C ""ci'RECY

"CLER > S -1- 5-21-101796669-4102346S 75 -22098 32 36-500'!rar. exe " a -r -¡mil
"CLER-.S-1-5-21-10179666 9-41023468 75-22098 32 36-500''rar. exe" a -r -¡mil
-21-101796669-4102346S75-220983236-500Var.exe" a -r -inul -hplockless -
-21-101796669-4102346875-220983236-500''-rar.exe" a -r -inul -hplockless -
CLER'.S-1-5-21-101796669-4102346875-22098 32 36-500\rar.exe" a -r -¡mil.
'CLER>. S -1-5-21-101796669-4102346875-2209S 32 36- 5 DO'rar. exe " a -r -¡mil
-21-1017 9*6669-4102 346S75-2209 S3236-5 00 r ar.exe" a -r -inul -hplockless -
-21-101796669-4102346875-220983236-SOO'-rar.exe" a -r -inul -hplockless -
'CLER- S-1-5-21-101796669-4102346S 75-2209S 32 36-500''rar. exe" a -r -inul
CLER- S-1 -5-21-101796669-41023468 75 -22098 32 3 6-500 >rar. exe" a -r -inul
-21-1017 96669-4102 346S75-220983236-500 -rar.exe " a -r -inul -hplockless -
■21-101796669-4102346875-220983236-500'-rar.exe" a -r-inul -hplockless
'CLERS-l-5-21-lO1796669-4102346S75-2209S3236-5Q0rar.exe" a -r -¡mil
CLER-S-1-5-21-1.01796609-4102340S75-2209S3236-50DTar.exe" a -r -inul

-hplockless -aprfeghhi -tnld temp-168 .rar ciMDAEMON'Usersihu.a
-hplockless -aprfeghhi -tnld temp-168 .rar c: MDAEMOXUsersihu.a
apSXazarian -tnld Ci'WTXDOWS .TEMPT^.rar ci'MDAEMOX'Usi
apSXazarian -tnld C:\WINDOWS\TEMPU66.rar ci'MDAEMOX'Usi
-hplockless -apSXazarian -tnld temp'166.rar c:'MD AEMOX' Users'ih
-hplockless -apSXazarian -tnld temp\166.rar c:-MDAJE MOX'User s'J]
apkpnazari -tnld C: .WINDOWS1 TEZvlP' 166.rar c:'_vIDAEMON'.User:
apkpnazari -tnld Ci'WEXDOWS'-TEMP'.ldd.rar c:'.MD AEMOX'.User:
-hplockless -apkpnazari -tnld temp I66.rar cMDAEZvIOX'Users''ihu.
-hplockless -apkpnazari -tnld temp 166.rar c:'MDAEZvlOX;Users'ihu.
apmsaadati -tnl d Ci WTNDOWS'.TEMP' 166.rar c: \IDAEMOXUser
apmsaadati -tnld C:\WIHDOWS\TEMP-166.rar c: AIDAEMOX User
-hplockless -apmsaadati -tnld temp'-166.rar c:-MDAEMON\Users\ihu
-hplockless -apmsaadati -tnld temp'166.rar ci iNrlD-AEMOX Usersihu

-=DOURYLAGXUM=-

Safeguarding Canada’s security through information superiority

Préserver la sécurité du Canada par la supériorité de l’information

23

A|+|

Canada

TOP SECRET II COMINT

■ ■ Communications Security Centre de la sécurité

Establishment Canada des télécommunicatk

SNOWGLOBE on target '

Possible SNOWGLOBE CHOCOPOP process
detected:

cmd.exe /C ""c:\RECYCLER\S-l-5-21-101796669-
4102346875-220983236-500\rar.exe" a -r -inul
-hplockless -aprfeghhi -tnld temp\168.rar
c:\MDAEMON\Users\ihu.ac.ir\rfeghhi\md5*.msg">nul.

Safeguarding Canada’s security through information superiority
Préserver la sécurité du Canada par la supériorité de l’information

/O ll+l

Canada

TOP SECRET II COMINT

Communications Security Centre de la sécurité

Establishment Canada des télécommunications Canada

SNOWGLOBE implant

• Injects itself in svchost.exe

• No cloaking / no hooking

• Bootstraps in service called MSDTC64 (distributed
transaction coordinator 64b

• Service entry is permanent

• Executable kept on disk in system32

• Crypto: 16 byte string XOR

• http beacons and tasking

• Actor observed upgrading on target

Safeguarding Canada’s security through information superiority
Préserver la sécurité du Canada par la supériorité de l’information

/H ll+l

Canada

TOP SECRET II COMINT

Communications Security Centre de la sécurité

Establishment Canada des télécommunications Canada

SNOWGLOBE activity and attribution

• Targeting is scarce but resembles CT / CP priorities

• French localisation seen in exploit PDFs (GCHQ)

• French commentary in the binary

• French binary name / developer path

• Observed in Iran, Norway, Greece, Belgium, Algeria,
France, US targets

• Listening posts worldwide - several French legit sites

• Now seen in passive collection, several reports

Safeguarding Canada’s security through information superiority
Préserver la sécurité du Canada par la supériorité de l’information

/H ll+l

Canada

TOP SECRET II COMINT

l+l

Communications Security Centre de la sécurité
Establishment Canada des télécommunications Canada

De-confliction : on CCNE operations

• State-sponsored landscape is very busy

• CCNE Targets are de-conflicted

• Actors on CCNE targets are not

• Covert nature of foreign (and friendly actors) make de-
confliction challenging

• Often need to refer to precise technology for identification

• CNE / CCNE from SIGINT + HUMINT need to get
together on this issue

Safeguarding Canada’s security through information superiority

Préserver la sécurité du Canada par la supériorité de l’information

/O ll+l

Canada

TOP SECRET II COMINT

■ ■ Communications Security Centre de la sécurité

Establishment Canada des télécommunications Canada

De-confliction FAIL

• Actor discovered

• 5 eyes effort

• Several cohabitations

• At CSEC: 400 man-hours:

- Over 20 CNE Operations

- Passive Collection

- 4 Reports

- Reverse engineering

- Planning of active operations

TS//SI//REL

SO

S1

driver

7

unpack

Decrypt

I

File

Safeguarding Canada’s security through information superiority

Préserver la sécurité du Canada par la supériorité de l’information

28

/H li+i

Canada

TOP SECRET II COMINT

l+l

Communications Security Centre de la sécurité

Establishment Canada des télécommunications Canada



Conclusion

• CCNE effort essential to the national cyber mandate:

- CNE situational awareness

- New actor discovery

- Tracking known actors

• Several new actors discovered using this process

• De-confliction needs to be improved

Safeguarding Canada’s security through information superiority

Préserver la sécurité du Canada par la supériorité de l’information

/H ll+l

Canada

TOP SECRET II COMINT

l+l

Communications Security Centre de la sécurité
Establishment Canada des télécommunications Canada

MM CCNE contacts

Safeguarding Canada’s security through information superiority

Préserver la sécurité du Canada par la supériorité de l’information

/H ll+l

Canada

e-Highlighter

Click to send permalink to address bar, or right-click to copy permalink.

Un-highlight all Un-highlight selectionu Highlight selectionh