TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL

NATIONAL SECURITY AGENCY
CENTRAL SECURITY SERVICE

DRAFT

Kaspersky User-Agent Strings

September 2008

Derived From: NSA/CSSM 1-52
Dated: 3 January 2007
Declassify On: 20320103

(C//REL) Kaspersky User-Agent Strings
September 2008

BY: [redacted]
REVIEWED BY: [redacted], IDA/CCR
RELEASED BY: Chief, S[illegible]

REPORT DOCUMENTATION PAGE

Report date: September 2008
Report type and dates covered: Technical SIGINT Report
Title and subtitle: (C//REL) Kaspersky User-Agent Strings
Performing organization: National Security Agency, Ft. George G. Meade, MD
Distribution statement: THIS DOCUMENT MAY NOT BE RELEASED OR REPRODUCED IN WHOLE OR IN PART WITHOUT PRIOR APPROVAL OF THE ISSUING OFFICE.
Abstract: (S//SI//REL) We discovered that Kaspersky User-Agent strings contain encoded versions of the Kaspersky serial numbers and that part of the User-Agent string can be used as a machine identifier.
Subject terms: Kaspersky, User-Agent, machine identifier

Table of Contents

(U) Introduction
(U) User-Agent Strings
(U) Updates
(U) User-Agent Fields and Encoding
(U) Types of User-Agent Strings
(U) Serial Numbers
(U) Key Files

(C//REL) Kaspersky User-Agent Strings

(U) Introduction

(U//FOUO) Kaspersky Lab is a privately held company with headquarters in Moscow, with regional offices elsewhere. Kaspersky has (at least) three products: Kaspersky Internet Security, Kaspersky Anti-Virus and Kaspersky Mobile Security. The Anti-Virus engine is used by other security vendors. Kaspersky products are quite popular in some parts of the world. This work was begun with [redacted] at SCAMP 2008 at IDA/CCR Princeton.

(U) Data

We used YACHTSHOP metadata records for our study of Kaspersky User-Agent strings, as well as some information discovered by using Google searches on the Internet.

(U) User-Agent Strings

The Kaspersky client sends its own User-Agent strings when requesting updates. Some examples are

    GET [illegible]
    Host: [illegible]
    User-Agent: [illegible]

    GET [illegible]
    Host: dnl-us?.kaspersky-labs.com
    User-Agent: [illegible]

The Kaspersky User-Agent strings are of three types:

1. [illegible]
2. [illegible]
3. [illegible]

The User-Agent strings use the characters [A-Za-z0-9+/], which is the same alphabet as is used in base64 encoding. Further, the last twelve characters of the third type are, in fact, the base64 encoding of the version number. These version numbers range from 6.0.2.614 to 8.0.0.357 in our data.

(U) Updates

The update requests we observed often occurred on a regular basis, often every 20, 40, 120 or 140 minutes when the machine is on-line. They began with a GET request for an index page, i.e. [illegible]. This was immediately followed by a set of requests for update files: first, a set of files such as {blst = black list, ids = intrusion detection system, av = antivirus, upd = update}, then a set of files such as [illegible], and a set of files such as .../diffs/AutoPatches/kav/1.32/kavpgui.ppl.rvb. We did not see any use of query strings or cookies in the update requests.

(U) User-Agent Fields and Encoding

Now we turn our attention to the User-Agent strings themselves. Let us take a typical example, as above:

    [illegible]

The last 12 characters are the base64 encoded string [illegible], which, in this case, decodes to [illegible] (the version number) and leaves us with [illegible].

(S//SI//REL) At first, it appears that there are fields separated by characters, but looking more closely, it can be seen that there are two sets of characters, [A-Za-f] and [g-z0-9+/], i.e. two sets of 32 characters each. It appears that each field is a set of characters from the second set followed by a character from the first set. We believe that the characters are composed of a leading flag bit followed by five intelligence bits, where the flag bit indicates the end of a field. Thus we parse the above string into fields:

    [illegible]

Field one and field three are normally the same, and the first three fields are usually two or three long. Field six is always one or two long, about half of the time two long. If it is two long, the second character is a B. Since B is the second character of the first alphabet set, its natural value is 1. That is, if we reverse the order of the characters in this field, the entire field takes on values 0-63. Taking this as our cue, we concluded that the order of the characters in each field should be reversed, and that each field represents a number encoded base32, with end-of-field flags.

(S//SI//REL) With this interpretation, field five appears to be flat over the range 0 to 2^18, the largest value seen being 261142, while 2^18 = 262144.

(S//SI//REL) The first five fields appear to match with specific clients. The main exception is Dp Bk? Dp Ij5m Kn (another parsed Kaspersky User-Agent), which is seen with a large number of clients. As we shall see, fields two, three, and four are the serial number, and this particular serial number is one of those being passed around on the Internet. Studying the flow of GET requests, we observe that in many cases there is an update request at regular intervals. Probably such a request is made in all cases in which the machine is on-line. These requests begin with a request for one or two index pages, followed by further requests for update files, all with the same User-Agent. Later, on the regular beat, the next request will have the same User-Agent string, except that field six will have changed:

    Thu Jul 3 21:13:56 2008   Dp Esi [illegible] A    6.0.2.618
    Thu Jul 3 23:33:56 2008   Dp Esi [illegible] B A  6.0.2.618

The beat at which the requests are made appears to be correlated with the type and version number. The type 2 requests often come every 20 minutes, and about [illegible] of the time field six ticks up with an increment alternating between 30 and 34, mod 63. The type 3 requests often come at beats of 120 or 140 minutes, ticking up by 24 in the 120 case and 39 in the 140 case, both mod 64.
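The parsing rule the report arrives at (6-bit characters whose leading flag bit marks the end of a field, fields read in reverse as base32 digits, the last twelve characters the base64 of the version), as an added Python example; this is not code from the report. It assumes the standard base64 alphabet order, that a set flag bit means the field continues (so the 32 characters A-Z a-f terminate fields, which makes B equal 1 as the report states) and that the dotted version is nine characters; the sample field values are constructed, not taken from the report's data.

```python
import base64

# Standard base64 alphabet, which the report says the User-Agent strings use.
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
FLAG = 0x20  # leading flag bit of each 6-bit character (assumed: set = field continues)
DATA = 0x1F  # the five data ("intelligence") bits

def field_value(field):
    """Value of one field: read it reversed, terminator first, as base32 digits."""
    n = 0
    for ch in reversed(field):
        n = n * 32 + (B64.index(ch) & DATA)
    return n

def encode_field(n):
    """Inverse of field_value: least significant digit first, last digit is the terminator."""
    digits = []
    while True:
        digits.append(n % 32)
        n //= 32
        if n == 0:
            break
    return "".join(B64[d | FLAG] for d in digits[:-1]) + B64[digits[-1]]

def split_fields(prefix):
    """Cut the prefix into fields: second-set characters ending with one first-set character."""
    fields, cur = [], ""
    for ch in prefix:
        cur += ch
        if not B64.index(ch) & FLAG:
            fields.append(cur)
            cur = ""
    if cur:
        raise ValueError("unterminated field: %r" % cur)
    return fields

def decode_type3(ua):
    """Return (field values, version) for a type-3 style string: 12 base64 chars of version at the end."""
    version = base64.b64decode(ua[-12:]).decode("ascii")
    return [field_value(f) for f in split_fields(ua[:-12])], version

def encode_type3(values, version):
    """Build a type-3 style string; the dotted version is assumed to be 9 characters (12 in base64)."""
    return "".join(encode_field(v) for v in values) + base64.b64encode(version.encode()).decode()

def serial_from_fields(values):
    """Report: fields two, three and four are the serial number, written XXXX-XXXXXX-XXXXXXXX."""
    return "%04X-%06X-%08X" % (values[1], values[2], values[3])

# Constructed sample values (not a captured string); field five stays below 2**18 as observed.
SAMPLE_VALUES = [9, 0x49E, 9, 0x18120, 0x3E370, 40, 1]
SAMPLE_UA = encode_type3(SAMPLE_VALUES, "6.0.2.614")
```

Encoding the constructed values and decoding the result again shows that the string is an encoding rather than an anonymization: the serial number fields and the per-client counter in field six come back out unchanged.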
Field seven, if present in type 2 strings, is an [illegible]; in type 3 strings there is a field seven, and possibly a field eight. In our data, for the type 2 strings, unless there is a field seven with an [illegible], the requests only ask for klz files, such as /index26/a0602g.xml.klz. Also in our data, the type 3 strings with no eighth field, i.e. no [illegible] value, were all from version 6.0.2.614, while none of the version 6.0.2.614 strings had a seventh field. We believe these indicate services and/or configurations.

(U) Types of User-Agent Strings

(S//SI//REL) There isn't much to say about the first type of User-Agent string. It presumably represents some limited-capability trial version. The type 2 is more interesting, as it parses as described above. The parsed version usually begins Dp Bk? Dp Ij5m, followed by a field five mostly of length three or four, a sixth field which ticks up as discussed before, and possibly a seventh field consisting of an [illegible]. The one exception is the Dp Bk? Dp Ij5m Kn mentioned above, in which field five is two long. Further, this one does not tick up, but always appears the same. We have more information about the third type, in which the last 12 characters are the encoded version numbers. We observed:

    Version     First Field
    6.0.2.614   Dp, Bkt, or [illegible]
    6.0.2.618   Dp, or Dr
    6.0.2.621   Dp, Bks, or Bm2
    6.0.3.832   Dt, or Dz
    7.0.0.119   Bmt
    7.0.0.124   Bmt
    7.0.0.125   Bkt, or Bmt
    7.0.1.321   Bmt, or Bm[illegible]
    7.0.1.323   Bmu
    7.0.1.325   Bmt, or Bmu, or [illegible]
    8.0.0.357   [illegible], or [illegible]

So it seems that the first field is tracking along with the version numbers, so it could relate to the date at which the product is activated, but it is not directly equivalent to the version number. Type 3 strings are all seven or eight fields long.

(U) Serial Numbers

[page illegible]

(S//SI//REL) One of the User-Agent strings, when parsed, is (Dp Bk? Dp Ij5m I42w). By converting these fields into hexadecimal numbers, this gives 00000009 0000049e 00000009 00018120 0003e370. Now examine the lines above. We find serial number 049E-000009-00018120. We also have ([illegible] Bmu [illegible]), which equates to 000004f1 0000092c 000004ce 03bc20be 00020?af 00000032, which matches 092C-0004CE-03BC20BE, above. There are also close matches: 000004ce 000002b4 000004ce 02f1780e 00005d9e with [illegible], and 000004cd 00000494 000004cd 02439b12 00013621 with 0494-0004CD-02439E4C.

(U) Key Files

(S//SI//REL) We located three key files and examined them. The first four bytes of the key files contain the signature Kst. After an initial header, the key files can be parsed into records with an algorithm like [illegible]. In general, the fields of the records are as follows (in hex):

    Position   Content
    [illegible]
    [illegible]  Specific kind of information in the value field
    2          00 [illegible]
(S//SI//REL) Among other things, the key files contain base64 strings, such as [illegible], which decode to [illegible], which do not seem to correspond to anything.

(U) It appears that the User-Agent string used in update requests is unique to a client, carries the serial number, and can be used for [illegible]. We believe the User-Agent string also carries information about services for [illegible] or [illegible]. Study of a few more strings, serial numbers, activation keys and key files would [illegible] this.

(U) DISTRIBUTION
Hardcopy: DC 324
Distribute: GCHQ [illegible]