TOP SECRET//COMINT//REL TO USA, FVEY

"Using the XKS CNE dataset and a DISGRUNTLEDDUCK fingerprint, we now see at least 21 TAO boxes with evidence of this intrusion set, most of which are associated with projects aimed at Iran WMD targets." -- MHS, July 2010

Overall Classification
The overall classification of this presentation is: TOP SECRET//COMINT//REL TO USA, FVEY

What is XKEYSCORE?
- A suite of software running on a Linux host
- Classically, used for DNI processing, selection and survey
- A distributed hierarchy of servers at field sites and headquarters
- Extracts and tags metadata and content from traffic
- Services analyst queries and workflows
- Web and programmatic front-ends

[Screenshot: XKEYSCORE web GUI in Firefox showing a table of search-result sessions (from/to IP addresses, ports and timestamps), with the banner "This system is audited for USSID-18 and Human Rights Act compliance"]
Example
- Let's try a search for suspicious http_activity (search, 5-eyes defeat, look for fingerprints)
- While the search runs, some gotchas:
  - You choose where your query is run
  - Content and metadata age-off
  - Burden is on the user/auditor to comply with USSID-18 or other rules
  - Geolocation is based on IP

Search Results
[Screenshot: XKEYSCORE search-results page with analyst annotations: "Probably NOT CNE ... but definitely ..."; "Content: maybe a HTTP tunnel for some weird protocol?"; "Should we write a fingerprint?"; context-menu actions such as Find fingerprint]
Fingerprints and Appids
- Useful for identifying classes of traffic or particular targets (for SIGDEV or collection):
  mail/webmail/yahoo, browser/cellphone/blackberry, topic/sZB/chinese4missile
- appid: a contest, the highest-scoring appid wins
- fingerprint: many fingerprints per session
- microplugin: a fingerprint or appid that is relatively complex (extracts and databases metadata)

Fingerprints and Appids (more)
- Written in a language called GENESIS (genesis-language); surviving fragment of the slide's example:
    ... 2.0) or 'wikimedia'); dns_host('erofreex.info' or 'datayakoz.info' or 'erogirlx.info' or 'pornero.info' or ...
- If a fingerprint contains a schema definition, a search form automatically appears in the XKEYSCORE GUI
- Power users can drop in to ... to express themselves

More about searches
- Many different searches
- Base search is Full Log DNI
- Depending on traffic type, will generate searchable results for (example):
  HTTP Activity, Network GEO Information, Extracted Files, Email Addresses, Registry, Logins and Passwords, Document Metadata, Machine Info
- workflow: a user query that is run automatically, usually every 24 hours

- Not all sites run the latest XKEYSCORE software or fingerprints
- Fingerprint submission: the XKEYSCORE team weighs mission-worthiness of user fingerprints vs computational cost
- Content and metadata age-off

XKEYSCORE CNE
- Lots of endpoint data flows into XKS: TAO (no ECIs), GCHQ (almost all)
- Other limited flows include SIGINT Forensics Center, TAO STAT
- XKEYSCORE works well for endpoint data
- Sometimes the paradigm breaks (e.g. a collected browser history file)
- Payload types: dirwalk, extracted file, system survey, network config, captured credentials, registry query, key logger, etc.
- Labeled dnt_payload in the appid/fingerprint ontology
- Let's look at some DANDERSPRITZ output

XKEYSCORE CNE (example session)
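The appid contest and the many-fingerprints-per-session model described above, as an added example in Python. This is not code from the presentation and not the GENESIS language; it is a toy rule engine that models only the semantics the slides state: every fingerprint that matches a session is recorded, only the highest-scoring appid survives, and a fingerprint that carries a schema exposes its extracted fields to a search, which is what the auto-generated GUI form would query. The session fields, the scores, the browser and webmail rules, and the constructed sessions are assumptions; only the four domains come from the slide's example fingerprint.

```python
"""Toy model of XKEYSCORE-style fingerprints and appids (added example, not GENESIS)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Session:
    """Assumed per-session fields; real XKS sessions carry far more."""
    dns_host: str = ""
    method: str = ""
    user_agent: str = ""
    body: bytes = b""


# A schema maps an extracted-field name to the function that extracts it.
Schema = Dict[str, Callable[[Session], object]]


@dataclass
class Fingerprint:
    name: str
    match: Callable[[Session], bool]
    appid: Optional[str] = None   # set -> this rule competes in the appid contest
    score: float = 0.0            # contest weight (cf. the slide's appid(..., 2.0) form)
    schema: Schema = field(default_factory=dict)


def dns_host(*hosts: str) -> Callable[[Session], bool]:
    """Equivalent of the slide's dns_host('a' or 'b' or ...) predicate."""
    wanted = {h.lower() for h in hosts}
    return lambda s: s.dns_host.lower() in wanted


FINGERPRINTS: List[Fingerprint] = [
    # Domain list taken from the slide's example fingerprint.
    Fingerprint("porn/erofreex", dns_host("erofreex.info", "datayakoz.info", "erogirlx.info", "pornero.info")),
    # Three appids that can all match one session; the highest score wins (scores are assumed).
    Fingerprint("browser/generic", lambda s: s.method != "", appid="browser/generic", score=1.0),
    Fingerprint("browser/firefox", lambda s: "Firefox/" in s.user_agent, appid="browser/firefox", score=2.0),
    Fingerprint("mail/webmail/yahoo", dns_host("mail.yahoo.com", "login.yahoo.com"),
                appid="mail/webmail/yahoo", score=5.0),
    # Counter-CNE rules from the methodology slide: keyword search and "GET with content".
    Fingerprint("cne/keylogger_keywords",
                lambda s: any(k in s.body.lower() for k in (b"keylog", b"keystroke"))),
    Fingerprint("cne/get_with_content", lambda s: s.method == "GET" and len(s.body) > 0,
                schema={"dns_host": lambda s: s.dns_host, "content_length": lambda s: len(s.body)}),
]


@dataclass
class Tagged:
    session: Session
    fingerprints: List[str]                     # every fingerprint that matched
    appid: Optional[str]                        # winner of the appid contest
    extracted: Dict[str, Dict[str, object]]     # fingerprint name -> schema fields


def tag_session(session: Session, rules: List[Fingerprint] = FINGERPRINTS) -> Tagged:
    """Run every rule; record all matches, keep one appid, run schema extractors."""
    matched: List[str] = []
    extracted: Dict[str, Dict[str, object]] = {}
    best: Optional[Fingerprint] = None
    for fp in rules:
        if not fp.match(session):
            continue
        matched.append(fp.name)
        if fp.appid is not None and (best is None or fp.score > best.score):
            best = fp
        if fp.schema:
            extracted[fp.name] = {k: fn(session) for k, fn in fp.schema.items()}
    return Tagged(session, matched, best.appid if best else None, extracted)


def search_form_fields(rules: List[Fingerprint] = FINGERPRINTS) -> Dict[str, List[str]]:
    """Fingerprints with a schema get a search form: one field per schema entry."""
    return {fp.name: list(fp.schema) for fp in rules if fp.schema}


def search(tagged: List[Tagged], fingerprint: str, **where) -> List[Tagged]:
    """Query one fingerprint's extracted metadata, as the auto-generated form would."""
    return [t for t in tagged if fingerprint in t.extracted
            and all(t.extracted[fingerprint].get(k) == v for k, v in where.items())]


# Constructed sessions (not real traffic).
SAMPLE_SESSIONS = [
    Session("erofreex.info", "GET", "Mozilla/5.0 (Windows NT 5.1) Firefox/3.6"),
    Session("mail.yahoo.com", "GET", "Mozilla/5.0 (Windows NT 5.1) Firefox/3.6"),
    Session("203.0.113.5", "GET", "Mozilla/4.0 (compatible; MSIE 6.0)", b"keystroke buffer\x00"),
]

if __name__ == "__main__":
    for t in map(tag_session, SAMPLE_SESSIONS):
        print(t.session.dns_host, t.appid, t.fingerprints, t.extracted)
    print(search_form_fields())
```

The contest is why a specific appid (webmail on a Yahoo host) must outscore the broader ones it overlaps with (Firefox, generic browser); the non-appid fingerprints never compete and simply accumulate on the session.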
[Screenshot: XKEYSCORE CNE session view in Firefox (banner "This system is audited for ... and Human Rights Act compliance", REL TO USA, AUS, CAN, GBR, NZL) rendering a DANDERSPRITZ process-list payload: one row per process with creationTime, pid and description ("Initial" or "Started") fields, followed by the process image paths]
XKEYSCORE - Recent Developments
- Upgrade of XKEYSCORE CNE
- Keyloggers: keylogger/perfect/extension
- PCAP reingestion
- Router redirection

Counter CNE Methodology (refer to Counter CNE Resources)
- Hypothesis/research-driven
  - "Could South Korean CNE be using similar selectors to FVEY?"
  - "What keywords could be used to find keyloggers?" (example: keylog OR keystroke)
- Bogus or unusual traffic
  - GET with content (example in this presentation)
  - HTTP POST at odd hours (from Russia, 0200-0359?)
  - Funky user agents
- Known-host or user-driven (drop sites)
- XKEYSCORE is GOOD at these kinds of things

CNE-Specific Searches
- Registry searches (SIMBAR)
- Fused active/passive search
  - common selectors
  - document hashes
  - Known processes (malicious executables or code)
- Let's enhance the process list appid: map-reduce within the CNE cluster using GENESIS calls

What XKEYSCORE Doesn't Do (well, automatically, anyway)
- Paired traffic (heuristic-based approach)
  - imbalance (GET without response)
  - mismatch*
  - on an automatic basis
- Network or host characterization
  - Changes in mapping over time
  - Changes over time in malware comms
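The paired-traffic and characterization checks that the slide above says XKEYSCORE does not run automatically, as an added Python example. This is not code from the presentation and not XKEYSCORE code; it runs over constructed http_activity-style records and computes the things an analyst would otherwise do by hand: GETs with no observed response per client/server pair, POSTs that fall in an assumed local-time window such as 0200-0359, the median inter-request interval per pair within a window, and client-to-server mappings that appear or disappear across a split date. The CSV layout, the thresholds, the UTC offset and all addresses are assumptions.

```python
"""Cross-session heuristics over constructed http_activity records (added example)."""
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Constructed export (not real traffic); an empty status means no response was seen.
SAMPLE = """\
ts,src,dst,method,status
2011-03-20T08:00:00Z,10.1.1.5,198.51.100.7,GET,
2011-03-20T08:10:00Z,10.1.1.5,198.51.100.7,GET,
2011-03-20T08:20:00Z,10.1.1.5,198.51.100.7,GET,
2011-03-20T08:30:00Z,10.1.1.5,198.51.100.7,GET,200
2011-03-20T08:05:00Z,10.1.1.6,203.0.113.20,GET,200
2011-03-20T08:06:00Z,10.1.1.6,203.0.113.20,GET,304
2011-03-20T08:07:00Z,10.1.1.6,203.0.113.20,GET,200
2011-03-20T23:10:00Z,10.1.1.5,198.51.100.7,POST,200
2011-03-20T23:40:00Z,10.1.1.5,198.51.100.7,POST,200
2011-03-20T09:00:00Z,10.1.1.6,203.0.113.20,POST,200
2011-03-27T08:00:00Z,10.1.1.5,198.51.100.9,GET,
2011-03-27T08:10:00Z,10.1.1.5,198.51.100.9,GET,
2011-03-27T08:20:00Z,10.1.1.5,198.51.100.9,GET,
"""

Pair = Tuple[str, str]  # (client, server)
# Assumed analysis windows for the constructed data.
WINDOW_A = (datetime(2011, 3, 20, tzinfo=timezone.utc), datetime(2011, 3, 21, tzinfo=timezone.utc))
SPLIT = datetime(2011, 3, 24, tzinfo=timezone.utc)


def parse_http_activity(text: str) -> List[dict]:
    """Parse the assumed CSV layout; timestamps become aware UTC datetimes."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["ts"] = datetime.strptime(r["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        r["status"] = r["status"] or None
        rows.append(r)
    return rows


def unanswered_gets(rows: List[dict], min_gets: int = 3, min_ratio: float = 0.5) -> Dict[Pair, Tuple[int, int]]:
    """Paired-traffic imbalance: pairs with enough GETs where most got no response."""
    counts: Dict[Pair, List[int]] = defaultdict(lambda: [0, 0])
    for r in rows:
        if r["method"] == "GET":
            c = counts[(r["src"], r["dst"])]
            c[0] += 1
            c[1] += r["status"] is None
    return {k: (n, u) for k, (n, u) in counts.items() if n >= min_gets and u / n >= min_ratio}


def odd_hour_posts(rows: List[dict], utc_offset_hours: int, start_hour: int = 2, end_hour: int = 4) -> Dict[str, int]:
    """POSTs per client whose hour in the assumed local zone falls in [start_hour, end_hour)."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    hits: Dict[str, int] = defaultdict(int)
    for r in rows:
        if r["method"] == "POST" and start_hour <= r["ts"].astimezone(tz).hour < end_hour:
            hits[r["src"]] += 1
    return dict(hits)


def beacon_profile(rows: List[dict], start: datetime, end: datetime) -> Dict[Pair, Optional[float]]:
    """Median inter-request interval (seconds) per pair inside [start, end); a host characterization."""
    times: Dict[Pair, List[datetime]] = defaultdict(list)
    for r in rows:
        if start <= r["ts"] < end:
            times[(r["src"], r["dst"])].append(r["ts"])
    profile: Dict[Pair, Optional[float]] = {}
    for k, ts in times.items():
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        profile[k] = statistics.median(gaps) if gaps else None
    return profile


def mapping_changes(rows: List[dict], split: datetime) -> Dict[str, List[Pair]]:
    """Changes in mapping over time: pairs seen only before or only after the split."""
    before = {(r["src"], r["dst"]) for r in rows if r["ts"] < split}
    after = {(r["src"], r["dst"]) for r in rows if r["ts"] >= split}
    return {"dropped": sorted(before - after), "new": sorted(after - before)}


if __name__ == "__main__":
    rows = parse_http_activity(SAMPLE)
    print("unanswered GETs:", unanswered_gets(rows))
    print("odd-hour POSTs (UTC+3):", odd_hour_posts(rows, 3))
    print("beacon profile:", beacon_profile(rows, *WINDOW_A))
    print("mapping changes:", mapping_changes(rows, SPLIT))
```

Each check needs state across sessions (a response to pair with its request, a time series per pair, two windows to diff), which is exactly what a per-session fingerprint cannot hold; that is the gap the slide describes, and a daily workflow exporting http_activity results is one place such a script could run.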
Counter CNE Resources
- How to Discover Intrusions [using ...] by ... (paper)
- MHS INDEX Foreign CNE Discovery Page
- CNE Discovery
  - CSEC and GCHQ DONUT (unknown protocols)
  - GCHQ Discovery posted some research on detecting Man-on-the-Side attacks
  - The GCHQ Disco team posts for different intrusions and some details
  - The GCHQ DISCO team also posts Discovery Theories they run once a week
- XKEYSCORE Fingerprints

Success Story
- Using TAO-obtained Iranian implant keys, ... using XKS microplugin keylogger data!
[Screenshot: XKEYSCORE session viewer (session dated 2011-03-23 15:51:23) showing decoded keylogger output with keystrokes such as [Backspace], [Right Alt] and [space], the fingerprint mail/webmail/yahoo, and the GUI actions Find fingerprint, Find traffic, Find application and Find hash]

Contacts
- MHS Index Team: -@nsa.ic.gov
- NSA/Countering Foreign Intelligence
- NTOC
- XKEYSCORE