An Easy Win: Using SIGINT to Learn about New Viruses · TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL


Posted on 24-Mar-2020

TRANSCRIPT

Page 1:

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL

An Easy Win: Using SIGINT to Learn about New Viruses

Project CAMBERDADA

By [name redacted], 1412 (IAD) and [name redacted], V252 (NTOC)

Derived From: NSA/CSSM 1-52 Dated: 20070108

Declassify On: 20370301

Page 2:

Overall classification: TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL

Page 3:

BRICKTOP (2009)

[diagram of organizations; labels recovered from the slide:]

• Tascom
• RusComNet
• Kaspersky
• R osobor on [OCR-damaged label]
• Institute of Information & Telecommunication Technology, Moscow
• Analytical Technology Corporation (NAT)
• Farrötech
• Comstar
• Komet

Page 4:

[chart; the only recoverable labels are a Kaspersky Anti-Virus logo in Cyrillic ("Антивирус Касперского") and the country codes IR, PR, GE, IN, JP and JO]

Page 5:

Sample Email Received by an AV Vendor

P W Z A 2 0 1 2 0 5 1 0 2 1 8 3 5 0 0 0 0 1 9 7 5 0 6

Good day,

A phishing scam file is attached for your analysis. Zip file password = virus

The file tricks the user into giving her/his bank account credentials. This can be verified by clicking on the Sign In button.

FYI: https://www.virustotal.com/file/8fb6447fdc9cfe204cde...

Regards, Francois Picard www.NewRoma.net

Attachment: BMOFinancialGroup.zip

Page 6:

[figure; no text recoverable]

Page 7:

Work Flow

[diagram; no further text recoverable]

Page 8:

Analytic value

• SIGINT brings in ~10 potentially malicious files per day for malware triage
• Over 500 potentially malicious files collected since 2009
• ~50 CAMBERDADA signatures deployed to NIPRnet for alerting
• 9 domains mitigated

Page 9:

DNS Interdiction

• 9 domains under DNS Interdiction
• Cloudshield intercepts the DNS request
• Returns the address of a DoD listening post
• Munged version of the request is sent out
• DNS response is sent to a log
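The four steps on this slide are the shape of an ordinary DNS sinkhole, so here is the decision logic a defender would put behind it, written as an added illustration and not taken from the document or from any Cloudshield product: a query for an interdicted domain (or a subdomain of one) is answered with the listening-post address and logged, anything else is forwarded. The domain list, the listening-post address and the query values are constructed for the example.

```python
"""DNS interdiction (sinkhole) decision logic: an added illustration of the
slide's workflow, not code from the original document. The domains, the
listening-post address and all query values are constructed examples."""
import json
import time

# Constructed for the example: names under interdiction and the address of
# the listening post that interdicted names resolve to (TEST-NET-1 range).
INTERDICTED = {"bad-example.test", "c2.example.invalid"}
LISTENING_POST = "192.0.2.10"


def normalize(qname):
    """Lower-case and drop the trailing dot so 'Foo.Example.test.' matches."""
    return qname.rstrip(".").lower()


def interdicted_parent(qname):
    """Return the interdicted domain that qname equals or sits under, else None.
    Matching on label boundaries keeps 'notbad-example.test' from being caught
    by 'bad-example.test'."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in INTERDICTED:
            return candidate
    return None


def handle_query(qname, qtype, client_ip, now=None):
    """Decide how one query is answered.

    Returns (action, answer, log_line):
      action   'sinkhole' (answer with the listening post and log the event)
               or 'forward' (the munged request goes on to the real resolver).
      answer   the address handed back, or None.
      log_line JSON record for the response log, or None when forwarding."""
    parent = interdicted_parent(qname)
    if parent is None:
        return "forward", None, None
    # Only A queries receive the listening-post address; other record types
    # for an interdicted name are logged but answered empty (NODATA).
    answer = LISTENING_POST if qtype.upper() == "A" else None
    record = {
        "ts": now if now is not None else time.time(),
        "client": client_ip,
        "qname": normalize(qname),
        "qtype": qtype.upper(),
        "matched": parent,
        "answer": answer,
    }
    return "sinkhole", answer, json.dumps(record, sort_keys=True)
```

Each sinkholed answer also yields one JSON line, which is the "DNS response is sent to a log" step and the record an alerting pipeline would consume.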

Page 10:

Current status

• CRN
• SSO
• Overhead
• SCS
• FORNSAT
• IN L-C-2010-147 - Multi-Country: Computer Network Ops
• Dozens of CADENCE selectors
• PINWALE daily queries; EXIT4 models
• MAILORDER

Page 11:

What else can we do?

• TAO can repurpose the malware
• Check Kaspersky AV to see if they continue to let any of these virus files through their Anti-Virus product
• Monitor the folks who provide the malware to see if they're into more nefarious activity
• Establish automated reporting

Page 12:

More Targets!

• Viritpro (Italy)
• AVG (Czech)
• k7computing (India)
• Spy-Emergency (Slovakia)
• fsb-antivirus (France)
• Aladdin (Israel)
• Norman (Norway)
• F-prot (Iceland)
• Bit-Defender (Romania)
• F-secure (Finland)
• Ikarus (Austria)
• Nod32 (Slovakia)
• Hauri (Korea)
• Avira (Germany)
• Ahnlab (S Korea)
• Emsisoft (Austria)
• Eset (Slovakia)
• Arcabit (Poland)
• Novirusthanks (Italy)
• Avast (Czech)
• DrWeb (Russia)
• Antiy (Chinese)
• Checkpoint (Israel)

Page 13:

THANK YOU

[name redacted], 1412; [name redacted], V252

Derived From: NSA/CSSM 1-52 Dated: 20070108

Declassify On: 20370301