An Easy Win: Using SIGINT to Learn about New Viruses · TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL
TRANSCRIPT
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL
An Easy Win: Using SIGINT to Learn about New Viruses
Project CAMBERDADA
By [name redacted], 1412 (IAD); [name redacted], V252 (NTOC)
Derived From: NSA/CSSM 1-52 Dated: 20070108
Declassify On: 20370301
Overall classification: TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL
BRICKTOP (2009)
[Diagram; legible labels: Tascom, RusComNet, Kaspersky, Rosoboron…, Institute of Information & Telecommunication Analytical Technology Corporation (NAT), Moscow, Farrötech, Comstar, Komet]
[Figure: Антивирус Касперского (Kaspersky Anti-Virus); country codes visible: IR, PR, GE, IN, JP, JO]
Sample Email Received by an AV Vendor
P W Z A 2 0 1 2 0 5 1 0 2 1 8 3 5 0 0 0 0 1 9 7 5 0 6
Good day,
A phishing scam file is attached for your analysis. Zip file password = virus
The file tricks the user into giving her/his bank account credentials. This can be verified by clicking on the Sign In button.
FYI: https://www.virustotal.com/file/8fb6447fdc9cfe204cde...
Regards, Francois Picard www.NewRoma.net
Attachment: BMOFinancialGroup.zip
Work Flow
[Diagram]
Analytic value
• SIGINT brings in ~10 potentially malicious files per day for malware triage
• Over 500 potentially malicious files collected since 2009
• ~50 CAMBERDADA signatures deployed to NIPRnet for alerting
• 9 domains mitigated
DNS Interdiction
• 9 domains under DNS Interdiction
• Cloudshield intercepts the DNS request
• Returns the address of a DoD listening post
• Munged version of the request is sent out
• DNS response is sent to a log
Current status
• CRN
• SSO
  • Overhead
  • SCS
  • FORNSAT
• IN L-C-2010-147 - Multi-Country: Computer Network Ops
• Dozens of CADENCE selectors
• PINWALE daily queries; EXIT4 models
• MAILORDER
What else can we do?
• TAO can repurpose the malware
• Check Kaspersky AV to see if they continue to let any of these virus files through their Anti-Virus product
• Monitor the folks who provide the malware to see if they're into more nefarious activity
• Establish automated reporting
More Targets!
Viritpro (Italy)
AVG (Czech)
k7computing (India)
Spy-Emergency (Slovakia)
fsb-antivirus (France)
Aladdin (Israel)
Norman (Norway)
F-prot (Iceland)
Bit-Defender (Romania)
F-secure (Finland)
Ikarus (Austria)
Nod32 (Slovakia)
Hauri (Korea)
Avira (Germany)
Ahnlab (S Korea)
Emsisoft (Austria)
Eset (Slovakia)
Arcabit (Poland)
Novirusthanks (Italy)
Avast (Czech)
DrWeb (Russia)
Antiy (Chinese)
Checkpoint (Israel)
THANK YOU
1412 / V252
Derived From: NSA/CSSM 1-52 Dated: 20070108
Declassify On: 20370301