As is to be expected, the USG/NSA has monitored Torrent and other file sharing networks while spreading malware from the early days of filesharing. Remember that they don't want you to have nice things.
SECRET STRAP1 COMINT
SEBACIUM
From GCWiki
Contents
1 Overview
2 Monitoring – DIRTY RAT
3 Information Operations – PLAGUE RAT
4 Effects – ROBO RAT
4.1 Future work
5 Tasking
6 Classification policy
6.1 Data
6.2 Operational prototypes
7 Interested Parties
8 Notes for SEBACIUM Admins
8.1 Logging
8.2 Running
8.3 Hashing and Topic Files
8.4 File Hash Monitoring
Overview
SEBACIUM is the codename for the suite of tools developed as part of ICTR-NE's active P2P exploitation
research. These tools fall into 3 categories: monitoring, information operations and effects.
Monitoring – DIRTY RAT
This tool is aimed at identifying users sharing, downloading or searching for specific content as identified by
its customers. P2P traffic represents a large proportion of Internet traffic; the advantage of the SEBACIUM
architecture is that it provides a targeted mechanism for obtaining relevant data, regardless of accesses and
geographical location.
DIRTY RAT currently has the capability to identify users sharing/downloading files of interest on the eMule
(Kademlia) and Bittorrent networks. On eMule it also has the ability to monitor the sharing/downloading of
files related to particular keywords. For example, we can report who (IP address and user ID) is sharing files
with "jihad" in the filename on eMule. If there is a new publication of an extremist magazine then we can
report who is sharing that unique file on the eMule and Bittorrent networks.
The capability has proven highly successful and is being used extensively by JTRIG who are in the process of
fully integrating it into their systems. DIRTY RAT will soon be delivered to the Metropolitan Police and we
are in the early stages of relationships with CEOP and the FBI.
Information Operations – PLAGUE RAT
This tool has the capability to alter the search results of eMule and deliver tailored content to a target. This
capability has been tested successfully on the Internet against ourselves and testing against a real target is
being pursued.
Effects – ROBO RAT
Operationally referred to as ROLLING THUNDER, the details of this tool are UKEO; please contact ICTR-NE
(NE distro) for details.
Future work
Research is continuing to extend the capability to cover the following P2P networks:
Gnutella currently in prototyping evaluation
Bittorrent currently in prototyping evaluation. You can help us by identifying torrent files of interest
(e.g. extremist material).
We would also like to exploit further a number of opportunities for SEBACIUM to deliver Effects e.g.
content delivery attacks, information operations, denial of service and botnet disruption. We are currently
pursuing these.
Tasking
The SEBACIUM system is tasked by keyword(s) that are used to match search/sharing requests on the
network.
Although the SEBACIUM system is deployed within JTRIG it is currently still a research prototype,
therefore please contact ICTR-NE with any requests that may provide benefit to your business area.
Classification policy
Data
The details of how SEBACIUM works are classified as UK SECRET STRAP2.
Raw SEBACIUM logs may be distributed at RESTRICTED level, as long as the source of the
information and nature of access is not disclosed. The raw logs will contain an IP address of the
machine sharing or requesting files of interest, together with a timestamp. Clearly, if this information is
used in a subscriber check, the identity of the actual owner of the IP address is of a higher classification
and should be protected appropriately.
Results returned by DIRTY RAT are classified as SECRET. The higher classification is given due to the
volumes of data and the search criteria used.
Some filenames, particularly those related to paedophile material, may be particularly offensive.
SEBACIUM logs should therefore be distributed to customer departments through secure channels, or
the results of analysing those logs incorporated into EPRs.
Operational prototypes
Although the SEBACIUM techniques are classified, the systems that implement those techniques are
considered to be UNCLASSIFIED. This is because they are deployed using covert Internet access, and no
targeting or other information is present on the hosting machines that indicate either GCHQ involvement or
its interests.
Interested Parties
(Please feel free to add your team and/or name here)
JTRIG
CBRN
NDIST – Effects
Notes for SEBACIUM Admins
Logging
Make sure that log4j has been set to use UTF8 encoding in the properties file for each of the appenders. For
example:
log4j.appender.A1.encoding=UTF-8
Running
SEBACIUM should be scheduled to run once a day for 24 hours; if run for longer the machine can start to
slow down and logging will be affected. This issue is being looked into by QinetiQ and is thought to be
memory related. Make sure you reserve enough memory for the JVM; this amount depends on how much is
available and how many hashes are on cover. The minimum is about 400MB; something like 2GB would be
preferable.
Hashing and Topic Files
Please ensure that all topic files are given UNCLASSIFIED names and NO KEYWORDS are placed
anywhere on the SEBACIUM box.
When hashing unicode keywords please make sure that unicode has been set up properly on the box and the
input/output for all scripts has been explicitly set to use UTF-8. This should be done in DIRTY RAT and there
are also some tips on the ICTR-NE code snippets page.
When hashing files, be sure that you are using the correct algorithm for eMule MD4 file hashing. This works
by hashing ~9MB chunks of the file and then hashing the concatenation of those chunk hashes, which is not
how the normal MD4 hashing algorithm works. We have a tool provided by QinetiQ to do this and there are
also freeware programs available on the Internet, such as:
http://slavasoft.com/zip/fsum.zip
File Hash Monitoring
When monitoring file hashes with SEBACIUM you should expect to see logs for
KADEMLIA2_PUBLISH_SOURCE_REQ, KAD_ID_LOOKUP and
KADEMLIA2_SEARCH_SOURCE_REQ. The KADEMLIA2_SEARCH_SOURCE_REQ packet indicates
that the user is downloading the file; if this is not followed by a KADEMLIA2_PUBLISH_SOURCE_REQ
for the user then this may indicate that the user is not sharing the files they download from the network.
IMPORTANT: The user hash given by the KAD_ID_LOOKUP is the KADEMLIA hash for a client,
whereas the user hash given by the KADEMLIA2_PUBLISH_SOURCE_REQ is the client's eDonkey hash,
which we are not currently concerned with.
POC:
GRIMPLATE
UNCLASSIFIED//FOR OFFICIAL USE ONLY
The overall briefing is classified
TOP SECRET//COMINT//REL FVEY
First Steps Toward Identifying Adversarial Use of BitTorrent
Network Operations Center
Derived From: NSA/CSSM 1-52
Dated: 20070108
Declassify On: 20370117
Agenda
• Motivation
• BitTorrent’s TCP and UDP layers
• DHT overview
• What does it mean to crawl DHT?
• Pilot implementation
• Collaboration
CONFIDENTIAL
GRIMPLATE Motivation
• BitTorrent sessions are seen on a daily basis between NIPRnet
hosts and adversary space (PRC, RU, etc.)
• NTOC has no way of knowing if this is innocuous file sharing or
malicious activity.
• Peer-to-Peer (P2P) is not allowed on NIPRnet, but most commands
do not see it as harmful.
• If we can glean some indication of the type of data
that's leaving NIPRnet, we can build a case for
shutting this activity down.
• Interest is not limited to the NIPRnet scenario
BitTorrent’s TCP and UDP Layers
• TCP
– Used to exchange pieces of files amongst peers
• UDP
– Used to exchange routing messages
• Who should I ask for file pieces?
BitTorrent DHT
• Nodes: clients participating in DHT
• Peers: clients participating in piece exchange to share file
• DHT: distributed key, value store
• Nodes have 160 bit pseudo-random node ID
• Keys are 160 bit hash of .torrent file metadata – info_hash
• Values are list of IP addresses and ports of peers mapped to
info_hash
Mainline DHT Messages
ping Query = {"t":"aa", "y":"q", "q":"ping", "a":{"id":"abcdefghij0123456789"}}
ping Response = {"t":"aa", "y":"r", "r": {"id":"mnopqrstuvwxyz123456"}}
find_node Query = {"t":"aa", "y":"q", "q":"find_node",
"a":{"id":"abcdefghij0123456789", "target":"mnopqrstuvwxyz123456"}}
find_node Response = {"t":"aa", "y":"r", "r": {"id":"0123456789abcdefghij", "nodes":"def456…"}}
get_peers Query = {"t":"aa", "y":"q", "q":"get_peers",
"a":{"id":"abcdefghij0123456789", "info_hash":"mnopqrstuvwxyz123456"}}
get_peers Response, with peers = {"t":"aa", "y":"r", "r": {"id":"0123456789abcdefghij",
"token":"aoeusnth", "values": ["axje.u", "idhtnm"]}}
get_peers Response, with closest nodes = {"t":"aa", "y":"r", "r": {"id":"0123456789abcdefghij",
"token":"aoeusnth", "nodes":"def456…"}}
announce_peer Query = {"t":"aa", "y":"q", "q":"announce_peer",
"a":{"id":"abcdefghij0123456789", "info_hash":"mnopqrstuvwxyz123456", "port": 6881,
"token": "aoeusnth"}}
announce_peer Response = {"t":"aa", "y":"r", "r": {"id":"0123456789abcdefghij"}}
What’s it mean to crawl DHT?
• Goal: Harvest complete node list for entire DHT and peer list for
info_hashes found in NIPRNET defensive tools or SIGINT
• Regular client node lookup is iterative process
– O (log n) search
– routing table is starting point
• Approach:
– spray find_node messages across DHT and store responses
– query for peers of info_hashes of interest
What does DHT crawler collect?
• For each node in the DHT:
– 160 bit node ID
– IP address
– Port
• For targeted info_hashes:
– List of the node ID, IP address, and port
of nodes sharing targeted file
– Entries may be stale
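Added example (not code from the briefing or from any of the crawlers it mentions): a decoder for the bencoded KRPC replies listed in the Mainline DHT Messages slide, pulling out the node ID, IP address and port fields this slide names as what the crawler collects. The two packets are constructed for the demonstration, not captured traffic.

```python
import socket
import struct

def bdecode(buf: bytes, pos: int = 0):
    """Minimal bencode decoder for KRPC (BEP 5); returns (value, end_offset)."""
    c = buf[pos:pos + 1]
    if c == b"i":                                # integer: i<digits>e
        end = buf.index(b"e", pos)
        return int(buf[pos + 1:end]), end + 1
    if c in (b"l", b"d"):                        # list / dict: items until "e"
        items, pos = [], pos + 1
        while buf[pos:pos + 1] != b"e":
            item, pos = bdecode(buf, pos)
            items.append(item)
        if c == b"l":
            return items, pos + 1
        return dict(zip(items[0::2], items[1::2])), pos + 1  # keys stay bytes
    colon = buf.index(b":", pos)                 # byte string: <len>:<bytes>
    end = colon + 1 + int(buf[pos:colon])
    return buf[colon + 1:end], end

def parse_nodes(blob: bytes):
    """'nodes' is packed compact node info: 20-byte ID, 4-byte IPv4, 2-byte port."""
    return [(blob[i:i + 20].hex(), socket.inet_ntoa(blob[i + 20:i + 24]),
             struct.unpack("!H", blob[i + 24:i + 26])[0]) for i in range(0, len(blob), 26)]

def parse_peers(values):
    """'values' is a list of 6-byte compact peers: 4-byte IPv4, 2-byte port."""
    return [(socket.inet_ntoa(v[:4]), struct.unpack("!H", v[4:6])[0]) for v in values]

def summarize_response(packet: bytes):
    """Fields a passive monitor would log from a KRPC reply; None for non-replies."""
    msg, _ = bdecode(packet)
    if msg.get(b"y") != b"r":                    # queries carry "y":"q"
        return None
    r = msg[b"r"]
    return {"responder_id": r[b"id"].hex(),
            "nodes": parse_nodes(r.get(b"nodes", b"")),
            "peers": parse_peers(r.get(b"values", []))}

# Constructed sample packets (not captured traffic): one find_node reply, one get_peers reply.
NODE = b"\x01" * 20 + socket.inet_aton("10.0.0.1") + struct.pack("!H", 6881)
FIND_NODE_REPLY = b"d1:rd2:id20:" + b"\x02" * 20 + b"5:nodes26:" + NODE + b"e1:t2:aa1:y1:re"
PEER = socket.inet_aton("192.0.2.7") + struct.pack("!H", 51413)
GET_PEERS_REPLY = (b"d1:rd2:id20:" + b"\x02" * 20 + b"5:token8:aoeusnth6:valuesl6:"
                   + PEER + b"ee1:t2:aa1:y1:re")

if __name__ == "__main__":
    for pkt in (FIND_NODE_REPLY, GET_PEERS_REPLY):
        print(summarize_response(pkt))
```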
What value is the data?
• Use “community detection” algorithms to identify swarms that are
likely to be malicious
• Download files being shared by likely malicious swarms
• Build BitTorrent mitigation case for NIPRnet
• General SIGINT reporting
• File download without identification of likely malicious
swarms impractical
Pilot on PACKAGEGOODS Server
• Deploy modification of existing crawler – dedicated PG server
• Run analytics on “swarm” metadata to determine malicious activity
• Experiment with subnet range and ID space and message interval to
determine server processing and bandwidth requirements
• Test if crawler catches info_hashes we see from target in XKS
• Must we proactively collect peers to address “SIGINT lag”?
SIGINT Lag
• BitTorrent “swarm” may be inactive by the time target info_hash
reported by SIGINT system
• May require preemptive collection of peers
– DHT has on the order of 8 million active nodes
– info_hash/DHT address space: 2^160
Next Steps
• Enhanced analytics
– Community discovery
• Distributed crawler
• Peer pre-fetch
• Target file download
– avoid lending “utility”
Prior Work
GCHQ – SEBACIUM
POC:
CES – XKS schema/micro-plugin
Prototype analytics
POC:
TAO-ROC – OGC approval for operational tests
PACKAGEGOODS connection
POC:
GRIMPLATE Collaboration
CES – Digital Network Exploitation Applications
NTOC
V25 – Malicious Activity Discovery-Characterization
V45/47 – Technology Development
V46 – Technology Planning and Assessment
S2B – Office of China and Korea, CNE Access Development Branch
S2H – AP Russia Production Center, Russia SIGINT Development Division
TAO-ROC – Production Operations Division
“go grimplate”
Questions
UNCLASSIFIED
Why am I grim?