GINSU-BULLDOZER COMBO & HOWLERMONKEY
REPORT
Submitted to: Dr. Mohammad Amin
Submitted by: Fawad Masood
ID: 1504-12017
Date: 5/18/2016
Table of contents
1. Introduction
2. GINSU
3. BULLDOZER
3.1 What BULLDOZER is based on
4. Introduction to the GINSU-BULLDOZER malware combo
5. System support
6. GINSU (general points)
7. KONGUR
8. PCI add-in card
9. BULLDOZER hardware simulation with the Sundance SMT8096 SDR development kit
10. PCI wireless communication add-in card hardware and software co-development
10.1 High-level design
10.2 Software (device driver) development
10.3 Chip fabrication
10.4 Compatibility test on the PCI hardware-software combo
11. Simulating BULLDOZER hardware
12. Closing thoughts: BULLDOZER evolution
13. HOWLERMONKEY: definition
14. Introduction
15. HOWLERMONKEY and its types
15.1 HOWLERMONKEY-YELLOWPIN
15.2 FIREWALK-HOWLERMONKEY
References
LIST OF FIGURES
Fig 1 Extended concept of operation
Fig 2 PCI add-in card
Fig 3 Removing and installing a PCI add-in card
Fig 4 Entire Sundance SMT8096 SDR development kit hardware
Fig 5 SMT8096 software defined radio development kit
Fig 6 Types of HOWLERMONKEY
Fig 7 General network of HOWLERMONKEY
NSA ANT CATALOG
GINSU BULLDOZER COMBO
1. INTRODUCTION
Q: What is the NSA ANT catalog? This is the first question that comes to mind.
A: It is a catalog of technologies used by the NSA (National Security Agency). Most of the devices are marked as releasable to US nationals and to members of the Five Eyes alliance. Five Eyes (FVEY) is the intelligence-sharing alliance of the United States, the United Kingdom, Canada, Australia and New Zealand, bound together by the UKUSA Agreement [1].
The Snowden disclosure of the NSA's ANT exploitation catalog will be studied by every IT security professional in the world [1]. The catalog of the NSA's tools of digital espionage, exposed by the German weekly Der Spiegel, reveals the amount of sophisticated tooling the US uses to conduct espionage operations around the world. The 49 exposed product sheets can be sorted into categories according to the devices and platforms they target. (The cited source files all of them under the ANGRYNEIGHBOR name; in the catalog itself ANGRYNEIGHBOR is the family name of the radar retro-reflector implants such as RAGEMASTER, not of the whole catalog.) Both hardware and software tools serve the purpose of collecting data from otherwise inaccessible devices through unconventional technological means. They are designed to function on particular targets ranging from keyboards, USB devices and VGA cables to whole computers, firewalls, LANs, servers, routers and mobile phones, and some of them act as radar retro-reflectors to relay data to the collection point [1].
Among the ANT tools, those aimed at computers comprise both hardware and software implants, which together leave the machine far more exposed to espionage. The tools of espionage against a computer are therefore the topic of this part. The exposed catalog lists 9 tools dedicated to computers, of which 5 are software implants and 4 are hardware implants. The software implants are GINSU, IRATEMONK, SWAP, WISTFULTOLL and SOMBERKNAVE; the hardware implants are HOWLERMONKEY, JUNIORMINT, MAESTRO-II and TRINITY. "The software implants hide themselves in the master boot record or even in the BIOS of the computer, while the hardware implants are installed by intercepting the computer during delivery, in a process the agency calls interdiction" [2].
2. GINSU
GINSU is a type of Computer and it provide software application persistence on the target sys-
tem with the PCI Bus hardware implant [2] It is use for restoring a software implant that has
been removed during and operating system upgrade or re install. We have all focus on Bulldozer
and Ginsu how it work? And how its architecture developed first we are focusing on Bulldozer
the part of computer then we will come to GINSU [2]
3. BULLDOZER
A hardware implant acting as malware dropper and wireless communication ―hub‖ .Despite that
BULLDOZER is hardware, I still use the word ―malware‖ when referring to it because it‘s a ma-
licious hardware perhaps the term ―malware‖ should refer to both malicious software and mali-
cious hardware BULLDOZER as a GOD MODE: BULLDOZER provides capabilities similar to
―god mode‖ cheat in video games which make the player using it close to being invincible
BULLDOZER is very hard to detect[3]. As for GINSU, we will look into GINSU in detail in the
next installment of this series
3.1 What BULLDOZER is based on
1. The BIOS: the motherboard BIOS executes PCI expansion ROMs during POST, which is what gives the GINSU code execution before the operating system loads.
2. The hardware: a PCI add-in card that carries the expansion ROM and the wireless link.
4. Introduction to the GINSU-BULLDOZER malware combo
BULLDOZER does not work in isolation; it has to be paired with the GINSU malware. GINSU is a malicious PCI expansion ROM. At this point let us assume that GINSU is indeed a malicious PCI expansion ROM and that BULLDOZER is the hardware on which GINSU runs. The two depend on each other: BULLDOZER is the hardware malware, GINSU the software malware, and BULLDOZER is therefore a PCI add-in card.
GINSU and BULLDOZER are a software and hardware combo that must both be present at the same time to work. To understand their inner workings we need to look at the context in which they operate. Figure 1 shows the deployment of GINSU and BULLDOZER in the target network [2].
Figure 1 (Extended concept of operation)
- The BULLDOZER hardware is implanted in one of the machines in the target network.
- The NSA Remote Operations Center (ROC) communicates with the exploited machine via OMNIGAT over an unspecified wireless link.
This implies that the GINSU-BULLDOZER malware combo targets machines in air-gapped networks, or in networks that are hard but not impossible to penetrate.
The NSA ANT product sheet states that GINSU provides software application persistence for the Computer Network Exploitation (CNE) implant codenamed KONGUR on systems with the PCI bus hardware implant BULLDOZER [2].
5. System support
This technique supports any desktop PC system that contains at least one PCI connector (slot) and runs Microsoft Windows 9x, 2000, Server 2003, XP or Vista. The PCI slot is required for the BULLDOZER hardware implant [2].
BULLDOZER is installed in the target system as a PCI hardware implant through "interdiction". In this context interdiction does not mean destroying enemy forces; it is the agency's term for intercepting the target system while it is being shipped to its destination and installing additional hardware in it.
After fielding, if KONGUR is removed from the system as a result of an operating system upgrade or reinstallation, GINSU can be set to trigger on the next reboot of the system to restore the software implant [2].
PCI add-in cards are installed in PCI expansion slots on the motherboard. Figure 2 shows a sample PCI add-in card, a PCI WLAN card. Figure 2 highlights the PCI "controller" chip from Ralink (a WLAN controller) and the PCI slot connector on the add-in card. The term "controller" is a generic name given to a chip that implements the core function in a
PCI add-in card. PCI hardware development documentation typically uses this term, as do PCI-
related
So there are three components in the GINSU-BULLDOZER combo: GINSU (the expansion ROM code), BULLDOZER (the PCI add-in card) and KONGUR (the Windows implant that GINSU restores).
6. GINSU (general points)
- The name is a joke: Ginsu was a very popular brand of kitchen knife in the 1980s and 1990s.
- GINSU is a malicious PCI expansion (option) ROM.
- GINSU runs from a PCI add-in card whose codename is BULLDOZER.
- The GINSU ROM can be larger than DEITYBOUNCE, which has to fit inside the motherboard's BIOS flash, so GINSU can do a lot more than DEITYBOUNCE.
- Because the NSA builds the add-in card itself, it controls the size of the flash ROM on the card.
What can be inferred about the BULLDOZER hardware:
1. The BULLDOZER chip very probably reports a PCI network (wireless) controller class code.
2. The BULLDOZER hardware that contains GINSU is probably not a PCI mass storage controller.
3. BULLDOZER provides wireless communication and therefore requires an antenna.
4. A larger antenna boosts the wireless signal strength.
7. KONGUR
KONGUR is the Windows malware that GINSU keeps in place; it targets Windows 9x, 2000, XP, Server 2003 and Vista [2].
8. PCI add-in card
A PCI add-in card is installed in a PCI expansion slot on the motherboard of the computer [2].
Fig 2: PCI add-in card, showing the flash memory ROM
Fig 3: Removing and installing a PCI add-in card in a desktop
9. BULLDOZER hardware "simulation" with the Sundance SMT8096 SDR development kit
There is usually more than one FPGA on a typical PCI SDR development board. We are going to look at one of the Sundance products that was available on the market before 2008, the year the GINSU-BULLDOZER malware combo was operational. The Sundance SMT8096 SDR development kit is used as the example here; it was available on the market circa 2005. The kit consists of several connected boards, with a "PCI carrier" board acting as the host of all the connected boards. The PCI carrier board connects the entire kit to the PCI slot in the development PC. Figure 4 shows the entire Sundance SMT8096 SDR development kit hardware [4].
Fig 4: Entire Sundance SMT8096 SDR development kit hardware
Figure 5 shows the block diagram of the entire SDR development kit. It helps to understand the interactions between the kit's components.
Fig 5: SMT8096 software defined radio development kit (block diagram)
Let us look at the SMT310Q PCI carrier board, because this board is the one visible from the motherboard BIOS perspective. We focus on the technology required to communicate with the host PC rather than the technology required for the wireless communication, because there are no further clues on the latter (and radio communication is outside the writer's expertise) [4].
The SMT310Q PCI carrier board has a QuickLogic V363EPC PCI bridge chip, which conforms to the PCI 2.1 specification. The chip was developed by V3 Semiconductor before that company was bought by QuickLogic. The V363EPC PCI bridge connects the devices on the SMT8096 development kit to the host PC motherboard, both logically and electrically, via the PCI slot connector. It is not a PCI-to-PCI bridge; rather, it bridges between the custom bus used in the SMT8096 development kit and the PCI bus in the host PC. The correct term is local bus to PCI bridge, where "local bus" refers to the custom bus used for communication between the chips on the development kit boards [2].
10. PCI wireless communication add-in card hardware and software co-development
From a cost point of view, a Commercial Off-The-Shelf (COTS) approach to building the BULLDOZER hardware would be more cost-effective: parts already on the market cost much less than custom parts, because COTS parts benefit from economies of scale and from competition in the market [5].
10.1 High-level design
This step involves the high-level decisions on what kind of PCI controller chip will be created for the add-in card, what features the chip will implement, and what auxiliary support chip(s) are required. For example, a PCI wireless communication add-in card typically needs a separate Digital Signal Processor (DSP) chip, or else the DSP logic design is bought from a DSP vendor and incorporated into the card's Field Programmable Gate Array (FPGA) [5].
10.2 Software (device driver) development
This step involves creating a prototype device driver for the PCI add-in card for the target operating system (OS). For example, if the device is marketed mostly to Windows users, creating a Windows device driver takes priority. Drivers for other target OSes are developed later, or not at all if market demand on the alternative OS does not justify the cost of developing the driver [5].
10.3 Chip fabrication
In this step the first design revision of the chip is finished and the design is sent to a chip fabrication plant.
10.4 Compatibility test on the PCI hardware-software "combo"
The chip vendor carries out the compatibility testing first. If the target OS is Windows, Microsoft also carries out additional compatibility testing [5].
11. "Simulating" BULLDOZER hardware
Now let us look at the process of developing a specific PCI add-in card, namely one with wireless communication as its primary function. We focus on this kind of card because BULLDOZER connects to the outside world (to OMNIGAT in Figure 1) via an unspecified wireless connection. For this purpose we look at the hardware prototyping step in more detail, starting with the important design decisions needed to emulate BULLDOZER's capabilities:
- The prototype must have the hardware required to develop a custom wireless communication protocol. The protocol BULLDOZER uses to communicate with OMNIGAT must be as stealthy as possible, even though it probably shares the same physical antenna as a PCI WLAN card [5].
- The prototype must implement PCI expansion ROM hardware, because GINSU is malicious PCI expansion ROM code that must be stored in a functional PCI expansion ROM chip to work.
- GINSU is configurable, or at the very least can be optionally triggered, according to the NSA ANT product sheet. This means there must be some sort of non-volatile memory in the prototype to store GINSU's parameters. It could be a Non-Volatile RAM (NVRAM) chip, as in the DEITYBOUNCE case. Storing the configuration data in flash ROM or another kind of ROM is unlikely, given that flash ROM requires a rather complicated procedure to rewrite [3].
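The expansion ROM and class-code points of section 6, together with the requirement above that GINSU live in a functional PCI expansion ROM, point to the check a defender can actually run: dump each card's option ROM and compare what its PCIR data structure claims with what the card reports in configuration space, then keep the ROM hash as a baseline across reboots. The following Python is an added example, not code from this report or from any source it cites. It implements the ROM header and PCIR data structure layout of the PCI Firmware Specification; the sample images it runs against are constructed test data (the Ralink-style IDs 1814:0301 are assumed, chosen only because Figure 2 shows a Ralink card), and the sysfs reader assumes the standard Linux /sys/bus/pci layout.

```python
"""Parse a PCI expansion (option) ROM and check it against the device's identity.

Added example; the ROM images built here are constructed test data, not a dump
of any real firmware, and 0x1814/0x0301 are assumed illustrative IDs.
"""
import hashlib
import struct

ROM_SIG = b"\x55\xAA"   # bytes 0-1 of every image in the ROM
PCIR_SIG = b"PCIR"      # signature of the PCI data structure
CODE_TYPE_X86 = 0       # PCIR code type 0 = x86 PC-AT legacy image


def parse_option_rom(image: bytes) -> list:
    """Walk the chain of images in an option ROM; return one dict per image."""
    images = []
    offset = 0
    while offset + 0x1A <= len(image):
        if image[offset:offset + 2] != ROM_SIG:
            raise ValueError(f"bad ROM signature at 0x{offset:x}")
        # Header bytes 0x18-0x19: little-endian offset of the PCIR structure
        pcir = offset + struct.unpack_from("<H", image, offset + 0x18)[0]
        if image[pcir:pcir + 4] != PCIR_SIG:
            raise ValueError(f"PCIR signature missing at 0x{pcir:x}")
        vendor, device = struct.unpack_from("<HH", image, pcir + 4)
        # PCIR 0x0D-0x0F: class code, low byte first (prog-if, subclass, base class)
        prog_if, subclass, base = image[pcir + 0x0D:pcir + 0x10]
        blocks = struct.unpack_from("<H", image, pcir + 0x10)[0]  # length in 512-byte units
        code_type = image[pcir + 0x14]
        indicator = image[pcir + 0x15]                             # bit 7 set = last image
        length = blocks * 512
        body = image[offset:offset + length]
        # The BIOS requires an x86 image to sum to 0 mod 256; other code types
        # (e.g. EFI) carry no such checksum, so report None for them.
        checksum_ok = (sum(body) % 256 == 0) if code_type == CODE_TYPE_X86 else None
        images.append({
            "offset": offset, "vendor": vendor, "device": device,
            "class_code": (base << 16) | (subclass << 8) | prog_if,
            "code_type": code_type, "length": length, "checksum_ok": checksum_ok,
            "sha256": hashlib.sha256(body).hexdigest(),   # for baseline comparison
        })
        if indicator & 0x80 or length == 0:
            break
        offset += length
    return images


def check_rom(image: bytes, cfg_vendor: int, cfg_device: int, cfg_class: int) -> list:
    """Compare every image in the ROM with the IDs the device reports in config space.

    Returns human-readable findings; an empty list means nothing suspicious. A ROM
    whose vendor/device or class code disagrees with the card carrying it is what a
    re-flashed or foreign option ROM looks like from the host's point of view.
    """
    findings = []
    for i, im in enumerate(parse_option_rom(image)):
        if im["checksum_ok"] is False:
            findings.append(f"image {i}: x86 checksum does not sum to zero")
        if (im["vendor"], im["device"]) != (cfg_vendor, cfg_device):
            findings.append(f"image {i}: PCIR IDs {im['vendor']:04x}:{im['device']:04x} "
                            f"differ from config space {cfg_vendor:04x}:{cfg_device:04x}")
        if im["class_code"] != cfg_class:
            findings.append(f"image {i}: PCIR class {im['class_code']:06x} "
                            f"differs from config space class {cfg_class:06x}")
    return findings


def build_sample_rom(vendor: int, device: int, class_code: int, last: bool = True) -> bytes:
    """Construct a minimal valid 512-byte x86 image (test data only)."""
    img = bytearray(512)
    img[0:2] = ROM_SIG
    img[2] = 1                                  # header size field: 1 x 512 bytes
    img[3] = 0xCB                               # entry point: RETF, return to BIOS at once
    struct.pack_into("<H", img, 0x18, 0x1C)     # PCIR placed right after the header
    p = 0x1C
    img[p:p + 4] = PCIR_SIG
    struct.pack_into("<HH", img, p + 4, vendor, device)
    struct.pack_into("<H", img, p + 0x0A, 0x18)  # PCIR structure length
    img[p + 0x0D:p + 0x10] = bytes([class_code & 0xFF, (class_code >> 8) & 0xFF, class_code >> 16])
    struct.pack_into("<H", img, p + 0x10, 1)     # image length: 1 block
    img[p + 0x14] = CODE_TYPE_X86
    img[p + 0x15] = 0x80 if last else 0x00
    img[511] = (-sum(img[:511])) & 0xFF          # fix-up byte so the image sums to 0
    return bytes(img)


def read_sysfs_rom(bdf: str):
    """Dump a real device's option ROM and config-space IDs on Linux (needs root).

    Assumes the standard sysfs layout /sys/bus/pci/devices/<bdf>/{rom,vendor,device,class};
    writing "1" to the rom file enables reading it. Not exercised by the sample run.
    """
    base = f"/sys/bus/pci/devices/{bdf}"
    with open(f"{base}/rom", "w") as f:
        f.write("1")
    try:
        with open(f"{base}/rom", "rb") as f:
            rom = f.read()
    finally:
        with open(f"{base}/rom", "w") as f:
            f.write("0")
    ids = []
    for name in ("vendor", "device", "class"):
        with open(f"{base}/{name}") as f:
            ids.append(int(f.read(), 16))
    return rom, ids


if __name__ == "__main__":
    # Constructed sample: a network-controller card (class 02:80:00) with a matching ROM,
    # then the same ROM found on a card whose config space says "SATA controller".
    rom = build_sample_rom(0x1814, 0x0301, 0x028000)
    print("matching card:", check_rom(rom, 0x1814, 0x0301, 0x028000) or "no findings")
    print("foreign ROM:", check_rom(rom, 0x8086, 0x2922, 0x010601))
```

Run as a script it checks the constructed sample; on a real host, `read_sysfs_rom("0000:03:00.0")` (as root) feeds `check_rom` with the live ROM and IDs. A mismatch is not proof of an implant, since some vendors ship ROMs with generic IDs, but a card whose ROM hash changes between two dumps, or whose ROM claims a different class than the card, is exactly what the GINSU design discussed here would have to hide.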
12. Closing thoughts: BULLDOZER evolution
The catalog dates the GINSU-BULLDOZER combo to 2008, so the present-day BULLDOZER coming out of the NSA's fab must have evolved, perhaps into a PCI Express add-in card. Migrating the BULLDOZER design described here to PCI Express (PCIe) is quite trivial, so the NSA should have no difficulty carrying out the protocol conversion: PCIe is compatible with PCI at the logical level of the protocol, so most of the non-physical design can be carried over from the PCI version. An "evolved" BULLDOZER is something to look into in the future [2].
HOWLERMONKEY
13. DEFINITION
HOWLERMONKEY is a custom short-to-medium range implant RF transceiver. It is used in conjunction with a digital core to provide a complete implant [5].
14. INTRODUCTION
The catalog lists hardware and software (called implants in NSA terminology) that can penetrate systems to monitor, modify and extract information. These include modified cables that allow TAO personnel to see what is displayed on the targeted monitor [5]. The general description of the catalog and the list of the nine computer implants were given in section 1 and are not repeated here; in order to understand the functions of these tools in depth, it is essential to study them individually [5].
15. HOWLERMONKEY
HOWLERMONKEY is a transceiver that makes it possible, in conjunction with digital processors and various implanting methods, to extract data from systems or to control them remotely; it is the extraction device of an implant [6].
The printed circuit board (PCB) layouts of the HOWLERMONKEY implants are tailored to individual implant space requirements and differ in form factor. These PCBs are designed to be compatible with CONJECTURE/SPECULATION networks and with STRIKEZONE devices that run the HOWLERMONKEY personality [6].
It is a covert short-to-medium range RF transceiver, designed to be integrated into a larger device, communicating over the SPECULATION and CONJECTURE protocols. Known products that include HOWLERMONKEY are CM-I, CM-II, FIREWALK, SUTURESAILOR and YELLOWPIN [6].
FIG 6: Types of HOWLERMONKEY
15.1 HOWLERMONKEY-YELLOWPIN
YELLOWPIN appears to have a printed circuit loop around its periphery with a total length of around 110 mm, so possibly it is made for a range of frequencies; a higher frequency (shorter wavelength) would certainly have the best chance of escaping from a metal server case. This might be just an artifact of the layout or it might be a loop antenna. There is no easy way to tell, and since it does not appear in the other photos that would tend to suggest artifact rather than antenna; on the other hand it has a separate product name, which could be because it differs from the others precisely in having the antenna on board. So flip a coin. Taking a real leap in the dark, this is more likely to be a command-line interface for command and control (C2) than a bulk data exfiltration/infiltration device, and the RF power is probably down in the milliwatt or sub-milliwatt range, since there is no apparent heat sinking, so the unit-to-unit working range would be in the low tens of meters. The top-left photo in Figure 6 also has two similar-length thick tracks (albeit much shorter than on YELLOWPIN). Wi-Fi parts may not be the best choice if all that is intended is CLI access or exfiltration of small files; vendors such as Texas Instruments make low-power transmitters for remote control (think wireless car keys) and instrumentation applications [7].
15.2 FIREWALK-HOWLERMONKEY
FIREWALK is a bidirectional network implant capable of passively collecting Gigabit Ethernet traffic and actively injecting Ethernet packets onto the same target network. It is a bi-directional 10/100/1000BASE-T (Gigabit) Ethernet implant residing within a dual stacked RJ45/USB connector. FIREWALK can filter and egress network traffic over a custom RF link and inject traffic as commanded; this allows an Ethernet tunnel (VPN) to be created between the target network and the ROC, or an intermediate redirector node such as DNT's DANDERSPRITZ tool. FIREWALK therefore allows active exploitation of a target network protected by a firewall or an air gap. FIREWALK uses the HOWLERMONKEY transceiver for back-end communications. It can communicate with a listening post (LP) or with other compatible HOWLERMONKEY devices, which increases the RF range through multiple hops [7].
FIG 7: General network of HOWLERMONKEY
References:
[1] Appelbaum, Jacob and Stöcker, Christian (29 December 2013). "Shopping for Spy Gear: Catalog Advertises NSA Toolbox". Der Spiegel. Retrieved 1 January 2014.
[2] "NSA BIOS Backdoor a.k.a. God Mode Malware, Part 2: BULLDOZER" (malware analysis), InfoSec Institute, 14 February 2014. http://resources.infosecinstitute.com/nsa-bios-backdoor-aka-god-mode-malware-part-2-bulldozer/
[3] Storm, Darlene (3 January 2014). "17 exploits the NSA uses to hack PCs, routers and servers for surveillance". Computerworld. http://www.computerworld.com/article/2474275/cybercrime-hacking/17-exploits-the-nsa-uses-to-hack-pcs--routers-and-servers-for-surveillance.html
[4] Ferro, Greg (5 February 2014). "Snowden, NSA exploit kits and commercial espionage". EtherealMind. http://etherealmind.com/snowden-nsa-exploit-kits-and-commercial-espionage/
[5] "NSA Codenames" (1 January 2014). Cryptome. http://cryptome.org/2014/01/nsa-codenames.htm
[6] Schneier, Bruce (January 2014). "HOWLERMONKEY". Schneier on Security. https://www.schneier.com/blog/archives/2014/01/howlermonkey_ns.html
[7] "NSA's Spy Catalogue" (PDF). ACLU. https://www.aclu.org/sites/default/files/assets/nsas_spy_catalogue_0.pdf
[8] "HOWLERMONKEY". telefoniert-nach-hause.de. http://www.telefoniert-nach-hause.de/index.php/NSA/HOWLERMONKEY, accessed 4 June 2014.
[9] Appelbaum, Jacob. "NSA ANT Rechner", Der Spiegel / 30C3, 30 December 2013.

More Related Content

Viewers also liked

Viewers also liked (20)

finalfilanl
finalfilanlfinalfilanl
finalfilanl
 
maaaasss
maaaasssmaaaasss
maaaasss
 
Mars
MarsMars
Mars
 
Media Technology
Media TechnologyMedia Technology
Media Technology
 
Research
ResearchResearch
Research
 
Tinnitivix helped me
Tinnitivix helped meTinnitivix helped me
Tinnitivix helped me
 
students
studentsstudents
students
 
Multimedia in the classroom
Multimedia in the classroomMultimedia in the classroom
Multimedia in the classroom
 
YouTube in the Classroom
YouTube in the ClassroomYouTube in the Classroom
YouTube in the Classroom
 
Facebook Groups and The Bottom Line
Facebook Groups and The Bottom LineFacebook Groups and The Bottom Line
Facebook Groups and The Bottom Line
 
Jupiter
JupiterJupiter
Jupiter
 
BIOTECNOLOGÍA
BIOTECNOLOGÍABIOTECNOLOGÍA
BIOTECNOLOGÍA
 
Digipak
DigipakDigipak
Digipak
 
Alamy interview questions and answers
Alamy interview questions and answersAlamy interview questions and answers
Alamy interview questions and answers
 
Intro to Dinosaur
Intro to DinosaurIntro to Dinosaur
Intro to Dinosaur
 
Jupiter 333
Jupiter 333Jupiter 333
Jupiter 333
 
Jd
JdJd
Jd
 
movie review breakfast club
movie review breakfast clubmovie review breakfast club
movie review breakfast club
 
AIESEC Thailand NST Application Booklet | Round 3
 AIESEC Thailand NST Application Booklet | Round 3 AIESEC Thailand NST Application Booklet | Round 3
AIESEC Thailand NST Application Booklet | Round 3
 
Venus (1)
Venus (1)Venus (1)
Venus (1)
 

Similar to FAWAD REPORT 2

Android porting-on-embedded-platform v2-0633850602027036930
Android porting-on-embedded-platform v2-0633850602027036930Android porting-on-embedded-platform v2-0633850602027036930
Android porting-on-embedded-platform v2-0633850602027036930weitulislide
 
IRJET - Development of Embedded Linux System from Bare Board
IRJET - Development of Embedded Linux System from Bare BoardIRJET - Development of Embedded Linux System from Bare Board
IRJET - Development of Embedded Linux System from Bare BoardIRJET Journal
 
IRJET- Design of a Remote Software Distribution for Business Units
IRJET- Design of a Remote Software Distribution for Business UnitsIRJET- Design of a Remote Software Distribution for Business Units
IRJET- Design of a Remote Software Distribution for Business UnitsIRJET Journal
 
Near Field Communication on Raspberry Pi
Near Field Communication on Raspberry PiNear Field Communication on Raspberry Pi
Near Field Communication on Raspberry PiIRJET Journal
 
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)David Sweigert
 
Ubuntu core on bubblegum 96
Ubuntu core on bubblegum 96Ubuntu core on bubblegum 96
Ubuntu core on bubblegum 96波 董
 
Ubuntu core on bubblegum 96
Ubuntu core on bubblegum 96Ubuntu core on bubblegum 96
Ubuntu core on bubblegum 96波 董
 
Black berry playbook security part one
Black berry playbook security   part oneBlack berry playbook security   part one
Black berry playbook security part oneYury Chemerkin
 
DeviceHub - First steps using Intel Edison
DeviceHub - First steps using Intel EdisonDeviceHub - First steps using Intel Edison
DeviceHub - First steps using Intel EdisonGabriel Arnautu
 
6839960.pdf
6839960.pdf6839960.pdf
6839960.pdffdlcruz
 
How to install vvdi 2 software and driver
How to install vvdi 2 software and driverHow to install vvdi 2 software and driver
How to install vvdi 2 software and driverBuyobdtoolShop
 
how-to-install-vvdi2-software-and-driver
how-to-install-vvdi2-software-and-driverhow-to-install-vvdi2-software-and-driver
how-to-install-vvdi2-software-and-driverOBD TOOLS
 
TDC2016SP - Trilha Linux Embarcado
TDC2016SP - Trilha Linux EmbarcadoTDC2016SP - Trilha Linux Embarcado
TDC2016SP - Trilha Linux Embarcadotdc-globalcode
 
Client install
Client installClient install
Client installmrt Londeh
 
ORION STARTER KIT….a real electronic laboratory (by FASAR ELETTRONICA)
ORION STARTER KIT….a real electronic laboratory (by FASAR ELETTRONICA)ORION STARTER KIT….a real electronic laboratory (by FASAR ELETTRONICA)
ORION STARTER KIT….a real electronic laboratory (by FASAR ELETTRONICA)Flavio Falcinelli
 
International Journal of Computational Engineering Research(IJCER)
International Journal of Computational Engineering Research(IJCER)International Journal of Computational Engineering Research(IJCER)
International Journal of Computational Engineering Research(IJCER)ijceronline
 

Similar to FAWAD REPORT 2 (20)

lotos-framework
lotos-frameworklotos-framework
lotos-framework
 
56_Implementation
56_Implementation56_Implementation
56_Implementation
 
Android porting-on-embedded-platform v2-0633850602027036930
Android porting-on-embedded-platform v2-0633850602027036930Android porting-on-embedded-platform v2-0633850602027036930
Android porting-on-embedded-platform v2-0633850602027036930
 
IRJET - Development of Embedded Linux System from Bare Board
IRJET - Development of Embedded Linux System from Bare BoardIRJET - Development of Embedded Linux System from Bare Board
IRJET - Development of Embedded Linux System from Bare Board
 
IRJET- Design of a Remote Software Distribution for Business Units
IRJET- Design of a Remote Software Distribution for Business UnitsIRJET- Design of a Remote Software Distribution for Business Units
IRJET- Design of a Remote Software Distribution for Business Units
 
Near Field Communication on Raspberry Pi
Near Field Communication on Raspberry PiNear Field Communication on Raspberry Pi
Near Field Communication on Raspberry Pi
 
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
 
Ubuntu core on bubblegum 96
Ubuntu core on bubblegum 96Ubuntu core on bubblegum 96
Ubuntu core on bubblegum 96
 
Ubuntu core on bubblegum 96
Ubuntu core on bubblegum 96Ubuntu core on bubblegum 96
Ubuntu core on bubblegum 96
 
Black berry playbook security part one
Black berry playbook security   part oneBlack berry playbook security   part one
Black berry playbook security part one
 
DeviceHub - First steps using Intel Edison
DeviceHub - First steps using Intel EdisonDeviceHub - First steps using Intel Edison
DeviceHub - First steps using Intel Edison
 
6839960.pdf
6839960.pdf6839960.pdf
6839960.pdf
 
How to install vvdi 2 software and driver
How to install vvdi 2 software and driverHow to install vvdi 2 software and driver
How to install vvdi 2 software and driver
 
how-to-install-vvdi2-software-and-driver
how-to-install-vvdi2-software-and-driverhow-to-install-vvdi2-software-and-driver
how-to-install-vvdi2-software-and-driver
 
TDC2016SP - Trilha Linux Embarcado
TDC2016SP - Trilha Linux EmbarcadoTDC2016SP - Trilha Linux Embarcado
TDC2016SP - Trilha Linux Embarcado
 
Client install
Client installClient install
Client install
 
ORION STARTER KIT….a real electronic laboratory (by FASAR ELETTRONICA)
ORION STARTER KIT….a real electronic laboratory (by FASAR ELETTRONICA)ORION STARTER KIT….a real electronic laboratory (by FASAR ELETTRONICA)
ORION STARTER KIT….a real electronic laboratory (by FASAR ELETTRONICA)
 
Proposal
Proposal Proposal
Proposal
 
International Journal of Computational Engineering Research(IJCER)
International Journal of Computational Engineering Research(IJCER)International Journal of Computational Engineering Research(IJCER)
International Journal of Computational Engineering Research(IJCER)
 
tssgi
tssgitssgi
tssgi
 

More from Fawad Masood

Solution modern digital-& analog-communications-systems-b-p-lathi
Solution modern digital-& analog-communications-systems-b-p-lathiSolution modern digital-& analog-communications-systems-b-p-lathi
Solution modern digital-& analog-communications-systems-b-p-lathiFawad Masood
 
Bp lathi book solution by Fawad Masood Khan khattak@CECOS University By Fawa...
Bp lathi book solution by Fawad Masood Khan khattak@CECOS University  By Fawa...Bp lathi book solution by Fawad Masood Khan khattak@CECOS University  By Fawa...
Bp lathi book solution by Fawad Masood Khan khattak@CECOS University By Fawa...Fawad Masood
 
Microprocessor Use Of Emulator 8088/86 Thermometer By Fawad Masood Khattak
Microprocessor Use Of Emulator 8088/86 Thermometer By Fawad Masood KhattakMicroprocessor Use Of Emulator 8088/86 Thermometer By Fawad Masood Khattak
Microprocessor Use Of Emulator 8088/86 Thermometer By Fawad Masood KhattakFawad Masood
 

More from Fawad Masood (9)

Solution modern digital-& analog-communications-systems-b-p-lathi
Solution modern digital-& analog-communications-systems-b-p-lathiSolution modern digital-& analog-communications-systems-b-p-lathi
Solution modern digital-& analog-communications-systems-b-p-lathi
 
Chapter 5
Chapter 5Chapter 5
Chapter 5
 
Chapter 4
Chapter 4Chapter 4
Chapter 4
 
Chapter 3
Chapter 3Chapter 3
Chapter 3
 
Chapter 2
Chapter 2Chapter 2
Chapter 2
 
Chapter 1
Chapter 1Chapter 1
Chapter 1
 
Bp lathi book solution by Fawad Masood Khan khattak@CECOS University By Fawa...
Bp lathi book solution by Fawad Masood Khan khattak@CECOS University  By Fawa...Bp lathi book solution by Fawad Masood Khan khattak@CECOS University  By Fawa...
Bp lathi book solution by Fawad Masood Khan khattak@CECOS University By Fawa...
 
Chapter 6
Chapter 6Chapter 6
Chapter 6
 
Microprocessor Use Of Emulator 8088/86 Thermometer By Fawad Masood Khattak
Microprocessor Use Of Emulator 8088/86 Thermometer By Fawad Masood KhattakMicroprocessor Use Of Emulator 8088/86 Thermometer By Fawad Masood Khattak
Microprocessor Use Of Emulator 8088/86 Thermometer By Fawad Masood Khattak
 

FAWAD REPORT 2

NSA ANT CATALOG: GINSU-BULLDOZER COMBO

1. INTRODUCTION

Q: What is the NSA ANT catalog? This is the first question that arises in every individual's mind.

A: The answer is very simple: these are technologies used by the NSA (National Security Agency). Most devices are available to USA nationals and members of the Five Eyes alliance. Now the question arises: what is the Five Eyes alliance? Five Eyes (FVEY) includes some powerful countries, namely Australia, New Zealand, Canada and the UK; all of these are bound by the UKUSA agreement [1].

The latest Snowden disclosure of the NSA's ANT exploitation catalog will be studied by every IT security professional in the world [1]. The digital catalogue of the NSA's tools of digital espionage, which was exposed in Der Spiegel, the German weekly, reveals the number of sophisticated digital tools used by the US to conduct its espionage operations around the world. The 49 tools which got exposed belong to the same family, called 'ANGRYNEIGHBOUR', and can be sorted into many categories according to their operating devices/platforms (see Part I for the categorization). In these, both hardware and software tools serve their purpose in collecting data from inaccessible devices around the world through unconventional technological means. These tools are designed specifically to function on particular devices ranging from keyboards, USBs and VGAs (see Part 2) to a whole computer/CPU, to firewalls, LANs, servers, routers and mobile phones, and even to act as radars to transfer data to their local data collection centers [1].

Among the various NSA ANT tools, the specific tools for computers/CPUs comprise both hardware and software implants, which make them more vulnerable to espionage. Therefore, the tools of espionage on a computer, or in other terms a CPU (Central Processing Unit), will be the topic of discussion for this part. The exposed catalogue reveals 9 tools dedicated to computers, of which 5 are software-based implants and the remaining 4 are hardware implants. The software-based implants are GINSU, IRATEMONK, SWAP, WISTFULTOLL and SOMBERKNAVE, and the hardware-based implants are HOWLERMONKEY, JUNIORMINT, MAESTRO-II and TRINITY. "The software implants hide themselves in the master boot record or even in the BIOS of the computer, while the hardware implants are implanted by intercepting the computer during delivery, in a process called by the agency 'Interdiction'" [2].

2. GINSU

GINSU is a computer (CPU) implant that provides software application persistence on the target system with the PCI bus hardware implant [2]. It is used for restoring a software implant that has been removed during an operating system upgrade or reinstall. Our focus is on BULLDOZER and GINSU: how do they work, and how was their architecture developed? First we focus on BULLDOZER, the hardware part of the combo, then we come to GINSU [2].

3. BULLDOZER

A hardware implant acting as a malware dropper and wireless communication "hub". Despite BULLDOZER being hardware, I still use the word "malware" when referring to it, because it is malicious hardware; perhaps the term "malware" should refer to both malicious software and malicious hardware.

BULLDOZER as "god mode": BULLDOZER provides capabilities similar to the "god mode" cheat in video games, which makes the player using it close to invincible. BULLDOZER is very hard to detect [3]. As for GINSU, we will look into GINSU in detail in the next installment of this series.

3.1 BULLDOZER is based on
1. BIOS
2. Hardware technology

4. Introduction to the GINSU-BULLDOZER malware combo

BULLDOZER doesn't work in isolation. It has to be paired with the GINSU malware to be able to work. GINSU is a malicious PCI expansion ROM. Therefore, at this point, let's just assume that GINSU is indeed a malicious PCI expansion ROM and BULLDOZER is the hardware on which GINSU runs. This means that the two work with each other, BULLDOZER being the hardware malware and GINSU the software malware, so we can now say that BULLDOZER is a PCI add-in card.
GINSU and BULLDOZER are a software and hardware combo that must be present at the same time to work. We need to look at the context in which GINSU and BULLDOZER operate in order to understand their inner workings. Figure 1 shows the deployment of GINSU and BULLDOZER in the target network [2].

Fig 1: Extended Concept of Operation

BULLDOZER is hardware implanted in one of the machines in the target network. The NSA Remote Operation Center (ROC) communicates via OMNIGAT with the exploited machine through an unspecified wireless network. This implies the GINSU-BULLDOZER malware combo targets machines in air-gapped networks, or machines located in a network that is hard but not impossible to penetrate.

The NSA ANT server product data document mentions that GINSU provides software application persistence for the Computer Network Exploitation (CNE) ("exploitation": treating unfairly) implant, codenamed KONGUR, on systems with the PCI bus hardware implant BULLDOZER.

5. System support

This technique supports any desktop PC system that contains at least one PCI connector (slot) and uses Microsoft Windows 9x, 2000, 2003 Server, XP or Vista. The PCI slot is required for the BULLDOZER hardware implant [2]. BULLDOZER is installed in the target system as a PCI hardware implant through "interdiction" (destroying enemy forces), fancy words for installing additional hardware in the target system while it is being shipped to its destination. After fielding, if KONGUR is removed from the system as a result of an operating system upgrade or reinstallation, GINSU can be set to trigger on the next reboot of the system to restore the software implant [2].

PCI add-in cards are installed in PCI expansion slots on the motherboard. Figure 2 shows a sample PCI add-in card. This PCI add-in card is a PCI WLAN card. Figure 2 highlights the PCI "controller" chip from Ralink (a WLAN controller) and the PCI slot connector on the add-in card. The term "controller" is a generic name given to a chip that implements the core function in a PCI add-in card. PCI hardware development documentation typically uses this term, as do PCI-related

So there are 3 components in the GINSU-BULLDOZER combo.

6. GINSU (general points)
- (GINSU: a very popular knife of the 1980s and 1990s)
- It is a malicious PCI expansion (option) ROM
- GINSU runs in a PCI add-in card
- The add-in card's codename is BULLDOZER
- The GINSU ROM is larger than DEITYBOUNCE
- So GINSU does a lot more than DEITYBOUNCE
- The NSA controls the size of the flash ROM on the PCI add-in card

1. The BULLDOZER chip very possibly uses a PCI wireless controller class code
2. The BULLDOZER hardware containing GINSU is probably not a PCI mass storage device
3. BULLDOZER provides wireless communication and requires an antenna
4. A large antenna boosts wireless signal strength

7. KONGUR

A Windows malware that targets Windows 9x, 2000, XP, Server 2003 and Vista [2].

8. PCI add-in card

It is installed in a PCI expansion slot on the motherboard of the computer [2].

Fig 2: PCI add-in card, showing the flash memory ROM
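An added example (not code from the report or from any of its sources) of the consistency checks a defender can run over an expansion ROM image dumped from a PCI add-in card: it parses the legacy ROM header and its PCIR data structure, verifies the image checksum, and compares the vendor, device and class code the ROM claims with what the card reports in PCI configuration space (the report notes the implant card would likely carry a wireless/network class code). The vendor and device IDs and the sample image are constructed test values, and PCIR_OFFSET is a layout choice for that sample, not a fixed location.

```python
import struct

# Offsets follow the PCI Firmware Specification's legacy expansion ROM header and
# its "PCIR" data structure; all sample IDs below are constructed test values.

PCIR_OFFSET = 0x40  # where the constructed sample image places its PCIR structure

def parse_pci_rom(rom: bytes) -> dict:
    """Return the self-description of the first image in a PCI expansion ROM."""
    if len(rom) < 0x1A or rom[0] != 0x55 or rom[1] != 0xAA:
        raise ValueError("missing 55AA expansion ROM signature")
    pcir = struct.unpack_from("<H", rom, 0x18)[0]        # pointer to PCIR
    if rom[pcir:pcir + 4] != b"PCIR":
        raise ValueError("missing PCIR data structure")
    vendor, device = struct.unpack_from("<HH", rom, pcir + 4)
    prog_if, subclass, base = rom[pcir + 0x0D:pcir + 0x10]
    image_len = struct.unpack_from("<H", rom, pcir + 0x10)[0] * 512
    return {
        "vendor_id": vendor,
        "device_id": device,
        "class_code": (base << 16) | (subclass << 8) | prog_if,
        "image_length": image_len,
        "code_type": rom[pcir + 0x14],                # 0 = x86 BIOS, 3 = UEFI
        "last_image": bool(rom[pcir + 0x15] & 0x80),
        # legacy x86 images must sum to zero modulo 256 over the whole image
        "checksum_ok": sum(rom[:image_len]) % 256 == 0,
    }

def audit_rom(rom: bytes, dev_vendor: int, dev_device: int, dev_class: int) -> list:
    """Cross-check the ROM against config space; returns findings (empty = consistent)."""
    info = parse_pci_rom(rom)
    findings = []
    if not info["checksum_ok"]:
        findings.append("image checksum is wrong (corrupt or modified image)")
    if (info["vendor_id"], info["device_id"]) != (dev_vendor, dev_device):
        findings.append("ROM claims %04x:%04x but device is %04x:%04x"
                        % (info["vendor_id"], info["device_id"], dev_vendor, dev_device))
    if info["class_code"] >> 8 != dev_class >> 8:      # compare base class + subclass
        findings.append("ROM class %06x differs from device class %06x"
                        % (info["class_code"], dev_class))
    if info["code_type"] not in (0, 3):
        findings.append("unexpected code type %d" % info["code_type"])
    return findings

def build_sample_rom(vendor_id: int, device_id: int, class_code: int) -> bytes:
    """Construct a minimal 512-byte x86 expansion ROM image for testing (not real firmware)."""
    rom = bytearray(512)
    rom[0:2] = b"\x55\xAA"
    rom[2] = 1                                    # init size: 1 x 512 bytes
    rom[3:6] = b"\xEB\xFE\x90"                    # entry point: jmp $ ; nop
    struct.pack_into("<H", rom, 0x18, PCIR_OFFSET)
    p = PCIR_OFFSET
    rom[p:p + 4] = b"PCIR"
    struct.pack_into("<HH", rom, p + 4, vendor_id, device_id)
    struct.pack_into("<H", rom, p + 0x0A, 0x18)   # PCIR structure length
    rom[p + 0x0D] = class_code & 0xFF             # prog-if
    rom[p + 0x0E] = (class_code >> 8) & 0xFF      # subclass
    rom[p + 0x0F] = (class_code >> 16) & 0xFF     # base class
    struct.pack_into("<H", rom, p + 0x10, 1)      # image length: 1 x 512 bytes
    rom[p + 0x14] = 0                             # code type: x86 BIOS
    rom[p + 0x15] = 0x80                          # indicator: last image
    rom[511] = (-sum(rom[:511])) & 0xFF           # fix up the 8-bit checksum
    return bytes(rom)

if __name__ == "__main__":
    # constructed network-class (base class 0x02, subclass 0x80) sample image
    rom = build_sample_rom(0x1234, 0x5678, 0x028000)
    print(audit_rom(rom, 0x1234, 0x5678, 0x028000))   # []: consistent
    print(audit_rom(rom, 0x1234, 0x5678, 0x010000))   # class mismatch finding
```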
Fig 3: Removing and installing a PCI card in a desktop

9. BULLDOZER hardware "simulation" with the Sundance SMT8096 SDR development kit

There is usually more than one FPGA on a typical PCI SDR development board. We are going to look into one of Sundance's products which was available in the market before 2008, the year the GINSU-BULLDOZER malware combo was operational. I picked the Sundance SMT8096 SDR development kit as the example in this article. This kit was available in the market circa 2005. The kit consists of several connected boards, with a "PCI carrier" board acting as the host of all the connected boards. The PCI carrier board connects the entire kit to the PCI slot in the development PC. Figure 4 shows the entire Sundance SMT8096 SDR development kit hardware [4].

Fig 4: Entire Sundance SMT8096 SDR development kit hardware

Figure 5 shows the block diagram of the entire SDR development kit. It helps to understand the interactions between the SDR development kit components.
Let's look into the SMT310Q PCI carrier board, because this board is the one visible from the motherboard BIOS's perspective. We'll focus on the technology required to communicate with the host PC instead of the technology required for the wireless communication, because we have no further clues on the latter. Moreover, I'm not an expert in radio communication technology anyway [4].

The SMT310Q PCI carrier board has a QuickLogic V363EPC PCI bridge chip, which conforms to the PCI 2.1 specification. This chip was developed by V3 Semiconductor before the company was bought by QuickLogic. The V363EPC PCI bridge connects the devices on the SMT8096 development kit to the host PC motherboard, both logically and electrically, via the PCI slot connector. This PCI bridge chip is not a PCI-to-PCI bridge; rather, it's a bridge between the custom bus used in the SMT8096 development kit and the PCI bus in the host PC. The correct term is Local Bus to PCI Bridge. "Local bus" in this context refers to the custom bus in the SMT8096 development kit, used for communication between the chips on the development kit boards [2].

10. PCI wireless communication add-in card hardware and software co-development

From a cost point of view, using a Commercial Off-The-Shelf (COTS) approach in creating the BULLDOZER hardware would be more cost-effective, i.e. using tools already in the market costs much less than custom tools. COTS benefits from economies of scale and competition in the market compared to custom tools [5].

10.1 High-level design

This step involves the high-level decisions on what kind of PCI controller chip would be created for the PCI add-in card, what features the chip would implement, and what auxiliary support chip(s) are required. For example, in the case of a PCI wireless communication add-in card, typically you will need a separate Digital Signal Processor (DSP) chip, or you need to buy the DSP logic design from a DSP vendor and incorporate that design into your PCI Field Programmable Gate Array (FPGA) [5].
10.2 Software (device driver) development

This step involves creating a prototype device driver for the PCI add-in card for the target Operating System (OS). For example, if the device would be marketed mostly to Windows users, then creating a Windows device driver would take priority. Drivers for other target OSes would be developed later, or probably not at all if market demand on the alternative OS doesn't justify the cost involved in developing the driver [5].

10.3 Chip fabrication

In this step, the first design revision of the chip is finished and the design is sent to a chip fabrication plant for fabrication.

10.4 Compatibility test on the PCI hardware-software "combo"

The chip vendor carries out the compatibility testing first. If the target OS is Windows, Microsoft also carries out additional compatibility testing [5].

11. "Simulating" BULLDOZER hardware

Now, let's look into the process of developing a specific PCI add-in card, i.e. a PCI add-in card with wireless communication as its primary function. We focus on this kind of PCI add-in card because BULLDOZER connects to the outside world (to OMNIGAT in Figure 1) via an unspecified wireless connection. For this purpose, we look into the hardware prototyping step in more detail. Let's start with some important design decisions in order to emulate BULLDOZER's capabilities, as follows:

The prototype must have the required hardware to develop a custom wireless communication protocol. The reason is that the wireless communication protocol used by BULLDOZER to communicate with OMNIGAT must be as stealthy as possible, despite probably using the same physical antenna as a PCI WLAN card [5].

The prototype must have implemented PCI expansion ROM hardware. The reason is that GINSU is malicious PCI expansion ROM code that must be stored in a functional PCI expansion ROM chip to work.

GINSU is configurable, or at the very least it can be optionally triggered, based on the NSA ANT server document. This means there must be some sort of non-volatile memory in the prototype to store GINSU parameters. It could be in the form of a Non-Volatile RAM (NVRAM) chip, as in the DEITYBOUNCE case. Storing the configuration data in a flash ROM or other kinds of ROM is quite unlikely, given the nature of flash ROM, which requires a rather complicated procedure to rewrite [3].

12. Closing thoughts: BULLDOZER evolution

Given that BULLDOZER was fielded almost six years ago, the present-day BULLDOZER cranking out of the NSA's fab must have evolved, perhaps into a PCI Express add-in card. It's quite trivial to migrate the BULLDOZER design explained in this article to PCI Express (PCIe), though. Therefore, the NSA shouldn't have any difficulty carrying out the protocol conversion. PCIe is compatible with PCI at the logical level of the protocol. Therefore, most of the non-physical design can be carried over from the PCI version of the BULLDOZER design explained here. We should look into the "evolved" BULLDOZER in the future [2].
HOWLERMONKEY

13. DEFINITION

HOWLERMONKEY is a custom short- to medium-range implant RF transceiver. It is used in conjunction with a digital core to provide a complete implant [5].

14. INTRODUCTION

The catalog lists hardware and software (called implants in NSA terminology) which can penetrate systems to monitor, modify and extract information. These include modified cables allowing TAO personnel to see what is displayed on the targeted monitor [5]. The catalogue and its nine computer/CPU tools were introduced in Section 1 above; in order to understand the functions of these tools in depth, it is essential to study them individually [5].

15. HOWLERMONKEY

A transceiver that makes it possible (in conjunction with digital processors and various implanting methods) to extract data from systems or allow them to be controlled remotely. It is an extraction device [6].

The Printed Circuit Board (PCB) layouts of the HOWLERMONKEY implants are tailored according to individual implant space requirements and differ in form factor. These PCBs are designed to be compatible with CONJECTURE/SPECULATION networks and STRIKEZONE devices that run on the HOWLERMONKEY personality [6].

It is a covert short- to medium-range RF transceiver, designed to be integrated with a larger device. It communicates over the SPECULATION and CONJECTURE protocols. Known products that include HOWLERMONKEY are: CM-I, CM-II, FIREWALK, SUTURESAILOR and YELLOWPIN [6].

Fig 6: Types of HOWLERMONKEY
15.1 HOWLERMONKEY-YELLOWPIN

YELLOWPIN appears to have a printed circuit loop around its periphery, of a total length of around 110 mm, so possibly it is made for a range of frequencies. A higher frequency/shorter wavelength would certainly have the best chance of escaping from a metal server case. Now, this might just be an artifact of the layout, or it might be a loop antenna. There's no easy way to tell, and as it does not appear in the other photos, that would tend to suggest artifact, not antenna; but it has a separate product name, which could be because it is different from the others, the difference being that it has the antenna on board. So flip a coin and make your choice.

Now this is where I take a real leap in the dark and say this is more likely to be a CLI system for CC than a bulk data ex/infiltrator, and that the RF power is going to be down in the milliwatt or less range, as there is no apparent "heat sinking"; thus the working range unit to unit is in the low tens of meters.

The top-left photo also has two similar-length thick tracks (albeit much shorter than YELLOWPIN's), so possibly it is made for a range of frequencies. A higher frequency/shorter wavelength would certainly have the best chance of escaping from a metal server case. WiFi devices may not be the best choice if all that is intended is CLI access or exfiltration of small files; people like Texas Instruments make low-power transmitters for remote control (think wireless car keys) and instrumentation applications [7].

15.2 FIREWALK-HOWLERMONKEY

FIREWALK is a bidirectional network implant, capable of passively collecting Gigabit Ethernet network traffic and actively injecting Ethernet packets onto the same target network. FIREWALK is a bidirectional 10/100/1000bT (Gigabit) Ethernet network implant residing within a dual-stacked RJ45/USB connector. FIREWALK is capable of filtering and egressing network traffic over a custom RF link and injecting traffic as commanded; this allows an Ethernet tunnel (VPN) to be created between the target network and the ROC (or an intermediate redirector node such as DNT's DANDERSPRITZ tool). FIREWALK allows active exploitation of a target network with firewall or air-gap protection. FIREWALK uses the HOWLERMONKEY transceiver for back-end communications. It can communicate with an LP or other compatible HOWLERMONKEY to increase RF range through multiple hops [7].
Fig 7: General network of HOWLERMONKEY
References

[1] Appelbaum, Jacob and Stöcker, Christian (December 29, 2013). "Shopping for Spy Gear: Catalog Advertises NSA Toolbox". Der Spiegel. Retrieved January 1, 2014.
[2] "Malware analysis", Meta, February 14, 2014. http://resources.infosecinstitute.com/nsa-bios-backdoor-aka-god-mode-malware-part-2-bulldozer/
[3] Darlene Storm, January 3, 2014. http://www.computerworld.com/article/2474275/cybercrime-hacking/17-exploits-the-nsa-uses-to-hack-pcs--routers-and-servers-for-surveillance.html
[4] Greg Ferro, February 5, 2014. http://etherealmind.com/snowden-nsa-exploit-kits-and-commercial-espionage/
[5] "NSA Codenames", January 1, 2014. http://cryptome.org/2014/01/nsa-codenames.htm
[6] https://www.schneier.com/blog/archives/2014/01/howlermonkey_ns.html
[7] https://www.aclu.org/sites/default/files/assets/nsas_spy_catalogue_0.pdf
[8] http://www.telefoniert-nach-hause.de/index.php/NSA/HOWLERMONKEY, accessed June 04, 2014.
[9] Appelbaum, Jacob. "NSA ANT Rechner", Der Spiegel, 30C3, 30 December 2013.