GINSU-BULLDOZER COMBO & HOWLERMONKEY

REPORT

Submitted to: Dr Mohammad Amin

Submitted by: Fawad Masood

ID: 1504-12017

Date: 5/18/2016


Table of contents

1. Introduction

2. Ginsu

3. Bulldozer

3.1. Bulldozer based on

4. Introduction to the GINSU-BULLDOZER malware combo

5. System support

6. GINSU (general points)

7. KONGUR

8. PCI add-in card

9. Bulldozer hardware simulation with the Sundance SMT8096 SDR development kit

10. PCI wireless communication add-in card hardware and software co-development

10.1. High-level design

10.2. Software (device driver) development

10.3. Chip fabrication

10.4. Compatibility test on the PCI hardware-software combo

11. Simulating Bulldozer hardware

12. Howlermonkey

13. Definition

14. Introduction

15. Types of Howlermonkey

15.1. Howlermonkey YELLOWPIN

15.2. FIREWALK Howlermonkey

References


LIST OF FIGURES

Fig 1 Extended Concept of Operation

Fig 2 PCI add-in card

Fig 3 Removing and installing a PCI add-in card

Fig 4 Entire Sundance SMT8096 SDR development kit hardware

Fig 5 SMT8096 software defined radio development kit

Fig 6 Types of HOWLERMONKEY

Fig 7 General network of HOWLERMONKEY


NSA ANT CATALOG

GINSU BULLDOZER COMBO

1. INTRODUCTION

Q: What is the NSA ANT catalog? This is the first question that arises in everyone's mind.

A: The answer is simple: these are technologies used by the NSA (National Security Agency). Most of the devices are available to US nationals and to members of the Five Eyes alliance. The next question is what the Five Eyes alliance is. Five Eyes (FVEY) includes some powerful countries, namely Australia, New Zealand, Canada and the UK, all bound together by the UKUSA agreement [1].

The latest Snowden disclosure of the NSA's ANT exploitation catalog will be studied by every IT security professional in the world [1]. The digital catalogue of the NSA's tools of digital espionage, exposed in Der Spiegel, the German weekly, reveals the amount of sophisticated digital tools used by the US to conduct its espionage operations around the world. The 49 tools that got exposed belong to the same family, called 'ANGRYNEIGHBOUR', and can be sorted into many categories according to the devices/platforms they operate on (see Part I for the categorization). In these, both hardware and software tools serve their purpose in collecting data from inaccessible devices around the world through unconventional technological means. These tools are designed specifically to function on particular devices, ranging from keyboards, USBs and VGAs (see Part 2) to a whole computer/CPU, to firewalls, LANs, servers, routers and mobile phones, and even to act as radars to transfer data to their local data collection centers [1].

Among the various NSA ANT tools, the specific tools for computers/CPUs comprise both hardware and software implants, which make them more vulnerable to espionage. Therefore, the tools of espionage on a computer, or in other terms a CPU (Central Processing Unit), will be the topic of discussion for this part. The exposed catalogue reveals 9 tools dedicated to computers, of which 5 are software-based implants and the remaining 4 are hardware implants. The software-based implants are GINSU, IRATEMONK, SWAP, WISTFULTOLL and SOMBERKNAVE, and the hardware-based implants are HOWLERMONKEY, JUNIORMINT, MAESTRO-II and TRINITY. "The software implants hide themselves in the master boot record or even in the BIOS of the computer, while the hardware implants are implanted by intercepting the computer during delivery, in a process the agency calls 'Interdiction'" [2].

2. GINSU

GINSU is one of the computer implants: it provides software application persistence on the target system together with the PCI bus hardware implant [2]. It is used for restoring a software implant that has been removed during an operating system upgrade or reinstall. Our focus is on BULLDOZER and GINSU: how do they work, and how was their architecture developed? First we focus on BULLDOZER, the hardware part inside the computer, and then we come to GINSU [2].

3. BULLDOZER

BULLDOZER is a hardware implant acting as a malware dropper and wireless communication "hub". Despite BULLDOZER being hardware, I still use the word "malware" when referring to it, because it is malicious hardware; perhaps the term "malware" should refer to both malicious software and malicious hardware. BULLDOZER as a "god mode": BULLDOZER provides capabilities similar to the "god mode" cheat in video games, which makes the player using it close to invincible. BULLDOZER is very hard to detect [3]. As for GINSU, we will look into GINSU in detail in the next installment of this series.

3.1 Bulldozer is based on

1. BIOS

2. Hardware technology

4. Introduction to the GINSU-BULLDOZER malware combo

BULLDOZER doesn't work in isolation. It has to be paired with the GINSU malware to be able to work. GINSU is a malicious PCI expansion ROM. Therefore, at this point, let's just assume that GINSU is indeed a malicious PCI expansion ROM and that BULLDOZER is the hardware where GINSU runs. This means that both work with each other: BULLDOZER is hardware malware and GINSU is software malware, so we can now say that BULLDOZER is a PCI add-in card.

GINSU and BULLDOZER are a software and hardware combo that must be present at the same time to work. We need to look at the context where GINSU and BULLDOZER operate in order to understand their inner workings. Figure 1 shows the deployment of GINSU and BULLDOZER in the target network [2].

Figure 1 (Extended Concept of Operation):

The BULLDOZER hardware is implanted in one of the machines in the target network.

The NSA Remote Operations Center (ROC) communicates via OMNIGAT with the exploited machine through an unspecified wireless network.

This implies that the GINSU-BULLDOZER malware combo targets machines in air-gapped networks, or machines located in a network that is hard but not impossible to penetrate.

The NSA ANT server product data document mentions:

"GINSU provides software application persistence for the Computer Network Exploitation (CNE) implant, codenamed KONGUR, on systems with the PCI bus hardware implant, BULLDOZER."

5. System support

This technique supports any desktop PC system that contains at least one PCI connector (slot) and runs Microsoft Windows 9x, 2000, 2003 Server, XP or Vista. The PCI slot is required for the BULLDOZER hardware implant [2].

BULLDOZER is installed in the target system as a PCI hardware implant through "interdiction" (literally, destroying enemy forces), a fancy word for installing additional hardware in the target system while it is being shipped to its destination.

After fielding, if KONGUR is removed from the system as a result of an operating system upgrade or reinstallation, GINSU can be set to trigger on the next reboot of the system to restore the software implant [2].

PCI add-in cards are installed in PCI expansion slots on the motherboard. Figure 2 shows a sample PCI add-in card. This PCI add-in card is a PCI WLAN card. Figure 2 highlights the PCI "controller" chip from Ralink, a WLAN controller, and the PCI slot connector on the add-in card. The term "controller" is a generic name given to a chip that implements the core function of a PCI add-in card. PCI hardware development documentation typically uses this term, as do PCI-related

So there are 3 components in the GINSU-BULLDOZER combo:

6. GINSU (general points)

(Ginsu was a very popular knife brand in the 1980s and 1990s.)

It is a malicious PCI expansion (option) ROM.

GINSU runs in a PCI add-in card, codenamed BULLDOZER.

The GINSU ROM is larger than DEITYBOUNCE's, so GINSU can do a lot more than DEITYBOUNCE.

The NSA controls the size of the flash ROM on the PCI add-in card.

1. The BULLDOZER chip very possibly uses a PCI wireless controller class code.

2. The BULLDOZER hardware containing GINSU is probably not a PCI mass storage device.

3. BULLDOZER provides wireless communication, and it requires an antenna.

4. A large antenna boosts wireless signal strength.

7. KONGUR

KONGUR is Windows malware that targets Windows 9x, 2000, XP, Server 2003 and Vista [2].

8. PCI add-in card

It is installed in a PCI expansion slot on the motherboard of the computer [2].

Fig 2: PCI add-in card (showing the flash memory ROM)

Fig 3: Removing and installing a PCI card in a desktop

9. BULLDOZER hardware "simulation" with the Sundance SMT8096 SDR development kit

There is usually more than one FPGA on a typical PCI SDR development board. We are going to look into one of Sundance's products that was available in the market before 2008, the year the GINSU-BULLDOZER malware combo was operational. I picked the Sundance SMT8096 SDR development kit as the example in this article. This kit was available in the market circa 2005. The kit consists of several connected boards, with a "PCI carrier" board acting as the host of all of the connected boards. The PCI carrier board connects the entire kit to the PCI slot in the development PC. Figure 4 shows the entire Sundance SMT8096 SDR development kit hardware [4].

Fig 4: Entire Sundance SMT8096 SDR development kit hardware.

Figure 5 shows the block diagram of the entire SDR development kit. It helps in understanding the interactions between the SDR development kit components.

Let's look into the SMT310Q PCI carrier board, because this board is the one visible from the motherboard BIOS perspective. We'll focus on the technology required to communicate with the host PC instead of the technology required for the wireless communication, because we have no further clues on the latter. Moreover, I'm not an expert in radio communication technology in any way [4].

The SMT310Q PCI carrier board has a QuickLogic V363EPC PCI bridge chip, which conforms to the PCI 2.1 specification. This chip was developed by V3 Semiconductor before the company was bought by QuickLogic. The V363EPC PCI bridge connects the devices on the SMT8096 development kit to the host PC motherboard, both logically and electrically, via the PCI slot connector. This PCI bridge chip is not a PCI-to-PCI bridge; rather, it is a bridge between the custom bus used in the SMT8096 development kit and the PCI bus in the host PC. The correct term is Local Bus to PCI Bridge. Local bus in this context refers to the custom bus in the SMT8096 development kit, used for communication between the chips on the development kit boards [2].

10. PCI wireless communication add-in card hardware and software co-development

From a cost point of view, using a Commercial Off-The-Shelf (COTS) approach in creating the BULLDOZER hardware would be more cost-effective, i.e. using tools already in the market costs much less than custom tools. COTS benefits from economies of scale and competition in the market compared to custom tools [5].

10.1 High-level design

This step involves the high-level decision on what kind of PCI controller chip would be created for the PCI add-in card, what features the chip would implement and what auxiliary support chip(s) are required. For example, in the case of a PCI wireless communication add-in card, typically you will need a separate Digital Signal Processor (DSP) chip, or you need to buy the DSP logic design from a DSP vendor and incorporate that design into your PCI Field Programmable Gate Array (FPGA) [5].

10.2 Software (device driver) development

This step involves creating a prototype device driver for the PCI add-in card for the target Operating System (OS). For example, if the device would be marketed mostly to Windows users, then creating a Windows device driver would take priority. As for other target OSes, the driver would be developed later, or probably not at all if market demand on the alternative OS doesn't justify the cost involved in developing the driver [5].

10.3 Chip fabrication

In this step, the first design revision of the chip is finished and the design is sent to a chip fabrication plant for fabrication.

10.4 Compatibility test on the PCI hardware-software "combo"

The chip vendor carries out the compatibility testing first. If the target OS is Windows, Microsoft also carries out additional compatibility testing [5].

11. "Simulating" BULLDOZER hardware

Now, let's look into the process of developing a specific PCI add-in card, i.e. a PCI add-in card with wireless communication as its primary function. We focus on this kind of PCI add-in card because BULLDOZER connects to the outside world, to OMNIGAT in Figure 1, via an unspecified wireless connection. For this purpose, we look into the hardware prototyping step in more detail. Let's start with some important design decisions in order to emulate BULLDOZER's capabilities, as follows:

The prototype must have the required hardware to develop a custom wireless communication protocol. The reason is that the wireless communication protocol used by BULLDOZER to communicate with OMNIGAT must be as stealthy as possible, despite probably using the same physical antenna as a PCI WLAN card [5].

The prototype must have implemented PCI expansion ROM hardware. The reason is that GINSU is malicious PCI expansion ROM code that must be stored in a functional PCI expansion ROM chip to work.

GINSU is configurable, or at the very least it can be optionally triggered, based on the NSA ANT server document. This means there must be some sort of non-volatile memory in the prototype to store GINSU parameters. It could be in the form of a Non-Volatile RAM (NVRAM) chip, as in the DEITYBOUNCE case. Storing the configuration data in a flash ROM or other kinds of ROM is quite unlikely, given the nature of flash ROM, which requires a rather complicated procedure to rewrite [3].
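As an added example that is not part of the report or of any NSA material, the following Python walks the image chain of a PCI expansion ROM, the kind of ROM that sections 6 and 11 say GINSU is, and audits a dumped ROM the way a defender inventorying add-in cards would: ROM signature and PCIR structure present, PCIR vendor/device/class code matching what the card reports in configuration space, image chain terminated, x86 image present in full and byte-summing to zero, and total size within the card's flash. The card identity, ROM contents and flash size are constructed placeholders.

```python
# Added example (not the report's or any NSA document's code): walk a PCI expansion ROM
# image chain and audit it against what the card reports in PCI configuration space.
import struct
from collections import namedtuple

CODE_TYPES = {0: "x86 legacy BIOS", 1: "Open Firmware", 2: "HP PA-RISC", 3: "EFI"}
RomImage = namedtuple("RomImage", "offset vendor_id device_id class_code length code_type last intact")

def parse_expansion_rom(rom: bytes) -> list:
    """Walk every image of a PCI expansion ROM (PCI Firmware Specification layout)."""
    images, off = [], 0
    while True:
        if rom[off:off + 2] != b"\x55\xAA":                    # ROM signature
            raise ValueError(f"bad ROM signature at 0x{off:X}")
        pcir = off + struct.unpack_from("<H", rom, off + 0x18)[0]
        if rom[pcir:pcir + 4] != b"PCIR":
            raise ValueError(f"no PCIR structure for image at 0x{off:X}")
        vid, did = struct.unpack_from("<HH", rom, pcir + 4)
        prog_if, sub, base = rom[pcir + 0x0D:pcir + 0x10]       # config-space byte order
        length = struct.unpack_from("<H", rom, pcir + 0x10)[0] * 512
        code_type, last = rom[pcir + 0x14], bool(rom[pcir + 0x15] & 0x80)
        img = rom[off:off + length]
        # A PC-AT (x86) image must be present in full and byte-sum to zero.
        intact = len(img) == length and (code_type != 0 or (sum(img) & 0xFF) == 0)
        images.append(RomImage(off, vid, did, (base, sub, prog_if), length, code_type, last, intact))
        off += length
        if last or off >= len(rom):
            return images

def audit_rom(rom, cfg_vid, cfg_did, cfg_class, flash_bytes):
    """Findings for a dumped ROM, given the identity the card reports in config space."""
    try:
        images = parse_expansion_rom(rom)
    except (ValueError, struct.error) as e:
        return [str(e)]
    findings = []
    if not images[-1].last:
        findings.append("image chain never sets the last-image bit")
    if sum(i.length for i in images) > flash_bytes:
        findings.append("image chain is larger than the card's flash ROM")
    for i in images:
        tag = f"image@0x{i.offset:X}"
        if (i.vendor_id, i.device_id) != (cfg_vid, cfg_did):
            findings.append(f"{tag}: PCIR IDs {i.vendor_id:04x}:{i.device_id:04x} differ from config space")
        if i.class_code != cfg_class:
            findings.append(f"{tag}: PCIR class code differs from config space")
        if not i.intact:
            findings.append(f"{tag}: image truncated or x86 checksum wrong")
        if i.code_type not in CODE_TYPES:
            findings.append(f"{tag}: unknown code type {i.code_type}")
    return findings

def build_image(vid, did, class_code, code_type, last, payload=b"", units=1):
    """Constructed sample image (not real firmware): header, PCIR, payload, checksum."""
    img = bytearray(units * 512)
    img[0:2], img[2], img[3:6] = b"\x55\xAA", units & 0xFF, b"\xEB\xFE\x90"  # sig, size, jmp $
    struct.pack_into("<H", img, 0x18, 0x40)                     # PCIR structure at 0x40
    base, sub, prog = class_code
    img[0x40:0x58] = (b"PCIR" + struct.pack("<HHHHB", vid, did, 0, 0x18, 3) + bytes([prog, sub, base])
                      + struct.pack("<HHBBH", units, 1, code_type, 0x80 if last else 0, 0))
    img[0x60:0x60 + len(payload)] = payload
    img[-1] = (-sum(img[:-1])) & 0xFF                           # make the byte sum zero
    return bytes(img)

# Constructed card identity and ROMs (placeholder IDs, not a real vendor/device pair).
CARD_ID, CARD_CLASS, FLASH = (0x1AB0, 0x0001), (0x0D, 0x80, 0x00), 64 * 1024  # wireless ctrl
CLEAN_ROM = (build_image(*CARD_ID, CARD_CLASS, 0, False, b"legacy init")
             + build_image(*CARD_ID, CARD_CLASS, 3, True, b"efi driver"))
ODD_ROM = (build_image(0x1234, 0x5678, CARD_CLASS, 0, False, b"extra", units=128)
           + build_image(*CARD_ID, CARD_CLASS, 3, True, b"efi driver"))
```

On a real card the identity to compare against comes from the device's configuration-space header, and a ROM whose PCIR identity or size does not match it is what a BIOS would refuse to run and what an inventory tool should report.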

12. Closing thoughts: BULLDOZER evolution

Given that BULLDOZER was fielded almost six years ago, the present-day BULLDOZER cranking out of the NSA's fab must have evolved, perhaps into a PCI Express add-in card. It's quite trivial to migrate the BULLDOZER design explained in this article to PCI Express (PCIe), though. Therefore, the NSA shouldn't have any difficulty carrying out the protocol conversion. PCIe is compatible with PCI at the logical level of the protocol. Therefore, most of the non-physical design can be carried over from the PCI version of the BULLDOZER design explained here. We should look into the "evolved" BULLDOZER in the future [2].

HOWLERMONKEY

13. DEFINITION

HOWLERMONKEY is a custom short-to-medium range implant RF transceiver. It is used in conjunction with a digital core to provide a complete implant [5].

14. INTRODUCTION

The catalog lists hardware and software (called implants in NSA terminology) which can penetrate systems to monitor, modify and extract information. These include modified cables allowing TAO personnel to see what is displayed on the targeted monitor [5].

In order to understand the functions of these tools in depth, it is essential to study them individually [5].

15. HOWLERMONKEY

A transceiver that makes it possible (in conjunction with digital processors and various implanting methods) to extract data from systems or to allow them to be controlled remotely. It is an extraction device [6].

The Printed Circuit Board (PCB) layouts of the HOWLERMONKEY implants are tailored according to individual implant space requirements and differ in form factor. These PCBs are designed to be compatible with CONJECTURE/SPECULATION networks and STRIKEZONE devices that run on the HOWLERMONKEY personality [6].

It is a covert short-to-medium range RF transceiver, designed to be integrated with a larger device. It communicates over the SPECULATION and CONJECTURE protocols. Known products that include HOWLERMONKEY are CM-I, CM-II, FIREWALK, SUTURESAILOR and YELLOWPIN [6].

FIG 6: Types of HOWLERMONKEY

15.1 HOWLERMONKEY-YELLOWPIN

YELLOWPIN appears to have a printed circuit loop around its periphery with a total length of around 110 mm, so possibly it is made for a range of frequencies. Higher frequency/shorter wavelength would certainly have the best chance of escaping from a metal server case. Now, this might just be an artifact of the layout, or it might be a loop antenna. There's no easy way to tell, and as it does not appear in the other photos, that would tend to suggest artifact rather than antenna; but it has a separate product name, which could be because it is different from the others, the difference being that it has the antenna on board. So flip a coin and make your choice. Now this is where I take a real leap in the dark and say this is more likely to be a CLI system for CC than a bulk data exfiltrator/infiltrator, and that the RF power is going to be down in the milliwatt or less range, as there is no apparent "heat sinking", thus the unit-to-unit working range being in the low tens of meters. The top left photo also has two thick tracks of similar length (albeit much shorter than YELLOWPIN), so possibly that too is made for a range of frequencies. Wi-Fi devices may not be the best choice if all that is intended is CLI access or exfiltration of small files; companies like Texas Instruments make low-power transmitters for remote control (think wireless car keys) and instrumentation applications [7].

15.2 FIREWALK-HOWLERMONKEY

FIREWALK is a bidirectional network implant, capable of passively collecting Gigabit Ethernet network traffic and actively injecting Ethernet packets onto the same target network.

FIREWALK is a bi-directional 10/100/1000bT (Gigabit) Ethernet network implant residing within a dual stacked RJ45/USB connector. FIREWALK is capable of filtering and egressing network traffic over a custom RF link and injecting traffic as commanded; this allows an Ethernet tunnel (VPN) to be created between the target network and the ROC (or an intermediate redirector node such as DNT's DANDERSPRITZ tool). FIREWALK allows active exploitation of a target network with firewall or air-gap protection. FIREWALK uses the HOWLERMONKEY transceiver for back-end communications. It can communicate with an LP or other compatible HOWLERMONKEY to increase RF range through multiple hops [7].

FIG 7: General network of HOWLERMONKEY

References:

[1] Appelbaum, Jacob and Stöcker, Christian (December 29, 2013). "Shopping for Spy Gear: Catalog Advertises NSA Toolbox". Der Spiegel. Retrieved January 1, 2014.

[2] "Malware analysis", Meta, February 14, 2014. http://resources.infosecinstitute.com/nsa-bios-backdoor-aka-god-mode-malware-part-2-bulldozer/

[3] Darlene Storm, January 3, 2014. http://www.computerworld.com/article/2474275/cybercrime-hacking/17-exploits-the-nsa-uses-to-hack-pcs--routers-and-servers-for-surveillance.html

[4] Greg Ferro, 5 February 2014. http://etherealmind.com/snowden-nsa-exploit-kits-and-commercial-espionage/

[5] "NSA Codenames", Wed 1 January 2014. http://cryptome.org/2014/01/nsa-codenames.htm

[6] https://www.schneier.com/blog/archives/2014/01/howlermonkey_ns.html

[7] https://www.aclu.org/sites/default/files/assets/nsas_spy_catalogue_0.pdf

[8] http://www.telefoniert-nach-hause.de/index.php/NSA/HOWLERMONKEY, accessed on June 04, 2014.

[9] Appelbaum, Jacob. "NSA ANT Rechner", Der Spiegel, 30C3, 30 December 2013.