WISTFULTOLL: NSA Exploit of the Day

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog:

WISTFULTOLL

(TS//SI//REL) WISTFULTOLL is a UNITEDRAKE and STRAITBIZZARE plug-in used for harvesting and returning forensic information from a target using Windows Management Instrumentation (WMI) calls and Registry extractions.

(TS//SI//REL) This plug-in supports systems running Microsoft Windows 2000, 2003, and XP.

(TS//SI//REL) Through remote access or interdiction, WISTFULLTOLL is executed as either a UNITEDRAKE or STRAITBAZZARE plug-in or as a stand-alone executable. If used remotely, the extracted information is sent back to NSA through UNITEDRAKE or STRAITBAZZARE. Execution via interdiction may be accomplished by non-technical operator through use of a USB thumb drive, where extracted information will be saved to that thumb drive.

Status: Released / Deployed. Ready for Immediate Delivery

Unit Cost: $0

Note: Inconsistencies in spelling are all [sic].

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

Posted on February 10, 2014 at 2:58 PM • 22 Comments

Comments

DB February 10, 2014 3:15 PM

The solution to all this secret subversion of morality and the rule of law is more openness. In the context of technology being subverted and used against us all, more openness means open source software, open standards, and open hardware systems. Whatever evil thrives in secret withers in the bright light of public scrutiny.

erjkeg33t8u3jofgjio3f February 10, 2014 3:26 PM

Weak scraper that uses WMI and NT reg APIs. These delivery packages are probably where the cool exploits are. Are they published yet?

Clive Robinson February 10, 2014 5:40 PM

And today's quiz is one for the insiders,

Q : Is it "Unite-Drake" or "United-Rake"?

Answers on the back of your ID card to,

Quackers quizes, Rolling in it drive, Dogsvill MA.

Benni February 10, 2014 6:48 PM

Do I not get it or is that perhaps the most stupid and least advanced of their tools? Since this could perhaps be written people. Or does it use some exploits in the Windows API?

Scooter February 10, 2014 8:21 PM

Doesn't sound like there's any "exploit" to this one. It's probably just used to gather data about a host (specific Windows version, applied patches, etc.) so that an appropriate exploit and payload can be selected for it.

65535 February 10, 2014 9:05 PM

Great, a web based Windows Management (Instrument) Common Information Model being abused.

WMI can be turned off – but there probably are backdoors which allow it to be turned on. It is in most modern Windows products from NT to current Windows 7 and Server 2008 R2.

https://en.wikipedia.org/wiki/Windows_Management_Instrumentation

From the slide it can be implanted by a memory stick. That would imply a pawned autorun. Oddly, the data is then exfiltrated back through the memory stick.

It also can be implanted via remote access. If this is SMM or iAMT then it will be hard to stop. If it is from RDP calls then remote desktop can be blocked.

I will note that some web calls should not be blocked. Those would be for Windows updates which can occur over port 135 - 139 [the endpoint mapper]. But, even if the endpoint mapper is blocked there is probably a way around it.

The slide is complex. It shows a “UniteDrake” server apparently with one or two NICs. One NIC faces the internet. It then traverses the blue “internet” icon to reach an Internet Café server with an odd card [the odd card could be a graphical mistake]. Then it targets select systems.

The second connection to the “UniteDrake” server apparently connects to a “UniteDrake” database [I assume fiber channel or SCSI disk stack, or iSCSI disk array] which then connects to both the “internet” and a computer with a “CDR Diode” [I assume this is a CD R laser diode for IR communication?] – which connects to a computer box with “High/Low” written on it. Then connects to “SeagullFargo” and an SSG box, a Tuning Fork “Sustained Collection” box and a “OIM/JMSQ “WistfullToll” box… which connects to “ReturnSpring” box and then to a lone station and then to R&T Analyst and a ROC ticket system and finally to a ROC GUI connected back to the original “UniteDrake” server.

I assume some of the boxes are for either the remote implant or the capture of data from the memory stick interdiction implant.

The interdiction requires a man on the inside or physical pawning of the target machines. This whole process seems overly complex – but if it is a “persistent” implant the extra boxes may be needed.

I believe the WMI service can be fully disabled. But, if you have a man on the inside who could “re-enable” WMI – or a clever SMM/iAMT hack, then all bets are off. All in all, a fairly complex setup.

65535 February 11, 2014 5:23 AM

Not true Buck.

Actually I am working on a Client’s Server 2003 with AD and Exchange. Port 135 is important. I have blocked port 135 and various problems surface. I unblocked it and Exchange works correctly.

Key phrase:

“…for successful communication between two servers, the firewall needs to be configured to allow TCP connections to port 135 and all statically allocated ports…”

[Microsoft]

"Communication between Exchange Client computers and Exchange Server computers

"An Exchange Client computer on a LAN or WAN link uses remote procedure call (RPC) to communicate with an Exchange Server computer. The Exchange Server computer, an RPC-based application, uses TCP port 135, also referred to as the location service that helps RPC applications to query for the port number of a service.

"The Exchange Server computer monitors port 135 for client connections to the RPC endpoint mapper service. After a client connects to a socket, the Exchange Server computer allocates the client two random ports to use to communicate with the directory and the information store. The client does not communicate with other components of the Exchange Server computer.

"If security concerns for a network infrastructure require blocking of any ports other than the ones used, then the random assignment of ports for communication with the directory and the information store can become a roadblock. To avoid this, Exchange Server versions 4.0 and later allow you to statically allocate these ports.

"At this juncture, for successful communication between client and server, the firewall needs to be configured to allow TCP connections to port 135 and all statically allocated ports. If you need to monitor traffic for analysis, these are the ports to monitor.

"Communication between two Exchange Server computers in the same site

"All intrasite communication between Exchange Server computers uses RPC. Consequently, access to TCP port 135 becomes an important variable in the ability of Exchange Server computers to communicate if they are separated using routers and firewalls.

"Communication between two Exchange Server computers within a site is between the two message transfer agents (MTAs) and the two directory services. No other components of the Exchange Server computers communicate directly.

"As discussed above in client to server communication, an Exchange Server computer monitors port 135 for connections to the RPC endpoint mapper service. When an initiating Exchange Server computer connects to a socket, the receiving Exchange Server computer assigns two random ports to use to communicate with the directory and the MTA.

"Already discussed above was the possibility of static allocation of a TCP port for the directory to listen and communicate on a specific port number. With the release of Exchange Server 4.0 Service Pack 4 and all releases of Exchange Server 5.0, a similar adjustment can be made for the MTA. The endpoint mapper will then relay the appropriate port number, so that further communication can be achieved by going to the port number specified. For establishing a static allocation of port for the MTA, refer to the latter part of Knowledge Base article 161931, "XCON: Configuring MTA TCP/IP Port # for X.400 and RPC Listens." This explains the use of the registry value "TCP/IP port for RPC listens".

"Consequently, for successful communication between two servers, the firewall needs to be configured to allow TCP connections to port 135 and all statically allocated ports. If you need to monitor traffic for analysis, these are the ports to monitor."

http://support.microsoft.com/kb/176466
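
The firewall behaviour described in the Microsoft text quoted above, modeled as an added Python example (not part of the comment or of Microsoft's article). The static port numbers 5100 and 5101 and the client address are constructed, and the 1025-5000 dynamic range is an assumption about Server 2003-era defaults.

```python
"""Added illustration: RPC endpoint-mapper lookups through a port-filtering firewall."""
import random
from dataclasses import dataclass, field

EPMAP_PORT = 135               # RPC endpoint mapper, per the quoted KB text
DYNAMIC_RANGE = (1025, 5000)   # assumption: default dynamic range on Server 2003-era Windows


@dataclass
class RpcServer:
    """A server whose RPC services are located through the endpoint mapper."""
    static_ports: dict = field(default_factory=dict)   # service name -> fixed port
    rng: random.Random = field(default_factory=lambda: random.Random(0))

    def lookup(self, service):
        """Port the endpoint mapper hands back for a service."""
        if service in self.static_ports:
            return self.static_ports[service]
        return self.rng.randint(*DYNAMIC_RANGE)         # random port per session


@dataclass
class Firewall:
    """Permits inbound TCP only to the listed destination ports; logs every decision."""
    allowed: frozenset
    log: list = field(default_factory=list)

    def permit(self, src, dport):
        ok = dport in self.allowed
        self.log.append((src, dport, "ALLOW" if ok else "DROP"))
        return ok


def rpc_connect(client, service, server, fw):
    """Two-step RPC connection: ask port 135 for the service port, then connect to it."""
    if not fw.permit(client, EPMAP_PORT):
        return False
    return fw.permit(client, server.lookup(service))


def ports_to_allow(server):
    """Ports to allow and monitor: 135 plus every statically allocated port."""
    return sorted({EPMAP_PORT, *server.static_ports.values()})


def blocked_after_lookup(log):
    """Find the failure signature: lookup on 135 allowed, follow-up connection dropped."""
    hits, pending = [], set()
    for src, dport, verdict in log:
        if dport == EPMAP_PORT:
            if verdict == "ALLOW":
                pending.add(src)
            else:
                pending.discard(src)
        elif src in pending:
            pending.discard(src)
            if verdict == "DROP":
                hits.append((src, dport))
    return hits


if __name__ == "__main__":
    client = "10.0.0.5"                                  # constructed address

    # Dynamic allocation: the firewall cannot know the second port in advance.
    fw = Firewall(frozenset({EPMAP_PORT}))
    print("dynamic:", rpc_connect(client, "directory", RpcServer(), fw))
    print("  blocked after lookup:", blocked_after_lookup(fw.log))

    # Static allocation (constructed ports): rule set is 135 plus the fixed ports.
    server = RpcServer(static_ports={"directory": 5100, "information store": 5101})
    fw = Firewall(frozenset(ports_to_allow(server)))
    for svc in server.static_ports:
        print("static:", svc, rpc_connect(client, svc, server, fw))
    print("  allow/monitor:", ports_to_allow(server))
```
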

A. Non y Maus February 11, 2014 8:09 AM

I think that this continuing dribble of information about technologies and methods serves no valid purpose that outweighs the potential damage. Those that continue to publish the materials are serving voyeurism and possibly foreign intelligence services and criminals, and that deserves a certain level of approbation, but it is hardly at the level of "accomplice." If there is evidence of real criminal behavior in material as-yet unpublished, it should be disclosed to appropriate parties. We got confirmation of the data collection going on under 215, and it triggered responses, so there is no need for additional disclosures from the past. We need to see what is done next, and publishing more leaked material won't accomplish that.

Bruce Schneier February 11, 2014 8:10 AM

@ A. Non y Maus

What are you objecting to? I pay attention, and I know no one that continues to publish new excerpts from the TAO catalog. The whole thing was published in late December by Der Spiegel. Not a single TAO document has been published by anyone since then.

I am blogging about a page of the already published catalog every day. I am doing this because while every national intelligence service, Internet organized crime syndicate, and clued terrorist organization has already pored over these pages, it's us in the open security community who haven't really looked at, or talked about, these pages. That's the point of my daily posts.

Surely you're not objecting to that. And if you are, what additional damage do you see done by my blog posts that the initial Der Spiegel publication did not do?

A. Non y Maus February 11, 2014 8:13 AM

First, you have built up a certain reputation. Things you publish in your blog have a distinct level of endorsement and thus suasion to them. By publishing the material you are effectively endorsing the leaking and speculation about classified government programs that have legitimate national security and law enforcement goals. It doesn't matter that it has appeared elsewhere -- by repeating it, you are endorsing its theft and disclosure, with all that implies.

Second, it doesn't matter that it was published elsewhere. Lots of things have been published elsewhere. Some of the things in the leaked documents have been published elsewhere before, or speculated about in informed treatises. That doesn't mean everyone has seen the material or has ready access to it. You have a publication reach different than Der Spiegel, especially for people who normally wouldn't search outside US/English sources. A justification of "Klaus did it first" does not hold much moral sway.

Third, the continued dribble of information continues to maintain a level of paranoia, especially about US products. The methods that the US uses are likely little different than that of other countries. I am confident that Russia, China, France, and Israel (to name a few) have similar embedded technologies and methods, and have for years. But the continued portrayal of the US (and by implication, goods from US companies) as the sole or major purveyor of surveillance is a disservice to the general population and damaging to US firms.

Fourth, there really is nothing in the technology new for the informed. These methods have been taught in graduate schools for years. The technology is a surprise to the general public, novices, and dilettantes, certainly, but the discussion of the code names, costs, and other technical details do little to help those people more than it hurts others.

Fifth, it distracts from the argument about overbroad legal permissions under 215 and 703. No one in a policy position is going to tell the NSA or CIA to stop technological innovation when it helps to support valid, legal IC and LE goals. By putting this technology material out, it diminishes the impact of the information about the cell phone data collection and warrant processes.

Sixth, nothing in the bulk of Snowden's disclosures to date -- including the TAO catalog -- are about activities under questionable and overbroad execution against the laws. If anything, what we have seen given further probing is lack of the large abuses from earlier cases of government surveillance that worry and inspire many of us. Holding these other things up as if they are abuses muddies the perception of what the agencies are doing and should be doing. There is no deeper analysis -- simply "Look at this! This is what they didn't want you to know about and is related to those bad things you've been hearing about!"

You -- and others -- have financial and possibly political and/or personal objectives that drive your actions and I am not addressing those. For instance, you may believe that the government shouldn't innovate to support intelligence or law enforcement, or that the government is somehow evil. If so, that's a whole different set of issues than the above. But in my opinion, given only the above, it is more overall harm from continued publication than there is any gain, especially as regards some privacy and public policy goals.

Bruce Schneier February 11, 2014 8:16 AM

From my perspective, you are basically saying: the information is public, our intelligence adversaries have already studied it, but it would be better if you wouldn't publicize this among the academic community.

I don't believe that discussing publicly disclosed documents endorses their disclosure, and I believe that deliberately not discussing publicly disclosed documents is naive. Between you, me, and everyone who reads this blog, I would not have published the TAO manual in all its detail. As terrifying as it is, it represents exactly what I want the NSA to be doing. But now that it has been published, it would be irresponsible to ignore it. It is precisely because I have a different audience than those who actively pore over every NSA word that I am writing about these pages. The bad guys have already seen the stuff; I want the good guys to study it too.

Marcos El Malo February 11, 2014 9:43 AM

@Bruce

What troubles me about the TAO is that the government has redefined "targeted". Some of the technologies are clearly for true targeted use (true in the sense of the strict definition of the word).

Other technologies can be used more broadly, for dragnets. Depending on how widely the government casts its nets, the potential is there to move into mass surveillance territory.

However, if there are protocols in place to limit the breadth of the targeting, then the NSA is following its original charter and I have no problem with that.

I'm just a layman. I don't really understand how broadly some of these exploits might be implemented.

Marcos El Malo February 11, 2014 9:47 AM

@Clive Robinson

I favor United Drake. Clearly there is a Duck faction in the NSA, probably organized to prevent a coup by the Pigeon faction. Coup! Coup!

Nick P February 11, 2014 10:04 AM

@ A. Non y Maus

"Third, the continued dribble of information continues to maintain a level of paranoia, especially about US products. The methods that the US uses are likely little different than that of other countries. I am confident that Russia, China, France, and Israel (to name a few) have similar embedded technologies and methods, and have for years. But the continued portrayal of the US (and by implication, goods from US companies) as the sole or major purveyor of surveillance is a disservice to the general population and damaging to US firms. "

It's absurd that you think this is a justification for Bruce not publishing the leaks. If anything, the leaks themselves are justifying the paranoid. That Americans (and most of Congress) were repeatedly lied to about NSA capabilities, targets, compliance with law, etc. justifies strong distrust of that agency. Finding that most of our top tech vendors either cooperated for money or were coerced justifies distrust of them. That NSA tried to insert or maintain 0-days in our software that foreign attackers can find is even worse.

If a firm distrusts US TLA's/LEO's, then they have good reason to distrust American products. The solution is quite straightforward: the US can change their policy to only spy on potential threats to the United States and impose criminal penalties on violators. Their vast programs would be rolled back considerably. Without warrantless widespread spying, foreign buyers would worry less about warrantless widespread spying. Who'd have thought, eh?

The other side of the coin is NSA's second role: defending our networks from intrusion. They used to lead the way in promoting and evaluating highly secure systems. I've written about many here. However, they killed that market and started sponsoring known insecure solutions to non-government users. They still do this. Interesting that NSA knows how to attack/defend a system at every level, has the responsibility to protect critical US assets, and yet encourages the use of utterly insecure methods to protect those assets. On defence side, NSA can build positive US reputation by designing security improvements for every layer with reference implementations. So far, only academics, NSF, corporations and DARPA are doing these things. NSA's bad rep is deserved once again.

re other countries

I totally agree that main foreign governments known for spying will be trying the same thing. That's already proven, actually. There are also foreign governments that are unlikely to do this kind of thing. There's also open source BIOS's, OS's, and apps. First step in deciding what one's best risk minimizing strategy is involves knowing where the risk is. China, Russia, Japan, etc. were knowns for I.P. theft and subversion. Now America is on list of big subverters with even better capabilities far as anyone can tell. Extra paranoid types should avoid proprietary stuff from any of these countries if their corresponding TLA is a potential threat.

"Fourth, there really is nothing in the technology new for the informed. These methods have been taught in graduate schools for years. The technology is a surprise to the general public, novices, and dilettantes, certainly, but the discussion of the code names, costs, and other technical details do little to help those people more than it hurts others."

That's utterly wrong. Only the most paranoid, elite, or informed would be entirely unsurprised by what is in the TAO catalog. However, the majority was NOT taught about such things. Many times I brought up risks such as BIOS, code in peripherals, or emission surveillance only to hear these were "speculative threats" with "no proven attacks." Google BIOS security you get almost nothing of substance. Google peripheral security you get IOMMU maybe, but still about nothing. Government EMSEC requirements are still classified so they intentionally leave us vulnerable to many things on TAO list. The TAO catalog and discussions on blogs like Schneier's led people to see what a real TLA is doing. A direct result of such discussions and publicity is an explosion of both high security product development and academic effort at layers below software. Unlike NSA activities, those will actually protect our individuals and companies.

"Sixth, nothing in the bulk of Snowden's disclosures to date -- including the TAO catalog -- are about activities under questionable and overbroad execution against the laws. If anything, what we have seen given further probing is lack of the large abuses from earlier cases of government surveillance that worry and inspire many of us. "

I like how you said "in the bulk" to leave you an exit on this one. Nothing has to be in the bulk as it's usually rather few in military at any time that would hurt America for selfish reasons. Further, internal documents about tools/capabilities that were sent to many in the intelligence community wouldn't contain an itemized list of how users applied it, much less uses that are anti-American. You're essentially implying that if anything bad was going on the tool developers would include confessions by tool users. What are you thinking?

"You -- and others -- have financial and possibly political and/or personal objectives that drive your actions and I am not addressing those."

You aren't addressing them because you'd have to include the NSA and defence contractors' conflicts of interest. Their multibillion dollar a piece motivation to keep their operations going. You might have to list the campaign contributions lawmakers took in as well. Finally, you'd have to do a character assessment where you look at each time they and Bruce have lied for money/job. For money issues, the military-industrial complex is famous for them (eg trillion+ unaccounted for). For character, Bruce will look more honest than NSA/DOD by such a wide margin they shouldn't even try to compete there.

So, if anything, you've shown...

1. A lack of understanding of why foreign companies should be concerned about pervasive, warrantless, easy spying in US-made tech.

2. A lack of understanding of difference between what tool makers and tool users talk about in Powerpoints.

3. A lack of understanding about either classroom or industrial INFOSEC practice before the leaks.

4. An unwillingness to consider how the NSA intentionally weakening US system security across the board is also "aiding and abetting the enemy."

5. An unwillingness to look at abuse and financial conflicts on US TLA side of things with the intensity that you look at bloggers' activities.

Maybe you should just start here and read it all from the beginning. Be sure to also re-read stories of corruption in Bush and Obama administration going back a decade. Then, come back and tell us that such politicians should have capabilities listed in NSA leaks with total secrecy and criminal immunity. Your answer will tell us whether you're sane or merely a zealot for US TLA's.

Skeptical February 11, 2014 10:28 AM

@A. Non: Look at it this way: if a security vendor detected a type of malware, and published a detailed account of it, others with security interests shouldn't then refrain from discussion even if the malware happens to be a tool used by an intelligence agency working for the good guys. Once the vendor publishes, the idea behind the malware at the very least is now in the open, and the vendor's publication will be squeezed for every last drop of information by various bad actors.

So it would be pointless, perhaps even harmful, for a community not to discuss the vendor's publication, though I can see exceptions to this.

The problem here isn't the post-publication discussion. The problem is the initial publication.

By the way, in a neat example of "priming", I looked at this discussion after reading the Kaspersky report on "Careto" and my brain for a few moments tried to fit your name with a Spanish word. You may be experiencing something similar when reading the posts on this blog. That is, because much of the coverage of the NSA and Snowden elsewhere is rabidly opinionated, you may be "primed" to see any post relating to the subject as endorsing or repudiating what the NSA or Snowden has done.

Nick P February 11, 2014 10:42 AM

@ Skeptical

" That is, because much of the coverage of the NSA and Snowden elsewhere is rabidly opinionated, you may be "primed" to see any post relating to the subject as endorsing or repudiating what the NSA or Snowden has done. "

Most accurate thing you've said in a while. Someone linked to an article here saying essentially the same thing. People must be for or against the situation, mostly as reported. Yet, there's so many alternatives in the middle it's strange that few discuss this. I'm thinking it has something to do with deep, emotional beliefs and attachments in the two main groups debating.

Skeptical February 11, 2014 11:07 AM


@Nick P: Last inaccurate thing I said was that no one Schneier had met with was on Intel Oversight. Of course if you ask my wife, she'll likely have a more recent and lengthy list. :)

I agree that these things can tap into deep-seated beliefs, especially given the lack of background knowledge most people have with which to process all of this and the ambiguity of the actual information being presented.

But I also think that some of it is a function of how opinionated journalism is becoming once again. Media companies have discovered that getting an emotional reaction from the audience causes the audience to come back, to keep watching, to click on the link, etc., and so more of what we see reported comes to us soaked with loaded adjectives and hidden assumptions. I could point to Greenwald/Scahill's recent article as an example, but that's for another thread.

I don't think A. Non is alone in being "primed" by all of it. It affects everyone. Our expectations engineer our perceptions.

amote February 11, 2014 12:06 PM

@ skeptical and a non y mouse
The surveillance state is unconstitutional, democracies should not be ruled by liars and cheats like Alexander and Clapper etc. The so called GWOT is just a wedge to empower an unelected police state existing in the hollowed out part of the constitution where the bill of rights is trumped by the terror that is sold by media who believe every Bernie Kerik in the government

Snowden and Manning etc are American heroes, they sacrifice to fight for our freedom from a criminal clique in the government.

No one is hurt by the revelations, they are hurt by the manipulation of the lawbreaking agencies that sucked them in like Doctor Afridi in the OBL takedown.
Law enforcement and intelligence agencies should not be above the law, but in this country they are not held to account for their crimes.
The terrorist threat is and always will be there, and if these agencies focused on it they might justify some of their obscene budgets, but they have decided that everyone is a suspect and they have permanently lost any legitimacy to democracy.

unknown February 11, 2014 12:23 PM

@A. Non y Maus:

"Sixth, nothing in the bulk of Snowden's disclosures to date -- including the TAO catalog -- are about activities under questionable and overbroad execution against the laws. If anything, what we have seen given further probing is lack of the large abuses from earlier cases of government surveillance that worry and inspire many of us. Holding these other things up as if they are abuses muddies the perception of what the agencies are doing and should be doing. There is no deeper analysis -- simply "Look at this! This is what they didn't want you to know about and is related to those bad things you've been hearing about!"

Ah, indeed.

- spying billions of innocent citizens around the world without warranties is not against the laws... ok, I know, people outside the United States do not have human rights.

- stole of intellectual property to non-U.S. corporations is not against the laws. Sure.

Indeed. I am sure. NSA is spying on Angela Merkel because she is suspected of terrorism. I have no doubt on it. What else?

Oh, to be honest I really understand your point of view. It is the same attitude Eric Schmidt had. When PRISM program was uncovered his answer was "well, we are doing what we must do; it is just being patriotic and we would like to make public these requests to show the world how nice we are." When spying between Google datacenters was uncovered he called the practice "outrageous" and criticized the NSA's collection of data.

Bruce, and other forum members, are doing an academic exercise. Something highly valuable. They are not disclosing classified information, this information is public right now. Hopefully not anyone in the United States thinks as you.

By the way, Bruce is not damaging the U.S. industry. If anything at all, the U.S. industry has damaged itself by collaborating in these illegal practices. I am sure, however, the U.S. industry will have a new opportunity.

DB February 11, 2014 2:07 PM

More openness is the first step toward fixing problems. We have to understand what the problems are (i.e. actually know about them) in order to begin to figure out how to fix them. Keep the discussion going, Bruce.

Benni February 11, 2014 7:01 PM

Bruce Schneier wrote:
" Between you, me, and everyone who reads this blog, I would not have published the TAO manual in all its detail. As terrifying as it is, it represents exactly what I want the NSA to be doing. "

What? Actually these things are used to spy on the German government in Berlin. The radar station https://www.eff.org/files/2013/11/15/20131027-spiegel-embassy.pdf with its heat signatures on the rooftop of the US embassy in Berlin, http://daserste.ndr.de/panorama/media/usbotschaft111_v-ardgalerie.jpg is listening for radar emissions that come from the bugs they have planted there.

One certainly can argue that these activities are more closely related to what the NSA should be doing than the mass surveillance that the NSA is engaged in. The NSA spies on individual targets. On the enemy.
But the area of Berlin, with its civilians, and its government is not the enemy of the US that one should radiate on with radar waves.

In the latest Spiegel article,
http://www.spiegel.de/netzwelt/netzpolitik/kolumne-von-sascha-lobo-die-kriminellen-vom-geheimdienst-a-952675.html it is mentioned that there are slides that tell on how to ruin companies. I have, until now, not seen slides in which companies they have put their radar bugs. But the equipment on the US Berlin embassy listens, according to the slides above, for radar emissions and has corresponding heat signatures. Therefore, one can assume that such radar bugs were planted in Berlin. The NSA certainly has not bugged only the embassy of North Korea in Berlin that way.

As long as the NSA selects such targets, like the governments of its own allies, the methods how they spy on their allies should certainly be revealed. And among these apparently are the radar bugs of the TAO.

I think it is a bit of an ignorant position just to say, well on non US persons they can spy as they want. When they spy on allies, they cross the line, no matter if they are spying on individual targets or if they are doing mass surveillance.

And that is perhaps why the Spiegel published the TAO catalogue.
Without that TAO catalogue, one would not really know or understand what this equipment on the rooftop of the Berlin embassy is for.
