ShadowBrokers Releases NSA UNITEDRAKE Manual

The ShadowBrokers released the manual for UNITEDRAKE, a sophisticated NSA Trojan that targets Windows machines:

Able to compromise Windows PCs running on XP, Windows Server 2003 and 2008, Vista, Windows 7 SP 1 and below, as well as Windows 8 and Windows Server 2012, the attack tool acts as a service to capture information.

UNITEDRAKE, described as a "fully extensible remote collection system designed for Windows targets," also gives operators the opportunity to take complete control of a device.

The malware's modules -- including FOGGYBOTTOM and GROK -- can perform tasks including listening in and monitoring communication, capturing keystrokes and both webcam and microphone usage, impersonating users, stealing diagnostics information and self-destructing once tasks are completed.

More news.

UNITEDRAKE was mentioned in several Snowden documents and also in the TAO catalog of implants.

And Kaspersky Labs has found evidence of these tools in the wild, associated with the Equation Group -- generally assumed to be the NSA:

The capabilities of several tools in the catalog identified by the codenames UNITEDRAKE, STRAITBAZZARE, VALIDATOR and SLICKERVICAR appear to match the tools Kaspersky found. These codenames don't appear in the components from the Equation Group, but Kaspersky did find "UR" in EquationDrug, suggesting a possible connection to UNITEDRAKE (United Rake). Kaspersky also found other codenames in the components that aren't in the NSA catalog but share the same naming conventions; they include SKYHOOKCHOW, STEALTHFIGHTER, DRINKPARSLEY, STRAITACID, LUTEUSOBSTOS, STRAITSHOOTER, and DESERTWINTER.

ShadowBrokers has only released the UNITEDRAKE manual, not the tool itself. Presumably they're trying to sell that.

Posted on September 8, 2017 at 6:54 AM • 13 Comments

Comments

Bruce Schneier • September 8, 2017 9:50 AM

"Are we sure it's not UNITE DRAKE? Or would that be Daffy?"

That is an excellent question.

Clive Robinson • September 8, 2017 10:10 AM

Hmm,

The malware's modules -- including FOGGYBOTTOM

Funny, I seem to remember "FoggyBottom" being an area in Washington DC adjacent to the White House with the Watergate complex and George Washington University. Thus much frequented by certain types, including those from a well known IC entity.

So much so that it's rumoured that it's where spooks leak to aides who in turn leak to congress critters who then leak to other aides who in turn leak to the likes of the WashPo, and so the wheel turns, getting greased by the largess of corporate interests.

ab praeceptis • September 8, 2017 10:21 AM

Clive Robinson

I'm not sure, as my interest in the details of political Washington is very limited, but I seem to remember that "foggy bottom" is the informal name of the Dep. of State.

Ym • September 8, 2017 10:59 AM

"Are we sure it's not UNITE DRAKE? Or would that be Daffy?"

The manual makes it pretty clear, stylized in places as UnitedRake and also as (UR).

Douglas Coulter • September 8, 2017 12:32 PM

No wonder the gov is all about banning Kaspersky...
It finds their (likely used illegally even under their own bent interpretation) theft tools - can't have that!
Bad Russians! Bad Wikileaks! Bad Snowden!
And we'd have gotten away with it except for you meddling kids.

Except they already won and can get away with anything now that they control the government in fee simple.

Clive Robinson • September 8, 2017 12:32 PM

@ ab praeceptis,

I seem to remember that "foggy bottom" is the informal name of the dep. of state.

Yup, it's the seventieth anniversary of its move there this year.

My main interest in the area is that it used to have the Naval Observatory there. Amongst its other claims to infamy, Washington had four different prime meridians running through it. Foggy Bottom had the prime meridian laid down by Thomas Jefferson in 1799, which he used to try and usurp the "Prime Meridian" from the Royal Observatory at Greenwich, East London. Apparently the French preferred to keep it with the "Perfidious Albion"[1] rather than cede anything to America, and thus in 1884 it was agreed internationally that Greenwich would be the International Prime Meridian. As a consolation prize, France gets to decide when we have "leap seconds" in collaboration with many Naval and administrative observatories and their respective time standards.

Hence the time in your PC can now be set for security reasons to within 1 ns of UTC,

https://www.eecis.udel.edu/~mills/database/papers/nano/nano2.pdf

I was surprised to learn some years ago from a French colleague that the French were apparently more unhappy about the American Revolution than the English were, and thus had even less nice things to say about the nascent Americans. Apparently even Napoleon wanted a slice of them, not so lightly grilled.

[1] The French have used the term from around the time of the French Revolution, apparently because initially many in England favoured the revolution but did "a reverse ferret" when the heads of Royalty became basket cases. The term has since spread to many nations, including Vietnam and even enemies of France. It was recently revived over Brexit, and something might well have changed the vote from remain to leave.

Clive Robinson • September 8, 2017 1:03 PM

@ Doug Coulter,

And we'd have gotten away with it except for you meddling kids.

Ah huh, yup, the plaintive cry of the scoundrel of limited ability, "Snot Fair, Snot Fair". Quickly followed by throwing the toys out of the play pen before stamping feet and pointing the finger at someone who has proved smarter, and, just as the Red Queen did, screaming "Off with their heads".

Even little Alice Pleasance Liddell knew to behave better than that, but then she did have friends even through the looking glass.

SimpleQ • September 8, 2017 4:15 PM

In the System configuration paragraph it says that "... customers should be able to choose...".
This means that it is a commercial tool sold/distributed to other "customers" too - not developed internally by/for the NSA?

de La Boetie • September 10, 2017 8:07 AM

@SimpleQ - "customers" in this context (it also applies to GCHQ) - is the dreaded management-speak for "internal" within-government users in other departments (and potentially those in other allied governments).

This is supposed to give a customer service mentality, and is also associated with having them - to an extent - as a budget cost or even profit centre.

However, its primary objective is to have as many users as possible to justify the illegal, unconstitutional and clearly poorly justified t'rrist "requirement" for mass surveillance, and to enlarge their empire. By spreading the guilt around (there are at least 47 bodies consuming the Investigatory Powers Act data - ICRs - in the UK), and by nominally making the systems pay for themselves some more - at least on paper - you are making it far harder to unravel the panopticon.

yourmom • September 10, 2017 9:39 PM

Chrome Canary (*warning likely has bugs)

Command Line
enable MITM detection

--enable-features=MITMSoftwareInterstitial
