Kaspersky User-Agent Strings – NSA
June 22, 2015
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL
NATIONAL SECURITY AGENCY
CENTRAL SECURITY SERVICE
DRAFT
Kaspersky User-Agent Strings
September 2008
Derived From: NSA/CSSM 1-52
Dated: 8 January 2007
Declassify On: 20320108
(C//REL) Kaspersky User-Agent Strings
September 2008
BY:
REVIEWED BY:
IDA/CCS
RELEASED BY: Chief, S[...]
REPORT DOCUMENTATION PAGE
1. AGENCY USE ONLY (Leave blank)
2. REPORT DATE: September 2008
3. REPORT TYPE AND DATES COVERED: Technical SIGINT Report
4. TITLE AND SUBTITLE: (C//REL) Kaspersky User-Agent Strings
5. FUNDING NUMBERS:
6. AUTHOR(S):
7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES): National Security Agency, Ft. George G. Meade, MD 20755-5400
8. PERFORMING ORGANIZATION REPORT NUMBER: S-[...]
9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES):
10. SPONSORING/MONITORING AGENCY REPORT NUMBER:
11. SUPPLEMENTARY NOTES:
12a. DISTRIBUTION/AVAILABILITY STATEMENT: THIS DOCUMENT MAY NOT BE RELEASED OR REPRODUCED IN WHOLE OR IN PART WITHOUT PRIOR APPROVAL OF THE ISSUING OFFICE.
12b. DISTRIBUTION CODE:
13. ABSTRACT: (S//SI//REL) We discovered that Kaspersky User-Agent strings contain encoded versions of the Kaspersky serial numbers and that part of the User-Agent string can be used as a machine identifier.
14. SUBJECT TERMS: Kaspersky, User-Agent, machine identifier
15. NUMBER OF PAGES: 3
16. PRICE CODE:
17. SECURITY CLASSIFICATION OF REPORT / 18. OF THIS PAGE / 19. OF ABSTRACT: TOP SECRET
20. LIMITATION OF ABSTRACT:
S3[..]/TEC/XX/2008
Table of Contents
1. (U) Introduction
2. (U) User-Agent Strings
3. (U) Updates
4. (U) User-Agent Fields and Encoding
5. (U) Types of User-Agent Strings
6. (U) Serial Numbers
7. (U) Key Files
8. (U) [title illegible]
(C//REL) Kaspersky User-Agent Strings

(U) Introduction
(U//FOUO) Kaspersky Lab is a privately held company with headquarters in Moscow, with regional offices elsewhere. Kaspersky has (at least) three products: Kaspersky Internet Security, Kaspersky Anti-Virus and Kaspersky Mobile Security. The Anti-Virus engine is used by other security vendors. Kaspersky products are quite popular in some parts of the world.
This work was begun with [redacted] at SCAMP 20[..] at IDA/CCS, Princeton.

(U) Data
We used YACHTSHOP metadata records for our study of Kaspersky User-Agent strings, as well as some information discovered by using Google searches on the Internet.

(U) User-Agent Strings
The Kaspersky client sends its own User-Agent strings when requesting updates. Some examples are:
GET [...]
Host: [...]
User-Agent: [...]
GET [...]
Host: dnl-us?.kaspersky-labs.com
User-Agent: [...]
The Kaspersky User-Agent strings are of three types:
1. [...]
2. [...]
3. [...]
The User-Agent strings use the characters A-Z, a-z, 0-9, + and /, which is the same alphabet as is used in base64 encoding. Further, the last twelve characters of the third type are, in fact, the base64 encoding of the version number. These version numbers range from 6.0.2.614 to 8.0.0.35? in our data.
(U) Updates
(S//SI//REL) The update requests we observed often occurred on a regular basis, often every 20, 40, 120 or 140 minutes when the machine is on-line. They began with a GET request for an index page, i.e. [...]/index[...]. This was immediately followed by a set of requests for update files: first, a set of files such as [...] (blst = black list, ids = intrusion detection system, av = antivirus, upd = update), then a set of files such as [...], and a set of files such as /diffs/AutoPatches/kav1.32/kavpgui.ppl.rvb. We did not see any use of query strings or cookies in the update requests.

(U) User-Agent Fields and Encoding
(S//SI//REL) Now we turn our attention to the User-Agent strings themselves. Let us take a typical example, as above:
[...]
The last 12 characters are the base64 encoded string Ny4wLjAuMTI1, which, in this case, decodes to 7.0.0.125 (the version number) and leaves us with
[...]
(S//SI//REL) At first, it appears that there are fields separated by capital characters, but looking more closely, it can be seen that there are two sets of characters, A-Z/a-f and g-z/0-9/+//, i.e. two sets of 32 characters each. It appears that each field is a set of characters from the second set followed by a character from the first set. We believe that the characters are composed of a leading flag bit followed by five intelligence bits, where the flag bit indicates the end of a field. Thus we parse the above string into fields:
[...]
Field one and field three are normally the same, and the first three fields are usually two or three long. Field six is always one or two long, about half of the time two long. If it is two long, the second character is a B. Since B is the second character of the first alphabet set, its natural value is 1. That is, if we reverse the order of the characters in this field, the entire field takes on values 0-63. Taking this as our cue, we concluded that the order of the characters in each field should be reversed, and each field represents a number encoded base32, with end-of-field flags.
(S//SI//REL) With this interpretation, field five appears to be flat over the range [0, 2^18), the largest value seen being 261142, while 2^18 = 262144.
(S//SI//REL) The first five fields seem to match with specific clients. The main exception is Dp Bk? Dp ?j?nt Kn (another parsed Kaspersky User-Agent), which is seen with a large number of clients. As we shall see, fields two, three, and four are the serial number, and this particular serial number is one of those being passed around on the Internet.
Studying the timing of GET requests, we observe that in many cases there is an update request at regular intervals. Probably such a request is made in all cases in which the machine is on-line. These requests begin with a request for one or two index pages, followed by further requests for update files, all with the same User-Agent. Later, on the regular beat, the next request will have the same User-Agent string, except that field six will have changed:
Thu Jul 3 21:13:56 2008  Dp Bk? Dp [...] A   6.0.2.618
Thu Jul 3 23:33:56 2008  Dp Bk? Dp [...] B: A   6.0.2.618
The beat at which the requests are made seems to be correlated with the type and version number. The type 2 requests often come every 20 minutes, and about 21% of the time tick up with an increment alternating between 30 and 34, mod 64. The type 3 requests often come at beats of 120 or 140 minutes, ticking up by 24 in the 120 case and 39 in the 140 case, both mod 64.
(S//SI//REL) Field seven, if present in type 2 strings, is an [...]. In type 3 strings there is a field seven, and possibly a field eight. In our data, for the type 2 strings, unless there is a field seven with an [...], the requests only ask for klz files, such as /index26/a0602g.xml.klz. Also in our data, the type 3 strings with no eighth field, i.e. no [...] value, were all from version 6.0.2.614, while none of the version 6.0.2.614 strings had a seventh field. We believe these indicate services and/or configurations.

(U) Types of User-Agent Strings
(S//SI//REL) There isn't much to say about the first type of User-Agent string. It presumably represents some limited capability trial version.
The second type is more interesting, as it parses as described above. The parsed version usually begins Dp Bk? Dp ?j?nt, followed by a field five mostly of length three or four, a sixth field which ticks up as discussed before, and possibly a seventh field consisting of an [...].
The one exception is the Dp Bk? Dp ?j?nt Kn mentioned above, in which field five is two long. Further, this one does not tick up, but always appears the same.
(S//SI//REL) We have more information about the third type, in which the last 12 characters are the encoded version numbers. We observed:
Version     First Field
6.0.2.614   Dp, Bkt, or [...]
6.0.2.618   Dp, or Dr
6.0.2.621   Dp, Bks, or Bm2
6.0.3.832   Dt, or Dz
7.0.0.119   Bmt
7.0.0.124   Bmt
7.0.0.125   Bkt, or Bmt
7.0.1.321   Bmt, or Bm[..]
7.0.1.323   Bmu
7.0.1.325   Bmt, or Bmu, or [...]
8.0.0.352   [illegible], or [illegible]
So it seems that the first field is tracking along with the version numbers, so it could relate to the date at which the product is activated, but is not directly equivalent to the version number.
Type 3 strings are all seven or eight fields long.
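The parsing rule described in the Fields and Encoding section (two 32-character sets, an end-of-field flag bit, characters reversed and read as base-32 digits), the base64 version suffix of type 3 strings, the 4-6-8 hex layout of the serial number in fields two to four, and the mod-64 tick in field six, as an added Python example that is not code from the report. It assumes the standard base64 alphabet with A-Z a-f as the first set and g-z 0-9 + / as the second, so the flag is bit 5 of a character's index and a clear flag closes a field; it also assumes the illegible character in the report's field "Bk?" is "+", the only second-set character that gives the report's value 0x49E. The sample string is constructed: fields one to five carry the values the report's hex line gives for its worked example as far as the scan allows them to be read, and fields six and seven and the 7.0.0.125 version suffix are chosen for the example.

```python
import base64
import string

# Standard base64 alphabet; the report says the strings use exactly this
# character set.  Indices 0-31 (A-Z, a-f) form the "first set", 32-63
# (g-z, 0-9, +, /) the "second set" (assumption, see lead-in).
B64 = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
FLAG = 0x20         # bit 5 of an index: set for the second set, clear for the first
DIGIT_MASK = 0x1F   # the five "intelligence" bits
VERSION_LEN = 12    # type 3 strings end in a 12-character base64 version number


def split_fields(s):
    """Cut the raw (version-stripped) string into fields of character indices.
    A field is zero or more second-set characters followed by one first-set
    character, which carries the end-of-field flag."""
    fields, cur = [], []
    for ch in s:
        idx = B64.find(ch)
        if idx < 0:
            raise ValueError(f"not a base64 character: {ch!r}")
        cur.append(idx)
        if not idx & FLAG:          # flag clear: this character closes the field
            fields.append(cur)
            cur = []
    if cur:
        raise ValueError("string ends inside a field (no end-of-field character)")
    return fields


def field_value(indices):
    """Reverse the field and read its 5-bit digits as a base-32 number."""
    value = 0
    for idx in reversed(indices):
        value = value * 32 + (idx & DIGIT_MASK)
    return value


def display_field(indices):
    """The reversed spelling the report uses when it prints parsed fields."""
    return "".join(B64[i] for i in reversed(indices))


def encode_field(value):
    """Inverse of split_fields/field_value; used here only to build sample input."""
    if value < 0:
        raise ValueError("field values are non-negative")
    digits = []
    while value >= 32:
        digits.append(value % 32)
        value //= 32
    digits.append(value)             # most significant digit, always < 32
    # raw order: low digits from the second set first, then the high digit
    # from the first set, which is the end-of-field character
    return "".join(B64[d | FLAG] for d in digits[:-1]) + B64[digits[-1]]


def parse_type3(ua):
    """Parse a type 3 string: flagged base-32 fields, then a base64 version."""
    if len(ua) <= VERSION_LEN:
        raise ValueError("too short to carry a 12-character version suffix")
    version = base64.b64decode(ua[-VERSION_LEN:]).decode("ascii")
    raw = split_fields(ua[:-VERSION_LEN])
    if len(raw) < 6:
        raise ValueError("expected at least six fields before the version")
    values = [field_value(f) for f in raw]
    return {
        "version": version,
        "display": " ".join(display_field(f) for f in raw),
        "fields": values,
        # fields two, three and four in the 4-6-8 hex-digit serial layout
        "serial": f"{values[1]:04X}-{values[2]:06X}-{values[3]:08X}",
        # the report says the first five fields match specific clients:
        # together they act as the stable per-machine identifier
        "client_id": tuple(values[:5]),
        "tick": values[5],            # field six, 0-63, advances each beat
    }


def same_client(a, b):
    """True when two parsed strings share the client-identifying fields."""
    return a["client_id"] == b["client_id"] and a["version"] == b["version"]


def tick_increment(prev_tick, next_tick):
    """Field-six increment between two beats from the same client, mod 64."""
    return (next_tick - prev_tick) % 64


# Constructed sample: fields 0x69, 0x49E, 0x69, 0x18120, 0x3E370 (the report's
# worked values, giving serial 049E-000069-00018120), then 45 and 3 (chosen),
# then base64("7.0.0.125").  NEXT_UA is the same client one 120-minute beat
# later: field six has moved from 45 to (45 + 24) mod 64 = 5, spelled "F".
SAMPLE_FIELDS = [0x69, 0x49E, 0x69, 0x18120, 0x3E370, 45, 3]
SAMPLE_UA = "pD+kBpDgpgDw74HtBDNy4wLjAuMTI1"
NEXT_UA = "pD+kBpDgpgDw74HFDNy4wLjAuMTI1"

if __name__ == "__main__":
    first, later = parse_type3(SAMPLE_UA), parse_type3(NEXT_UA)
    print(first["display"], first["version"], first["serial"])
    print("same client:", same_client(first, later),
          "tick +", tick_increment(first["tick"], later["tick"]))
```

Run stand-alone, the block prints the parsed fields in the reversed spelling the report uses, the decoded version and the serial number, then shows that a second beat from the same client differs only in field six. The same decoder lets a defender check whether update traffic leaving their own network carries a stable, clear-text per-machine identifier of this kind.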
(U) Serial Numbers
[The first page of this section, with the list of serial numbers that the following page refers to as "above", is not legible in the scan.]
(S//SI//REL) One of the User-Agent strings, when parsed, is (Dp Bk? Dp ?j?nt ?I42w). By converting these strings into hexadecimal numbers, this becomes
00000069 0000049e 00000069 00018120 0003e370.
Now examine the lines above. We find serial number 049e-000069-00018120.
We also have (?n Bmu B248?? Eh?) which equates to
000004f1 0000092c 000004ce 03bc20e5 00020?af 00000032, which matches 092C-0004CE-03BC20E5E above.
There are also close matches:
000004ce 000002?34 000004ce 02f17?80e0 00005d9e
with [...]
and
000004cd 00000494 000004cd 02439b12 000136213
with 0494-0004CD-02439E4C.

(U) Key Files
(S//SI//REL) We located three key files and examined them. The first four bytes of the key files contain the signature Kst. After an initial header, the key files can be parsed into records with an algorithm like [...]. In general, the fields of the records are as follows (in hex):
Position   Content
[...]      Specific kind of information in the value field
2          00
[The remainder of the record-field table and the key-file hex dump on this page are not legible in the scan.]
(S//SI//REL) Among other things, the key files contain base64 strings, such as
[base64 string not legible in the scan]
which decodes to:
[not legible in the scan]
which [...] to anything [...].

(U) [section 8; title not legible]
(S//SI//REL) It appears that the User-Agent string [...] used to [...] is a unique client, [...] carries [...] for the serial [...] can be used for [...]. We believe the User-Agent string carries information [about] services for [...] or [...]. Study of a few [...] strings, serial [...], activation keys, [...] key files [...] this.
DISTRIBUTION
Hard copy
DC 324
[...] distribute
GCHQ (B13[...]