this is based upon analysis of the NSA documents and of information that was leaked during the Belgacom investigation
* we are not sure that there is no more recent version of Regin than the one of 2008 - 2011, and we still have to establish whether the 2013 version was installed before or after discovery and what the differences between them are
* we are not sure either that there is only a Windows Regin and no version or files for other operating systems - as you remember, the NSA was talking in its slides about a virtual component that was placed on the hard disk BEFORE the OS, whatever the OS, and that Unix machines were attacked as well
there is no clear proof of either, but we are searching
so don't feel too safe now
because that may have been the intention
remember it is a spyoperation by spies for spies
"Stage 1 files, 32 bit:
Unusual stage 1 files apparently compiled from various public source codes merged with malicious code:
Stage 1, 64-bit system infection:
Stage 2, 32 bit:
Stage 2, 64 bit:
Stage 3, 32 bit:
Stage 4, 32 bit:
Stage 4, 64 bit:
Note: Stages 2, 3, and 4 do not appear on infected machines
This is one of the places where samples are being uploaded (I know several people (not me) who have a sample of the BGC infection)
Just to be sure that you understand what you are getting into if you download this
* there is no clear definition of what a Regin package is; there are several different packages with different plugins and different timestamps, so many antivirus products don't detect it
this means that if you download it, your security defenses may not detect it or some of the new or additional code and functions. You should therefore only place it in a sandbox and handle it on a non-connected computer (don't use USB, use a CD-ROM and throw it away or store it somewhere else - it is absolutely not safe)
* just because it is called Regin does not mean that it is Regin
* some of the samples have personal information about their victims and their employees in the log files (if you are a legal expert you will have to destroy these files or inform the local police that you seem to have proof of an infection).
* As the detection rate for the latest samples is quite low, antivirus firms will have to go hunting for real and imaginary Regin samples
* if you don't have the knowledge and tools to handle this atom bomb of code, stay far away - you will never have seen anything like this
In my view it is urgent for the big antivirus/security firms to set up a working group to collect all the different samples and information, to get a complete picture and to be sure that all companies and networks have sufficient protection independent of which antivirus/security tool they use.
important: the Snort rules against Regin are Snort rules 32621-32624
and the command and control servers were:
18.104.22.168 Taiwan, Province Of China Taichung Chwbn
22.214.171.124 India Chetput Chennai Network Operations (team-m.co)
126.96.36.199 India Thane Internet Service Provider
188.8.131.52 Belgium Brussels Perceval S.a.
because traffic to a Belgian server won't be found suspicious, whereas traffic leaving Belgacom for India or Taiwan could have been found suspicious
remember this is a spy operation, so all the classical techniques and reflexes of spies are used - including covering up your tracks...
this is the list: 24/55 don't find the 64-bit Belgacom Regin infection
AegisLab 20141125, Agnitum 20141124, Antiy-AVL 20141125, Avast 20141125, Avira 20141125, Baidu-International 20141125, Bkav 20141120, ByteHero 20141125, CMC 20141124, ClamAV 20141125, Cyren 20141125, DrWeb 20141125, ESET-NOD32 20141125, F-Prot 20141125, Fortinet 20141125, Jiangmin 20141124, Kingsoft 20141125, Malwarebytes 20141125, McAfee-GW-Edition 20141125, NANO-Antivirus 20141125, Panda 20141125, Qihoo-360 20141125, Rising 20141124, SUPERAntiSpyware 20141125, Tencent 20141125, TheHacker 20141124, TotalDefense 20141125, VBA32 20141125, ViRobot 20141125, Zillya 20141124, Zoner 20141125
this is also why it is interesting to write 64-bit viruses; many antivirus products can't cope with them yet
so even if an upgrade to 64-bit kills millions of 32-bit viruses and secures access to your machine, it makes it an absolute necessity to lock your machine down, harden it and buy a really professional antivirus that works natively in a 64-bit environment
especially if you have found the following three, or one of them
and don't forget the servers
and don't forget to go back in time
interesting: so you can now know how Regin is known by your antivirus (or not, if you use ClamAV for example), so you can start looking through the virus alerts to see if you were impacted or not
and you will find others here
this is the race to backtrack the files and to claim the discovery
probably the package is based on all the older knowledge and all the new things that were tested out at the time or added over time, so it is possible that you will find files or code dating a long time back and others that are newer or seem more complex
"The date of origin of Regin seems to be a point of contention in the industry. Symantec claims the malware originated in 2008, Kaspersky Labs’ global research and analysis team reckons early traces of the virus became known in 2003, and a Telecoms.com source from the infosec industry told us that it was around even before then.
Finnish security vendor F-Secure says it came across the virus in 2009, and claims it’s a purely cyber-espionage toolkit used for intelligence gathering. “It’s one of the more complex pieces of malware around, and just like many of the other toolkits it also has a long history behind it. We first encountered Regin nearly six years ago in early 2009, when we found it hiding on a Windows server in a customer environment in Northern Europe,” the firm says on its website.
“The server had shown symptoms of trouble, as it had been occasionally crashing with the infamous Blue Screen of Death. A driver with an innocuous name of ‘pciclass.sys’ seemed to be causing the crashes. Upon closer analysis it was obvious that the driver was in fact a rootkit, more precisely one of the early variants of Regin.”
1. From previously identified Regin samples, The Intercept developed unique signatures which could identify this toolkit. A zip archive with a sample identified as Regin/Prax was found in VirusTotal, a free, online website which allows people to submit files to be scanned by several anti-virus products. The zip archive was submitted on 2013-06-21 07:58:37 UTC from Belgium, the date identified by Clément. Sources familiar with the Belgacom intrusion told The Intercept that this sample was uploaded by a systems administrator at the company, who discovered the malware and uploaded it in an attempt to research what type of malware it was.
2. Along with other files The Intercept found the output of a forensic tool, GetThis, which is being run on target systems looking for malware. From the content of the GetThis.log file, we can see that a sample called “svcsstat.exe” and located in C:\Windows\System32 was collected and a copy of it was stored.
The malware in question is “0001000000000C1C_svcsstat.exe_sample”. This is a 64bit variant of the first stage Regin loader aforementioned.
The archive also contains the output of ProcMon, “Process Monitor”, a system monitoring tool distributed by Microsoft and commonly used in forensics and intrusion analysis.
This file identifies the infected system and provides a variety of interesting information about the network. For instance:
The following environment variable shows that the system was provided with a Microsoft SQL server and a Microsoft Exchange server, indicating that it might be one of the compromised corporate mail servers Fabrice Clément mentioned to Mondiaal News:
Path=C:\Program Files\Legato\nsr\bin;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0;C:\Program Files\Microsoft Network Monitor 3;C:\Program Files\System Center Operations Manager 2007;c:\Program Files (x86)\Microsoft SQL Server\90\Tools\binn;D:\Program Files\Microsoft\Exchange Server\bin
3. Below is a list of hashes for the files The Intercept is making available for download. Given that it has been over a year since the Belgacom operation was publicly outed, The Intercept considers it likely that the GCHQ/NSA has replaced their toolkit and no current operations will be affected by the publication of these samples.
the same article gives more information about the loaders and why they think it was this virus that attacked Belgacom. It also seems that some sources in Belgacom are leaking again and have forgotten about their NDA, unless it is a hidden policy.
the second thing is that it seems as if people during the discovery phase used online tools, which leave traces, to identify the problem. For a critical environment like Belgacom during an espionage attack this is like hanging a banner outside: we have found you.
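The Intercept could read the server's roles straight out of the ProcMon Path variable quoted above, and that is exactly the kind of trace an online tool keeps. As an added example (not code from The Intercept, Belgacom or any vendor), here is a check that reports what such an artifact gives away and blanks the identifying variables before it is shared; the Path line is the one quoted above with its backslashes restored, the COMPUTERNAME/USERDOMAIN/USERNAME lines are constructed, and the role names are my own labels for the directories.

```python
"""Report what a forensic artifact reveals about the victim before sharing it.

Added example for this post; not a tool from The Intercept, Belgacom or any
vendor. The Path line is the quoted ProcMon value (backslashes restored); the
COMPUTERNAME/USERDOMAIN/USERNAME lines are constructed."""

# Constructed artifact in ProcMon "environment" style: NAME=value per line.
SAMPLE_ARTIFACT = "\n".join([
    r"Path=C:\Program Files\Legato\nsr\bin;C:\Windows\system32;C:\Windows;"
    r"C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0;"
    r"C:\Program Files\Microsoft Network Monitor 3;"
    r"C:\Program Files\System Center Operations Manager 2007;"
    r"c:\Program Files (x86)\Microsoft SQL Server\90\Tools\binn;"
    r"D:\Program Files\Microsoft\Exchange Server\bin",
    "COMPUTERNAME=MAILSRV01",
    "USERDOMAIN=EXAMPLE",
    "USERNAME=svc_backup",
])

# Directory fragments (lower-case) that betray an installed product or role.
# The labels are this example's own, inferred from the directory names.
ROLE_MARKERS = {
    "exchange server": "Microsoft Exchange (mail server)",
    "microsoft sql server": "Microsoft SQL Server (database)",
    "system center operations manager": "System Center Operations Manager agent",
    "microsoft network monitor": "Microsoft Network Monitor (packet capture)",
    "legato": "Legato backup software",
}

# Environment variables whose values identify the machine, domain or account.
IDENTIFYING_VARS = ("COMPUTERNAME", "USERDOMAIN", "USERDNSDOMAIN", "USERNAME", "LOGONSERVER")

def roles_from_path(path_value):
    """Infer installed products from the directories listed in a PATH value."""
    roles = []
    for entry in path_value.split(";"):
        low = entry.strip().lower()
        for marker, role in ROLE_MARKERS.items():
            if marker in low and role not in roles:
                roles.append(role)
    return roles

def scan_artifact(text):
    """Return {'roles': [...], 'identifiers': {VAR: value}} from NAME=value lines."""
    findings = {"roles": [], "identifiers": {}}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if not sep:
            continue
        name = name.strip().upper()
        if name == "PATH":
            for role in roles_from_path(value):
                if role not in findings["roles"]:
                    findings["roles"].append(role)
        elif name in IDENTIFYING_VARS:
            findings["identifiers"][name] = value.strip()
    return findings

def redact(text):
    """Blank the identifying variables. Path is kept because analysts need it;
    the scan report tells you what it still reveals about the server."""
    out = []
    for line in text.splitlines():
        name, sep, _ = line.partition("=")
        if sep and name.strip().upper() in IDENTIFYING_VARS:
            line = f"{name}=<REDACTED>"
        out.append(line)
    return "\n".join(out)

if __name__ == "__main__":
    report = scan_artifact(SAMPLE_ARTIFACT)
    print("roles revealed:", ", ".join(report["roles"]))
    print("identifiers:", report["identifiers"])
    print(redact(SAMPLE_ARTIFACT))
```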
De Standaard will be publishing more information it seems in the coming weeks. Well, now I understand something......
We always said it was an intelligence operation and we always said that there were problems with the certificates of some files. We only have to wait to be proven right. And for that we didn't have contact with leakers.
Now that all that information is out in the open it is time for BIPT to make a real technical file.
That The Intercept thinks that all the files have been replaced is wishful thinking, unless they gave the intelligence services a head start by informing someone that this information would be published on a certain date so they could go into overdrive. But even then there may be security and network management tools that will have a trace of the filenames and other events on the network or on the servers.
it is always the same song in Belgium. Once there is an attack or hack, they file a complaint with the FCCU as they should, and then they can't say anything more. The justice department, the FCCU and the CERT will need to set up some technical information exchange to be sure that technical information about (identified) hacks gets distributed in time to other possible victims, just to warn them that it can happen.
There is for the moment not even a Federal Cybercrime or Cybersecurity Center under the prime minister that could organize that and take responsibility.
The Belgacom virus or #regin files - and the fact that some of the files are the same does not mean that the whole set is the same - were rumoured to be NATO secret level 3 and afterwards were said to be handed over with other information to the BIPT. Some people who should have known in Belgium tell me they didn't, and were surprised to read in the newspaper that all critical infrastructure was informed about the technical details of the attack and which things to look out for in their firewalls and security appliances.
Belgacom does repeat the same thing today.
So this leaves two questions.
Either they are the same files and Belgacom has found them, cleaned them up and is sure that they didn't come back - even in their 2013 version. Then everything is fine for Belgacom and they just have to keep up the same vigilance and determination. But if Belgacom says that they are exactly the same files, then it has to say this clearly so there is no doubt whatsoever. They will probably say that they can't say this because it would 'interfere' with the investigation, which is stupid because we know a lot more technical details about any other criminal investigation before the trial starts (if there is ever going to be a trial here).
SO BELGACOM - IS IT OR ISN'T IT? If it isn't, you know you will have to go rechecking - although as good security practice you will restart your checking anyway.
When are we going to have that information? I know a lot of people who are responsible for enormous networks and enormous sets of data who have no idea what the BIPT is talking about when it says that everybody has received the necessary information. Does this mean that all the banks, all the international organisations in Belgium, all the energy networks, all the governmental agencies that handle secret or important information were informed? All the ISPs and telecom operators?
SO BIPT, as more and more information is in the open and some of the files are now being found online and will be assembled in the near future, as a whole community of people now starts hunting for them (for sure they are already on VirusTotal), when are you going to release more information? Or are there diplomatic or other reasons for which that information can't be published? By not publishing it you confirm this.
Some of the functions and protocols are explained in this earlier presentation at Hack.lu. It is also important here to read how one gets information from an internet-blocked computer (with probably high-level information) to an internet-connected computer in a network. The extraction methods are also interesting because in Belgacom the extracted information was encrypted and for that reason went undetected, as encrypted traffic was maybe, just like in many networks, trusted - especially if it comes from inside the network.
We know that the Regin files published by Symantec are not complete and that they only have part of all the files.
Inside the Snowden files you find documentation about a bootkit that also works on Linux because it attacks the hardware and not the software on the machine. (This is why it is important to encrypt all the free space on your hard disk, so that normally nothing new can be installed on the machine - or not without alerting the security staff, if you have installed those event loggers).
So it is not clear at the moment if there are Linux files somewhere. We know by now that it is not hard to take total control over the root and boot of a Linux server, and several viruses doing exactly that (and through USB on Apple) have done the rounds over the last couple of months.
We know that the Microsoft Regin files had several urgent updates (2008 - 2011) and we know that there have been rumours about problems and infections, and uncertainty about the date of infection, well before the official date on which Microsoft officially said it was an infection, when they finally came to examine the troubled mail server. We know that the Regin files had a 32-bit version and a 64-bit version and that from 2011 onwards many organisations and industries were moving to 64-bit only (to kill all the 32-bit viruses in one upgrade). This change also has an impact on access to the root and may explain the problems. The Snowden files talk about 2008 as the date of penetration (which is also the first set of files).
We know that the Regin files had falsified Microsoft certificates or signatures on some files, and that for those where that wasn't possible they posed as a helper file of an official Microsoft file in the kernel root and had access to the root through this helper file, which had access to the kernel-root file. We know that in Belgacom they were talking about Microsoft-signed files. This in fact poses huge problems for Microsoft and the way in which it wants to certify the files that are written by Microsoft and certified by Microsoft.
We know that the Belgacom operation was an intelligence operation and that only very limited information was effectively transferred, as the data files were small (which was astonishing). It could be that they had larger files at the start of the operation (to have a list of all the employees or of the infrastructure), but as nobody is sure about the date of the first infection there is no way to be sure. As the GRX routers for the GSM traffic throughout the BICS-Belgacom network were the target, we presume it was the metadata for certain high-profile GSM numbers that were on the terrorist target list. It is therefore no wonder that the software used in such an operation is built by spies for spies to be able to.... spy.
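Two points above call for the same detection idea: a command and control server in Belgium does not look suspicious by geography, and encrypted traffic leaving from inside the network is trusted. As an added example (not Snort rules 32621-32624, and not code from Symantec, Kaspersky or Belgacom), this check over flow records ignores the destination's country and the payload entirely and looks only at timing: a host that talks to the same destination at nearly constant intervals is reported. All flow lines are constructed; the addresses are RFC 5737 documentation ranges.

```python
"""Flag periodic outbound connections ('beaconing') in flow records.

Added example for this post; not Snort rules 32621-32624 and not code from
Symantec, Kaspersky or Belgacom. Flow lines are constructed with RFC 5737
documentation addresses."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed flow export: "<ISO timestamp> <src> <dst> <dst port> <bytes>".
# 10.0.5.20 (a mail server) talks to 203.0.113.7:443 every ~10 minutes with a
# few seconds of jitter; 10.0.7.33 browses 198.51.100.10:443 at irregular times.
SAMPLE_FLOWS = [
    "2013-06-21T08:00:00 10.0.5.20 203.0.113.7 443 1460",
    "2013-06-21T08:01:10 10.0.7.33 198.51.100.10 443 52110",
    "2013-06-21T08:01:14 10.0.7.33 198.51.100.10 443 8812",
    "2013-06-21T08:03:50 10.0.7.33 198.51.100.10 443 20331",
    "2013-06-21T08:10:02 10.0.5.20 203.0.113.7 443 1472",
    "2013-06-21T08:17:22 10.0.7.33 198.51.100.10 443 1905",
    "2013-06-21T08:17:23 10.0.7.33 198.51.100.10 443 77012",
    "2013-06-21T08:19:58 10.0.5.20 203.0.113.7 443 1466",
    "2013-06-21T08:25:00 10.0.5.20 192.0.2.5 25 5300",
    "2013-06-21T08:30:01 10.0.5.20 203.0.113.7 443 1460",
    "2013-06-21T08:40:03 10.0.5.20 203.0.113.7 443 1480",
    "2013-06-21T08:45:00 10.0.7.33 198.51.100.10 443 3400",
    "2013-06-21T08:49:57 10.0.5.20 203.0.113.7 443 1462",
    "2013-06-21T08:55:10 10.0.5.20 192.0.2.5 25 6120",
    "2013-06-21T09:00:00 10.0.5.20 203.0.113.7 443 1470",
    "2013-06-21T09:02:11 10.0.7.33 198.51.100.10 443 15007",
    "2013-06-21T09:10:04 10.0.5.20 203.0.113.7 443 1458",
]

def parse_flow(line):
    """Split one flow line into (timestamp, src, dst, port, bytes)."""
    ts, src, dst, port, nbytes = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)

def find_beacons(lines, min_connections=6, max_jitter=0.15):
    """Return (src, dst, port, period_seconds, total_bytes) for every
    src/dst/port triple seen at least min_connections times whose gaps between
    connections are nearly constant (stdev/mean of the gaps <= max_jitter).
    Destination country and payload content are deliberately not consulted."""
    stamps = defaultdict(list)
    volume = defaultdict(int)
    for line in lines:
        ts, src, dst, port, nbytes = parse_flow(line)
        stamps[(src, dst, port)].append(ts)
        volume[(src, dst, port)] += nbytes
    beacons = []
    for key, times in stamps.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            beacons.append((*key, round(period), volume[key]))
    return beacons

if __name__ == "__main__":
    for src, dst, port, period, total in find_beacons(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{port} every ~{period}s, {total} bytes in total")
```

The small total volume reported for the flagged pair matches the page's remark that the data files leaving Belgacom were small; the rule is about regularity, not size.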
well there is a site that collects viruses and has some of the files
this one b269894f434657db2b15949641a67532
couldn't they do a Google search before choosing a name for the espionageware
it was re-analyzed yesterday as the news came out, but the creation date is March 2008
now look at this
probably this is because there have been some problems with some files during a migration to Windows 7 or a Windows 8 server (launched in 2009, but companies mostly wait 2 years before introducing a new system - and this shows why this is in fact a security problem).
and this is probably why it had to be replaced urgently by a newer version, as Symantec writes in its report - it is a DOS executable, and in Windows 7 access to the kernel is rewritten and limited, so all those files that before had unchecked access to the kernel, like in Linux :), lost it... and were sometimes analyzed. And this is also the reason that Belgacom started investigating its mail server, which was behaving strangely after an upgrade.
but not all the files
and on VirusTotal only 44 find them, and some (even big ones) don't
I think that for such important espionageware, antivirus companies that have some info but not all should work together. The whole is more than the sum of its parts.
There are for the moment two positions confronting each other in the debate about VUPEN (in France), the freewheeling seller of zero-day attack tools (that aren't covered yet by antivirus companies)
The military say that VUPEN has crossed the red line and that that 'problem' should be resolved soon, meaning that the French state with all its power will come crashing down on them. VUPEN understands that power and has announced that it will move its offices to Luxembourg and the US (probably because many of its biggest clients, like the NSA, are over there).
On the other side of the table are the spies and the cyber attackers/defenders who say that in a war of shadows like this you can't let this kind of knowledge and these kinds of tools leave for nations that could be your attackers some day (or are already attacking you).
this article in French is a really good read (use Google Translate) http://lexpansion.lexpress.fr/high-tech/les-mercenaires-de-la-cyberguerre
and another one
"Pindrop Security today warned financial institutions and their customers about a telephone scam they've dubbed the "misdial trap."
Fraudsters buy phone numbers similar to legitimate businesses, and pose as that business's customer service line when customers misdial -- not unlike how some fraudsters buy domain names similar to legitimate online businesses and create sites that mimic them, according to Pindrop.
The numbers fraudsters typically choose will have the same first six digits as the legitimate business, with only the final digit changed, or they will have the same seven-digit number but a different area code -- a toll-free number area code, for example. When they hook a customer, they pretend they are customer service for the company in question and request sensitive data from customers -- sometimes offering a free gift card in exchange.
Some 103 of the 600 financial institutions examined by Pindrop Security were affected by the misdial trap
just as domain names should be forbidden to include the household names of banks and other financial services if they aren't operated by them (like Mastercard, Dexia, etc.)
otherwise the problem of vishing (phishing by phone) will only increase
but don't forget that with VoIP it is possible to hijack numbers or to impersonate numbers, because the only thing it takes is a server online (which will disappear once the money is taken)
they are not the one-in-and-out kind of attack
they are deliberate operations that consist of different stages, with as their only goal to get information on a long-term basis with all the necessary rights, and in which it is paramount not to be discovered too fast and to have enough backdoors to get the information without being discovered
it is just like an espionage operation, nothing more - nothing less
1. you drop a file on the computer and wait to see if it passes the defenses and virus analyses and if the user has enough rights to install it (that is why installing files should be the exception for users, not the rule)
2. then you load the files that are in the dropper and start loading them at the next startup, after which it drops its files in the kernel so that they won't be seen by the antivirus (or only very rarely)
3. you start looking at the files of the user, his passwords, his connections and routines, and you start working
The definition of the process by Symantec is a perfect description of an espionage operation
"As outlined in a new technical whitepaper from Symantec, Backdoor.Regin is a multi-staged threat and each stage is hidden and encrypted, with the exception of the first stage. Executing the first stage starts a domino chain of decryption and loading of each subsequent stage for a total of five stages. Each individual stage provides little information on the complete package. Only by acquiring all five stages is it possible to analyze and understand the threat.
this is why I personally think that security people in highly confidential and strategic networks should read and learn more about espionage and espionage operations
this is no different
probably it is even made by an espionage agency and by people who are programmers but who are trained as spies and think like spies and have the same goals, strategies and reflexes as spies
and thus my last quote just proves my case: it is espionageware written by spies for spies
"What makes Regin different is who it attacks. Instead of going only after high-worth targets, Regin attacks many different targets in an attempt to piece together contextual information. Of the 9% of Regin attacks in the hospitality industry, 4% targeted low-level computers, presumably for this information.
“The average person needs to be aware,” O’Murchu says. “A lot of the infections are not the final target. They are third parties providing some extra information to get to a final target. Lot of people think, ‘I don’t have anything of importance, why would anyone get on my computer?’ Ordinary people who may not think they’re targets in fact are.” http://fortune.com/2014/11/23/regin-malware-surveillance/...
this is nothing other but an operation - an intelligence operation