11/26/2014

#regin two important things we are looking in now - while everybody is feeling secure

this based upon analysis of the NSA documents and of information that was leaked during the Belgacom investigation

* we are not sure that there is no more recent version of Regin than the one of 2008 - 2011 and we still have to be sure that the version 2013 was installed before or after discovery and what are the differences between them

* we are not sure either that there is only a windows Regin and that there is no version or no files for the other OS - as you remember the NSA was talking in her slides about a virtual component that was placed on the harddisk BEFORE the OS whatever the OS and that also unix machines were attacked 

there is no clear proof of both things but we are searching 

so don't feel too safe now

because that may have been the intention

remember it is a spyoperation by spies for spies

Permalink | |  Print |  Facebook | | | | Pin it! |

#regin the md5 names of the files according to the phase of the attack and infection

"Stage 1 files, 32 bit:

06665b96e293b23acc80451abb413e50

187044596bc1328efa0ed636d8aa4a5c

1c024e599ac055312a4ab75b3950040a

2c8b9d2885543d7ade3cae98225e263b

4b6b86c7fec1c574706cecedf44abded

6662c390b2bbbd291ec7987388fc75d7

b269894f434657db2b15949641a67532

b29ca4f22ae7b7b25f79c1d4a421139d

b505d65721bb2453d5039a389113b566

26297dc3cd0b688de3b846983c5385e5

ba7bb65634ce1e30c1e5415be3d1db1d

bfbe8c3ee78750c3a520480700e440f8

d240f06e98c8d3e647cbf4d442d79475

ffb0b9b5b610191051a7bdf0806e1e47

Unusual stage 1 files apparently compiled from various public source codes merged with malicious code:

01c2f321b6bfdb9473c079b0797567ba

47d0e8f9d7a6429920329207a32ecc2e

744c07e886497f7b68f6f7fe57b7ab54

db405ad775ac887a337b02ea8b07fddc

Stage 1, 64-bit system infection:

bddf5afbea2d0eed77f2ad4e9a4f044d

c053a0a3f1edcbbfc9b51bc640e808ce

e63422e458afdfe111bd0b87c1e9772c

Stage 2, 32 bit:

18d4898d82fcb290dfed2a9f70d66833

b9e4f9d32ce59e7c4daf6b237c330e25

Stage 2, 64 bit:

d446b1ed24dad48311f287f3c65aeb80

Stage 3, 32 bit:

8486ec3112e322f9f468bdea3005d7b5

da03648948475b2d0e3e2345d7a9bbbb

Stage 4, 32 bit:

1e4076caa08e41a5befc52efd74819ea

68297fde98e9c0c29cecc0ebf38bde95

6cf5dc32e1f6959e7354e85101ec219a

885dcd517faf9fac655b8da66315462d

a1d727340158ec0af81a845abd3963c1

Stage 4, 64 bit:

de3547375fbf5f4cb4b14d53f413c503

Note: Stages 2, 3, and 4 do not appear on infected machines

http://www.spinics.net/lists/security/msg02793.html

Permalink | |  Print |  Facebook | | | | Pin it! |

#regin the samples are coming online but attention

THis is one of the places where samples are being uploaded (I know several people (not me) have a sample of the BGC infection) 

http://malwaretips.com/threads/regin-malware-34-samples.38054/

https://malwr.com/analysis/OTlmYTk1MzA2NjE5NDIxYTgzMWQxOWNhODFmNmRmNDQ/

Just to be sure that you understand what you are up to if you download this 

* there is no clear definition of what a Regin package is, there are several different packages with different plugins and different timestamps so many antiviruses don't see it 

  this means that if you download it your securitydefenses may not discover it or some of the new or additional code and functions. You should therefore only place it in a sandbox and handle it on a nonconnected computer (don't use USB use a CDROM and throw it away or place it somewhere else (absolutely not safe)

* it is not because it is called Regin that it is Regin 

* some of the samples have personal information about their victims and their employees in the logfiles (if you are a legal expert you will have to destroy these files or inform the local police that you seem to have proof of an infection). 

* As the discovery for the latest samples is quite low, antivirus firms will have to go hunting for real and imaginary Regin samples 

* if you don't have the knowledge and tools to handle this atombomb of code, stay far away - you will have seen nothing like this

In my view it is urgent for the big antivirus-securityfirms to set up a working group to collect all the different samples and information to get a whole picture and to be sure that all companies and networks have sufficient protections independent of their antivirus-securitytool. 

Permalink | |  Print |  Facebook | | | | Pin it! |

11/25/2014

suzuki.be hacked by Syrian opposition

Permalink | |  Print |  Facebook | | | | Pin it! |

#Regin Kaspersky publishes the Control Command centers and one is Belgian

https://securelist.com/files/201 ... in_platform_eng.pdf

important the snort rule against Regin  Snort Rules: 32621-32624 

and the command and the control servers were ....... 

C&C IPs:

61.67.114.73 Taiwan, Province Of China Taichung Chwbn

202.71.144.113 India Chetput Chennai Network Operations (team-m.co)

203.199.89.80 India Thane Internet Service Provider

194.183.237.145 Belgium Brussels Perceval S.a.

 

why

because that won't be found suspicous, going to India or Taiwan for traffic going out in Belgacom could have been found suspicous 

remember this is a spy operation so all the classical techniques and reflexes by spies are used - even covering up your tracks ..... 

Permalink | |  Print |  Facebook | | | | Pin it! |

#regin half of the antivirus checkers don't find the 64bits Belgacom variant today

this is the list 24/55 don't find the 64bits Belgacom Regin infection 

AegisLab 20141125 Agnitum 20141124 Antiy-AVL 20141125 Avast 20141125 Avira 20141125 Baidu-International 20141125 Bkav 20141120 ByteHero 20141125 CMC 20141124 ClamAV 20141125 Cyren 20141125 DrWeb 20141125 ESET-NOD32 20141125 F-Prot 20141125 Fortinet 20141125 Jiangmin 20141124 Kingsoft 20141125 Malwarebytes 20141125 McAfee-GW-Edition 20141125 NANO-Antivirus 20141125 Panda 20141125 Qihoo-360 20141125 Rising 20141124 SUPERAntiSpyware 20141125 Tencent 20141125 TheHacker 20141124 TotalDefense 20141125 VBA32 20141125 ViRobot 20141125 Zillya 20141124 Zoner 20141125
https://www.virustotal.com/en/file/4d6cebe37861ace885aa00...

this is also why it is interesting to write 64bits viruses, many antiviruses can't cope with them yet 

so even if an upgrade to 64bits kills millions of 32bits viruses and secures access to your machine it makes it an absolute necessity to close your machine down, harden it and buy a really professional antivirus that works native in an 64bits environment 

Permalink | |  Print |  Facebook | | | | Pin it! |

#regin if you don't have any money for specialists look at FREEno ex Windows defender

especially if you have found the following three or one of them 

and don't forget the servers 

and don't forget to go back into time

http://www.microsoft.com/security/portal/threat/encyclope...

http://www.microsoft.com/security/portal/threat/encyclope...

http://www.microsoft.com/security/portal/threat/encyclope...

http://www.microsoft.com/security/portal/threat/encyclope...

http://www.microsoft.com/security/portal/threat/encyclope...

 

Permalink | |  Print |  Facebook | | | | Pin it! |

#regin everybody is uploading packages to virustotal and some aren't discovered

interesting so you can now how regin is known by your antivirus (or not if you use clamav for example) so you can start looking through the virusalerts to see if you were impacted or not 

https://www.virustotal.com/en/file/f9cfae78e6a79b2136d966...   37/55

https://www.virustotal.com/en/file/9051b74568aae847739ccc...  5/55

https://www.virustotal.com/en/file/87a5329f85e675de4f8c4c...  3/55

and you will find others here 

https://www.virustotal.com/en/file/b12c7d57507286bbbe36d7...

Permalink | |  Print |  Facebook | | | | Pin it! |

#regin everybody knew it now - even some as far as 2003

this the race to backtrack the files and to claim the discovery

probably the package is based on all the older knowledge and all the new things that were tested out at the time or added over time so it is possible that you will find files or code dating long time back and others that are newer or seem more complex 

"The date of origin of Regin seems to be a point of contention in the industry. Symantec claims the malware originated in 2008, Kaspersky Labs’ global research and analysis team reckons early traces of the virus became known in 2003, and a Telecoms.com source from the infosec industry told us that it was around even before then.

 

Finnish security vendor F-Secure says it came across the virus in 2009, and claims it’s a purely cyber-espionage toolkit used for intelligence gathering. “It’s one of the more complex pieces of malware around, and just like many of the other toolkits it also has a long history behind it. We first encountered Regin nearly six years ago in early 2009, when we found it hiding on a Windows server in a customer environment in Northern Europe,” the firm says on its website.

 

The server had shown symptoms of trouble, as it had been occasionally crashing with the infamous Blue Screen of Death. A driver with an innocuous name of ‘pciclass.sys’ seemed to be causing the crashes. Upon closer analysis it was obvious that the driver was in fact a rootkit, more precisely one of the early variants of Regin.”

http://www.telecoms.com/306132/industry-downplays-regin-a...

Permalink | |  Print |  Facebook | | | | Pin it! |

#Regin the examples that was found at Belgacom

1. From previously identified Regin samples, The Intercept developed unique signatures which could identify this toolkit. A zip archive with a sample identified as Regin/Prax was found in VirusTotal, a free, online website which allows people to submit files to be scanned by several anti-virus products. The zip archive was submitted on 2013-06-21 07:58:37 UTC from Belgium, the date identified by Clément. Sources familiar with the Belgacom intrusion told The Intercept that this sample was uploaded by a systems administrator at the company, who discovered the malware and uploaded it in an attempt to research what type of malware it was.

2. Along with other files The Intercept found the output of a forensic tool, GetThis, which is being run on target systems looking for malware. From the content of the GetThis.log file, we can see that a sample called “svcsstat.exe” and located in C:WindowsSystem32 was collected and a copy of it was stored.

The malware in question is “0001000000000C1C_svcsstat.exe_sample ”. This is a 64bit variant of the first stage Regin loader aforementioned.

The archive also contains the output of ProcMon, “Process Monitor”, a system monitoring tool distributed by Microsoft and commonly used in forensics and intrusion analysis.

This file identifies the infected system and provides a variety of interesting information about the network. For instance:

USERDNSDOMAIN=BGC.NET

USERDOMAIN=BELGACOM

USERNAME=id051897a

USERPROFILE=C:Usersid051897a

The following environment variable shows that the system was provided with a Microsoft SQL server and a Microsoft Exchange server, indicating that it might one of the compromised corporate mail server Fabrice Clément mentioned to Mondiaal News:

Path=C:Program FilesLegatonsrbin;C:Windowssystem32;C:Windows;C:WindowsSystem32Wbem;C:WindowsSystem32WindowsPowerShellv1.0;C:Program FilesMicrosoft Network Monitor 3;C:Program FilesSystem Center Operations Manager 2007;c:Program Files (x86)Microsoft SQL Server90Toolsbinn;D:Program FilesMicrosoftExchange Serverbin

3. Below is a list of hashes for the files The Intercept is making available for download. Given that that it has been over a year since the Belgacom operation was publicly outed, The Intercept considers it likely that the GCHQ/NSA has replaced their toolkit and no current operations will be affected by the publication of these samples.

https://firstlook.org/theintercept/2014/11/24/secret-regi...

the same article gives more information about the loaders and why they think it was this virus that attacked Belgacom it also seem that some sources in Belgacom are leaking again and have forgotten about their NDA except if it is a hidden policy. 

the second thing is that it seems as if people during the discovery phase have used online tools which leaves traces to identity the problem. For a critical environment like Belgacom during an Espionage attack this is like hanging a banner outside : we have found you. 

De Standaard will be publishing more information it seems in the coming weeks. Well, now I understand something...... 

We always said it was an intelligence operation and we always said that there were problems with the certificates of some files. We only have to wait to be proven right. And for that we didn't have contact with leakers. 

Now that all that information is out in the open it is time for BIPT to make a real technical file.

That Intercept thinks that all the files have been replaced is wishful thinking except if they gave the intelligence services a head-start by informing some one that this information would be published at a certain date so they could go into overdrive. But even than there may be security and networkmanagment tools that will have a trace for the filenames and other events on the network or on the servers.

Permalink | |  Print |  Facebook | | | | Pin it! |

#regin, Belgacom and the #nsa and what we should know

it is always the same song in Belgium. Once there is an attack or hack, they file a complaint with the FCCU as they should and than they can't say anything more. The justice department, the FCCU and the CERT will need to set up some technical information exchange to be sure that technical information about (identified) hacks gets distributed in time to other possible victims just to warn them that it can happen. 

There is for the moment even no Federal Cybercrime or Cybersecurity Center under the prime minister who could organize that and take responsability. 

The Belgacomvirus or #regin files - and it is not because some of the files are the same that the whole set is the same - were rumoured to be NATO secret level 3 and afterwards were said to be handed over with other information to the BIPT. Some people who should have known in Belgium tell me they didn't and were surprised to read in the newspaper that all critical infrastructure was informed about the technical details of the attack and which things to look out for in their firewalls and security appliances. 

Belgacom does repeat the same thing today.

So this leaves two questions. 

Or it are the same files and Belgacom has cleaned it up and found them and is sure that they didn't come back - even in their 2013 version. Than everything is fine for Belgacom and they just have to keep up the same vigilance and determination. But if Belgacom says that it are exactly the same files than it has to say this clearly so there is no doubt whatsoever. They will probably say that they can't say this because it would 'interfere' with the investigation which is stupid because we know a lot more technical details about any other criminal investigation before the trial starts (if there is going to be anyday a trial here). 

SO BELGACOM - IS IT OR ISN'T IT.  If it isn't you know you will have to go rechecking - although as a good securitypractice you will restart your checking anyway. 

When are we going to have that information ? I know a lot of people who are responsable for enormous networks and enormous sets of data who have no data about what they are talking about when the BIPT says that everybody has received the necessary information ? Does this means that all the banks, all the international organisations in Belgium, all the energy networks, all the governmental agencies that handle secret or important information were informed ? All the ISP and telecom operators ? 

SO BIPT as more and more information is in the open and some of the files are now being found online and will be assembled in the near time as now a whole community of people starts a hunt for them (for sure they are already at virustotal) when are you going to release more information. Or are there diplomatic or other reasons for which that information can't be published. By not publishing it you confirm this. 

Permalink | |  Print |  Facebook | | | | Pin it! |

#Regin and Belgacom what we know and what we don't

Some of the functions and protocols are explained in this earlier presentation at Hack.lu It is also important here to read how one gets information from an internetblocked computer (with probably highlevel information) to an internetconnected computer in a network. The extraction methods are also interesting because in Belgacom the extracted information was encrypted and went for that reason undetected as encrypted traffic was maybe just like in many network trusted - especially if they come from inside the network.

We know that the Regin files by Symantec are not complete and that they only have part of all the files.   

   Inside the Snowden files you find documentation about a bootkit that also works on Linux because it attacks the hardware and not the software on the machine. (This is why it is important to encrypt all the free room on your harddisk so you can't normally install nothing new on the machine - or not without alerting the securitystaff if you have installed those eventloggers). 

So it is not clear at the moment if there are Linux files somewhere. We know by now that it is not hard to take total control over a the root and boot of a Linuxserver and several viruses doing exactly that (and through USB in Apple) have done the rights the last couple of months. 

We know that the Microsoft Regin files had several urgent updates (2008 - 2011) and we know that there have been rumours about problems and infections and not being sure of the data of infection well before the official data that Microsoft officially said it was an infection when they came finally to examine the troubled mailserver.  We know that the Regin files had a 32bits version and a 64bits version and that around that from 2011 onwards many organisations and industries were moving to 64bits only (to kill all the 32bits viruses in one upgrade). This change has also an impact on the access to the root and may explain the problems. The Snowden files talk about 2008 as the data of penetration (which is also the first set of files). 

We know that the Reginfiles had falsified Microsoft certificates or signatures of some files and that for those for which that wasn't possible they posed as a help file of an official Microsoft file in the kernel-root and had access to the root through this helpfile who had access to the kernel-root file. We know that in Belgacom they were talking about Microsoft signed files.  This poses in fact huge problems for Microsoft and the way in which it wants to certifiy the files that are written by Microsoft and that are certified by Microsoft. 

We know that the Belgacom operation was an intelligence operation and that only very limited information was effectively transferred as the datafiles were small (which was astonishing) It could be that they had larger files at the start of the operation (to have a list of all the employees or of the infrastructure) but as nobody is sure about the data of the first infection there is no way to be sure. As the GRX routers for the GSM traffic throughout the BICS-Belgacom network were the target, we presume it was the metadata for certain high profile GSM numbers that were on the terrorist target list. It is so no wonder that the software that is used in such an operation is built by spies for spies to be able to.... spy.

Permalink | |  Print |  Facebook | | | | Pin it! |

11/24/2014

#regin if you are looking for the files to analyze

well there is a site that collects viruses and has some of the files

http://virusshare.com/hashes/VirusShare_00018.md5

this one b269894f434657db2b15949641a67532

 

Permalink | |  Print |  Facebook | | | | Pin it! |

#regin some companies have a problem now with their name

couldn't they do a google search before searching for a name for the espionageware

Permalink | |  Print |  Facebook | | | | Pin it! |

#regin it took 3 years to discover first versions (2008 - 2011)

https://www.virustotal.com/nl/file/e1ba03a10a40aab909b2ba58dcdfd378b4d264f1f4a554b669797bbb8c8ac902/analysis/

it was re-analyzed yesterday as the news came out but the creation data is in march 2008

now look at this

probably this will be because there has been some problems with some files during a migration to windows7 or server windows8 (launched in 2009 but companies mostly wait 2 years before introducing a new system - and this shows why this is in fact a securityproblem).

and this is probably why it had to be replaced urgently by a newer version as Symantec writes in her report - it is an DOS executable and in windows7 the access to the kernel is rewritten and limited and so all those files that before had unchecked access to the kernel like in Linux :) lost it ..... and sometimes were analyzed.  And this is also the reason that Belgacom started investigation its mailserver that after an upgrade was behaving strangely.

Permalink | |  Print |  Facebook | | | | Pin it! |

#regin Sophos saw some versions already in 2011

but not all the files

and in virustotal only 44 find them and some (even big ones) don't

https://www.virustotal.com/nl/file/e1ba03a10a40aab909b2ba...

I think that for such important espionageware antivirus companies that have some info but not all should work together. The whole is more than the sum of parts.

Permalink | |  Print |  Facebook | | | | Pin it! |

war of words in France about VUPEN

There are for the moment two strategies that are confronting each other in the debate about the freewheeling seller of zeroday attacktools (that aren't covered yet by antivirus companies) VUPEN (in France)

The military say that VUPEN has crossed the red line and that that 'problem' should be revolved soon, meaning that the French state with all its power will come crushing down on them. Vupen understands that power and has announced that they will deplace their offices to Luxembourg and the US (probably because many of there biggest clients like the NSA are over there).

At the other side of the table are the spies and the cyberattackers/defenders who say that in a war of shadows like this you can't let this kind of knowledge and these kind of tools leave to nations that could be your attackers some day (or already are attacking you).

this article in french is a really good read (use google translate) http://lexpansion.lexpress.fr/high-tech/les-mercenaires-de-la-cyberguerre

Permalink | |  Print |  Facebook | | | | Pin it! |

the most beautiful attack-art of digital attacks against the US (you couldn't make it up)

Embedded image permalink

and another one

Permalink | |  Print |  Facebook | | | | Pin it! |

11/23/2014

this is why financial and governmental institutions need a protected range of phonenumbers

"Pindrop Security today warned financial institutions and their customers about a telephone scam they've dubbed the "misdial trap."

 

Fraudsters buy phone numbers similar to legitimate businesses, and pose as that business's customer service line when customers misdial -- not unlike how some fraudsters buy domain names similar to legitimate online businesses and create sites that mimic them, according to Pindrop.

 

The numbers fraudsters typically choose will have the same first six digits as the legitimate business, with only the final digit changed, or they will have the same seven-digit number but a different area code -- a toll-free number area code, for example.When they hook a customer, they pretend they are customer service for the company in question and request sensitive data from customers -- sometimes offering a free gift card in exchange.

 

Some 103 of the 600 financial institutions examined by Pindrop Security were affected by the misdial trap
http://www.darkreading.com/attacks-breaches/misdial-trap-...

just as domainnames should be forbidden to include the household names of banks and other financial services if they aren't operated by them (like mastercard, dexia, etc....)

otherwise the problem of vishing will only increase (phishing by phone)

but don't forget with VOIP it is possible to hijack numbers or to impersonate numbers because the only thing it takes is a server online (which will disappear once the money is taken)

Permalink | |  Print |  Facebook | | | | Pin it! |

#regin is a perfect example of why espionageware attacks are 'OPERATIONS'

they are not the one in and out attack

they are deliberate operations that consist of different stages with as only goal to get information on a longterm basis with all the necessary rights and in which it is paramount not to be discovered too fast and to have enough backdoors to get the information without being discovered

it is just like an espionage operation, nothing more - nothing less

1. you drop a file on the computer and wait to see if it passes the defenses and virusanalyses and if the user has enough rights to install it (that is why installing files should be the exception for users, not the rule)

2. than you load the files that are in the dropper and you start loading them with the next startup after which it drops its files in the kernel so that they won't be seen by the antivirus (or very rarely)

3. you start looking at the files of the user, his passwords, his connections and routines and you start working

The definition of the process by Symantec is a perfect description of an espionage operation

"As outlined in a new technical whitepaper from Symantec, Backdoor.Regin is a multi-staged threat and each stage is hidden and encrypted, with the exception of the first stage.  Executing the first stage starts a domino chain of decryption and loading of each subsequent stage for a total of five stages.  Each individual stage provides little information on the complete package. Only by acquiring all five stages is it possible to analyze and understand the threat.
http://www.symantec.com/connect/blogs/regin-top-tier-espi...

 

this is why I personally think that securitypeople in highly confidential and strategic networks should read and learn more about espionage and espionage operations

this is no different

probably it is even made by an espionage agency and by people who are programmers but who are trained as spies and think like spies and have the same goals and strategies and reflexes like spies

and thus my last quote just proofs my case, it is espionageware written by spies for spies

"What makes Regin different is who it attacks. Instead of going only after high-worth targets, Regin attacks many different targets in an attempt to piece together contextual information. Of the 9% of Regin attacks in the hospitality industry, 4% targeted low-level computers, presumably for this information.

“The average person needs to be aware,” O’Murchu says. “A lot of the infections are not the final target. They are third parties providing some extra information to get to a final target. Lot of people think, ‘I don’t have anything of importance, why would anyone get on my computer?’ Ordinary people who may not think they’re targets in fact are.”http://fortune.com/2014/11/23/regin-malware-surveillance/...

this is nothing other but an operation - an intelligence operation

Permalink | |  Print |  Facebook | | | | Pin it! |