interesting, so you can now see how regin is known by your antivirus (or not, if you use clamav for example) and you can start looking through the virus alerts to see if you were impacted or not
and you will find others here
this is the race to backtrack the files and to claim the discovery
probably the package is based on all the older knowledge and all the new things that were tested out at the time or added over time, so it is possible that you will find files or code dating a long time back and others that are newer or seem more complex
"The date of origin of Regin seems to be a point of contention in the industry. Symantec claims the malware originated in 2008, Kaspersky Labs’ global research and analysis team reckons early traces of the virus became known in 2003, and a Telecoms.com source from the infosec industry told us that it was around even before then.
Finnish security vendor F-Secure says it came across the virus in 2009, and claims it’s a purely cyber-espionage toolkit used for intelligence gathering. “It’s one of the more complex pieces of malware around, and just like many of the other toolkits it also has a long history behind it. We first encountered Regin nearly six years ago in early 2009, when we found it hiding on a Windows server in a customer environment in Northern Europe,” the firm says on its website.
“The server had shown symptoms of trouble, as it had been occasionally crashing with the infamous Blue Screen of Death. A driver with an innocuous name of ‘pciclass.sys’ seemed to be causing the crashes. Upon closer analysis it was obvious that the driver was in fact a rootkit, more precisely one of the early variants of Regin.”
1. From previously identified Regin samples, The Intercept developed unique signatures which could identify this toolkit. A zip archive with a sample identified as Regin/Prax was found in VirusTotal, a free, online website which allows people to submit files to be scanned by several anti-virus products. The zip archive was submitted on 2013-06-21 07:58:37 UTC from Belgium, the date identified by Clément. Sources familiar with the Belgacom intrusion told The Intercept that this sample was uploaded by a systems administrator at the company, who discovered the malware and uploaded it in an attempt to research what type of malware it was.
2. Along with other files The Intercept found the output of a forensic tool, GetThis, which is being run on target systems looking for malware. From the content of the GetThis.log file, we can see that a sample called “svcsstat.exe” and located in C:\Windows\System32 was collected and a copy of it was stored.
The malware in question is “0001000000000C1C_svcsstat.exe_sample”. This is a 64bit variant of the first stage Regin loader aforementioned.
The archive also contains the output of ProcMon, “Process Monitor”, a system monitoring tool distributed by Microsoft and commonly used in forensics and intrusion analysis.
This file identifies the infected system and provides a variety of interesting information about the network. For instance:
The following environment variable shows that the system was provided with a Microsoft SQL server and a Microsoft Exchange server, indicating that it might be one of the compromised corporate mail servers Fabrice Clément mentioned to Mondiaal News:
Path=C:\Program Files\Legato\nsr\bin;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0;C:\Program Files\Microsoft Network Monitor 3;C:\Program Files\System Center Operations Manager 2007;c:\Program Files (x86)\Microsoft SQL Server\90\Tools\binn;D:\Program Files\Microsoft\Exchange Server\bin
3. Below is a list of hashes for the files The Intercept is making available for download. Given that it has been over a year since the Belgacom operation was publicly outed, The Intercept considers it likely that the GCHQ/NSA has replaced their toolkit and no current operations will be affected by the publication of these samples.
the same article gives more information about the loaders and why they think it was this virus that attacked Belgacom. it also seems that some sources in Belgacom are leaking again and have forgotten about their NDA, unless it is a hidden policy.
the second thing is that it seems as if people during the discovery phase have used online tools which leave traces that identify the problem. For a critical environment like Belgacom during an espionage attack this is like hanging a banner outside: we have found you.
De Standaard will be publishing more information it seems in the coming weeks. Well, now I understand something......
We always said it was an intelligence operation and we always said that there were problems with the certificates of some files. We only have to wait to be proven right. And for that we didn't have contact with leakers.
Now that all that information is out in the open it is time for BIPT to make a real technical file.
That the Intercept thinks that all the files have been replaced is wishful thinking, unless they gave the intelligence services a head start by informing someone that this information would be published at a certain date so they could go into overdrive. But even then there may be security and network management tools that will have a trace of the filenames and other events on the network or on the servers.
they wanted the removal of certain postings and in fact wanted the total removal of this blog
they said that taking screenshots and linking to the data dumps is illegal
the references and screenshots concerned in the postings mentioned have therefore been removed and it has been noted that this was done because of a complaint with skynetblogs
these complaints are, by the way, always followed up
but don't fool yourself
this data is only a drop in the ocean compared to the data online
and there is nobody in Belgium who follows up on these data leaks in a systematic way, and the CERT that should be doing it is so understaffed and overloaded that it can't even handle these datasets
it doesn't take much effort to find them, by the way (I use a couple of sites and a few google dorks) and it isn't about thousands of .be mail addresses but in the worst case a few dozen in a week (unless Rex Mundi is active again)
It would only cost a few thousand euros to monitor this efficiently, plus a small application to notify the victims immediately after the automatic discovery. But there is money for big studies about what has already been studied.
by the way, what is Mensura going to do about the more than 400 downloads of the data that have already taken place
I would say, nice try Mensura, but there are more important things to keep yourself busy with
e.g. how do you explain that your certificate is still broken, that your form for sickness checks still isn't behind a protected login page, that you still ask for the national register number (Rijksregisternummer) of the person to be checked (who therefore does NOT know this and has NOT given consent for it) and that the 'more info' section (where all those scandalous indelible comments were) is still there too
even though you have known since the leak, which you NEVER announced on your blog (unless as maintenance work on Sunday, but without specifying), that there are three big problems with that form
* it is not protected by a login screen
* it contains personal info for which the owner of that info has not given permission (national register)
* it is not only on the internet but it has deficient encryption and it had an SQL injection (which was not tested despite the fact that these are in the OWASP top 10)
and if that is the fault of your service providers, then you are better off looking for another one and filing a complaint against them
btw there are numerous blogs, forums and twitter streams that do nothing else than report and link to new data dumps on the internet - it is even through such a twitter stream that I found on Saturday the information you were trying to hide.
By the way, if lawyers are preparing a complaint they will have had this information for a long time already.
#NSA stop hacking our telecom infrastructure and get a global surveillance permission for REAL terrorists
If the NSA hacks telecom infrastructure worldwide it is because it wants to get the information without having to go through court to get it and because it thinks this is more effective and faster. The latter is more evident than the first because you won't be able to present this information in court (although many of the presumed terrorists are now killed by Drones before they ever get to see a real court).
But this poses some big problems and can also create diplomatic and other difficulties, even if the different intelligence agencies need information from the NSA to be able to react fast enough to dangers yet unknown to them. So they are like two scorpions in a bottle who will only get out if they help each other out.
This is only possible if there is a European agreement that a number of people or organisations can be tracked and monitored throughout the European Union without having to present an individual court order in each of these countries. We already have Europol that can coordinate this and it needs the necessary supervision.
The only problem here is mission creep and the only way to stop mission creep is that the list may, for example, never be bigger than 100. This means that there is no way this system can be turned into a global surveillance tool, but that it is fast and general only for the most important terrorist suspects or contacts that need to be followed anywhere. The terror watchlist of nearly half a million people is a perfect example of this.
It is by going after the real leaders and organizers one by one that one can limit the operational possibilities of a terrorist organisation, because they can't be replaced as easily as another disgruntled fighter taking up the gun or bomb of his fallen comrade in arms. And to do that you need the top 100 track list throughout the US, Europe and the partners.
Nobody seriously has a problem with tracking the most dangerous terrorists but many people have a problem with the fact that some want to watch everybody all the time as if they all can turn into a terrorist one day.
And if the intelligence agencies have an instrument by which they can concentrate their resources on immediate dangers and the biggest organizers they can submit court orders for all the rest if they still need it.
it is always the same song in Belgium. Once there is an attack or hack, they file a complaint with the FCCU as they should and then they can't say anything more. The justice department, the FCCU and the CERT will need to set up some technical information exchange to be sure that technical information about (identified) hacks gets distributed in time to other possible victims, just to warn them that it can happen.
There is for the moment not even a Federal Cybercrime or Cybersecurity Center under the prime minister that could organize that and take responsibility.
The Belgacom virus or #regin files - and it is not because some of the files are the same that the whole set is the same - were rumoured to be NATO secret level 3 and afterwards were said to have been handed over with other information to the BIPT. Some people who should have known in Belgium tell me they didn't and were surprised to read in the newspaper that all critical infrastructure was informed about the technical details of the attack and which things to look out for in their firewalls and security appliances.
Belgacom does repeat the same thing today.
So this leaves two questions.
Either they are the same files and Belgacom has cleaned them up and found them and is sure that they didn't come back - even in their 2013 version. Then everything is fine for Belgacom and they just have to keep up the same vigilance and determination. But if Belgacom says that they are exactly the same files then it has to say this clearly so there is no doubt whatsoever. They will probably say that they can't say this because it would 'interfere' with the investigation, which is stupid because we know a lot more technical details about any other criminal investigation before the trial starts (if there is ever going to be a trial here).
SO BELGACOM - IS IT OR ISN'T IT. If it isn't, you know you will have to go rechecking - although as a good security practice you will restart your checking anyway.
When are we going to have that information ? I know a lot of people who are responsible for enormous networks and enormous sets of data who have no idea what the BIPT is talking about when it says that everybody has received the necessary information. Does this mean that all the banks, all the international organisations in Belgium, all the energy networks, all the governmental agencies that handle secret or important information were informed ? All the ISPs and telecom operators ?
SO BIPT, as more and more information is in the open and some of the files are now being found online and will be assembled in the near future as a whole community of people starts a hunt for them (for sure they are already on virustotal), when are you going to release more information ? Or are there diplomatic or other reasons why that information can't be published ? By not publishing it you confirm this.
Some of the functions and protocols are explained in this earlier presentation at Hack.lu. It is also important here to read how one gets information from an internet-blocked computer (with probably high-level information) to an internet-connected computer in a network. The extraction methods are also interesting because in Belgacom the extracted information was encrypted and for that reason went undetected, as encrypted traffic was maybe, just like in many networks, trusted - especially if it comes from inside the network.
We know that the Regin files by Symantec are not complete and that they only have part of all the files.
Inside the Snowden files you find documentation about a bootkit that also works on Linux because it attacks the hardware and not the software on the machine. (This is why it is important to encrypt all the free room on your hard disk so you normally can't install anything new on the machine - or not without alerting the security staff if you have installed those event loggers).
So it is not clear at the moment if there are Linux files somewhere. We know by now that it is not hard to take total control over the root and boot of a Linux server and several viruses doing exactly that (and through USB on Apple) have done the rounds the last couple of months.
We know that the Microsoft Regin files had several urgent updates (2008 - 2011) and we know that there have been rumours about problems and infections, and about not being sure of the date of infection, well before the official date on which Microsoft officially said it was an infection when they finally came to examine the troubled mail server. We know that the Regin files had a 32-bit version and a 64-bit version and that from around 2011 onwards many organisations and industries were moving to 64-bit only (to kill all the 32-bit viruses in one upgrade). This change also has an impact on the access to the root and may explain the problems. The Snowden files talk about 2008 as the date of penetration (which is also the first set of files).
We know that the Regin files had falsified Microsoft certificates or signatures on some files and that for those for which that wasn't possible they posed as a help file of an official Microsoft file in the kernel-root and got access to the root through this help file, which had access to the kernel-root file. We know that in Belgacom they were talking about Microsoft-signed files. This in fact poses huge problems for Microsoft and the way in which it wants to certify the files that are written by Microsoft and that are certified by Microsoft.
We know that the Belgacom operation was an intelligence operation and that only very limited information was effectively transferred, as the data files were small (which was astonishing). It could be that they had larger files at the start of the operation (to have a list of all the employees or of the infrastructure) but as nobody is sure about the date of the first infection there is no way to be sure. As the GRX routers for the GSM traffic throughout the BICS-Belgacom network were the target, we presume it was the metadata for certain high-profile GSM numbers that were on the terrorist target list. It is so no wonder that the software used in such an operation is built by spies for spies to be able to.... spy.
well there is a site that collects viruses and has some of the files
this one b269894f434657db2b15949641a67532
couldn't they do a google search before choosing a name for the espionageware
it was re-analyzed yesterday as the news came out but the creation date is in march 2008
now look at this
probably this will be because there have been some problems with some files during a migration to windows7 or server windows8 (launched in 2009, but companies mostly wait 2 years before introducing a new system - and this shows why this is in fact a security problem).
and this is probably why it had to be replaced urgently by a newer version, as Symantec writes in its report - it is a DOS executable and in windows7 the access to the kernel is rewritten and limited, so all those files that before had unchecked access to the kernel, like in Linux :), lost it ..... and sometimes were analyzed. And this is also the reason that Belgacom started investigating its mail server, which after an upgrade was behaving strangely.
but not all the files
and in virustotal only 44 find them and some (even big ones) don't
I think that for such important espionageware antivirus companies that have some info but not all should work together. The whole is more than the sum of parts.
year old story of massive tapping and filtering of the internet by gchq comes back with Cable and Wireless
First it is said that this series of articles is based upon new documents. it would be interesting to know which kind of documents. Do they come from Snowden or from a part of his archive that is probably now in the hands of many more people than we can imagine ? Or is there another source in the UK ?
Secondly it builds upon something that we already know. The program 'mastering the internet' and the role of gchq were already researched and written about a year ago.
this is one of the best articles if you want an overview and be sure that you take your time to read it because it is all legal according to British law and the new British laws on intelligence will even broaden these capabilities.
Now it seems that Cable and Wireless is one of the companies that was working closely with the gchq to give it all the possible means to filter and intercept as much information as was possible. We are talking about petabytes of information.
Now Vodafone seems to have inherited the program when it bought Cable and Wireless and it is not clear if they are fully informed about the top-secret programs. In such big companies such arrangements can also be made between people without the full knowledge of the hierarchy, which sometimes just doesn't want to know.
and as this is probably the case, everything you read in the article is a logical consequence of this. It is the same process when US firms work together with the NSA or other telecom companies with their respective intelligence agencies
the fear to miss something and the absolute trust that is put into technology to give you that (false) assurance is sometimes much bigger than common sense and good intelligence strategies
There are for the moment two strategies confronting each other in the debate about the freewheeling seller of zero-day attack tools (that aren't covered yet by antivirus companies) VUPEN (in France)
The military say that VUPEN has crossed the red line and that that 'problem' should be resolved soon, meaning that the French state with all its power will come crashing down on them. Vupen understands that power and has announced that they will relocate their offices to Luxembourg and the US (probably because many of their biggest clients like the NSA are over there).
On the other side of the table are the spies and the cyberattackers/defenders who say that in a war of shadows like this you can't let this kind of knowledge and these kinds of tools go to nations that could be your attackers some day (or already are attacking you).
this article in french is a really good read (use google translate) http://lexpansion.lexpress.fr/high-tech/les-mercenaires-de-la-cyberguerre
they were wise enough to organize elections and to have a real democracy a year later
meanwhile many of these #maidan defense units have now been fighting and dying in the donbass against the Russian invaders
but Ukraine has found back its unity, its history and its future
not all the people in the documentary are as 'nice' and democratic as we would like them to be - but in the face of death and violence you don't ask the political opinions of the person fighting next to you - that is for afterwards (and the elections have reduced the influence of the rightwing radicals to minimalist proportions)
even if Putin wanted it otherwise and hoped they would win a bigger margin or a majority because of his incursions and permanent bombardments
and another one
First, the riots during the first big demonstration in Brussels were the result of two unforeseen factors
* the riots broke out at the beginning of the demonstration and not at the end of it, as every playbook will tell you and as has always been the case in Belgium. This made it extremely hard for the police to intervene 'en force'.
* as there had been no big riots in Belgium for the last 20 years, neither the police nor the organizers had planned for this because the probability of such riots was minimal. What both didn't really understand - like the media - is how angry people are over here and that some people want to show this in some particular (but unacceptable) way..... The last three weeks we have been daily bombarded with bad news for people who earn their wages from working.
This was the reason that there was also no real internal 'service d'ordre' that could isolate such elements, coordinate with the police and try to push back onlookers and keep a distance between the demonstration and the riots.
so since then the governmental parties and the media have kept up the pressure - making it sound as if we are heading for some kind of civil war, with rumours without any substance about hooligans from Holland coming over and other hardened groups coming to Antwerp. The NVA mayor has mobilized all possible police forces and is anxiously awaiting the first incident 'to intervene', as he has declared in the press.
and the media went along with it, with some so-called political analysts playing megaphone
and comments in other papers like: everything is calm, but for how long, when will the street battles begin
how sad they will be that the whole of the big industrialised Port of Antwerp and other industrial zones are going nearly totally down, being blocked where they should have been blocked (at the entrance), and there will be no riots (if everything goes to plan) unless DeWever sends his troops to clear the streets and break the strike.
He has set a trap for the unions in Antwerp (demonstrate and I will intervene with all my forces after the first stone) but there is now a trap for him (you have all those forces and we are blocking everything that is economically important in Antwerp, so come and show that you want to break a strike).
at the end of the day we will know who won or if it is just remise (chess)
we will have another 4 days of strikes before the holidays
the media and the public officials should tone down their wartalk. There is no war, there is a show of force and determination. War is in Ukraine. That is war. Every day since a year.
"Pindrop Security today warned financial institutions and their customers about a telephone scam they've dubbed the "misdial trap."
Fraudsters buy phone numbers similar to legitimate businesses, and pose as that business's customer service line when customers misdial -- not unlike how some fraudsters buy domain names similar to legitimate online businesses and create sites that mimic them, according to Pindrop.
The numbers fraudsters typically choose will have the same first six digits as the legitimate business, with only the final digit changed, or they will have the same seven-digit number but a different area code -- a toll-free number area code, for example. When they hook a customer, they pretend they are customer service for the company in question and request sensitive data from customers -- sometimes offering a free gift card in exchange.
Some 103 of the 600 financial institutions examined by Pindrop Security were affected by the misdial trap
just as domain names should be forbidden to include the household names of banks and other financial services if they aren't operated by them (like mastercard, dexia, etc....)
otherwise the problem of vishing (phishing by phone) will only increase
but don't forget with VOIP it is possible to hijack numbers or to impersonate numbers because the only thing it takes is a server online (which will disappear once the money is taken)
first look at the countries that are NOT in this table
then which countries are NOT in that list ?
and which countries are enormously interested in what passes through Mobile towers and phone companies ?
Belgacom and some other telephone companies may have some scanning to do just to be sure that they aren't impacted. Belgacom is very interesting for a spy because it has so many telephone firms and alliances in so many countries of which a few are very interesting for any espionage agency that follows presumed or real terrorists and their networks and supporters.
they are not the one-in-and-out attack
they are deliberate operations that consist of different stages, with as the only goal to get information on a long-term basis with all the necessary rights, and in which it is paramount not to be discovered too fast and to have enough backdoors to get the information without being discovered
it is just like an espionage operation, nothing more - nothing less
1. you drop a file on the computer and wait to see if it passes the defenses and virus analyses and if the user has enough rights to install it (that is why installing files should be the exception for users, not the rule)
2. then you load the files that are in the dropper and you start loading them at the next startup, after which it drops its files in the kernel so that they won't be seen by the antivirus (or very rarely)
3. you start looking at the files of the user, his passwords, his connections and routines and you start working
The definition of the process by Symantec is a perfect description of an espionage operation
"As outlined in a new technical whitepaper from Symantec, Backdoor.Regin is a multi-staged threat and each stage is hidden and encrypted, with the exception of the first stage. Executing the first stage starts a domino chain of decryption and loading of each subsequent stage for a total of five stages. Each individual stage provides little information on the complete package. Only by acquiring all five stages is it possible to analyze and understand the threat.
this is why I personally think that security people in highly confidential and strategic networks should read and learn more about espionage and espionage operations
this is no different
probably it is even made by an espionage agency and by people who are programmers but who are trained as spies and think like spies and have the same goals and strategies and reflexes like spies
and thus my last quote just proves my case, it is espionageware written by spies for spies
"What makes Regin different is who it attacks. Instead of going only after high-worth targets, Regin attacks many different targets in an attempt to piece together contextual information. Of the 9% of Regin attacks in the hospitality industry, 4% targeted low-level computers, presumably for this information.
“The average person needs to be aware,” O’Murchu says. “A lot of the infections are not the final target. They are third parties providing some extra information to get to a final target. Lot of people think, ‘I don’t have anything of importance, why would anyone get on my computer?’ Ordinary people who may not think they’re targets in fact are.”http://fortune.com/2014/11/23/regin-malware-surveillance/...
this is nothing other but an operation - an intelligence operation
and this explains why some were not discovered anyway by the 52 security tools that analyzed them 3 hours ago
https://www.virustotal.com/nl/file/7d38eb24cf5644e090e45d5efa923aff0e69a600fb0ab627e8929bb485243926/analysis/ 30 discovery
https://www.virustotal.com/nl/file/40c46bcab9acc0d6d235491c01a66d4c6f35d884c19c6f410901af6d1e33513b/analysis/ 37 discovery
https://www.virustotal.com/nl/file/a7e3ad8ea7edf1ca10b0e5b0d976675c3016e5933219f97e94900dea0d470abe/analysis/ 28/43 3 years 4 months (2011)
https://www.virustotal.com/nl/file/f1d903251db466d35533c28e3c032b7212aa43c8d64ddf8c5521b43031e69e1e/analysis/ 4/42 2 years
https://www.virustotal.com/nl/file/9cd5127ef31da0e8a4e36292f2af5a9ec1de3b294da367d7c05786fe2d5de44f/analysis/ 23/48 1 year ago
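if you want to do what the first line of this post suggests, looking through your own machines for these files, the hashes in the virustotal links above (and the md5 quoted earlier) are enough to do it offline, without uploading anything to a public scanner and hanging that banner outside. The script below is an added example, not code from the post or from any vendor: it hashes every file under a directory in chunks and reports the ones whose digest is in the indicator set. The indicator values are the ones quoted in this post; the `demo()` function builds a few constructed files in a temporary directory (one named after the svcsstat.exe sample from the GetThis log, but containing harmless text, with its own hash added to the set so the scan finds something).

```python
import hashlib
import tempfile
from pathlib import Path

# SHA-256 hashes taken from the VirusTotal links quoted in this post, plus the
# MD5 quoted earlier for the sample found on the virus-collection site.
REGIN_SHA256 = {
    "7d38eb24cf5644e090e45d5efa923aff0e69a600fb0ab627e8929bb485243926",
    "40c46bcab9acc0d6d235491c01a66d4c6f35d884c19c6f410901af6d1e33513b",
    "a7e3ad8ea7edf1ca10b0e5b0d976675c3016e5933219f97e94900dea0d470abe",
    "f1d903251db466d35533c28e3c032b7212aa43c8d64ddf8c5521b43031e69e1e",
    "9cd5127ef31da0e8a4e36292f2af5a9ec1de3b294da367d7c05786fe2d5de44f",
}
REGIN_MD5 = {"b269894f434657db2b15949641a67532"}


def hash_bytes(data: bytes) -> dict:
    """MD5 and SHA-256 hex digests of an in-memory blob (small files, test data)."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def hash_file(path: Path, chunk_size: int = 1 << 20) -> dict:
    """Hash a file in chunks so large binaries never have to fit in memory."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def match_iocs(digests: dict, sha256_set=REGIN_SHA256, md5_set=REGIN_MD5) -> list:
    """Which indicator lists the digests appear in (empty list = no match)."""
    hits = []
    if digests["sha256"] in sha256_set:
        hits.append("sha256")
    if digests["md5"] in md5_set:
        hits.append("md5")
    return hits


def scan_tree(root: Path, sha256_set=REGIN_SHA256, md5_set=REGIN_MD5) -> list:
    """Walk a directory tree; return (path, sha256, matched_lists) for every hit.
    Unreadable files (locked, permission denied) are skipped rather than fatal:
    on a live server that is the normal case for a few system files."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        try:
            digests = hash_file(path)
        except OSError:
            continue
        hits = match_iocs(digests, sha256_set, md5_set)
        if hits:
            findings.append((str(path), digests["sha256"], hits))
    return findings


def demo() -> list:
    """Offline run on constructed files: one harmless text file and one stand-in
    named after the svcsstat.exe sample from the GetThis log. The stand-in's own
    hash is added to the indicator set so the scan has something to find; it is
    harmless text, not a real sample and not a real Regin hash."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "readme.txt").write_bytes(b"constructed harmless file\n")
        sysdir = root / "System32"
        sysdir.mkdir()
        stand_in = sysdir / "svcsstat.exe"
        stand_in.write_bytes(b"constructed stand-in, not a real sample\n")
        iocs = REGIN_SHA256 | {hash_bytes(stand_in.read_bytes())["sha256"]}
        return scan_tree(root, iocs, REGIN_MD5)


if __name__ == "__main__":
    import sys
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    for found_path, sha, hits in (scan_tree(target) if target else demo()):
        print(f"{found_path}  sha256={sha}  matched={','.join(hits)}")
```

run it with a directory as argument to scan that tree, or without arguments for the constructed demo. A hash match only tells you about files that are byte-for-byte identical to the published samples; the post's own point stands that the set is not complete, so a clean result is not proof of a clean machine.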
and there are more of them but we can conclude the following
because the antivirus and security industry doesn't work together and because they give different names to the same viruses and don't exchange technical information, it takes years to get the full picture, and so even if some of the files of the virus were found to be malicious, not all the files were found to be malicious, especially not by all the security programs at the same time
it also means that we have to change the general perception of an antivirus. People just install an antivirus and then look if it finds viruses (normally it does) and then sometimes make some general report about it, but don't analyse what it is and what the consequences are of the fact that the file or virus has been found on a server or a pc, and whether there are other files or traffic or behaviour on that machine that have to be researched and integrated in the report
it is intelligent analysis that will make the difference in high value environments, not putting just machine after machine after machine hoping that that will do the trick
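the "whole is more than the sum of parts" argument above can be made with numbers. The script below is an added example, not code from the post or from any antivirus vendor: it takes a constructed verdict table (made-up engine names and stage labels, chosen so that one stage is flagged by everybody and one by nobody, the same spread as the detection counts in the virustotal links above), computes what each engine alone would have caught, what the union of all verdicts catches, and which stages nobody flags and so only turn up through the manual analysis the post is asking for. It also parses the "28/43" style ratio that virustotal shows.

```python
# Constructed verdict table: for each stage of a multi-stage package, the set of
# engines that flagged it. Engine names and stage labels are made up for the
# example; the pattern mirrors the spread of detection counts quoted above.
ENGINES = ("EngineA", "EngineB", "EngineC", "EngineD")
VERDICTS = {
    "stage1_loader":  {"EngineA", "EngineB", "EngineC", "EngineD"},
    "stage2_driver":  {"EngineA", "EngineC"},
    "stage3_module":  {"EngineB"},
    "stage4_payload": set(),            # no engine flags it at all
    "stage5_plugin":  {"EngineC", "EngineD"},
}


def parse_vt_ratio(text: str) -> tuple:
    """Turn a VirusTotal-style 'detected/total' string such as '28/43' into
    (detected, total), rejecting malformed or impossible values."""
    parts = text.strip().split("/")
    if len(parts) != 2:
        raise ValueError(f"malformed detection ratio: {text!r}")
    detected, total = int(parts[0]), int(parts[1])
    if total <= 0 or detected < 0 or detected > total:
        raise ValueError(f"impossible detection ratio: {text!r}")
    return detected, total


def per_engine_coverage(verdicts=VERDICTS, engines=ENGINES) -> dict:
    """Fraction of the stages that each engine, on its own, would have caught."""
    total = len(verdicts)
    return {e: sum(1 for hits in verdicts.values() if e in hits) / total
            for e in engines}


def best_single_engine(verdicts=VERDICTS, engines=ENGINES) -> tuple:
    """(engine, coverage) of the engine that alone catches the most stages."""
    cov = per_engine_coverage(verdicts, engines)
    best = max(cov, key=lambda e: (cov[e], e))
    return best, cov[best]


def union_coverage(verdicts=VERDICTS) -> float:
    """Fraction of stages flagged by at least one engine: what sharing verdicts
    between vendors would have bought."""
    flagged = sum(1 for hits in verdicts.values() if hits)
    return flagged / len(verdicts)


def undetected(verdicts=VERDICTS) -> list:
    """Stages that no engine flags: these only come out of analysing the machine
    on which another stage was found, not out of any scanner."""
    return sorted(name for name, hits in verdicts.items() if not hits)


def report(verdicts=VERDICTS, engines=ENGINES) -> str:
    """Human-readable summary of the three numbers that matter."""
    lines = [f"{e}: {c:.0%} of stages" for e, c in per_engine_coverage(verdicts, engines).items()]
    best, cov = best_single_engine(verdicts, engines)
    lines.append(f"best single engine: {best} at {cov:.0%}")
    lines.append(f"union of all engines: {union_coverage(verdicts):.0%}")
    lines.append("never flagged: " + (", ".join(undetected(verdicts)) or "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
    detected, total = parse_vt_ratio("28/43")
    print(f"28/43 on VirusTotal means {detected / total:.0%} of engines agreed")
```

on the constructed table the best single engine sees 60% of the stages, the union of all of them 80%, and one stage is invisible to every scanner; that last line is the list to hand to an analyst, which is the point of the post.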