not that there is much information
it was because of an international operation against local police websites
but the attackers seems amateurs
Important: the Snort rules against Regin are Snort Rules 32621-32624.
and the command and control servers were .......
220.127.116.11 Taiwan, Province Of China Taichung Chwbn
18.104.22.168 India Chetput Chennai Network Operations (team-m.co)
22.214.171.124 India Thane Internet Service Provider
126.96.36.199 Belgium Brussels Perceval S.a.
because a server in Belgium won't be found suspicious; traffic going out of Belgacom to India or Taiwan could have been found suspicious
remember this is a spy operation, so all the classical techniques and reflexes of spies are used - even covering up your tracks .....
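The point above is that a destination-country heuristic alone misses a command-and-control server placed in the victim's own country, while a plain indicator match does not. The following script is an added example (not code from the original post): it runs both checks over a few constructed firewall log lines, using the four C2 addresses and countries quoted in the post. The log format, the internal addresses and the list of "expected" countries are assumptions for the example.

```python
"""Match outbound connections against the Regin C2 addresses quoted in the post.

Added example, not part of the original post. The log lines, the log format and
EXPECTED_COUNTRIES are constructed for illustration; the C2 addresses and their
countries are the values quoted in the post and are not verified here.
"""
import re
from collections import namedtuple

# C2 addresses and countries as quoted in the post.
REGIN_C2 = {
    "220.127.116.11": "TW",
    "18.104.22.168": "IN",
    "22.214.171.124": "IN",
    "126.96.36.199": "BE",
}

# Assumption for this example: a Belgian operator whose normal outbound traffic
# stays within these countries. Anything else is reported as "unusual".
EXPECTED_COUNTRIES = {"BE", "NL", "FR", "DE", "GB", "US"}

# Constructed log format: <timestamp> src=<ip> dst=<ip> dport=<port> cc=<country>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) cc=(?P<cc>[A-Z]{2})$"
)

Alert = namedtuple("Alert", "ts dst reason")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def classify(rec):
    """Return every reason a record deserves an alert: known C2 hit and/or unusual country."""
    reasons = []
    if rec["dst"] in REGIN_C2:
        reasons.append("known-regin-c2")
    if rec["cc"] not in EXPECTED_COUNTRIES:
        reasons.append("unusual-country:" + rec["cc"])
    return reasons


def analyse(lines):
    """Run both checks over all lines; malformed lines are skipped."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for reason in classify(rec):
            alerts.append(Alert(rec["ts"], rec["dst"], reason))
    return alerts


def missed_by_country_heuristic(lines):
    """C2 destinations that only the indicator list catches, because their country looks normal."""
    return [a.dst for a in analyse(lines)
            if a.reason == "known-regin-c2" and REGIN_C2[a.dst] in EXPECTED_COUNTRIES]


# Constructed sample log: one hit on the Belgian C2, one on an Indian C2,
# one benign-but-unusual destination, one benign line and one malformed line.
SAMPLE_LOG = [
    "2014-11-25T10:00:01Z src=10.1.2.3 dst=126.96.36.199 dport=443 cc=BE",
    "2014-11-25T10:00:05Z src=10.1.2.3 dst=18.104.22.168 dport=443 cc=IN",
    "2014-11-25T10:00:09Z src=10.1.2.7 dst=203.0.113.8 dport=80 cc=TW",
    "2014-11-25T10:00:12Z src=10.1.2.9 dst=192.0.2.44 dport=443 cc=NL",
    "malformed line",
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
    print("only the IOC list catches:", missed_by_country_heuristic(SAMPLE_LOG))
```

On the sample log the Belgian C2 address is reported only by the indicator match, which is exactly why a geographic rule on its own is not enough when the attacker has chosen a local relay.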
this is the list: 24 of 55 engines don't find the 64-bit Belgacom Regin infection (engine and signature date)
AegisLab 20141125
Agnitum 20141124
Antiy-AVL 20141125
Avast 20141125
Avira 20141125
Baidu-International 20141125
Bkav 20141120
ByteHero 20141125
CMC 20141124
ClamAV 20141125
Cyren 20141125
DrWeb 20141125
ESET-NOD32 20141125
F-Prot 20141125
Fortinet 20141125
Jiangmin 20141124
Kingsoft 20141125
Malwarebytes 20141125
McAfee-GW-Edition 20141125
NANO-Antivirus 20141125
Panda 20141125
Qihoo-360 20141125
Rising 20141124
SUPERAntiSpyware 20141125
Tencent 20141125
TheHacker 20141124
TotalDefense 20141125
VBA32 20141125
ViRobot 20141125
Zillya 20141124
Zoner 20141125
this is also why it is interesting for attackers to write 64-bit viruses: many antiviruses can't cope with them yet
so even if an upgrade to 64-bit kills millions of 32-bit viruses and secures access to your machine, it makes it an absolute necessity to lock your machine down, harden it and buy a really professional antivirus that works natively in a 64-bit environment
especially if you have found the following three, or one of them
and don't forget the servers
and don't forget to go back in time
interesting: so you can now check how Regin is known by your antivirus (or not, if you use ClamAV for example), and you can start looking through the virus alerts to see whether you were impacted or not
and you will find others here
this is the race to backtrack the files and to claim the discovery
probably the package is based on all the older knowledge and on all the new things that were tested out at the time or added over time, so it is possible that you will find files or code dating from long ago and others that are newer or seem more complex
"The date of origin of Regin seems to be a point of contention in the industry. Symantec claims the malware originated in 2008, Kaspersky Labs’ global research and analysis team reckons early traces of the virus became known in 2003, and a Telecoms.com source from the infosec industry told us that it was around even before then.
Finnish security vendor F-Secure says it came across the virus in 2009, and claims it’s a purely cyber-espionage toolkit used for intelligence gathering. “It’s one of the more complex pieces of malware around, and just like many of the other toolkits it also has a long history behind it. We first encountered Regin nearly six years ago in early 2009, when we found it hiding on a Windows server in a customer environment in Northern Europe,” the firm says on its website.
“The server had shown symptoms of trouble, as it had been occasionally crashing with the infamous Blue Screen of Death. A driver with an innocuous name of ‘pciclass.sys’ seemed to be causing the crashes. Upon closer analysis it was obvious that the driver was in fact a rootkit, more precisely one of the early variants of Regin.”
1. From previously identified Regin samples, The Intercept developed unique signatures which could identify this toolkit. A zip archive with a sample identified as Regin/Prax was found in VirusTotal, a free, online website which allows people to submit files to be scanned by several anti-virus products. The zip archive was submitted on 2013-06-21 07:58:37 UTC from Belgium, the date identified by Clément. Sources familiar with the Belgacom intrusion told The Intercept that this sample was uploaded by a systems administrator at the company, who discovered the malware and uploaded it in an attempt to research what type of malware it was.
2. Along with other files The Intercept found the output of a forensic tool, GetThis, which is being run on target systems looking for malware. From the content of the GetThis.log file, we can see that a sample called “svcsstat.exe” and located in C:\Windows\System32 was collected and a copy of it was stored.
The malware in question is “0001000000000C1C_svcsstat.exe_sample”. This is a 64bit variant of the first stage Regin loader aforementioned.
The archive also contains the output of ProcMon, “Process Monitor”, a system monitoring tool distributed by Microsoft and commonly used in forensics and intrusion analysis.
This file identifies the infected system and provides a variety of interesting information about the network. For instance:
The following environment variable shows that the system was provided with a Microsoft SQL server and a Microsoft Exchange server, indicating that it might be one of the compromised corporate mail servers Fabrice Clément mentioned to Mondiaal News:
Path=C:\Program Files\Legato\nsr\bin;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0;C:\Program Files\Microsoft Network Monitor 3;C:\Program Files\System Center Operations Manager 2007;c:\Program Files (x86)\Microsoft SQL Server\90\Tools\binn;D:\Program Files\Microsoft\Exchange Server\bin
3. Below is a list of hashes for the files The Intercept is making available for download. Given that it has been over a year since the Belgacom operation was publicly outed, The Intercept considers it likely that the GCHQ/NSA has replaced their toolkit and no current operations will be affected by the publication of these samples.
the same article gives more information about the loaders and why they think it was this virus that attacked Belgacom. It also seems that some sources in Belgacom are leaking again and have forgotten about their NDA, unless it is a hidden policy.
the second thing is that it seems as if people during the discovery phase used online tools, which leave traces, to identify the problem. For a critical environment like Belgacom during an espionage attack this is like hanging a banner outside: we have found you.
De Standaard will be publishing more information in the coming weeks, it seems. Well, now I understand something......
We always said it was an intelligence operation and we always said that there were problems with the certificates of some files. We only have to wait to be proven right. And for that we didn't have contact with leakers.
Now that all that information is out in the open it is time for BIPT to make a real technical file.
That The Intercept thinks that all the files have been replaced is wishful thinking, unless they gave the intelligence services a head start by informing someone that this information would be published on a certain date so they could go into overdrive. But even then there may be security and network management tools that will have a trace of the filenames and other events on the network or on the servers.
they requested the removal of certain postings and in fact wanted the complete removal of this blog
they said that including screenshots and links to the data dumps is illegal
the references and screenshots in question on the postings mentioned have therefore been removed, and it has been noted that this was done because of a complaint to skynetblogs
these complaints are, by the way, always followed up
but don't fool yourself
this data is only a tiny fraction of the data online
and there is nobody in Belgium who follows these data leaks in a systematic way, and the CERT that should be doing so is so understaffed and overloaded that it can't even handle these datasets
finding them doesn't take much effort, by the way (I use a couple of sites and a few Google dorks), and it isn't about thousands of .be email addresses but in the worst case a few dozen a week (unless Rex Mundi is at it again)
It would only cost a few thousand euros to monitor this efficiently, plus a small application to notify the victims immediately after their automatic discovery. But there is money for big studies into what has already been studied.
by the way, what is Mensura doing about the more than 400 downloads of the data that have already taken place
I would say, nice try Mensura, but there are more important things to keep you busy
e.g. how do you explain that your certificate is still broken, that your form for sickness checks is still not behind a protected login page, that it still asks for the national register number (Rijksregisternummer) of the person to be checked (who therefore does NOT know this and has NOT given consent for it), and that the 'more info' section (which contained all those scandalous indelible comments) is still in it
even though you have known since the leak, which you NEVER announced on your blog (apart from maintenance work on Sunday, without specifying), that there are three big problems with that form
* it is not protected by a login screen
* it contains personal information for which the owner of that information has not given permission (national register number)
* it is not only on the internet with poor encryption, it also had a SQL injection (which was not tested for, despite the fact that it is in the OWASP Top 10)
and if that is the fault of your service providers, then you'd better be looking for another one and filing a complaint against them
btw there are numerous blogs, forums and Twitter streams that do nothing else than report and link to new data dumps on the internet - it is even through such a Twitter stream that I found the information on Saturday that you were trying to hide.
By the way, if lawyers are preparing a complaint, they will have had this information long ago.
If the NSA hacks telecom infrastructure worldwide it is because it wants to get the information without having to go through court to get it, and because it thinks this is more effective and faster. The latter is more evident than the former, because you won't be able to present this information in court (although many of the presumed terrorists are now killed by drones before they ever get to see a real court).
But this poses some big problems and can also create diplomatic and other difficulties, even if the different intelligence agencies need information from the NSA to be able to react fast enough to dangers yet unknown to them. So they are like two scorpions in a bottle who will only get out if they help each other.
This is only possible if there is a European agreement that a number of people or organisations can be tracked and monitored throughout the European Union without having to present an individual court order in each of these countries. We already have Europol, which can coordinate this, and it needs the necessary supervision.
The only problem here is mission creep, and the only way to stop mission creep is that the list may never be bigger than, for example, 100. This means that there is no way this system can be turned into a global surveillance tool, but that it is fast and general only for the most important terrorist suspects or contacts that need to be followed anywhere. The terror watchlist of nearly half a million people is a perfect example of this.
It is by going after the real leaders and organizers one by one that one can limit the operational possibilities of a terrorist organisation, because they can't be replaced as easily as another disgruntled fighter taking up the gun or bomb of his fallen comrade in arms. And to do that you need the top 100 track list throughout the US, Europe and the partners.
Nobody seriously has a problem with tracking the most dangerous terrorists, but many people have a problem with the fact that some want to watch everybody all the time, as if they could all turn into a terrorist one day.
And if the intelligence agencies have an instrument by which they can concentrate their resources on immediate dangers and the biggest organizers, they can submit court orders for all the rest if they still need it.
it is always the same song in Belgium. Once there is an attack or hack, they file a complaint with the FCCU, as they should, and then they can't say anything more. The justice department, the FCCU and the CERT will need to set up some technical information exchange to be sure that technical information about (identified) hacks gets distributed in time to other possible victims, just to warn them that it can happen.
There is for the moment not even a Federal Cybercrime or Cybersecurity Center under the prime minister that could organize that and take responsibility.
The Belgacom virus or #regin files - and it is not because some of the files are the same that the whole set is the same - were rumoured to be NATO secret level 3 and afterwards were said to have been handed over with other information to the BIPT. Some people who should have known in Belgium tell me they didn't, and were surprised to read in the newspaper that all critical infrastructure had been informed about the technical details of the attack and which things to look out for in their firewalls and security appliances.
Belgacom repeats the same thing today.
So this leaves two questions.
Either they are the same files and Belgacom has cleaned them up, found them and is sure that they didn't come back - even in their 2013 version. Then everything is fine for Belgacom and they just have to keep up the same vigilance and determination. But if Belgacom says that they are exactly the same files, then it has to say this clearly, so there is no doubt whatsoever. They will probably say that they can't say this because it would 'interfere' with the investigation, which is stupid because we know a lot more technical details about any other criminal investigation before the trial starts (if there is ever going to be a trial here).
SO BELGACOM - IS IT OR ISN'T IT? If it isn't, you know you will have to go rechecking - although as good security practice you will restart your checking anyway.
When are we going to have that information? I know a lot of people who are responsible for enormous networks and enormous sets of data who have no idea what the BIPT is talking about when it says that everybody has received the necessary information. Does this mean that all the banks, all the international organisations in Belgium, all the energy networks, all the governmental agencies that handle secret or important information were informed? All the ISPs and telecom operators?
SO BIPT, as more and more information is in the open and some of the files are now being found online and will be assembled in the near future, as a whole community of people now starts a hunt for them (for sure they are already on VirusTotal): when are you going to release more information? Or are there diplomatic or other reasons for which that information can't be published? By not publishing it you confirm this.
Some of the functions and protocols are explained in this earlier presentation at Hack.lu. It is also important here to read how one gets information from an internet-blocked computer (with probably high-level information) to an internet-connected computer in a network. The extraction methods are also interesting because in Belgacom the extracted information was encrypted and for that reason went undetected, as encrypted traffic was maybe, just like in many networks, trusted - especially if it comes from inside the network.
We know that the Regin files held by Symantec are not complete and that they only have part of all the files.
Inside the Snowden files you find documentation about a bootkit that also works on Linux because it attacks the hardware and not the software on the machine. (This is why it is important to encrypt all the free room on your hard disk, so you can't normally install anything new on the machine - or not without alerting the security staff, if you have installed those event loggers.)
So it is not clear at the moment if there are Linux files somewhere. We know by now that it is not hard to take total control over the root and boot of a Linux server, and several viruses doing exactly that (and through USB on Apple) have appeared in the last couple of months.
We know that the Microsoft Regin files had several urgent updates (2008 - 2011) and we know that there have been rumours about problems and infections, and uncertainty about the date of infection, well before the official date on which Microsoft officially said it was an infection when they finally came to examine the troubled mail server. We know that the Regin files had a 32-bit version and a 64-bit version, and that from 2011 onwards many organisations and industries were moving to 64-bit only (to kill all the 32-bit viruses in one upgrade). This change also has an impact on access to the root and may explain the problems. The Snowden files talk about 2008 as the date of penetration (which is also the first set of files).
We know that the Regin files had falsified Microsoft certificates or signatures on some files, and that for those for which that wasn't possible they posed as a help file of an official Microsoft file in the kernel root and had access to the root through this help file, which had access to the kernel-root file. We know that in Belgacom they were talking about Microsoft-signed files. This poses in fact huge problems for Microsoft and the way in which it wants to certify the files that are written by Microsoft and that are certified by Microsoft.
We know that the Belgacom operation was an intelligence operation and that only very limited information was effectively transferred, as the data files were small (which was astonishing). It could be that they had larger files at the start of the operation (to have a list of all the employees or of the infrastructure), but as nobody is sure about the date of the first infection there is no way to be sure. As the GRX routers for the GSM traffic throughout the BICS-Belgacom network were the target, we presume it was the metadata for certain high-profile GSM numbers that were on the terrorist target list. It is so no wonder that the software that is used in such an operation is built by spies for spies to be able to.... spy.
well there is a site that collects viruses and has some of the files
this one: b269894f434657db2b15949641a67532
couldn't they do a Google search before picking a name for the espionageware
it was re-analyzed yesterday as the news came out, but the creation date is in March 2008
now look at this
probably this will be because there were some problems with some files during a migration to Windows 7 or server Windows 8 (launched in 2009, but companies mostly wait 2 years before introducing a new system - and this shows why this is in fact a security problem).
and this is probably why it had to be replaced urgently by a newer version, as Symantec writes in its report - it is a DOS executable, and in Windows 7 access to the kernel is rewritten and limited, so all those files that before had unchecked access to the kernel, like in Linux :), lost it ..... and sometimes were analyzed. And this is also the reason that Belgacom started investigating its mail server, which after an upgrade was behaving strangely.
but not all the files
and in VirusTotal only 44 find them, and some (even big ones) don't
I think that for such important espionageware, antivirus companies that have some info but not all should work together. The whole is more than the sum of its parts.
First it is said that this series of articles is based upon new documents. It would be interesting to know which kind of documents. Do they come from Snowden, or from a part of his archive that is probably now in the hands of many more people than we can imagine? Or is there another source in the UK?
Secondly, it builds upon something that we already know. The 'Mastering the Internet' program and the role of GCHQ were already researched and written about a year ago.
this is one of the best articles if you want an overview, and be sure that you take your time to read it, because it is all legal according to British law and the new British laws on intelligence will even broaden these capabilities.
Now it seems that Cable and Wireless is one of the companies that was working closely with GCHQ to give it all the possible means to filter and intercept as much information as possible. We are talking about petabytes of information.
Now Vodafone looks to have inherited the program when it bought Cable and Wireless, and it is not clear if they are fully informed about the top-secret programs. In such big companies such arrangements can also be made between people without the full knowledge of the hierarchy, who sometimes just don't want to know.
and as this is probably the case, everything you read in the article is a logical consequence of this. It is the same process when US firms work together with the NSA, or other telecom companies with their respective intelligence agencies
the fear of missing something, and the absolute trust that is put into technology to give you that (false) assurance, is sometimes much bigger than common sense and good intelligence strategies
There are for the moment two strategies confronting each other in the debate about VUPEN (in France), the freewheeling seller of zero-day attack tools (that aren't covered yet by antivirus companies)
The military say that VUPEN has crossed the red line and that that 'problem' should be resolved soon, meaning that the French state with all its power will come crashing down on them. VUPEN understands that power and has announced that it will relocate its offices to Luxembourg and the US (probably because many of its biggest clients, like the NSA, are over there).
On the other side of the table are the spies and the cyber attackers/defenders, who say that in a war of shadows like this you can't let this kind of knowledge and these kinds of tools leave for nations that could be your attackers some day (or already are attacking you).
this article in French is a really good read (use Google Translate): http://lexpansion.lexpress.fr/high-tech/les-mercenaires-de-la-cyberguerre
they were wise enough to organize elections and to have a real democracy a year later
meanwhile many of these #maidan defense units have been fighting and dying in the Donbass against the Russian invaders
but Ukraine has regained its unity, its history and its future
not all the people in the documentary are as 'nice' and democratic as we would like them to be - but in the face of death and violence you don't ask the political opinions of the person fighting next to you - that is for afterwards (and the elections have reduced the influence of the right-wing radicals to minimal proportions)
even if Putin wanted it otherwise and hoped they would win a bigger margin or a majority because of his incursions and permanent bombardments
and another one