
Rare implementation of RC5/RC6 in ShadowBrokers dump connects them to Equation - Jerry2
https://securelist.com/blog/incidents/75812/the-equation-giveaway/
======
pbsd
GNU confirmed as Equation Group:
[https://godbolt.org/g/EDvrn2](https://godbolt.org/g/EDvrn2). Wait, MSVC does
this too---they're all in cahoots!

    $LL8@f:
    ; Line 4
        mov ecx, DWORD PTR [edx+eax*4-4]
        sub ecx, 1640531527             ; 61c88647H
        mov DWORD PTR [edx+eax*4], ecx
        inc eax
        cmp eax, 44                 ; 0000002cH
        jl  SHORT $LL8@f

Flipping the sign of addends is a common compiler transformation, likely there
to optimize for code size in some cases. Unless that code looks weird enough
that it _had_ to be coded by hand, that constant switch doesn't mean much of
anything.

~~~
nkurz
I started writing a reply along the lines of "you may be misinterpreting the
authors", but looking more closely I agree that their logic is particularly
flimsy here. They explain their reasoning more fully in a 2015 piece, where
they concluded that two code bases were distinct because they used different
constants:

 _Searching for "0x61C88647 0xB7E15163" on Google results in barely two pages
of results, indicating this combination of constants is relatively rare. Most
of the hits are on Chinese forums. Searching for the 2-inverse constant
"0x9E3779B9 0xB7E15163" results in a whopping 2500 hits. ... This suggests
that the EQUATION group and the Regin group are two different entities._

[https://securelist.com/files/2015/02/Equation_group_question...](https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf),
page 28.

They seem to be totally ignoring the fact that Google is more likely to index
text files than binary executables and short lived assembly temp files. If you
search on Google, you do indeed find source files with the "0x9E3779B9
0xB7E15163" pair, which makes sense as these are used in the reference
implementation:
[https://tools.ietf.org/html/rfc2040](https://tools.ietf.org/html/rfc2040).

But as you say, if you compile the reference implementation, you are likely to
produce an executable which contains the negated form. If you then "decompile"
this executable, you get the "rare" pair, where "rare" just means that Google
is more likely to index the input source code than compiler generated assembly
or the output of 'objdump'.

I think you nailed it --- all the compilers are in cahoots, and the
perpetrators can be assumed to be using one! But not Clang, which gamely tries to
vectorize. What's less clear is whether the authors of the exposé are
charlatans or just "logically challenged". Since they are obviously smart
enough to be working for the "goto source" for commentary on these issues, I'd
be inclined to guess "charlatan".
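
The point made in the two comments above, as an added example that is not part of the thread or of the linked article: the source-level form (add `0x9E3779B9`) and the compiled form (subtract `0x61C88647`) build the same table, so a constant-based signature has to accept both encodings. The function names and the sample byte string are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define P32 0xB7E15163u      /* RC5/RC6 constant P, as in RFC 2040 */
#define Q32 0x9E3779B9u      /* RC5/RC6 constant Q, as in RFC 2040 */
#define NEG_Q32 0x61C88647u  /* two's-complement negation of Q32 */
#define TABLE_WORDS 44       /* loop bound in the MSVC listing above */

/* Table setup as written in reference-style source: add Q. */
static void init_add(uint32_t S[TABLE_WORDS]) {
    S[0] = P32;
    for (int i = 1; i < TABLE_WORDS; i++) S[i] = S[i - 1] + Q32;
}

/* The same setup as the compiler emitted it: subtract -Q. */
static void init_sub(uint32_t S[TABLE_WORDS]) {
    S[0] = P32;
    for (int i = 1; i < TABLE_WORDS; i++) S[i] = S[i - 1] - NEG_Q32;
}

/* Returns 1 when both forms build an identical table. */
int tables_match(void) {
    uint32_t a[TABLE_WORDS], b[TABLE_WORDS];
    init_add(a);
    init_sub(b);
    return memcmp(a, b, sizeof a) == 0;
}

/* Count little-endian occurrences of a 32-bit immediate in a buffer. */
size_t count_imm32(const uint8_t *buf, size_t len, uint32_t imm) {
    uint8_t pat[4] = { (uint8_t)imm, (uint8_t)(imm >> 8),
                       (uint8_t)(imm >> 16), (uint8_t)(imm >> 24) };
    size_t hits = 0;
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(buf + i, pat, 4) == 0) hits++;
    return hits;
}

/* Constructed bytes: x86 "sub ecx, 61C88647h" (81 E9 imm32), then "inc eax". */
const uint8_t SAMPLE_CODE[] = { 0x81, 0xE9, 0x47, 0x86, 0xC8, 0x61, 0x40 };

/* A constant-based check has to accept either encoding of Q. */
size_t count_q_either(const uint8_t *buf, size_t len) {
    return count_imm32(buf, len, Q32) + count_imm32(buf, len, NEG_Q32);
}
```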

------
StavrosK
First of all, can we stop regurgitating the claim that they want 1m BTC? It's
an auction, they'll stop when they like the sum, but if they get 1m BTC they
will release a _different_ set of files to the public.

Second of all, the Shadow Brokers announcement reads like how a native English
speaker thinks a non-native English speaker writes. There's no consistency to
the mistakes, they just omit random articles from the text, whatever fits the
"Russian accent" stereotype.

~~~
rdtsc
Yap. Sale offer just reads as too comical, like say if South Park decided to
create an Ivan-The-Russian character.

------
rdtsc
Took a quick look at files:

> TOOLS/Apache/httpd-2.0.52-9.ent.i386.rpm

Heh RHEL4! Nothing points to a 3 letter US govt agency like an outdated RHEL
version. Even for 2013 (based on file date) RHEL4 was ancient. RHEL7 beta for
example, came out that year.

Also another striking thing about it, there are no swear or l33t-speak words
in there. I know if I had to write ASN.1-based SNMP firmware hacks for obscure
Juniper switches, that code would be drowning in curse words.

Seeing this kind of stuff is fun too:

    ar rules update filename `/tmp/.b` type ar url http://topsec.com.cn

Also a bit of whimsy perhaps, can't be too serious after all, even at the NSA:

    class ELCAExploit(HTTPSExploit):
      name = "ELIGIBLECANDIDATE"
      version = "v1.1.0.1"
      desc="What is the sound of a single thread blocking?"
      modes = ["nopen"]

------
wcummings
Could be Equation Group burning old exploits. A sorta curious way to do it but
it wouldn't be that surprising.

------
wyldfire
> This code similarity makes us believe with a high degree of confidence that
> the tools from the ShadowBrokers leak are related to the malware from the
> Equation group. While the ShadowBrokers claimed the data was related to the
> Equation group, they did not provide any technical evidence of these claims.
> The highly specific crypto implementation above confirms these allegations.

...or means that they're just extremely thorough, like you might expect a
state actor to be.

~~~
stouset
Some skepticism is always warranted with these things, but the prevailing
belief in the security community is that this is very, very real.

From Nicholas Weaver[1]:

> Because of the sheer volume and quality, it is overwhelmingly likely this
> data is authentic. And it does not appear to be information taken from
> comprised systems. Instead the exploits, binaries with help strings, server
> configuration scripts, 5 separate versions of one implant framework, and all
> sort of other features indicate that this is analyst-side code -- the kind
> that probably never leaves the NSA.

If you think for a minute about the motivations here, you can see that it
would be absolutely idiotic for a state actor to release this kind of volume
of their own exploits and malware frameworks. On the other hand, a state actor
would _love_ to release this information from their competitors' toolchest, as
it virtually guarantees the entire set of exploits will quickly be rendered
useless against high-profile targets.

[1]: [https://www.lawfareblog.com/very-bad-monday-nsa-0](https://www.lawfareblog.com/very-bad-monday-nsa-0)

------
sklivvz1971
Snowden claims the Equation group is the NSA, Shadow Brokers the Kremlin. SB
is sending the message "careful about the DNC hacks, we can link you to bad
stuff".

True or not, this would also explain this news.

~~~
rdtsc
You're thinking Kaspersky has ties with Kremlin, and, after an apparent lack
of belief in authenticity (even after inserting comically bad
Slavic-person-speaks-bad-English phrases in their "ad") they worked together
on writing an "analysis" to bolster the authenticity. So the world believes
that this is bona-fide stuff?

~~~
PhantomGremlin
_You're thinking Kaspersky has ties with Kremlin_

There's no need to "think" that; it's well established that Eugene Kaspersky
and Vlad Putin are BFFs, or if not that then at least Kaspersky is very
careful not to offend the Kremlin:
[http://www.bloomberg.com/news/articles/2015-03-19/cybersecur...](http://www.bloomberg.com/news/articles/2015-03-19/cybersecurity-kaspersky-has-close-ties-to-russian-spies)

 _So the world believes that this is bona-fide stuff?_

I have no opinion on any of that.

------
justcommenting
Does anyone else recall Jacob Appelbaum discussing this publicly a while back?

