

Secret Malware in EU Attack Linked to US and British Intelligence - FredericJ
https://firstlook.org/theintercept/2014/11/24/secret-regin-malware-belgacom-nsa-gchq/

======
guiambros
Oh snap!

      "The archive also contains the output of ProcMon,
      Process Monitor, a system monitoring tool distributed
      by Microsoft and commonly used in forensics and
      intrusion analysis.

      This file identifies the infected system and provides
      a variety of interesting information about the network.
      For instance:

      USERDNSDOMAIN=BGC.NET
      USERDOMAIN=BELGACOM
      USERNAME=id051897a
      USERPROFILE=C:\Users\id051897a"


Also love the comment at the end:

 _"Below is a list of hashes for the files The Intercept is making available
for download. Given that it has been over a year since the Belgacom
operation was publicly outed, The Intercept considers it likely that the
GCHQ/NSA has REPLACED THEIR TOOLKIT AND NO CURRENT OPERATIONS WILL BE AFFECTED
by the publication of these samples."_
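
The point of the quoted ProcMon excerpt is that a forensic artefact uploaded to a public sandbox carried the victim's domain, user name and profile path. The following is an added example, not code from the article or from The Intercept, of the kind of pre-upload scrub an incident responder would run over such an export: it flags and redacts the environment variables that identify the organisation or user. The key list beyond the four variables quoted above, the `<REDACTED>` marker and the sample dump are assumptions made for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Environment keys whose values tie a sample to a victim organisation or
 * user. The first four are exactly the ones quoted from the leaked ProcMon
 * output; the rest are assumed additions typical of Windows environments. */
static const char *const SENSITIVE_KEYS[] = {
    "USERDNSDOMAIN", "USERDOMAIN", "USERNAME", "USERPROFILE",
    "COMPUTERNAME", "LOGONSERVER", "HOMEPATH", NULL
};

/* Case-insensitive comparison of the first n bytes of line against key,
 * which must itself be exactly n bytes long. */
static int key_matches(const char *line, const char *key, size_t n) {
    if (strlen(key) != n) return 0;
    for (size_t i = 0; i < n; i++)
        if (toupper((unsigned char)line[i]) != toupper((unsigned char)key[i]))
            return 0;
    return 1;
}

/* Returns a pointer to the value part of a "KEY=value" line when KEY is
 * sensitive, or NULL when the line is safe to share as-is. */
static const char *sensitive_value(const char *line) {
    const char *eq = strchr(line, '=');
    if (!eq) return NULL;
    size_t klen = (size_t)(eq - line);
    for (size_t i = 0; SENSITIVE_KEYS[i]; i++)
        if (key_matches(line, SENSITIVE_KEYS[i], klen))
            return eq + 1;
    return NULL;
}

/* Writes a shareable copy of line into out. Sensitive values are replaced
 * by <REDACTED>; other lines are copied unchanged. Returns 1 if redacted. */
int redact_env_line(const char *line, char *out, size_t outlen) {
    const char *val = sensitive_value(line);
    if (!val) {
        snprintf(out, outlen, "%s", line);
        return 0;
    }
    /* keep "KEY=" (val - line bytes) and drop everything after it */
    snprintf(out, outlen, "%.*s<REDACTED>", (int)(val - line), line);
    return 1;
}

/* Convenience for checks: 1 if redacting line yields exactly expected. */
int redacts_to(const char *line, const char *expected) {
    char buf[256];
    redact_env_line(line, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

/* Number of lines that would leak identity if the dump were shared as-is. */
int count_leaking_lines(const char *const *lines, size_t n) {
    int leaks = 0;
    for (size_t i = 0; i < n; i++)
        if (sensitive_value(lines[i])) leaks++;
    return leaks;
}

/* Constructed stand-in for the environment section of a ProcMon export;
 * the four identifying lines are the ones quoted in the article. */
static const char *const SAMPLE_DUMP[] = {
    "OS=Windows_NT",
    "USERDNSDOMAIN=BGC.NET",
    "USERDOMAIN=BELGACOM",
    "USERNAME=id051897a",
    "USERPROFILE=C:\\Users\\id051897a",
    "SystemRoot=C:\\Windows",
};
#define SAMPLE_DUMP_LEN (sizeof SAMPLE_DUMP / sizeof SAMPLE_DUMP[0])

int main(void) {
    char buf[256];
    printf("%d of %zu lines would identify the victim\n",
           count_leaking_lines(SAMPLE_DUMP, SAMPLE_DUMP_LEN), SAMPLE_DUMP_LEN);
    for (size_t i = 0; i < SAMPLE_DUMP_LEN; i++) {
        redact_env_line(SAMPLE_DUMP[i], buf, sizeof buf);
        puts(buf);
    }
    return 0;
}
```

Matching is case-insensitive because Windows environment names are, and the whole value is dropped rather than just the user name inside it, since a profile path or logon server can identify the site on its own.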

~~~
rasz_pl
oh snap what? This is a file uploaded by BELGACOM admin to VirusTotal
database. It is NOT a file NSA published somewhere.

Currently we only know this malware was used in the Belgacom hack; there is still
no proof it is NSA code.

~~~
guiambros
Do you really have any doubt about who's behind this?

We can debate about motivations and who their target really was (Belgacom may
have been collateral damage), but despite "proof", there's little doubt about
who wrote it.

~~~
rasz_pl
Yes, just like FBI assassinating Kennedy because Oh snap cuba!

You act like it's some sort of proof, like this VirusTotal upload came from a
Langley IP.

~~~
guiambros
I simply pointed out that the person who uploaded to virustotal certainly
didn't realize it also had Belgacom domain name, username, and a list of _all_
the processes running on the machine.

 _> Yes, just like FBI assassinating Kennedy because Oh snap cuba!_

I have no doubt where this came from, despite not having Gen. Keith
Alexander's email in the logs.

------
justcommenting
re-posting AlyssaRowan's comment
([https://news.ycombinator.com/item?id=8653692](https://news.ycombinator.com/item?id=8653692))
here:

"Got more payload chunks. Wow, they were sloppy with this - found plenty of
symbol references still in them!

So far, that makes references to LEGSPIN, WILLISCHECK, HOPSCOTCH, STARBUCKS,
FOGGYBOTTOM, SALVAGERABBIT.

I believe this may be NSA's UNITEDRAKE implant architecture, specifically."

~~~
waterlesscloud
FOGGYBOTTOM is so particularly US Govt that it almost feels like misdirection.
Or a programmer mad he has to do the task. Heh.

("Foggy Bottom" is an oblique reference to the US State Dept, after the DC
district where it's located)

~~~
mikecb
Also the location of the Office of Strategic Services, the WWII precursor to
CIA.

------
lazaroclapp
Interesting. What I don't get from this analysis or the one by Symantec is how
this rootkit is able to install kernel drivers on 64-bit Windows with driver
signing enabled. Is this using a new vulnerability to do so? An existing one?
Did the GCHQ/NSA manage to get their hands on the keys necessary to sign
Windows drivers? Each scenario has implications for code signing as a security
technique...

~~~
dmix
With DUQU and Stuxnet, the agencies had stolen the signing cert from Taiwanese
businesses.

Duqu = stolen from
[https://en.wikipedia.org/wiki/C-Media](https://en.wikipedia.org/wiki/C-Media)
Stuxnet = stolen from
[https://en.wikipedia.org/wiki/Realtek](https://en.wikipedia.org/wiki/Realtek)

Not hard to find a valid cert when you're a nation state.

Source:
[https://firstlook.org/theintercept/2014/11/12/stuxnet/](https://firstlook.org/theintercept/2014/11/12/stuxnet/)

~~~
nullc
"stolen"

~~~
dmix
Are you suggesting they were acquired by other means?

------
iresa
So the UK attacked Ireland.

Nice one.

~~~
anigbrowl
Given the centuries-long political problems between the two nations, what else
would you expect? Ireland has an intelligence agency too which I'm sure does
its share of covert information-gathering (at least I hope so, or it wouldn't
be much good):
[http://en.wikipedia.org/wiki/Directorate_of_Intelligence_%28...](http://en.wikipedia.org/wiki/Directorate_of_Intelligence_%28Ireland%29)

~~~
rmc
The IRA (et al.) do attack the Irish State, since they don't recognise it
(e.g.
[https://en.wikipedia.org/wiki/Death_of_Jerry_McCabe](https://en.wikipedia.org/wiki/Death_of_Jerry_McCabe)
). However the UK police force & intelligence agency are much more advanced than
the Irish one.

~~~
anigbrowl
I know. I'm from Limerick although I live in the USA now.

~~~
rmc
Shit, sorry

~~~
anigbrowl
No worries ;)

------
zodiakzz
Stupid question.. is it not possible to identify the IP addresses this thing
contacts?

------
munin
it would be really good if the people reverse engineering malicious software
knew how computers worked:

        "This Regin driver recurrently checks
        that the current IRQL (Interrupt Request Level)
        is set to PASSIVE_LEVEL using the KeGetCurrentIrql()
        function in many parts of the code, probably in order
        to operate as silently as possible and to prevent
        possible IRQL confusion. This technique is another
        example of the level of precaution the developers
        took while designing this malware framework."


what does that even MEAN?!

~~~
userbinator
They do.

[http://blogs.msdn.com/b/doronh/archive/2010/02/02/what-is-irql.aspx](http://blogs.msdn.com/b/doronh/archive/2010/02/02/what-is-irql.aspx)

~~~
munin
no they don't, checking IRQL has nothing to do with "operating as silently as
possible".

~~~
kybernetyk
Well, if the system performance degrades because "sorry, we can't service the
HDD because the malware driver comes first" then it's not really silent.

A low handler priority makes sure that everything critical gets handled first
and no one will get suspicious.

~~~
yuhong
I don't think that is the purpose of NT's IRQL though.

~~~
convivialdingo
NT's driver model is a mixed model: many calls are chained from interrupts,
others may be syscalls. Some driver functions like netfilters or filesystem
filters may be called from both interrupts AND system calls.

Accessing some calls at the wrong IRQL is deadly. Similarly, if you are
attached as a filter you can get tons of calls, most all of which are not
relevant. You must be able to quickly filter those calls or the system can
become unstable.

Admittedly, the efficiency of NT's design is pretty brilliant considering that
we started with TSR interrupts in DOS, but it is also fraught with danger. For
instance different locking calls can only be used at certain IRQLs, otherwise
you can lock the entire system. Sometimes those calls only happen with certain
configurations or kernel versions.

Being an NT driver developer is maddening. The Linux driver model is much
better, as there are no mixed mode calls. Interrupts are chained but your
function is always at the same or lower interrupt level. Most code is also
explicitly kept out of interrupts, and instead operates as usermode syscalls.
You can write an entire filesystem and likely never deal with interrupts.
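
To make concrete why a filter routine that can be entered from both an interrupt path and a system call has to look at the IRQL first, here is an added example in the form of a small user-mode model; it is hypothetical and is not Windows kernel code, Regin code, or code from anyone in this thread. `KeGetCurrentIrql`, `PASSIVE_LEVEL`, `APC_LEVEL`, `DISPATCH_LEVEL`, `STATUS_PENDING` and the `IRQL_NOT_LESS_OR_EQUAL` bugcheck are real NT names; the global IRQL variable, `model_set_irql`, the work queue and the two dispatch routines are assumptions made for the model. The model reports as a return value the condition where the real kernel would bugcheck.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical user-mode model of NT IRQL discipline. Only the three IRQLs
 * a filter driver mostly sees are modelled. */
typedef unsigned char KIRQL;
enum { PASSIVE_LEVEL = 0, APC_LEVEL = 1, DISPATCH_LEVEL = 2 };

/* Return codes. STATUS_* and the bugcheck code carry their real NT values;
 * MODEL_QUEUE_FULL is the model's own. */
enum {
    STATUS_SUCCESS = 0x0,
    STATUS_PENDING = 0x103,
    BUGCHECK_IRQL_NOT_LESS_OR_EQUAL = 0xA,
    MODEL_QUEUE_FULL = -1
};

static KIRQL g_current_irql = PASSIVE_LEVEL;

/* Stand-ins for KeGetCurrentIrql() and for the interrupt/scheduler path
 * that raises or lowers IRQL around a call into the driver. */
KIRQL KeGetCurrentIrql(void) { return g_current_irql; }
void model_set_irql(KIRQL irql) { g_current_irql = irql; }

/* Deferred requests, like work items handed to a system worker thread. */
#define QUEUE_MAX 16
static int g_queue[QUEUE_MAX];
static size_t g_queue_len = 0;
static int g_processed = 0;

/* Work that touches pageable memory or waits on a dispatcher object: legal
 * at PASSIVE_LEVEL and APC_LEVEL; at DISPATCH_LEVEL the real kernel
 * bugchecks with IRQL_NOT_LESS_OR_EQUAL, which the model returns instead. */
int do_paged_work(int request_id) {
    (void)request_id;
    if (KeGetCurrentIrql() >= DISPATCH_LEVEL)
        return BUGCHECK_IRQL_NOT_LESS_OR_EQUAL;
    g_processed++;
    return STATUS_SUCCESS;
}

/* Naive filter routine: assumes it is only ever reached from a system call. */
int unchecked_dispatch(int request_id) {
    return do_paged_work(request_id);
}

/* Careful filter routine: the same entry point can be reached from an
 * interrupt-driven path at DISPATCH_LEVEL, so it checks the IRQL first and
 * defers the paged work to a worker thread instead of crashing the machine. */
int checked_dispatch(int request_id) {
    if (KeGetCurrentIrql() >= DISPATCH_LEVEL) {
        if (g_queue_len == QUEUE_MAX) return MODEL_QUEUE_FULL;
        g_queue[g_queue_len++] = request_id;
        return STATUS_PENDING;  /* completed later by drain_work_queue() */
    }
    return do_paged_work(request_id);
}

/* Worker thread body: system worker threads run at PASSIVE_LEVEL, so the
 * queued requests can now do what the interrupt path could not. Returns
 * the number of requests completed. */
int drain_work_queue(void) {
    model_set_irql(PASSIVE_LEVEL);
    int done = 0;
    while (g_queue_len > 0)
        if (do_paged_work(g_queue[--g_queue_len]) == STATUS_SUCCESS) done++;
    return done;
}

int processed_count(void) { return g_processed; }
size_t pending_count(void) { return g_queue_len; }

int main(void) {
    model_set_irql(DISPATCH_LEVEL);
    printf("unchecked at DISPATCH_LEVEL -> 0x%X (bugcheck)\n", unchecked_dispatch(1));
    printf("checked at DISPATCH_LEVEL   -> 0x%X (pending)\n", checked_dispatch(2));
    printf("worker drained %d request(s)\n", drain_work_queue());
    return 0;
}
```

The contrast between the two dispatch routines is the whole point: the IRQL check is a correctness requirement for code that can be entered at more than one level, which is why a reviewer should not read a `KeGetCurrentIrql()` call as evidence of stealth on its own.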

