Got more payload chunks. Wow, they were sloppy with this - found plenty of symbol references still in them!


I believe this may be NSA's UNITEDRAKE implant architecture, specifically.

Well then! Totally ready to believe that I am 0 for 2 on attributing state-sponsored malware. :)

It appears that GCHQ have used this too. Maybe they've shared some work (via BAE Systems Detica?) after all?

Who names this stuff?! ANGRYFERRET? (Probably no relation to FERRETCANNON; whoever named that one is clearly a Sluggy Freelance fan.) SQUEAKYTOY?

The Intercept have now reported on this: https://firstlook.org/theintercept/2014/11/24/secret-regin-m...

For the truly curious, interested and daring enough to want to analyse nation-state malware, here's an actual live sample they've published. (Obviously, don't just run this code! Trite, I know, but… - password: "infected") https://s3.amazonaws.com/tiregin/regin.zip

Your tax dollars at work! … and mine. Bah.

If I wanted to take that sample and actually run it inside a VM, what would I need to do? It looks like I need to know the file extension of each file and then rename the files?

Um… what you need to do is not do that. This is not incredibly technically sophisticated compared to some of the stuff I've seen, but it is still not a toy!

Analyse it cold (from what I've seen from this, IDA Pro will be safe), or use a suitable simulator.

Mainstream VMs are not designed for secure encapsulation and are very detectable: at least one of the loaders in one of the samples of this is specifically looking for VMs (and that's not unusual at all with any half-assed malware).
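To make the "looking for VMs" point concrete, here is an added example (mine, not code from the Regin samples or from anyone in this thread) of the cheapest such check a loader can make: CPUID. Leaf 1 ECX bit 31 is the hypervisor-present flag, and leaf 0x40000000 returns the hypervisor's 12-byte vendor signature in EBX:ECX:EDX. The vendor strings in the table are the ones the mainstream hypervisors advertise; the build assumes GCC or Clang on x86 (`<cpuid.h>`) and degrades to "unknown" elsewhere. The classifiers are kept separate from the live probe so they can be run on captured register values from a sample's behaviour trace.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* CPUID leaf 1, ECX bit 31: set by every mainstream hypervisor to announce a VMM. */
#define CPUID_HV_PRESENT (1u << 31)

/* Register snapshot from one CPUID call; plain data so the classifiers below can be
 * exercised on captured or constructed values without executing CPUID. */
struct cpuid_regs {
    uint32_t eax, ebx, ecx, edx;
};

/* Returns 1 if the "hypervisor present" bit is set in a leaf-1 ECX value. */
int hv_present_from_leaf1(uint32_t ecx)
{
    return (ecx & CPUID_HV_PRESENT) != 0;
}

/* Leaf 0x40000000 returns a 12-byte vendor signature as little-endian bytes in
 * EBX:ECX:EDX. Copies it out as a NUL-terminated string. */
void hv_vendor_from_leaf(const struct cpuid_regs *r, char out[13])
{
    memcpy(out, &r->ebx, 4);
    memcpy(out + 4, &r->ecx, 4);
    memcpy(out + 8, &r->edx, 4);
    out[12] = '\0';
}

/* Maps a signature to a product name; NULL if it is not a well-known string.
 * Signatures shorter than 12 bytes (KVM) are NUL-padded by the hypervisor, so
 * a plain strcmp on the extracted string is enough. */
const char *hv_vendor_name(const char *sig)
{
    static const struct { const char *sig; const char *name; } known[] = {
        { "VMwareVMware", "VMware" },
        { "KVMKVMKVM",    "KVM" },
        { "Microsoft Hv", "Hyper-V" },
        { "VBoxVBoxVBox", "VirtualBox" },
        { "XenVMMXenVMM", "Xen" },
        { "TCGTCGTCGTCG", "QEMU (TCG)" },
    };
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (strcmp(sig, known[i].sig) == 0)
            return known[i].name;
    return NULL;
}

/* Live probe. Returns 1 and fills vendor when a hypervisor is reported, 0 when
 * not, -1 when not built for x86. __get_cpuid() rejects leaves above the basic
 * maximum, so the 0x40000000 leaf is read with the raw __cpuid macro instead. */
int probe_hypervisor(char vendor[13])
{
    vendor[0] = '\0';
#if defined(__x86_64__) || defined(__i386__)
    unsigned int a, b, c, d;
    if (!__get_cpuid(1, &a, &b, &c, &d))
        return -1;
    if (!hv_present_from_leaf1(c))
        return 0;
    __cpuid(0x40000000, a, b, c, d);
    struct cpuid_regs r = { a, b, c, d };
    hv_vendor_from_leaf(&r, vendor);
    return 1;
#else
    return -1;
#endif
}

int main(void)
{
    char vendor[13];
    int rc = probe_hypervisor(vendor);
    if (rc < 0)
        puts("not an x86 build; CPUID probe skipped");
    else if (rc == 0)
        puts("no hypervisor bit; probably bare metal (or a VMM that hides it)");
    else {
        const char *name = hv_vendor_name(vendor);
        printf("hypervisor present: \"%s\" (%s)\n", vendor, name ? name : "unrecognised");
    }
    return 0;
}
```

Two practical notes. A loader that does this will usually bail out or take a decoy path when the bit is set, so a dynamic-analysis run that "does nothing" in VMware may simply mean the check fired; look for the CPUID instruction in the disassembly before trusting that result. And since CPUID is an instruction rather than an API call, you cannot hook it from user mode; hiding it means a hypervisor that masks the flag (or a bare-metal sandbox), which is the reason the reply above says mainstream VMs are the wrong tool for this.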

In the case of the GCHQ, I believe there's a system which picks two random words to concatenate. The intention is that the codename would not reveal anything about the program to which it refers.

Yeah, that's what they should be doing, same with the NSA. Maybe 20 years ago.

Now? Someone reads Sluggy Freelance and thinks FERRETCANNON sounds funny.

They used to tell a story about this, the Germans in WW2, and their penchant for meaningful names allowing potentially meaningful guesswork. Of course, the new generation of brogrammer "cyber-specialists" in charge of Mastering The Internet never got the memo, on either side.

