ANTI-MALWARE.info | The Reference in Independent Anti-Malware Advice and Information
Subscribe | Log in

Posts Tagged ‘cyber espionage’

Regin, an old but sophisticated cyber espionage toolkit platform

Malware can be named in one breath with Stuxnet & Co.

Regin is one of the latest cyber espionage toolkits targeting a range or organizations, companies and individuals around the world. This malware is very sophisticated and it can mentioned in the same breath with other cyberespionage campaigns like Duqu, Stuxnet, Flame, Uroburos (aka Snake/Turla). First reported about by Symantec[1], Regin kept itself under the radar for years.

As G DATA experts worked on this rootkit for quite a while we also gathered some data. The first Regin version we identified was used in March 2009 and the compilation date is July 2008:

paul@gdata:~/regin$ ./pescanner.py b12c7d57507286bbbe36d7acf9b34c22c96606ffd904e3c23008399a4a50c047
Meta-data
================================================================================
File:    b12c7d57507286bbbe36d7acf9b34c22c96606ffd904e3c23008399a4a50c047
Size:    12608 bytes
Type:    PE32 executable (native) Intel 80386, for MS Windows
MD5:     ffb0b9b5b610191051a7bdf0806e1e47
SHA1:    75a9af1e34dc0bb2f7fcde9d56b2503072ac35dd
ssdeep:
Date:    0x486CBA19 [Thu Jul  3 11:38:01 2008 UTC]
EP:      0x103d4 .text 0/4

Some sources go even back to 2003 but this in unclear at this moment however we can confirm that this campaign appeared at least early 2009.

An Open Source detection tool provided by G DATA

We identified the use of an encrypted virtual file system. In the version mentioned above, the file system is a fake .evt file in %System%\config. The header of the virtual file system is always the same:

typedef struct _HEADER {
uint16_t SectorSize;
uint16_t MaxSectorCount;
uint16_t MaxFileCount;
uint8_t FileTagLength;
uint16_t crc32custom;
}

During our analysis, the checksum was a CRC32. A generic approach to detect the infection could be a detection of the existence of a virtual file system on the infected system by checking the custom CRC32 value at the beginning of the file system.
Download the python script by going to the original G DATA article (link see below).

regin-detect.py SHA256: 98ac51088b7d8e3c3bb8fbca112290279a4d226b3609a583a735ecdbcd0d7045
regin-detect.py MD5: 743c7e4c6577df3d7e4391f1f5af4d65

And here is the output when a virtual file system is scanned:
paul@gdata:~regin$ ./tool.py security.evt
SectorSize:  1000
MaxSectorCount:  0500
MaxFileCount:  0500
FileTagLength:  10
CRC32custom:  df979328
CRC of the file: df979328
Regin detected

Victims:

So far, victims of Regin were identified in 14 countries:

  • Algeria
  • Afghanistan
  • Belgium
  • Brazil
  • Fiji
  • Germany
  • Iran
  • India
  • Indonesia
  • Kiribati
  • Malaysia
  • Pakistan
  • Russia
  • Syria

Perhaps one of the most publicly known victims of Regin is Jean Jacques Quisquater, a well-known Belgian cryptographer. Kaspersky Lab stated this in their report which you can find at
securelist.com/blog/research/67741/regin-nation-state-ownage-of-gsm-networks/ .

Even more interesting is the fact that Regin seems to be the spyware behind the Belgacom case, a big Belgian Telecom provider hacked in 2013. Belgacom acknowledged the hack, but never provided details about the breach. Ronald Prins from Fox-IT, which helped with the forensics and investigation of the Belgacom case, confirmed on his Twitter page that Regin could possibly be the malware behind the Belgacom case.

The Intercept, a publication of First Look Media, not only connects Regin to Belgacom, but also names the European Union as potential victim in an article published on November 24th.
(more…)


Book Launch ‘Cybergevaar’

IT security Information for everybody

I finally did it. In the beginning of October 2013, I and the Belgian publisher Lannoo (www.lannoo.be ) officially launched ‘Cybergevaar’ in Belgium and the Netherlands. It was not an easy job, I can tell you but I always wanted to do this. It took me about 8 to 9 months to write and finalize it. That’s also part of the reason why I didn’t blog that often anymore during that period.

“Writing a book about cyber threats in a comprehensible and comprehensive way is not an easy task, but the book ‘Cybergevaar ‘ succeeds in this”, certifies the book’s first review, conducted by a well-known Belgian IT magazine, Datanews. The book “Cybergevaar” tries to provide a very readable and very accessible overview of almost every information security related problem and malware. It reaches out to the general audience and does not only target the technically savvy reader but provides information for everybody.

cybergevaarcover

“Cybergevaar” starts with an overview of the history of malware and looks into the many profiles of malware writers and hackers. One of the chapters touches the topic underground economy and is using a lot of examples to explain the involvements. It is based on a whitepaper written by G Data SecurityLabs. Furthermore, new developments in the fields of cyber attacks, sabotage and espionage are discussed and looked into from different angles. The daily threats and the myths about malware are described in a detailed way. Among this, the chapter about general security tips and tricks is interesting for everybody. The book also provides a special chapter with thorough advice for companies.

While exploring the book, the reader can find several exciting security anecdotes and entertaining situations one possibly has never heard of before. Additional clarifications are provided throughout the entire book by use of attractive illustrations and easy-to-understand graphs. High-level opinions of people with experience and interest in the ICT security industry are included: Professionals such as Natalya Kasperskaya (InfoWatch), Ralf Benzmüller (G Data), Peter Kruse (CSIS Security Group), Bob Burls (Independent IT Security Consultant) are amongst the contributors.  The book also seeks to elaborate on how governments and the media can play a role in the ‘education’ of users. Moreover, it gives an inside look into the computer security industry and organizations like AMTSO and EICAR. And, of course, ‘Cybergevaar’ does not miss the opportunity to highlight how the problem and its solutions may develop in the future, with a special chapter in the form of a short story – ‘Radical Ransom’ – set in the year 2033.

“Cybergevaar” by Eddy Willems, Lannoo, 213 pages, is now available in Belgian and Dutch bookstores and online shops.  Plans to publish this book in other languages, such as German and English, are currently being discussed.

Official Website (Dutch): www.cybergevaar.be and www.cybergevaar.nl

You can also order your version of the book via this webpage: www.lannooshop.com/gdata

 


Cold Cyber War

About the abuse of sensational catchwords

The last few months there has been an astounding increase in media attention around the theme ‘cyber war’. From blogs via newspapers on to TV, everywhere we can hear statements about how a cyber war is on the verge of breaking out. But is that true?

When I think of the word ‘war’, I think of a situation where two or more sides attack one another. And the attacks lead to casualties. This should also be the case in a so called cyber war. And something like that, has not yet been seen. And quite frankly, I don’t think we will see one materializing soon.

(more…)


The lack of basic security and good consultancy in a world dominated by an economical crisis

Why basic antivirus is not failing.

 A lot has been written and said about antivirus products seemingly failing these days to protect users against advanced persistent threats or specific targeted attacks. The anti-virus industry seems not to be able to detect threats like Stuxnet, Duqu, Flame or even recently Dorifel in time. Media and press called some of those attacks acts of cyberwarfare. Richard A. Clarke, an internationally-recognized expert on security, defines cyberwarfare as “actions by a nation-state to penetrate another nation’s computers or networks for the purposes of causing damage or disruption.” But there are loads of other definitions. However, it is clear that cyberwarfare consists of many different threats ranging from sabotage to espionage and national security breaches to attacks related to the critical infrastructure of a region or country. The malware used is most likely developed at least by an organization with a lot of money and is related to the first signs of what could be called cyberwarfare.

So, several companies and the general public were claiming that we all were too late in stopping these threats. Looking at the case of Flame the AV industry found out that we already had some samples of it when the news became public, but we were not aware of it. The samples have never been verified as being malicious before. Also Stuxnet went undetected for over a year after it was found.

So, the question might be the following: Is the anti-virus industry ready for the next battle? Can we all, with our tight consumer antivirus industry related budgets, be up against targeted malware or APT’s created by organizations with a lot of money?

(more…)


This website is 17 years old!

Back in 1995 at the end of August I started this website as one of the first anti-virus and security sites in the world.  Today I nearly forgot this anniversary. The reason for this is that the speed of news and amounts of malware related problems has been growing like hell. The amounts of data and malware we see these days are excessive. I am personally involved with all this stuff much more (24/24  7 days a week) these days compared to 1989 when it all started for me.  The hacks we see these days are worrying. The mentality of people seems to be changed dramatically and hacking (read ‘cracking’) seems to be as normal as having dinner these days. Cyberwarfare, cybersabotage and cyberespionage are now also part of the problem. I wish I could say over 17 years: ‘Yes we’ve done it, we (the AV and security industry) solved the malware problem’ but I’m now sure that this is probably wishful thinking and never will be the case. However this battle isn’t over yet. Malware writers, hackers and other cybercriminals be prepared that also the laws are changing, maybe you could start thinking about finally turning you’re skills into the good direction. I hope nations will think twice when writing nation-state driven malware or even thinking of hacking back the hackers. An eye for an eye makes the whole world blind (Mahatma Gandhi).

 


Bug bounty initiatives: a summer approach against cyberthreats?

(This blog article has been published at the G Data Security Blog over here.)

The summer season has always been a mixture of holidays and launching new intiatives against cyberthreats if you look back at the past months. One of the new initiatives is brought to us by Microsoft with what they call the Blue Hat Prize. It is a contest that wants to generate new defensive approaches in the field of computer security. By launching this initiative, MS wants to develop new solutions to resolve security threats. And there are interesting prizes for the participants, ranging from $10,000 to $200,000.
It is known that MS also has some internal research conferences, but this new program will focus on new technology and defense against memory safety vulnerabilities especially. Microsoft clearly wants to encourage researchers to think about new ways of defeating entire classes of bugs instead of MS paying for individual bugs only, like some other companies are doing.

(more…)


The Rise of the Targattacks*: Cyber espionage and sabotage: the new way

*Abbr.: targeted attacks

During the last 18 months we saw a growing number of targeted attacks against numerous companies and organizations. Let’s briefly have a look at some of them:

  • The Aurora Attack: an attack that began in mid 2009 and continued until December 2009. The primary goal of this attack was to gain access to high tech, security and defense companies and potentially modify source code repositories. For example at Adobe, Juniper, Google, Yahoo, etc…
  • German Emissions Trading Authority (DEHSt): suffered from phishing attacks carried out in January 2010. Scamsters circulated their fraudulent emails masquerading as email from the DEHSt and persuaded the recipients to login to a counterfeit website, ironically to protect themselves against alleged hacker attacks. Using the stolen access data, the attackers transferred emissions permits, primarily to Denmark and Great Britain, and in so doing allegedly gained up to three million Euros illegally. It is readily apparent that targeted phishing attacks can be very lucrative.
  • Stuxnet: a Windows computer worm discovered in July 2010 that targets industrial SCADA  software and equipment with the aim of attacking an Iranian nuclear plant. The attack seems to have been successful as the enrichment of Uranium was heavily delayed.
  • G20 Files attack: was announced in March 2011 but had already been going on for several months. The G20 is made up of the finance ministers and central bank governors of 19 countries and discusses key issues of the global economy. Over 150 ministry computers of the G20 were attacked. The attacks aimed at files related to the G20 meetings.
  • RSA breach: RSA is a well known security company specialized in identity and access solutions. Hackers may have gained access to part of the code generation algorithm used in RSA SecurID tokens. At least some information was extracted but it’s still unsure if it will actually cause future problems.
  • EU Commission Summit attack: this was a targeted attack against some specific servers at the EU Commission in Brussels, found and stopped before the EU March 2011 Summit. As not much is known about it, we suppose that nothing important has been leaked.
  • Epsilon email breach: Epsilon is a well known online marketing company that is working with hundreds of large companies around the world and stores millions of email addresses in its databases. Hackers have stolen customer email addresses and names belonging to a “subset of its clients”. Some big companies such as Disney, Citibank, Verizon, etc … were involved.

 And this list is still not complete.

(more…)