"The archive also contains the output of ProcMon,
Process Monitor, a system monitoring tool distributed
by Microsoft and commonly used in forensics and
intrusion analysis.
This file identifies the infected system and provides
a variety of interesting information about the network.
For instance:
USERDNSDOMAIN=BGC.NET
USERDOMAIN=BELGACOM
USERNAME=id051897a
USERPROFILE=C:\Users\id051897a"
Also love the comment at the end:
"Below is a list of hashes for the files The Intercept is making available for download. Given that it has been over a year since the Belgacom operation was publicly outed, The Intercept considers it likely that the GCHQ/NSA has REPLACED THEIR TOOLKIT AND NO CURRENT OPERATIONS WILL BE AFFECTED by the publication of these samples."
Do you really have any doubt about who's behind this?
We can debate about motivations and who their target really was (Belgacom may have been collateral damage), but despite "proof", there's little doubt about who wrote it.
I simply pointed out that the person who uploaded to virustotal certainly didn't realize it also had Belgacom domain name, username, and a list of all the processes running on the machine.
> Yes, just like FBI assassinating Kennedy because Oh snap cuba!
I have no doubt where this came from, despite not having Gen. Keith Alexander's email in the logs.
Interesting. What I don't get from this analysis or the one by Symantec is how this rootkit is able to install kernel drivers on 64-bit Windows with driver signing enabled. Is this using a new vulnerability to do so? An existing one? Did the GCHQ/NSA manage to get their hands on the keys necessary to sign Windows drivers? Each scenario has implications for code signing as a security technique...
It's no surprise at all the UK has intelligence targets in Ireland: go read up on The Troubles. (I walked right past a live IRA bomb as a child. Spent half an hour longer shopping, and maybe I wouldn't be typing this.)
Of course, that situation just isn't today what it used to be.
As for the US, a lot of corps have operations and/or headquarters in Ireland for tax reasons. For example you might recall a story about Microsoft, the FBI, and email.
Given the centuries-long political problems between the two nations, what else would you expect? Ireland has an intelligence agency too which I'm sure does its share of covert information-gathering (at least I hope so, or it wouldn't be much good): http://en.wikipedia.org/wiki/Directorate_of_Intelligence_%28...
The IRA (et al.) do attack the Irish State, since they don't recognise it (e.g. https://en.wikipedia.org/wiki/Death_of_Jerry_McCabe ). However, the UK police force & intelligence agency is much more advanced than the Irish one.
It would be really good if the people reverse engineering malicious software knew how computers worked:
"This Regin driver recurrently checks
that the current IRQL (Interrupt Request Level)
is set to PASSIVE_LEVEL using the KeGetCurrentIrql()
function in many parts of the code, probably in order
to operate as silently as possible and to prevent
possible IRQL confusion. This technique is another
example of the level of precaution the developers
took while designing this malware framework."
NT's driver model is a mixed model: many calls are chained from interrupts, others may be syscalls. Some driver functions like netfilters or filesystem filters may be called from both interrupts AND system calls.
Accessing some calls at the wrong IRQL is deadly. Similarly, if you are attached as a filter you can get tons of calls, almost all of which are not relevant. You must be able to quickly filter those calls or the system can become unstable.
Admittedly, the efficiency of NT's design is pretty brilliant considering that we started with TSR interrupts in DOS, but it is also fraught with danger. For instance, different locking calls can only be used at certain IRQLs, otherwise you can lock the entire system. Sometimes those calls only happen with certain configurations or kernel versions.
Being an NT driver developer is maddening. The Linux driver model is much better, as there are no mixed mode calls. Interrupts are chained but your function is always at the same or lower interrupt level. Most code is also explicitly kept out of interrupts, and instead operates as usermode syscalls. You can write an entire filesystem and likely never deal with interrupts.