科技回声
© 2025 科技回声. All rights reserved.

Secret Malware in EU Attack Linked to US and British Intelligence

147 points, by FredericJ, over 10 years ago

6 comments

guiambros, over 10 years ago
Oh snap!

    "The archive also contains the output of ProcMon, Process Monitor, a system monitoring tool distributed by Microsoft and commonly used in forensics and intrusion analysis. This file identifies the infected system and provides a variety of interesting information about the network. For instance: USERDNSDOMAIN=BGC.NET USERDOMAIN=BELGACOM USERNAME=id051897a USERPROFILE=C:\Users\id051897a"

Also love the comment at the end:

"Below is a list of hashes for the files The Intercept is making available for download. Given that it has been over a year since the Belgacom operation was publicly outed, The Intercept considers it likely that the GCHQ/NSA has REPLACED THEIR TOOLKIT AND NO CURRENT OPERATIONS WILL BE AFFECTED by the publication of these samples."
justcommenting, over 10 years ago
Re-posting AlyssaRowan's comment (https://news.ycombinator.com/item?id=8653692) here:

"Got more payload chunks. Wow, they were sloppy with this - found plenty of symbol references still in them!

So far, that makes references to LEGSPIN, WILLISCHECK, HOPSCOTCH, STARBUCKS, FOGGYBOTTOM, SALVAGERABBIT.

I believe this may be NSA's UNITEDRAKE implant architecture, specifically."
lazaroclapp, over 10 years ago
Interesting. What I don't get from this analysis or the one by Symantec is how this rootkit is able to install kernel drivers on 64-bit Windows with driver signing enabled. Is this using a new vulnerability to do so? An existing one? Did the GCHQ/NSA manage to get their hands on the keys necessary to sign Windows drivers? Each scenario has implications for code signing as a security technique...
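The question above is one a defender can at least start answering on their own hosts. The following is an added example, not code from the thread or from any of the analyses it discusses: a PowerShell function that enumerates the drivers Windows knows about and reports every one whose on-disk image is not carrying a valid Authenticode signature. It assumes the host's Win32_SystemDriver entries expose a readable PathName and that the shell runs elevated; the function name Get-UnverifiedDrivers is invented for this example.

```powershell
# Added example (not from the thread): list drivers whose image on disk fails
# Authenticode validation. Run from an elevated PowerShell session.
function Get-UnverifiedDrivers {
    [CmdletBinding()]
    param(
        # By default only currently loaded drivers are checked; pass -RunningOnly:$false
        # to include registered-but-stopped drivers as well.
        [bool]$RunningOnly = $true
    )

    $drivers = Get-CimInstance -ClassName Win32_SystemDriver
    if ($RunningOnly) {
        $drivers = $drivers | Where-Object { $_.State -eq 'Running' }
    }

    foreach ($d in $drivers) {
        if (-not $d.PathName) { continue }

        # Some entries use \SystemRoot\... or \??\C:\... forms that the
        # signature cmdlet cannot open; rewrite them into plain Win32 paths.
        $path = $d.PathName -replace '^\\SystemRoot', $env:SystemRoot
        $path = $path -replace '^\\\?\?\\', ''

        if (-not (Test-Path -LiteralPath $path)) {
            # A registered driver with no file behind it is itself worth a look.
            [pscustomobject]@{ Name = $d.Name; Path = $path; Status = 'FileMissing'; Signer = $null }
            continue
        }

        $sig = Get-AuthenticodeSignature -LiteralPath $path
        # Anything other than 'Valid' (NotSigned, HashMismatch, NotTrusted, ...) is reported.
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{
                Name   = $d.Name
                Path   = $path
                Status = $sig.Status
                Signer = $sig.SignerCertificate.Subject
            }
        }
    }
}

Get-UnverifiedDrivers | Format-Table -AutoSize
```

This checks what is on disk, not what is in memory: a kernel-mode implant that hides its own driver object, or that has loaded through a legitimately signed but abusable driver, will not show up here, and on older hosts catalog-signed inbox drivers can be reported as NotSigned, so cross-check any hit with `driverquery /si` before drawing conclusions.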
iresa, over 10 years ago
So the UK attacked Ireland.

Nice one.
zodiakzz, over 10 years ago
Stupid question... is it not possible to identify the IP addresses this thing contacts?
munin, over 10 years ago
It would be really good if the people reverse engineering malicious software knew how computers worked:

    "This Regin driver recurrently checks that the current IRQL (Interrupt Request Level) is set to PASSIVE_LEVEL using the KeGetCurrentIrql() function in many parts of the code, probably in order to operate as silently as possible and to prevent possible IRQL confusion. This technique is another example of the level of precaution the developers took while designing this malware framework."

What does that even MEAN?!