This post was last edited by 欧阳宣 on 2014-12-4 10:11
https://blog.gdatasoftware.com/blog/article/regin-an-old-but-sophisticated-cyber-espionage-toolkit-platform.html
Regin is one of the latest cyber espionage toolkits, targeting a range of organizations, companies and individuals around the world. The malware is very sophisticated and can be mentioned in the same breath as other cyber espionage campaigns such as Duqu, Stuxnet, Flame and Uroburos (aka Snake/Turla). First reported by Symantec[1], Regin had kept itself under the radar for years.
As G DATA experts have worked on this rootkit for quite a while, we also gathered some data. The first Regin version we identified was used in March 2009, and its compilation date (the PE header timestamp shown below) is July 2008:
paul@gdata:~/regin$ ./pescanner.py b12c7d57507286bbbe36d7acf9b34c22c96606ffd904e3c23008399a4a50c047
Meta-data
================================================================================
File: b12c7d57507286bbbe36d7acf9b34c22c96606ffd904e3c23008399a4a50c047
Size: 12608 bytes
Type: PE32 executable (native) Intel 80386, for MS Windows
MD5: ffb0b9b5b610191051a7bdf0806e1e47
SHA1: 75a9af1e34dc0bb2f7fcde9d56b2503072ac35dd
ssdeep:
Date: 0x486CBA19 [Thu Jul 3 11:38:01 2008 UTC]
EP: 0x103d4 .text 0/4
Some sources go back even to 2003, but this is unclear at the moment; what we can confirm is that this campaign was active at least as early as the beginning of 2009.
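The "Date" line in the pescanner output above comes from the TimeDateStamp field of the PE file's COFF header. The following is an added example (not G DATA's pescanner.py) that walks a PE file to that field and converts it to a UTC date; the stub PE it builds for itself is a constructed input containing only the headers the parser reads, not a real Regin sample.

```python
#!/usr/bin/env python3
"""Added example (not G DATA's pescanner.py): read the compile timestamp from a
PE file and render it as a UTC date, as a PE scanner reports it.

Layout used: the DOS header starts with "MZ" and holds e_lfanew (the offset of
the "PE\0\0" signature) at 0x3c; the 20-byte COFF file header follows the
signature and carries a 32-bit Unix time (TimeDateStamp) at offset 4.
"""
import struct
from datetime import datetime, timezone

PE_SIGNATURE = b"PE\0\0"
IMAGE_FILE_MACHINE_I386 = 0x14C


def pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp; raise ValueError if `data` is not a PE."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    if len(data) < 0x40:
        raise ValueError("DOS header truncated")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    if len(data) < coff + 20:
        raise ValueError("COFF header truncated")
    machine, _nsections, timestamp = struct.unpack_from("<HHI", data, coff)
    return timestamp


def timestamp_to_utc(ts: int) -> str:
    """Format a PE timestamp as 'Thu 2008-07-03 11:38:01 UTC'."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime(
        "%a %Y-%m-%d %H:%M:%S UTC")


def compile_date(data: bytes) -> str:
    """Convenience wrapper: PE bytes -> formatted compile date."""
    return timestamp_to_utc(pe_timestamp(data))


def build_stub_pe(timestamp: int, machine: int = IMAGE_FILE_MACHINE_I386) -> bytes:
    """Constructed input: the smallest byte string the parser above accepts
    (DOS header with e_lfanew = 0x40, PE signature, 20-byte COFF header).
    It is not a loadable executable and is not a Regin sample."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", machine, 4, timestamp, 0, 0, 0, 0)
    return dos + PE_SIGNATURE + coff


# The timestamp value from the pescanner output above, wrapped in a stub.
SAMPLE_PE = build_stub_pe(0x486CBA19)

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:] or []:
        with open(path, "rb") as f:
            print(path, compile_date(f.read()))
    print("stub:", compile_date(SAMPLE_PE))
```

The timestamp is written by the linker and sits in attacker-controlled bytes: it can be zeroed, set to a fixed value or backdated, so it is one piece of evidence for the July 2008 build date, to be cross-checked against other artifacts (first-seen dates, exports, embedded strings) rather than proof by itself.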
An Open Source detection tool provided by G DATA
We identified the use of an encrypted virtual file system. In the version mentioned above, the file system is stored as a fake .evt file in %System%\config. The header of the virtual file system is always the same:
#include <stdint.h>

#pragma pack(push, 1)   /* on-disk layout: fields are contiguous, no alignment padding */
typedef struct _HEADER {
    uint16_t SectorSize;      /* sector size in bytes */
    uint16_t MaxSectorCount;
    uint16_t MaxFileCount;
    uint8_t  FileTagLength;
    uint32_t crc32custom;     /* CRC32 with a custom seed; 32 bits, as the tool output below shows */
} HEADER;
#pragma pack(pop)
During our analysis, the checksum was a CRC32 computed with a custom seed. A generic approach to detecting the infection is therefore to detect the presence of the virtual file system itself: recompute the custom CRC32 over the start of the file and compare it with the value stored in the header at the beginning of the file system. A genuine event log file is not expected to carry a matching value, so a match identifies the container even though its contents are encrypted.
Download the Python script via the link below the original article:
regin-detect.py SHA256: 98ac51088b7d8e3c3bb8fbca112290279a4d226b3609a583a735ecdbcd0d7045
regin-detect.py MD5: 743c7e4c6577df3d7e4391f1f5af4d65
And here is the output when a virtual file system is scanned:
paul@gdata:~regin$ ./tool.py security.evt
SectorSize: 1000
MaxSectorCount: 0500
MaxFileCount: 0500
FileTagLength: 10
CRC32custom: df979328
CRC of the file: df979328
Regin detected
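The check described above (parse the header, recompute the custom CRC32, compare it with the stored field), written out as an added example. This is not G DATA's regin-detect.py: the header layout is the one given above, but the page does not say which bytes the checksum covers or what the custom seed is, so the example assumes the CRC covers the 7 bytes preceding the checksum field and makes the seed a parameter (defaulting to 0) that should be set to whatever analysis of a sample shows. The sample inputs are constructed: a header built from the geometry values in the output above, and a stand-in that carries only the real .evt file signature.

```python
#!/usr/bin/env python3
"""Added example (not G DATA's regin-detect.py): flag a file as a Regin-style
encrypted VFS container by validating the checksum stored in its header.

Header layout from the write-up above, little-endian, no padding:
  uint16 SectorSize | uint16 MaxSectorCount | uint16 MaxFileCount |
  uint8 FileTagLength | uint32 crc32custom
Assumptions not stated on the page: the CRC covers the 7 bytes that precede
the checksum field, and "custom" means a non-standard starting value (seed).
Both are parameters so they can be set to what analysis of a sample shows.
"""
import struct
import sys
import zlib
from typing import NamedTuple

HEADER_FMT = "<HHHBI"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 11 bytes
CRC_END = HEADER_LEN - 4                   # bytes [0, 7) are checksummed (assumed)
DEFAULT_SEED = 0                           # assumed placeholder for the custom seed


class VfsHeader(NamedTuple):
    sector_size: int
    max_sector_count: int
    max_file_count: int
    file_tag_length: int
    crc32custom: int


def parse_header(data: bytes) -> VfsHeader:
    """Unpack the fixed header; raise ValueError on a too-short file."""
    if len(data) < HEADER_LEN:
        raise ValueError("file shorter than a VFS header")
    return VfsHeader._make(struct.unpack_from(HEADER_FMT, data, 0))


def custom_crc32(data: bytes, seed: int = DEFAULT_SEED) -> int:
    """CRC32 (zlib polynomial) started from `seed` instead of 0."""
    return zlib.crc32(data, seed) & 0xFFFFFFFF


def header_is_plausible(h: VfsHeader) -> bool:
    """Added heuristic (not from the page) to cut false positives from random
    bytes: geometry fields non-zero and the sector size a power of two."""
    return (h.sector_size > 0 and h.sector_size & (h.sector_size - 1) == 0
            and h.max_sector_count > 0 and h.max_file_count > 0
            and h.file_tag_length > 0)


def scan(data: bytes, seed: int = DEFAULT_SEED) -> dict:
    """Return the parsed header, the recomputed CRC and the verdict."""
    h = parse_header(data)
    computed = custom_crc32(data[:CRC_END], seed)
    crc_ok = computed == h.crc32custom
    return {"header": h, "computed_crc": computed, "crc_matches": crc_ok,
            "detected": crc_ok and header_is_plausible(h)}


def build_header(sector_size: int, max_sector_count: int, max_file_count: int,
                 file_tag_length: int, seed: int = DEFAULT_SEED) -> bytes:
    """Constructed test input: a header whose checksum field is consistent."""
    body = struct.pack("<HHHB", sector_size, max_sector_count,
                       max_file_count, file_tag_length)
    return body + struct.pack("<I", custom_crc32(body, seed))


# Constructed samples: geometry values copied from the sample output above plus
# dummy sector bytes; and a stand-in carrying only the real .evt signature
# (header size 0x30 followed by "LfLe"), which must not be flagged.
SAMPLE_VFS = build_header(0x1000, 0x0500, 0x0500, 0x10) + b"\x00" * 64
BENIGN_EVT = b"\x30\x00\x00\x00LfLe" + b"\x00" * 56


def main(argv: list) -> int:
    rc = 0
    for path in argv[1:]:
        with open(path, "rb") as f:
            head = f.read(HEADER_LEN)
        try:
            r = scan(head)
        except ValueError as e:
            print(f"{path}: skipped ({e})")
            continue
        h = r["header"]
        print(f"{path}: SectorSize {h.sector_size:04x} MaxSectorCount "
              f"{h.max_sector_count:04x} MaxFileCount {h.max_file_count:04x} "
              f"FileTagLength {h.file_tag_length:02x} CRC32custom "
              f"{h.crc32custom:08x} computed {r['computed_crc']:08x}")
        if r["detected"]:
            print(f"{path}: Regin VFS header detected")
            rc = 1
    return rc


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `./vfs_check.py %SystemRoot%\system32\config\*.evt` (name assumed) and treat a non-zero exit as a hit. The detection hinges on knowing the attacker's seed: a build of the implant that changes the seed or the checksummed range defeats this check while the file system keeps working, so the header check is a cheap triage signal to be combined with the sample hashes listed below rather than a replacement for them.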
Victims:
So far, victims of Regin have been identified in 14 countries:
Algeria
Afghanistan
Belgium
Brazil
Fiji
Germany
Iran
India
Indonesia
Kiribati
Malaysia
Pakistan
Russia
Syria
Perhaps one of the most publicly known victims of Regin is Jean Jacques Quisquater, a well-known Belgian cryptographer. Kaspersky Lab stated this in their report, which you can find at
securelist.com/blog/research/67741/regin-nation-state-ownage-of-gsm-networks/ .
Even more interesting is the fact that Regin seems to be the spyware behind the Belgacom case, the big Belgian telecom provider hacked in 2013. Belgacom acknowledged the hack but never provided details about the breach. Ronald Prins of Fox-IT, which helped with the forensics and investigation of the Belgacom case, confirmed on his Twitter page that Regin could possibly be the malware behind the Belgacom case: https://twitter.com/cryptoron/status/536906587655667713
The Intercept, a publication of First Look Media, not only connects Regin to Belgacom but also names the European Union as a potential victim in an article published on November 24th.
Conclusion:
Regin is best described as a full cyber espionage platform whose goal is complete remote control and monitoring at every possible level. Attribution is difficult in cases like this; however, considering the complexity of the development effort, we suspect that this operation is supported by a nation state. From the information we have, we assume that it originates neither from Russia nor from China.
If you need more information please contact us at intelligence@gdata.de
Examples of Regin sample MD5s:
4b6b86c7fec1c574706cecedf44abded
b505d65721bb2453d5039a389113b566
ba7bb65634ce1e30c1e5415be3d1db1d
a3915d7e41eb51ba07a2ae5e533e0673
2c8b9d2885543d7ade3cae98225e263b
49a6d5256ff9d061c964aa62788d0519
bfbe8c3ee78750c3a520480700e440f8
d240f06e98c8d3e647cbf4d442d79475
b29ca4f22ae7b7b25f79c1d4a421139d
b269894f434657db2b15949641a67532
187044596bc1328efa0ed636d8aa4a5c
ffb0b9b5b610191051a7bdf0806e1e47
1c024e599ac055312a4ab75b3950040a
49d4a603b117355a054b844487de55d9
6662c390b2bbbd291ec7987388fc75d7
06665b96e293b23acc80451abb413e50
G DATA detects known Regin samples.
Attached is Symantec's related report ([1] above): http://www.symantec.com/connect/blogs/regin-top-tier-espionage-tool-enables-stealthy-surveillance