WinNT/Regin
Old stuff, detected since 2011; Symantec published a whitepaper about it today.
Looks interesting anyway.
Whitepaper: http://www.symantec.com/content/en/us/e ... alysis.pdf
Samples attached:
All the ones mentioned in the paper appendix.
Re: Trojan:WinNT/Regin
Post from F-Secure:
https://www.f-secure.com/weblog/archives/00002766.html
YARA rules:
http://pastebin.com/0ZEWvjsC
rule Regin_APT_KernelDriver_Generic_A {
    meta:
        description = "Generic rule for Regin APT kernel driver Malware - Symantec http://t.co/qu53359Cb2"
        author = "@Malwrsignatures - included in APT Scanner THOR"
        date = "23.11.14"
        hash1 = "187044596bc1328efa0ed636d8aa4a5c"
        hash2 = "06665b96e293b23acc80451abb413e50"
        hash3 = "d240f06e98c8d3e647cbf4d442d79475"
    strings:
        $m0 = { 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 }
        $m1 = { 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e }
        $s0 = "atapi.sys" fullword wide
        $s1 = "disk.sys" fullword wide
        $s3 = "h.data" fullword ascii
        $s4 = "\\system32" fullword ascii
        $s5 = "\\SystemRoot" fullword ascii
        $s6 = "system" fullword ascii
        $s7 = "temp" fullword ascii
        $s8 = "windows" fullword ascii
        $x1 = "LRich6" fullword ascii
        $x2 = "KeServiceDescriptorTable" fullword ascii
    condition:
        $m0 at 0 and $m1 and
        all of ($s*) and 1 of ($x*)
}

rule Regin_APT_KernelDriver_Generic_B {
    meta:
        description = "Generic rule for Regin APT kernel driver Malware - Symantec http://t.co/qu53359Cb2"
        author = "@Malwrsignatures - included in APT Scanner THOR"
        date = "23.11.14"
        hash1 = "ffb0b9b5b610191051a7bdf0806e1e47"
        hash2 = "bfbe8c3ee78750c3a520480700e440f8"
        hash3 = "b29ca4f22ae7b7b25f79c1d4a421139d"
        hash4 = "06665b96e293b23acc80451abb413e50"
        hash5 = "2c8b9d2885543d7ade3cae98225e263b"
        hash6 = "4b6b86c7fec1c574706cecedf44abded"
        hash7 = "187044596bc1328efa0ed636d8aa4a5c"
        hash8 = "d240f06e98c8d3e647cbf4d442d79475"
        hash9 = "6662c390b2bbbd291ec7987388fc75d7"
        hash10 = "1c024e599ac055312a4ab75b3950040a"
        hash11 = "ba7bb65634ce1e30c1e5415be3d1db1d"
        hash12 = "b505d65721bb2453d5039a389113b566"
        hash13 = "b269894f434657db2b15949641a67532"
    strings:
        $m0 = { 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 }
        $s1 = { 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e }
        $s2 = "H.data" fullword ascii nocase
        $s3 = "INIT" fullword ascii
        $s4 = "ntoskrnl.exe" fullword ascii
        $v1 = "\\system32" fullword ascii
        $v2 = "\\SystemRoot" fullword ascii
        $v3 = "KeServiceDescriptorTable" fullword ascii
        $w1 = "\\system32" fullword ascii
        $w2 = "\\SystemRoot" fullword ascii
        $w3 = "LRich6" fullword ascii
        $x1 = "_snprintf" fullword ascii
        $x2 = "_except_handler3" fullword ascii
        $y1 = "mbstowcs" fullword ascii
        $y2 = "wcstombs" fullword ascii
        $y3 = "KeGetCurrentIrql" fullword ascii
        $z1 = "wcscpy" fullword ascii
        $z2 = "ZwCreateFile" fullword ascii
        $z3 = "ZwQueryInformationFile" fullword ascii
        $z4 = "wcslen" fullword ascii
        $z5 = "atoi" fullword ascii
    condition:
        $m0 at 0 and all of ($s*) and
        ( all of ($v*) or all of ($w*) or all of ($x*) or all of ($y*) or all of ($z*) )
        and filesize < 20KB
}

rule Regin_APT_KernelDriver_Generic_C {
    meta:
        description = "Generic rule for Regin APT kernel driver Malware - Symantec http://t.co/qu53359Cb2"
        author = "@Malwrsignatures - included in APT Scanner THOR"
        date = "23.11.14"
        hash1 = "e0895336617e0b45b312383814ec6783556d7635"
        hash2 = "732298fa025ed48179a3a2555b45be96f7079712"
    strings:
        $m0 = { 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 }
        $s0 = "KeGetCurrentIrql" fullword ascii
        $s1 = "5.2.3790.0 (srv03_rtm.030324-2048)" fullword wide
        $s2 = "usbclass" fullword wide
        $x1 = "PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING" ascii
        $x2 = "Universal Serial Bus Class Driver" fullword wide
        $x3 = "5.2.3790.0" fullword wide
        $y1 = "LSA Shell" fullword wide
        $y2 = "0Richw" fullword ascii
    condition:
        $m0 at 0 and all of ($s*) and
        ( all of ($x*) or all of ($y*) )
        and filesize < 20KB
}
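Added illustration, not part of the post or of the rule author's code: a Python re-implementation of the Regin_APT_KernelDriver_Generic_B condition above, run against a constructed byte buffer rather than a real sample, to make explicit what "at 0", "fullword", "nocase" and the "filesize < 20KB" cap each test.

```python
import re

# Byte patterns copied from the Regin_APT_KernelDriver_Generic_B rule above.
M0 = bytes.fromhex("4d5a90000300000004000000ffff0000b8")   # MZ header prefix; rule requires it at offset 0
S1 = bytes.fromhex("0e1fba0e00b409cd21b8014ccd21") + b"This program cannot be run in DOS mode."
# The $v .. $z groups: the condition needs every string of at least one group.
GROUPS = {
    "v": ["\\system32", "\\SystemRoot", "KeServiceDescriptorTable"],
    "w": ["\\system32", "\\SystemRoot", "LRich6"],
    "x": ["_snprintf", "_except_handler3"],
    "y": ["mbstowcs", "wcstombs", "KeGetCurrentIrql"],
    "z": ["wcscpy", "ZwCreateFile", "ZwQueryInformationFile", "wcslen", "atoi"],
}

def fullword_ascii(data, s, nocase=False):
    """YARA 'fullword ascii': the string may not be flanked by alphanumeric bytes."""
    pat = rb"(?<![0-9A-Za-z])" + re.escape(s.encode()) + rb"(?![0-9A-Za-z])"
    return re.search(pat, data, re.IGNORECASE if nocase else 0) is not None

def matches_generic_b(data):
    """Re-implements the condition of Regin_APT_KernelDriver_Generic_B."""
    if not data.startswith(M0) or S1 not in data:            # $m0 at 0 and $s1
        return False
    if not (fullword_ascii(data, "H.data", nocase=True)      # $s2 carries 'nocase'
            and fullword_ascii(data, "INIT")
            and fullword_ascii(data, "ntoskrnl.exe")):
        return False
    group_hit = any(all(fullword_ascii(data, s) for s in g) for g in GROUPS.values())
    return group_hit and len(data) < 20 * 1024              # filesize < 20KB (tiny driver)

def build_sample(extra, pad_to=4096):
    """Constructed test buffer, not a real file: MZ prefix, DOS stub, NUL-separated strings."""
    strings = ["h.data", "INIT", "ntoskrnl.exe", *extra]    # lower-case h.data exercises nocase
    body = M0 + b"\x00" * 47 + S1 + b"\x00" + b"\x00".join(s.encode() for s in strings) + b"\x00"
    return body.ljust(pad_to, b"\x00")
```

Feeding build_sample() one complete group (for example the $z imports) matches, while an incomplete group, a buffer padded past 20KB, or an MZ header shifted off offset 0 does not.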
Re: Trojan:WinNT/Regin
http://securelist.com/blog/research/677 ... -networks/
A more detailed paper by Kaspersky.
Also, a blog post by F-Secure: https://www.f-secure.com/weblog/archives/00002766.html
- Posts: 40
- Joined: Wed Jul 13, 2011 1:53 am
Re: Trojan:WinNT/Regin
- Posts: 25
- Joined: Sat Aug 10, 2013 5:02 pm
Re: Trojan:WinNT/Regin
Any other sample which is 'not' a driver?
An executable perhaps. It could give more insight.
- EP_X0FF
- Global Moderator
- Posts: 4872
- Joined: Sun Mar 07, 2010 5:35 am
- Location: Russian Federation
Re: Trojan:WinNT/Regin
Leaving aside the reasons for the appearance of this yet-another-most-advanced-malware-ever fairy tale, they seem to be dealing with already infected machines, which means they don't have the original dropper, as the driver described by Symantec still needs to be installed before it starts its "Stages". Overall this malware so far doesn't look interesting or "advanced" in any way.
Ring0 - the source of inspiration
Re: WinNT/Regin
Secret Malware in European Union Attack Linked to U.S. and British Intelligence.
"This Regin driver recurrently checks that the current IRQL (Interrupt Request Level) is set to PASSIVE_LEVEL using the KeGetCurrentIrql() function in many parts of the code, probably in order to operate as silently as possible and to prevent possible IRQL confusion"
Hilarious.
- EP_X0FF
- Global Moderator
- Posts: 4872
- Joined: Sun Mar 07, 2010 5:35 am
- Location: Russian Federation
Re: WinNT/Regin
Patrick wrote:
Secret Malware in European Union Attack Linked to U.S. and British Intelligence.
"This Regin driver recurrently checks that the current IRQL (Interrupt Request Level) is set to PASSIVE_LEVEL using the KeGetCurrentIrql() function in many parts of the code, probably in order to operate as silently as possible and to prevent possible IRQL confusion"
Hilarious.

I stopped reading this doc after seeing this. Presenting developer incompetence as something "intended to be part of stealth" (just to fulfill the overall paranoia) reveals the incompetence level of the document's author itself, so I suggest the author go and perform suicide, and don't forget to check IRQL before. I guess the reasons for these checks are simple; probably it is a stupid "workaround" for an IRQL-related BSOD. Or they installed low-level hooks (which is hilarious in itself, as it is self-revealing) with logging of the data, so they need this check to be able to work with the file system, as the hooks can be triggered at any level.
It somehow reminded me of the case of one popular antivirus product I reversed a long time ago. Their driver was full of strange things, dozens of checks against MmSystemRangeStart after each memory allocation, for example p=ExAllocatePool(); if (p > MmSystemRangeStart) etc.
P.S.
It is a bit speculative, as I don't have anything at hand right now to check this myself.
Ring0 - the source of inspiration
- EP_X0FF
- Global Moderator
- Posts: 4872
- Joined: Sun Mar 07, 2010 5:35 am
- Location: Russian Federation
Re: WinNT/Regin
Reconstructed from a memory dump: the Regin driver mentioned in the above article.
You still can't run it, but you can disassemble it and do static analysis -> all structure recovered.
Nothing interesting.

The above "probably in order to operate as silently as possible and to prevent possible IRQL confusion" is a macro PAGED_CODE(), nothing more, unrelated in any way to stealth or whatever. Yet again so-called "mass media reversers" (we call them internet clowns) jump to conclusions, lacking any kind of kernel-mode driver development experience.

From what I saw in the docs and the actual malware bodies (despite the fact that the GSM abuse is an interesting feature) there is a strong indication that our beloved legalized malware production companies are trying to make an elephant out of a fly. I do not know how much they paid for it, but it seems it is enough.
Ring0 - the source of inspiration
Re: WinNT/Regin
EP_X0FF wrote:
Reconstructed from a memory dump: the Regin driver mentioned in the above article.
You still can't run it, but you can disassemble it and do static analysis -> all structure recovered.
Nothing interesting.
The above "probably in order to operate as silently as possible and to prevent possible IRQL confusion" is a macro PAGED_CODE(), nothing more, unrelated in any way to stealth or whatever.

This is what I assumed it was, which is why it was absolutely hilarious to me.
One of my favorite parts about malware that reaches the media is how journalists and authors of articles with zero kernel development background always label the malware as 'top-tier' or 'the most sophisticated'. Never gets old.