Wednesday, December 03, 2014

G-Data Reins In Regin: Top-tier Espionage Tool.

Regin is a full cyber espionage platform capable of complete remote control and monitoring on all possible levels. Attribution is difficult in cases like this; however, considering the complexity of its development, G-Data suspects that the operation is supported by a nation-state, and that it originates neither from Russia nor from China.

Kaspersky Lab has done some research on Regin as well:

Perhaps one of the most publicly known victims of Regin is Jean-Jacques Quisquater (https://en.wikipedia.org/wiki/Jean-Jacques_Quisquater), a well-known Belgian cryptographer. In February 2014, Quisquater announced he was the victim of a sophisticated cyber intrusion incident. We were able to obtain samples from the Quisquater case and confirm they belong to the Regin platform.
G-Data has created a tool to detect the trojan:
We identified the use of an encrypted virtual file system. In the version mentioned above, the file system is a fake .evt file in %System%\config. The header of the virtual file system is always the same:
#include <stdint.h>
/* On-disk header of the fake .evt virtual file system (fields as published by G-Data).
   The packing pragma and the closing typedef name are added here so the struct compiles
   and mirrors the 9-byte layout; neither appears in the original snippet. */
#pragma pack(push, 1)
typedef struct _HEADER {
  uint16_t SectorSize;       /* bytes per sector */
  uint16_t MaxSectorCount;   /* capacity of the container, in sectors */
  uint16_t MaxFileCount;     /* maximum number of file entries */
  uint8_t  FileTagLength;    /* length of each file's tag */
  uint16_t crc32custom;      /* header checksum, a custom CRC32 per the text; declared 16-bit as published */
} HEADER;
#pragma pack(pop)
During our analysis, the checksum was a CRC32. A generic approach to detect the infection could be a detection of the existence of a virtual file system on the infected system by checking the custom CRC32 value at the beginning of the file system.
Get the tool from G-Data.
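The header check G-Data describes above, as an added example that is not G-Data's tool or code. It parses the published header layout and flags a file whose stored checksum matches one recomputed over the fields that precede it. Everything not on the page is an assumption and is marked as such in the code: that the header is little-endian and byte-packed (9 bytes), that the checksum covers the 7 bytes before the crc32custom field, and, because the page names the value "crc32custom" and types it uint16_t but does not publish the custom polynomial or table, that a stand-in (zlib's standard CRC32 truncated to 16 bits) is used in place of the real function. The `checksum` parameter is where the real custom CRC32 would be plugged in. The sample inputs are constructed, not real artefacts.

```python
"""Parse the Regin VFS header from a fake .evt file and test its checksum."""
import struct
import zlib
from pathlib import Path
from typing import Callable, NamedTuple, Optional

# Assumption: little-endian, byte-packed uint16, uint16, uint16, uint8, uint16.
HEADER_FMT = "<HHHBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 9 bytes
CHECKSUMMED_LEN = HEADER_LEN - 2           # assumption: the fields before crc32custom


class VfsHeader(NamedTuple):
    sector_size: int
    max_sector_count: int
    max_file_count: int
    file_tag_length: int
    crc32custom: int


def standin_checksum(data: bytes) -> int:
    """Stand-in for the custom CRC32 the page mentions but does not publish:
    standard zlib CRC32, low 16 bits (matching the uint16_t field). Assumption."""
    return zlib.crc32(data) & 0xFFFF


def parse_header(blob: bytes) -> Optional[VfsHeader]:
    """Return the header fields, or None if the blob is too short."""
    if len(blob) < HEADER_LEN:
        return None
    return VfsHeader(*struct.unpack(HEADER_FMT, blob[:HEADER_LEN]))


def looks_like_regin_vfs(blob: bytes,
                         checksum: Callable[[bytes], int] = standin_checksum) -> bool:
    """Detection: the header's stored checksum equals one recomputed over the
    preceding fields. A genuine Windows .evt log begins with a 4-byte header size
    (0x30) followed by the "LfLe" signature, so its bytes 2-3 are zero and it is
    rejected by the geometry check before any checksum comparison."""
    hdr = parse_header(blob)
    if hdr is None:
        return False
    # Assumption: a usable container never has a zero sector size or sector count.
    if hdr.sector_size == 0 or hdr.max_sector_count == 0:
        return False
    return checksum(blob[:CHECKSUMMED_LEN]) == hdr.crc32custom


def build_header(sector_size: int, max_sector_count: int, max_file_count: int,
                 file_tag_length: int,
                 checksum: Callable[[bytes], int] = standin_checksum) -> bytes:
    """Construct a header carrying a valid checksum (used only to build sample input)."""
    body = struct.pack("<HHHB", sector_size, max_sector_count, max_file_count, file_tag_length)
    return body + struct.pack("<H", checksum(body))


def scan_directory(directory: str, suffix: str = ".evt") -> list:
    """Check every *.evt file in a directory (the page names %System%\\config)."""
    hits = []
    for path in Path(directory).glob(f"*{suffix}"):
        with open(path, "rb") as f:
            if looks_like_regin_vfs(f.read(HEADER_LEN)):
                hits.append(path)
    return hits


# Constructed samples for demonstration, not real artefacts.
SAMPLE_VFS = build_header(0x200, 0x1000, 0x40, 0x10)
SAMPLE_EVT = b"\x30\x00\x00\x00LfLe\x01\x00\x00\x00"   # shape of a genuine EVT log header

if __name__ == "__main__":
    print("constructed VFS header flagged:", looks_like_regin_vfs(SAMPLE_VFS))
    print("genuine-looking .evt flagged:  ", looks_like_regin_vfs(SAMPLE_EVT))
```

The geometry check matters in practice: a checksum match alone over 7 bytes into a 16-bit value will eventually collide with some benign file, so the scan only trusts the checksum once the header fields describe a plausible container.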

Tuesday, December 02, 2014

FBI Warns Businesses Of 'Destructive' Malware Attacks In The Wake Of Sony Hack.

According to Reuters, the FBI has warned businesses in the USA, via a confidential report, about new malicious software that can be used to launch "destructive" cyber attacks, and has told U.S. businesses to remain vigilant. Sony Pictures was hacked last week and investigators are still at work on the case.
The five-page FBI report does not directly connect the warning to the Sony incident, but it describes the malware used in that attack. It advises businesses on how to respond to the malware and asks them to report any suspected infection to the FBI.
The malware overwrites all data on the hard drives of infected computers, including the master boot record, which prevents them from booting. After such an attack the hard drives have to be replaced or re-imaged, which is very time consuming.
Reuters