[Cryptography] GCHQ Penetration of Belgacom

Henry Baker hbaker1 at pipeline.com
Sat Dec 13 21:21:50 EST 2014

At 05:22 PM 12/13/2014, Jim Windle wrote:
>Malware masquerading as Microsoft code penetrates a western European national telco.
>"It was in the summer of 2012 that the anomalies were initially detected by employees at Belgium’s largest telecommunications provider, Belgacom.  But it wasn’t until a year later, in June 2013, that the company’s security experts were able to figure out what was going on.  The computer systems of Belgacom had been infected with a highly sophisticated malware, and it was disguising itself as legitimate Microsoft software while quietly stealing data."

It's hard to imagine the Regin malware being developed w/o Microsoft's knowledge and/or help -- if only to keep Microsoft's changes/updates from detecting and/or clobbering the thing by accident.

The damn Regin thing builds an entire encrypted virtual file system inside the NTFS metadata.

"The particular feature used (or abused) by Regin to hide its next stages is called NTFS Extended Attributes (EA).  Originally, these were implemented in Windows NT for compatibility with OS/2 applications; however, they made their way into later versions of Windows, namely 2000, XP and Vista.  The malware hides its modules in NTFS EAs, splitting large files into several blocks of limited size.  These are dynamically joined, decrypted and executed in memory."

"The most interesting code from the Regin platform is stored in encrypted file storages, known as Virtual File Systems (VFSes)."

"Each VFS has a structure that is very similar to a real disk file system such as FAT.  The VFS files start with a header that provides basic information required to operate the file system.  The header is followed by the bitmap of used/free sectors and then by the file table."

Kaspersky Lab Report
Version 1.0
24 November 2014
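As an added defender-side example (mine, not code from the post or the Kaspersky report): Windows returns a file's extended attributes, via the ntdll function NtQueryEaFile, as a chain of FILE_FULL_EA_INFORMATION records. The parser below walks such a chain and flags files whose total EA payload is far larger than any ordinary use, which is the symptom of the module-hiding technique quoted above. The sample buffer, its EA names and the size threshold are constructed assumptions.

```python
"""Parse an NTFS Extended Attribute (EA) listing and flag files carrying an
unusually large EA payload.  The listing format is FILE_FULL_EA_INFORMATION,
the buffer layout NtQueryEaFile returns on Windows; the code is pure Python
so it can also be run offline against a captured buffer."""
import struct

# Record header: NextEntryOffset (u32), Flags (u8), EaNameLength (u8),
# EaValueLength (u16); then the NUL-terminated name, then the value bytes.
_EA_HDR = struct.Struct("<IBBH")


def parse_ea_buffer(buf):
    """Yield (name, value) pairs from a FILE_FULL_EA_INFORMATION chain."""
    off = 0
    while off + _EA_HDR.size <= len(buf):
        nxt, _flags, nlen, vlen = _EA_HDR.unpack_from(buf, off)
        name_start = off + _EA_HDR.size
        name = buf[name_start:name_start + nlen].decode("ascii", "replace")
        val_start = name_start + nlen + 1          # skip the NUL after the name
        yield name, bytes(buf[val_start:val_start + vlen])
        if nxt == 0:                               # NextEntryOffset 0 ends the chain
            break
        off += nxt


def suspicious_ea(buf, threshold=4096):
    """Return all EA names on the file when the combined EA payload exceeds
    threshold bytes (a constructed heuristic: legitimate EAs are rare and tiny,
    so kilobytes of EA data on an ordinary file deserve a closer look)."""
    entries = list(parse_ea_buffer(buf))
    total = sum(len(v) for _, v in entries)
    return [n for n, _ in entries] if total > threshold else []


def build_ea_buffer(entries):
    """Construct a FILE_FULL_EA_INFORMATION chain (used here to make a sample;
    records are padded so each NextEntryOffset is a multiple of 4)."""
    out = bytearray()
    for i, (name, value) in enumerate(entries):
        name_b = name.encode("ascii")
        body = _EA_HDR.size + len(name_b) + 1 + len(value)
        pad = (-body) % 4
        nxt = 0 if i == len(entries) - 1 else body + pad
        out += _EA_HDR.pack(nxt, 0, len(name_b), len(value))
        out += name_b + b"\0" + value + b"\0" * pad
    return bytes(out)


# Constructed sample: one tiny benign-looking EA plus an 8 KiB blob, the kind
# of block a hidden module split across EAs would occupy.
SAMPLE = build_ea_buffer([("CONSTRUCTED.SMALL", b"\x01\x00"),
                          ("BLOB", b"\x90" * 8192)])
```

On a live Windows host the same parser consumes the buffer filled in by NtQueryEaFile; `suspicious_ea(SAMPLE)` on the constructed sample returns both names because the blob alone exceeds the threshold.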
