[Cryptography] GCHQ Penetration of Belgacom

Jerry Leichter leichter at lrw.com
Mon Dec 15 12:28:25 EST 2014


On Dec 13, 2014, at 9:21 PM, Henry Baker <hbaker1 at pipeline.com> wrote:
> It's hard to imagine the Regin malware being developed w/o Microsoft's knowledge and/or help -- if only to keep Microsoft's changes/updates from detecting and/or clobbering the thing by accident.
Insufficient evidence.  It's hard to imagine that anyone could build this kind of thing and keep it secret with or without Microsoft's help - but they obviously did.  "Hard to imagine" isn't useful evidence.

> The damn Regin thing builds an entire encrypted virtual file system inside the NTFS metadata.
The idea of hiding stuff in NTFS extended attributes - not really metadata - is old.  I remember doing it years ago.  There are standard command line programs that come with Windows that can do it.  People used to Unix file system semantics tend not to think of this stuff, but both Windows and MacOS have long had file systems that supported stuff beyond the "a file is just a stream of bytes" concept for years.  It's never been widely used on Windows, and it's been getting less and less use in MacOS for a while now - but there's nothing new here.

> "Each VFS has a structure that is very similar to a real disk file system such as FAT.  The VFS files start with a header
> that provides basic information required to operate the file system.  The header is followed by the bitmap of used/
> free sectors and then by the file table."
Again, not much really new here.  In fact, SOP for many complex files in Windows:  The classic .doc/.xls file formats are more or less FAT file systems stored within a single containing file.  (All these programs had to face the issue of how to store independent streams of data - e.g., the base contents of a document and recent changes - within a single file.  Since FAT already solved that - why not re-use it?  This became less of an issue when hard disks became faster - and much faster than the original floppies, so simpler formats that required completely re-writing the contents on disk became practical.  More recently, this flipped around again as highly graphic content made writing the whole thing expensive again.  When Apple initially came up with Pages/Keynote/Numbers as its own "office suite", it used multiple separate files, but hid them within a "package" - a directory marked so that Finder would usually treat it as a single file.  But this didn't work well for iCloud, so the newest versions use a single linear file re-written each time - which is noticeably slower in common cases.)

Anyway ... no surprise, whoever designed Regin had deep familiarity with the innards of Windows.  But the information and the basic design patterns here didn't require insider knowledge.  I'm not particularly versed in Windows internals (and the last time I had to use Windows, it was Win2K), but none of this is new to me.  That doesn't minimize the sophistication of Regin as a whole - but nothing here leads me to say "Microsoft had to be involved".
                                                        -- Jerry
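The quoted description of a FAT-like container (header, then a bitmap of used/free sectors, then a file table) is a common design pattern, and a forensic parser for such a container follows the same three steps. The block below is an added example, not code from this thread and not Regin's actual format: it defines a small hypothetical layout, packs files into it, and parses it back while checking that every sector a file entry claims is actually marked used in the bitmap, the kind of consistency check an analyst would want when carving an unknown container out of a file.

```python
import struct

# Constructed, hypothetical layout for illustration (NOT Regin's real format):
#   header: magic(4s) sector_size(H) sector_count(H) file_count(H)
#   bitmap: one bit per sector, 1 = used
#   file table: file_count entries of name(16s) first_sector(H) byte_length(I)
#   data: sector_count * sector_size bytes
HDR = "<4sHHH"
ENTRY = "<16sHI"
MAGIC = b"VFS1"

def build_vfs(files, sector_size=64, sector_count=16):
    """Pack (name, payload) pairs into the container: header, bitmap, file table, data."""
    bitmap = bytearray((sector_count + 7) // 8)
    table, data, next_sector = [], bytearray(sector_size * sector_count), 0
    for name, payload in files:
        n = -(-len(payload) // sector_size)  # ceiling division: sectors needed
        for s in range(next_sector, next_sector + n):
            bitmap[s // 8] |= 1 << (s % 8)  # mark the sector used in the bitmap
        start = next_sector * sector_size
        data[start:start + len(payload)] = payload
        table.append(struct.pack(ENTRY, name.encode().ljust(16, b"\0"), next_sector, len(payload)))
        next_sector += n
    hdr = struct.pack(HDR, MAGIC, sector_size, sector_count, len(files))
    return hdr + bytes(bitmap) + b"".join(table) + bytes(data)

def parse_vfs(blob):
    """Walk header -> bitmap -> file table -> data; return {name: payload}.
    Raises ValueError if the magic is wrong or a file entry points at a
    sector the bitmap does not mark as used (table/bitmap inconsistency)."""
    magic, sector_size, sector_count, file_count = struct.unpack_from(HDR, blob, 0)
    if magic != MAGIC:
        raise ValueError("bad magic")
    off = struct.calcsize(HDR)
    bitmap = blob[off:off + (sector_count + 7) // 8]
    off += len(bitmap)
    entry_size = struct.calcsize(ENTRY)
    data_off = off + entry_size * file_count
    out = {}
    for i in range(file_count):
        name, first, length = struct.unpack_from(ENTRY, blob, off + i * entry_size)
        for s in range(first, first + -(-length // sector_size)):
            if s >= sector_count or not (bitmap[s // 8] >> (s % 8)) & 1:
                raise ValueError(f"{name!r} references sector {s} not marked used")
        start = data_off + first * sector_size
        out[name.rstrip(b"\0").decode()] = blob[start:start + length]
    return out
```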


