Friday, December 19, 2014

Regin, the top-tier PASSIVE_LEVEL malware!

Over the past few weeks it seems left and right there's Regin this, Regin that. I am not going to do a detailed analysis and discuss its stages and what have you, as there are already various informative in-depth whitepapers.

To name a few:

Symantec, Symantec.
Kaspersky, Kaspersky.
F-Secure.

In my opinion, Regin is your typical malware that expands outside of the reverse engineer/security community due to its original goal. Journalists or researchers with little kernel-level knowledge/background get a hold of it and before you know it, it's the next biggest sophisticated piece of malware and all that matters is PR. At this point, writing accurate and detailed articles doesn't matter anymore. What am I referring to, and what will I instead talk about with Regin?

Secret Malware in European Union Attack Linked to U.S. and British Intelligence.

Let's quickly talk about a few things the whitepapers haven't mentioned (as far as I am aware), and about the above article. Respectfully, I have absolutely no idea who reviewed the above article before it was pushed. You have to wonder if The Intercept rushed like hell to publish this article because Symantec released their whitepaper and didn't care about what half of it even said. Note the dates:

There's a lot of strange and irrelevant information in that article you can pick at, but the absolute best is:
This Regin driver recurrently checks that the current IRQL (Interrupt Request Level) is set to PASSIVE_LEVEL using the KeGetCurrentIrql() function in many parts of the code, probably in order to operate as silently as possible and to prevent possible IRQL confusion. This technique is another example of the level of precaution the developers took while designing this malware framework.
Since its publication date this has yet to be changed, so I guess they don't care about its inaccuracies after all. Anyway, it should come as no surprise that calling KeGetCurrentIrql over and over again throughout the code is just the PAGED_CODE macro, i.e. an IRQL sanity check. It has absolutely nothing to do with stealth, and running at PASSIVE_LEVEL doesn't imply obfuscation or stealth. For example, here's an excerpt from db405ad775ac887a337b02ea8b07fddc (kernel driver - stage 1). Note that the check sits directly in front of ZwClose, an API that must be called at PASSIVE_LEVEL, so the branch simply skips the call when that precondition isn't met.

 call  KeGetCurrentIrql      ; current IRQL returned in al
 test  al, al                ; PASSIVE_LEVEL == 0
 jnz   short loc_FDEFAA3D    ; not at PASSIVE_LEVEL: skip the ZwClose call
 push  dword ptr [esi] ; Handle
 call  ZwClose               ; must be called at PASSIVE_LEVEL
 test  eax, eax              ; NTSTATUS == STATUS_SUCCESS?
 jnz   short loc_FDEFAA3D    ; ZwClose failed
 push  18h
 push  ebx
 push  esi
 call  sub_FDEFA2EC
 add   esp, 0Ch              ; cdecl callee: caller cleans up 3 args
 mov   bl, 1


Again taking a look at db405ad775ac887a337b02ea8b07fddc, there's another interesting tidbit throughout the code:

 push  43726150h             ; Tag
 push  20h                   ; NumberOfBytes = 0x20
 push  edi                   ; PoolType (in a register here)
 call  ds:ExAllocatePoolWithTag

The above is the kernel mode driver's pool tag, the number of bytes to allocate for the memory request, the pool type, and finally the call to ExAllocatePoolWithTag to allocate the pool memory (ExAllocatePoolWithTag is stdcall, so the arguments are pushed right to left and the tag goes on the stack first). Okay, so what's the big deal? If we convert the pool tag operand to characters, we get the following result:

 push  'CraP'                ; Tag, shown by IDA as a character literal
 push  20h                   ; NumberOfBytes = 0x20
 push  edi                   ; PoolType
 call  ds:ExAllocatePoolWithTag

The pool tag is CraP :) This is probably how many of us feel about this malware being so hyped by the media. There are of course others throughout the code, for example:

 push  'CraP'                ; Tag
 push  eax                   ; NumberOfBytes, computed at run time
 push  1                     ; PoolType = PagedPool
 call  ds:ExAllocatePoolWithTag
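The two observations above, the repeated KeGetCurrentIrql precondition check and the tag argument to ExAllocatePoolWithTag, are the kind of thing you end up scripting when triaging a kernel driver. The following Python is an added example and is not code from the original post or from the Regin samples: it parses an IDA-style listing (constructed here by concatenating the three excerpts above), flags the `call KeGetCurrentIrql / test al, al / jnz` sequence, and pulls the tag, size and pool type out of each ExAllocatePoolWithTag call. It also decodes the tag both ways, because a tag is a ULONG: IDA prints it as the MSVC character literal 'CraP', while in memory, and therefore in poolmon or the !poolused debugger extension, the bytes read little-endian as ParC. That in-memory spelling is the one to use in a pool-scan or detection rule. All function and variable names are my own.

```python
import re

# Constructed sample input: the three excerpts shown in the post, concatenated.
LISTING = """\
 call  KeGetCurrentIrql
 test  al, al
 jnz   short loc_FDEFAA3D
 push  dword ptr [esi] ; Handle
 call  ZwClose
 test  eax, eax
 jnz   short loc_FDEFAA3D
 push  18h
 push  ebx
 push  esi
 call  sub_FDEFA2EC
 add   esp, 0Ch
 mov   bl, 1
 push  43726150h
 push  20h
 push  edi
 call  ds:ExAllocatePoolWithTag
 push  'CraP'
 push  eax
 push  1
 call  ds:ExAllocatePoolWithTag
"""

# POOL_TYPE values from wdm.h that matter for a tag survey.
POOL_TYPES = {0: "NonPagedPool", 1: "PagedPool"}


def parse(listing):
    """Split an IDA-style listing into (mnemonic, operands) pairs; ';' comments dropped."""
    insns = []
    for line in listing.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        mnem, _, ops = line.partition(" ")
        insns.append((mnem.lower(), ops.strip()))
    return insns


def decode_immediate(op):
    """Return the integer value of a push operand if it is a constant, else None.
    Handles IDA's three spellings: a character literal ('CraP' -> 0x43726150, MSVC
    multi-char order), hex with an 'h' suffix (IDA prepends a 0 when the first
    digit is a letter, e.g. 0Ch), and plain decimal."""
    m = re.fullmatch(r"'(.{1,4})'", op)
    if m:
        value = 0
        for ch in m.group(1):
            value = (value << 8) | ord(ch)
        return value
    if re.fullmatch(r"[0-9][0-9A-Fa-f]*h", op):
        return int(op[:-1], 16)
    if re.fullmatch(r"[0-9]+", op):
        return int(op)
    return None  # register or memory operand: value only known at run time


def tag_to_strings(value):
    """A pool tag is a ULONG. Return (IDA/MSVC literal form, in-memory form).
    'CraP' == 0x43726150 is stored little-endian as 50 61 72 43, i.e. "ParC",
    which is the spelling poolmon and !poolused display."""
    return (value.to_bytes(4, "big").decode("latin-1"),
            value.to_bytes(4, "little").decode("latin-1"))


def find_irql_checks(insns):
    """Indices of the sequence  call KeGetCurrentIrql / test al, al / jnz.
    PASSIVE_LEVEL is 0, so 'test al, al; jnz' branches away unless the caller
    is at PASSIVE_LEVEL: a precondition check for a PASSIVE_LEVEL-only API
    (ZwClose in the excerpt), not a stealth measure."""
    hits = []
    for i in range(len(insns) - 2):
        (m0, o0), (m1, o1), (m2, _) = insns[i:i + 3]
        if (m0 == "call" and o0.split(":")[-1] == "KeGetCurrentIrql"
                and m1 == "test" and o1.replace(" ", "") == "al,al"
                and m2 in ("jnz", "jne")):
            hits.append(i)
    return hits


def find_pool_tags(insns):
    """One record per ExAllocatePoolWithTag call. stdcall pushes right to left,
    so the three pushes before the call are Tag, NumberOfBytes, PoolType."""
    records = []
    for i, (mnem, ops) in enumerate(insns):
        if mnem != "call" or ops.split(":")[-1] != "ExAllocatePoolWithTag":
            continue
        window = insns[max(0, i - 3):i]
        if len(window) != 3 or any(m != "push" for m, _ in window):
            continue  # args set up further away; would need real data-flow analysis
        tag_op, size_op, type_op = (op for _, op in window)
        tag = decode_immediate(tag_op)
        if tag is None:
            continue
        literal, in_memory = tag_to_strings(tag)
        pool_type = decode_immediate(type_op)
        records.append({
            "tag_literal": literal,
            "tag_in_memory": in_memory,
            "size": decode_immediate(size_op),                  # None if in a register
            "pool_type": POOL_TYPES.get(pool_type, pool_type),  # None if in a register
        })
    return records


if __name__ == "__main__":
    insns = parse(LISTING)
    print("IRQL precondition checks at instruction indices:", find_irql_checks(insns))
    for rec in find_pool_tags(insns):
        print(rec)
```

The window heuristic is deliberately narrow: it only trusts a call whose three arguments are pushed immediately before it, which is what the compiler emits for the excerpts here, and it reports None for any argument that lives in a register rather than guessing.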

Overall, I guess the moral is to take time to get as much accurate information as you can for your articles. I cannot speak for anyone but myself, but as someone with a love for reverse engineering, malware, and debugging, I appreciate in-depth whitepapers and articles that provide thorough analysis. If all you're worried about is competition for views and hyping malware, chances are you're not going to appeal to the people who really care about the written content.

PS: Thanks to KernelMode as always for the hilarious discussion.
