Friday, December 19, 2014

Regin, the top-tier PASSIVE_LEVEL malware!

Over the past few weeks it seems that everywhere you look there's Regin this, Regin that. I am not going to do a detailed analysis of its stages and so on, as there are already various informative, in-depth whitepapers on it.

To name a few:

Symantec, Symantec.
Kaspersky, Kaspersky.
F-Secure.

In my opinion, Regin is your typical malware that gets attention well outside the reverse engineering/security community because of its purpose and its targets. Journalists or researchers with little kernel-level knowledge get hold of it and, before you know it, it's the most sophisticated piece of malware yet and all that matters is PR. At that point, writing accurate and detailed articles doesn't matter anymore. What am I referring to, and what will I talk about instead?

Secret Malware in European Union Attack Linked to U.S. and British Intelligence.

Let's quickly go over a few things the whitepapers haven't mentioned (as far as I am aware), and then the above article. Respectfully, I have absolutely no idea who reviewed that article before it was published. You have to wonder whether The Intercept rushed like hell to get it out because Symantec had just released their whitepaper, without caring what half of it even said. Note the dates:



There's a lot of strange and irrelevant information in that article you can pick at, but the absolute best is:
This Regin driver recurrently checks that the current IRQL (Interrupt Request Level) is set to PASSIVE_LEVEL using the KeGetCurrentIrql() function in many parts of the code, probably in order to operate as silently as possible and to prevent possible IRQL confusion. This technique is another example of the level of precaution the developers took while designing this malware framework.
Since publication this has not been corrected, so I guess they don't care about the inaccuracies after all. Anyway, it should surprise nobody that calling KeGetCurrentIrql over and over throughout the code is just the ordinary IRQL precondition check, the same idea as the PAGED_CODE() macro, which in checked builds expands to a KeGetCurrentIrql() comparison (and to nothing at all in free builds). Here it guards a ZwClose call, which is only legal at PASSIVE_LEVEL: KeGetCurrentIrql returns the level in al, PASSIVE_LEVEL is 0, so test al, al / jnz simply skips the close when the IRQL is anything else. It has absolutely nothing to do with stealth, and running at PASSIVE_LEVEL doesn't imply obfuscation or stealth either. As an example, here's an excerpt from db405ad775ac887a337b02ea8b07fddc (kernel driver, stage 1):

 call  KeGetCurrentIrql        ; returns the current KIRQL in al
 test  al, al                  ; PASSIVE_LEVEL == 0
 jnz   short loc_FDEFAA3D      ; not at PASSIVE_LEVEL: skip, ZwClose is not legal here
 push  dword ptr [esi] ; Handle
 call  ZwClose
 test  eax, eax                ; NTSTATUS: continue only on STATUS_SUCCESS
 jnz   short loc_FDEFAA3D
 push  18h                     ; cdecl call: sub_FDEFA2EC(esi, ebx, 0x18)
 push  ebx
 push  esi
 call  sub_FDEFA2EC
 add   esp, 0Ch                ; caller removes the three arguments
 mov   bl, 1                   ; success flag
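
To make the "nothing to do with stealth" point concrete, here is the excerpt as C. This is an added example, not the driver's source and not from the original post. It puts the WDK's PAGED_CODE() definition (checked-build form) next to the explicit PASSIVE_LEVEL guard the disassembly actually performs, with the ntddk types, KeGetCurrentIrql and ZwClose replaced by user-mode stubs so it compiles and runs anywhere; the stubs, the g_irql knob and forcing DBG on are this example's assumptions.

```c
#include <stdio.h>
#include <stdint.h>

/* Assumption of this example: pretend this is a checked (DBG) build so that
   PAGED_CODE() expands to a real test. In a free build the WDK defines it as
   a no-op, which is why a shipped binary never contains the macro itself. */
#ifndef DBG
#define DBG 1
#endif

/* Minimal user-mode stand-ins for the ntddk.h definitions involved. */
typedef uint8_t KIRQL;
typedef int32_t NTSTATUS;
typedef void   *HANDLE;
#define PASSIVE_LEVEL   0
#define APC_LEVEL       1
#define DISPATCH_LEVEL  2
#define STATUS_SUCCESS  ((NTSTATUS)0)

/* Simulated current IRQL. A real driver has no such knob; the caller's context
   decides, which is exactly why code checks it before doing anything pageable. */
static KIRQL g_irql = PASSIVE_LEVEL;
static KIRQL KeGetCurrentIrql(void) { return g_irql; }

/* Observation counters so results are return values, not printouts. */
static int g_zwclose_calls = 0;
static int g_paged_code_hits = 0;

/* ZwClose may only be called at PASSIVE_LEVEL; without the guard a real kernel
   would bugcheck. The stub just records the call. */
static NTSTATUS ZwClose(HANDLE h) { (void)h; g_zwclose_calls++; return STATUS_SUCCESS; }

/* The WDK macro: in a checked build it compares KeGetCurrentIrql() against
   APC_LEVEL and asserts. The ASSERT(FALSE) is replaced by a counter here. */
#if DBG
#define PAGED_CODE() do { if (KeGetCurrentIrql() > APC_LEVEL) g_paged_code_hits++; } while (0)
#else
#define PAGED_CODE() ((void)0)
#endif

/* Pseudo-C of the stage-1 excerpt. Returns the value the excerpt leaves in bl. */
static int close_if_passive(HANDLE *handle_slot)
{
    PAGED_CODE();                                /* what the macro would add   */
    if (KeGetCurrentIrql() != PASSIVE_LEVEL)     /* call KeGetCurrentIrql / test al,al / jnz */
        return 0;
    if (ZwClose(*handle_slot) != STATUS_SUCCESS) /* call ZwClose / test eax,eax / jnz */
        return 0;
    /* sub_FDEFA2EC(handle_slot, <ebx>, 0x18) runs here in the real driver */
    return 1;                                    /* mov bl, 1 */
}

struct run { int returned; int zwclose_calls; int paged_code_hits; };

/* Run the excerpt once at the given IRQL and report what happened. */
static struct run run_at(KIRQL irql)
{
    HANDLE h = (HANDLE)(uintptr_t)0x1234;        /* dummy handle value */
    struct run r;
    g_irql = irql;
    g_zwclose_calls = 0;
    g_paged_code_hits = 0;
    r.returned = close_if_passive(&h);
    r.zwclose_calls = g_zwclose_calls;
    r.paged_code_hits = g_paged_code_hits;
    return r;
}

int main(void)
{
    static const char *names[] = { "PASSIVE_LEVEL", "APC_LEVEL", "DISPATCH_LEVEL" };
    for (KIRQL irql = PASSIVE_LEVEL; irql <= DISPATCH_LEVEL; irql++) {
        struct run r = run_at(irql);
        printf("%-14s -> returned %d, ZwClose called %d time(s), PAGED_CODE fired %d time(s)\n",
               names[irql], r.returned, r.zwclose_calls, r.paged_code_hits);
    }
    return 0;
}
```

Running it shows the two checks are not identical: PAGED_CODE() only complains above APC_LEVEL, while the guard in the excerpt skips the ZwClose at anything other than PASSIVE_LEVEL, which is what ZwClose requires. Both are ordinary correctness code, not evasion.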


Taking another look at db405ad775ac887a337b02ea8b07fddc, there's another interesting tidbit that recurs throughout the code:

 push  43726150h               ; Tag
 push  20h                     ; NumberOfBytes = 0x20
 push  edi                     ; PoolType (held in a register here)
 call  ds:ExAllocatePoolWithTag

The above is the kernel mode driver's pool tag, the number of bytes to allocate, the pool type, and finally the call to ExAllocatePoolWithTag to allocate pool memory (the routine is stdcall, so the arguments are pushed right to left: ExAllocatePoolWithTag(PoolType, NumberOfBytes, Tag)). Okay, so what's the big deal? If we have IDA render the pool tag operand as a character constant, we get the following:

 push  'CraP'                  ; Tag = 0x43726150
 push  20h                     ; NumberOfBytes = 0x20
 push  edi                     ; PoolType
 call  ds:ExAllocatePoolWithTag

The pool tag is CraP : ) (Strictly, 'CraP' is the value as it would be written in C source, which is also how IDA displays the immediate; 0x43726150 sits in memory as the bytes 50 61 72 43, so PoolMon and WinDbg's !poolused would list it as ParC. Either way it is a tag somebody typed, not a stealth feature.) This is probably how many of us feel about this malware being so hyped by the media. There are of course other allocations with the same tag throughout the code, for example:

 push  'CraP'                  ; Tag
 push  eax                     ; NumberOfBytes (held in a register here)
 push  1                       ; PoolType = PagedPool
 call  ds:ExAllocatePoolWithTag
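
As an added example (not from the post or the whitepapers): a raw byte scan for the push imm32 / push / push / call ds:[...] shape both excerpts share, which is a cheap way to pull every candidate tag out of a driver before opening it in IDA, and which prints each tag both ways. The bytes below are the two excerpts re-encoded by hand, with a placeholder call displacement; on a real sample you would still confirm that the call target resolves to ExAllocatePoolWithTag.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <ctype.h>

/* One recovered ExAllocatePoolWithTag call site. */
struct pool_site {
    size_t   offset;        /* offset of the "push imm32" in the buffer          */
    uint32_t tag;           /* raw immediate, e.g. 0x43726150                     */
    char     as_literal[5]; /* C-source / IDA reading of that value: CraP         */
    char     as_memory[5];  /* byte order in memory, what PoolMon shows: ParC     */
    int      bytes;         /* NumberOfBytes if pushed as imm8, else -1 (register)*/
    int      pool_type;     /* PoolType if pushed as imm8, else -1 (register)     */
};

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Accept one "push imm8" (6A ib, sign-extended) or "push r32" (50..57).
   Returns bytes consumed, 0 if neither; *is_imm says whether *imm is valid. */
static size_t parse_push(const uint8_t *p, size_t left, int *is_imm, int *imm)
{
    if (left >= 2 && p[0] == 0x6A) { *is_imm = 1; *imm = (int8_t)p[1]; return 2; }
    if (left >= 1 && p[0] >= 0x50 && p[0] <= 0x57) { *is_imm = 0; *imm = 0; return 1; }
    return 0;
}

/* Render a tag both ways: the low byte of the DWORD is the first byte in memory. */
static void tag_strings(uint32_t tag, char lit[5], char mem[5])
{
    for (int i = 0; i < 4; i++) {
        uint8_t b = (uint8_t)(tag >> (8 * i));
        mem[i]     = isprint(b) ? (char)b : '.';
        lit[3 - i] = mem[i];
    }
    lit[4] = mem[4] = '\0';
}

/* Find "push imm32 ; push ; push ; call dword ptr [imm32]" and treat the imm32
   as a pool tag. Pure byte matching: it does not check that the call target is
   ExAllocatePoolWithTag, so verify hits against the import table on real code. */
static size_t scan_pool_tags(const uint8_t *buf, size_t len,
                             struct pool_site *out, size_t max_out)
{
    size_t found = 0;
    for (size_t i = 0; i + 5 <= len && found < max_out; i++) {
        if (buf[i] != 0x68) continue;                        /* push imm32 */
        size_t j = i + 5;
        int is_imm[2], imm[2], ok = 1;
        for (int k = 0; k < 2 && ok; k++) {                  /* NumberOfBytes, then PoolType */
            size_t n = parse_push(buf + j, len - j, &is_imm[k], &imm[k]);
            if (n == 0) ok = 0; else j += n;
        }
        if (!ok || j + 6 > len || buf[j] != 0xFF || buf[j + 1] != 0x15)
            continue;                                        /* FF 15 = call ds:[imm32] */
        struct pool_site *s = &out[found++];
        s->offset = i;
        s->tag = le32(buf + i + 1);
        tag_strings(s->tag, s->as_literal, s->as_memory);
        s->bytes     = is_imm[0] ? imm[0] : -1;
        s->pool_type = is_imm[1] ? imm[1] : -1;
    }
    return found;
}

/* Constructed sample: the two excerpts from the post re-encoded as x86, with a
   stray push imm32 between them that must NOT be reported. The displacement
   0x1000 is a placeholder, not the driver's real IAT slot. */
static const uint8_t sample[] = {
    0x68, 0x50, 0x61, 0x72, 0x43, 0x6A, 0x20, 0x57,          /* push 43726150h ; push 20h ; push edi */
    0xFF, 0x15, 0x00, 0x10, 0x00, 0x00,                      /* call ds:[00001000h]                 */
    0x8B, 0xDE, 0x33, 0xC0,                                  /* mov ebx, esi ; xor eax, eax (filler) */
    0x68, 0x44, 0x43, 0x42, 0x41, 0xC3,                      /* push 41424344h ; retn (no call)     */
    0x68, 0x50, 0x61, 0x72, 0x43, 0x50, 0x6A, 0x01,          /* push 43726150h ; push eax ; push 1  */
    0xFF, 0x15, 0x00, 0x10, 0x00, 0x00,                      /* call ds:[00001000h]                 */
};

static struct pool_site g_sites[8];

/* Scan the constructed sample into g_sites; returns the number of sites found. */
static size_t scan_sample(void)
{
    return scan_pool_tags(sample, sizeof sample, g_sites, 8);
}

int main(void)
{
    size_t n = scan_sample();
    for (size_t i = 0; i < n; i++) {
        const struct pool_site *s = &g_sites[i];
        printf("+0x%02zx tag 0x%08x  source/IDA '%s'  memory/PoolMon \"%s\"  bytes=%d  pooltype=%d\n",
               s->offset, s->tag, s->as_literal, s->as_memory, s->bytes, s->pool_type);
    }
    return 0;
}
```

A pool type of 1 is PagedPool and 0 is NonPagedPool; -1 in the output means the value was in a register at the call site and needs a look at the preceding code.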

Overall, I guess the moral is to take the time to get as much accurate information as you can before writing your article. I cannot speak for anyone but myself, but as someone who loves reverse engineering, malware and debugging, I appreciate in-depth whitepapers and articles that provide thorough analysis. If all you're worried about is competing for views and hyping malware, chances are you're not going to appeal to the people who really care about the content.

PS: Thanks to KernelMode as always for the hilarious discussion.
