• Exploits used in Stuxnet appear in earlier viruses from the "Equation Group"
[quote]For several years, Kaspersky Lab’s Global Research and Analysis Team (GReAT) has been closely monitoring more than 60 advanced threat actors responsible for cyber-attacks worldwide. The team has seen nearly everything, with attacks becoming increasingly complex as more nation-states got involved and tried to arm themselves with the most advanced tools.[/quote] [quote]The group itself has many codenames for their tools and implants, including SKYHOOKCHOW, UR, KS, SF, STEALTHFIGHTER, DRINKPARSLEY, STRAITACID, LUTEUSOBSTOS, STRAITSHOOTER, DESERTWINTER and GROK. Incredible as it may seem for such an elite group, one of the developers made the unforgivable mistake of leaving his username: "RMGREE5", in one of the malware samples as part of his working folder:[b]"c:\users\rmgree5\".[/b][/quote] [quote]Over the past years, the Equation group has performed many different attacks. One stands out: the Fanny worm. Presumably compiled in July 2008, it was first observed and blocked by our systems in December 2008. Fanny used two zero-day exploits, which were later uncovered during the discovery of Stuxnet. To spread, it used the Stuxnet LNK exploit and USB sticks. For escalation of privilege, Fanny used a vulnerability patched by the Microsoft bulletin MS09-025, which was also used in one of the early versions of Stuxnet from 2009. It's important to point out that these two exploits were used in Fanny before they were integrated into Stuxnet, indicating that the Equation group had access to these zero-days before the Stuxnet group. The main purpose of Fanny was the mapping of air-gapped networks. 
For this, it used a unique USB-based command and control mechanism which allowed the attackers to pass data back and forth from air-gapped networks.[/quote] [url]https://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/[/url] [url]https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf[/url] [url]http://www.kaspersky.com/about/news/virus/2015/Equation-Group-The-Crown-Creator-of-Cyber-Espionage[/url]
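The "c:\users\rmgree5\" artifact quoted above is the kind of thing that falls out of a plain strings-level pass during triage, provided the pass also handles UTF-16LE, which is how Windows build tools often embed paths. The script below is an added example, not Kaspersky's tooling and not anything from the original post: it pulls printable ASCII and UTF-16LE runs out of a binary blob and flags Windows user-profile paths of the form c:\users\<name>\..., reporting the username, encoding and file offset. The sample bytes are constructed for the demo and are not real Fanny or Equation Group data; the "Documents and Settings" alternative is an assumption added to cover XP-era builds and is not mentioned on the page.

```python
import re
import sys
from typing import Dict, List, Tuple

# Constructed stand-in for a malware sample (not real Fanny bytes): an ASCII
# PDB-style path at offset 20 and a UTF-16LE path at offset 82.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"c:\\users\\rmgree5\\projects\\implant\\Release\\payload.pdb\x00"
    + b"\x00" * 8
    + "C:\\Users\\builder\\Desktop\\stage2.dll".encode("utf-16-le") + b"\x00\x00"
    + b"some unrelated ascii text here\x00"
)

# Printable runs of at least 6 characters, narrow and wide.
ASCII_STR = re.compile(rb"[\x20-\x7e]{6,}")
WIDE_STR = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")

# Drive letter, profile root, then the username as the next path component.
# "Documents and Settings" is an assumed XP-era variant, not from the page.
PROFILE_PATH = re.compile(
    r"[A-Za-z]:\\(?:Users|Documents and Settings)\\([^\\]+)\\[^\x00\"']*",
    re.IGNORECASE,
)


def extract_strings(data: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every ASCII and UTF-16LE run."""
    found = []
    for m in ASCII_STR.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in WIDE_STR.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return found


def find_profile_paths(data: bytes) -> List[Dict[str, object]]:
    """Flag user-profile paths; offsets are byte offsets into the blob."""
    hits = []
    for off, enc, text in extract_strings(data):
        width = 2 if enc == "utf-16le" else 1
        for m in PROFILE_PATH.finditer(text):
            hits.append({
                "offset": off + m.start() * width,
                "encoding": enc,
                "user": m.group(1),
                "path": m.group(0),
            })
    return sorted(hits, key=lambda h: h["offset"])


if __name__ == "__main__":
    # Usage: python find_profile_paths.py [file]; defaults to the built-in sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for h in find_profile_paths(blob):
        print(f"0x{h['offset']:08x} {h['encoding']:8} user={h['user']!r} {h['path']}")
```

Run it against the sample and it reports rmgree5 from the ASCII PDB path and builder from the wide-string path; on a real sample the interesting part is usually not the hit itself but whether the same username or project directory recurs across otherwise unrelated files.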
Reuters seems pretty sure this is tied to the NSA. [url]http://www.reuters.com/article/2015/02/16/us-usa-cyberspying-idUSKBN0LK1QV20150216[/url]
[quote]Incredible as it may seem for such an elite group, one of the developers made the unforgivable mistake of leaving his username: "RMGREE5", in one of the malware samples as part of his working folder:"c:\users\rmgree5\".[/quote] Hah, I've actually come across stuff like this while doing reverse engineering/disassembly challenges. I could never solve the actual fucking [i]puzzles[/i] though.
This kind of shit fascinates me.
[QUOTE=froztshock;47155616]Hah, I've actually come across stuff like this while doing reverse engineering/disassembly challenges. I could never solve the actual fucking [i]puzzles[/i] though.[/QUOTE] Sounds like something they did intentionally to fuck with honeypotters; I really doubt this would get left behind by accident.
I found some stuff about the fanny.bmp virus that's linked to them: [url]https://forum.avast.com/index.php?topic=71556.0[/url] [url]https://forum.avast.com/index.php?topic=71040.0;imode[/url] He reports it as not being removable and that there was a fanny.bmp file.