Highest Rated Comments


banya_addict (175 karma)

Hi all,

So I always read your reports with attention, and I came across something funny in the Equation report. It was a good report on the NSA toolset I must admit, but as we say, the devil is in the details.

So if we read the report, we see:

> 18. How did you discover this malware? We discovered one of the first EQUATIONDRUG modules during our research into the Regin nation-state APT operation.

And while looking at 9412a66bc81f51a1fa916ac47c77e02ac1a7c9dff543233ed70aa265ef6a1e76, mentioned in your report as an "EquationLaser installer", I saw that you detected this sample back in 2006 when Regin was not yet used; but wait, this isn't the best part yet.

Let's look at these pictures: [1], [2], [3]

We can see that on the first submission the malware is already signed by some antivirus companies, and that two days later all of them except Microsoft have deleted it. But, when this is resubmitted in 2015, everyone and many others detect it, and with the same signatures.

So my question is: why did you, amongst other antivirus companies, delete a signature for an NSA malware in 2006, only to put it back later?

banya_addict (2 karma)

> it's a pretty unique situation, which never repeated again after the publication of our analysis on Regin. Yes, this probably means the other guys read our research too.

FVEY already did CCNE using Regin plugins in 2010, they did not wait for your research to come public.

cf. this TS//SI Snowden document: "Discovering aliens on CNE infrastructure"