Tuesday, December 9, 2014

---Reported by Taiwan's Apple Daily--- My great American leader of freedom: (1). **Obama sees a doctor for a sore throat, diagnosed with acid reflux**~ (in this cold weather my idol is busy with affairs of state and overworked.... it really makes people (including me!) worry about his health; he also needs enough time to rest~ (2). (RT.news) Kiev ignored EU request to close E. Ukraine airspace days before MH17 crash - report (published: December 7, 2014, edited: December 8, 2014) - (3). [securelist.com] Analysis by SECURELIST - The Epic Turla operation [solving some of the mysteries of Snake/Uroburos] (August 7, 2014) - uncovering layer after layer of cover..." - **USA/UK/SEOUL KOREAN/TW/MACAU(FDZ)/HKS/FR/JP/UKN/DE/FA/POL/VI/ESP/CO/ARG/PY/MEX/MO/AUST./RU/HO/MAL/NW/CA/IT/PH/Swedish/Mongolian/TUR/Arabic/Latin/INDON./Greek/Dansk/THAI/......All the world's languages**


 



**Please, everyone, make good use of the almighty Google Translate to translate this into the language of your own country or city ^^**


http://www.appledaily.com.tw/realtimenews/article/new/20141207/519747/%E6%AD%90%E5%B7%B4%E9%A6%AC%E5%96%89%E5%9A%A8%E7%97%9B%E3%80%80%E6%80%A5%E5%A5%94%E9%86%AB%E9%99%A2

[Update] Obama sees a doctor for a sore throat, diagnosed with acid reflux

The motorcade escorting US President Barack Obama to the hospital. Associated Press.
December 7, 2014
US President Barack Obama suddenly went to see a doctor on Saturday. The White House said there was no emergency with Obama's health; he merely went to have a sore throat checked.

The White House said Obama complained of a sore throat to the presidential physician, Dr. Jackson, who suggested he go to Walter Reed National Military Medical Center in Maryland for further examination. "Since the president had nothing scheduled for the afternoon, Dr. Jackson advised him to go to nearby Walter Reed for a check-up."

But it happened quite suddenly: many in the press pool travelling with Obama found they had been left behind, and it took considerable effort to catch up with the presidential motorcade.

Reuters reported that Jackson later said in a statement that the examination found Obama's sore throat was caused by soft-tissue inflammation brought on by acid reflux, which will be treated. Doctors also performed a computed tomography (CT) scan on Obama. (International Desk / compiled from wire reports)

Filed: 04:48
Updated: 06:55
 
 =====================================================
 http://rt.com/news/212299-ukraine-ignored-eu-mh17/

Kiev ignored EU request to close E. Ukraine airspace days before MH17 crash – report

Published time: December 07, 2014 20:27
Edited time: December 08, 2014
Journalists look at parts of the Malaysia Airlines plane Flight MH17 as Dutch investigators (unseen) arrive at the crash site near the Grabove village in eastern Ukraine on November 11, 2014 (AFP Photo/Menahem Kahana).

The European air traffic control regulator urged Kiev to close the southeast of Ukraine for civilian aircraft days before the MH17 flight was downed near Donetsk, but the plea was ignored by local authorities, a new report claims.
Eurocontrol experts spoke privately to their Ukrainian colleagues about the danger of the situation in the east of the country, unnamed sources in the organization told the Sunday Times newspaper.

They were reportedly concerned that by that time anti-Kiev militias had already downed about 20 Ukrainian military planes; that the communication frequencies were jammed in the Donetsk Region; and that the Russian and Ukrainian air-traffic controllers couldn’t exchange information.

However, Eurocontrol lacks power to affect national governments’ decisions, and Kiev continued to allow civil planes to use airspace over war-torn Donetsk and Lugansk regions, the report said.

Ukraine only agreed to raise the minimum height at which civilian aircraft were required to fly over the region, from 8 to 9.7 kilometers.

Investigators watch as a piece of wreckage from the Malaysia Airlines flight MH17 is transported at the site of the plane crash near the village of Hrabove (Grabovo) in Donetsk region, eastern Ukraine November 20, 2014. (Reuters/Antonio Bronic).

On July 17, Malaysia Airlines MH17 flight crashed in south-eastern Ukraine, killing all 298 people on board.

The victims came from 10 nations, with the majority of the passengers having been citizens of the Netherlands.

The investigations by the Dutch Safety Board and an international investigation team are still underway, with Kiev and the militias trading blame for the tragedy.

The Boeing 777 was allegedly shot down, but it is still unclear whether it was done by a surface-to-air missile or by a military plane.

The families of some of the MH17 victims are suing Ukraine in the European Court of Human Rights for refusing to shut down the airspace over the battle zone.
“I blame the Ukrainian authorities for not closing the airspace and Malaysia Airlines for not taking a decision to avoid it,” Robby Oehlers, who lost a cousin in the crash, told the Sunday Times.
The lives of the passengers of the Malaysian jet were lost due to financial and political reasons, said Elmar Giemulla, a lawyer for the families of four German victims.

Members of a group of international experts inspect wreckage at the site where the downed Malaysia Airlines flight MH17 crashed, near the village of Hrabove (Grabovo) in Donetsk region, eastern Ukraine August 1, 2014. (Reuters/Sergei Karpukhin).
 
“Presumably the Ukrainian authorities wanted to avoid losing the revenue from transit fees — up to $1 billion per year — and also for political reasons, as shutting your airspace means admitting a loss of control and a loss of sovereignty,” Giemulla said.
Eurocontrol (European Organization for the Safety of Air Navigation) has coordinated and planned air traffic control for all of Europe since 1960.
The organization currently has 40 member states, with Ukraine having joined in 2004.



 ============================================================
 http://securelist.com/blog/research/67741/regin-nation-state-ownage-of-gsm-networks/

Regin: Nation-state ownage of GSM networks

Motto: "Beware of Regin, the master! His heart is poisoned. He would be thy bane..."
"The Story of Siegfried" by James Baldwin

Introduction, history

Download our full Regin paper (PDF).
In the spring of 2012, following a Kaspersky Lab presentation on the unusual facts surrounding the Duqu malware, a security researcher contacted us and mentioned that Duqu reminded him of another high-end malware incident. Although he couldn't share a sample, the third-party researcher mentioned the "Regin" name, a malware attack that is now dreaded by many security administrators in governmental agencies around the world.
For the past two years, we've been tracking this most elusive malware across the world. From time to time, samples would appear on various multi-scanner services, but they were all unrelated to each other, cryptic in functionality and lacking context.
It's unknown exactly when the first samples of Regin were created. Some of them have timestamps dating back to 2003.
The victims of Regin fall into the following categories:
  • Telecom operators
  • Government institutions
  • Multi-national political bodies
  • Financial institutions
  • Research institutions
  • Individuals involved in advanced mathematical/cryptographical research
So far, we've observed two main objectives from the attackers:
  • Intelligence gathering
  • Facilitating other types of attacks
While in most cases, the attackers were focused on extracting sensitive information, such as e-mails and documents, we have observed cases where the attackers compromised telecom operators to enable the launch of additional sophisticated attacks. More about this in the GSM Targeting section below.
Perhaps one of the most publicly known victims of Regin is Jean Jacques Quisquater (https://en.wikipedia.org/wiki/Jean-Jacques_Quisquater), a well-known Belgian cryptographer. In February 2014, Quisquater announced he was the victim of a sophisticated cyber intrusion incident. We were able to obtain samples from the Quisquater case and confirm they belong to the Regin platform.
Another interesting victim of Regin is a computer we are calling "The Magnet of Threats". This computer belongs to a research institution and has been attacked by Turla, Mask/Careto, Regin, Itaduke, Animal Farm and some other advanced threats that do not have a public name, all co-existing happily on the same computer at some point.

Initial compromise and lateral movement

The exact method of the initial compromise remains a mystery, although several theories exist, which include man-in-the-middle attacks with browser zero-day exploits. For some of the victims, we observed tools and modules designed for lateral movement. So far, we have not encountered any exploits. The replication modules are copied to remote computers by using Windows administrative shares and then executed. Obviously, this technique requires administrative privileges inside the victim's network. In several cases, the infected machines were also Windows domain controllers. Targeting of system administrators via web-based exploits is one simple way of achieving immediate administrative access to the entire network.
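As an added example (not code from the Securelist article), a defender-side hunt for the replication pattern described above: it flags a source address that writes executables into administrative shares on several hosts within a short window. The event records, their field names and the thresholds are constructed assumptions for this example, loosely modelled on Windows Security event 5145 (detailed file share access).

```python
"""Hunt for executable drops over administrative shares (fan-out from one source).

Added example, not from the Securelist write-up.  The write-up says Regin's
replication modules are copied to remote machines over Windows administrative
shares and then executed.  One observable of that is a single source address
writing executables into ADMIN$ or C$ on several hosts in a short window.  The
records below are constructed for this example; their fields loosely follow
Windows Security event 5145 but are not real log output.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Shares used for remote file drops (assumption for this example).
ADMIN_SHARES = {"ADMIN$", "C$"}
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys")
# Access names as they appear in the Accesses field of event 5145.
WRITE_ACCESSES = {"WriteData", "AddFile", "AppendData"}

# Constructed sample events (one per share access), not real logs.
SAMPLE_EVENTS = [
    {"time": "2014-12-01T02:10:05", "host": "WS01", "src_ip": "10.0.0.5",
     "share": r"\\*\ADMIN$", "target": r"system32\wusvc.exe", "accesses": ["WriteData"]},
    {"time": "2014-12-01T02:11:40", "host": "WS02", "src_ip": "10.0.0.5",
     "share": r"\\*\ADMIN$", "target": r"system32\wusvc.exe", "accesses": ["WriteData"]},
    {"time": "2014-12-01T02:14:12", "host": "DC01", "src_ip": "10.0.0.5",
     "share": r"\\*\C$", "target": r"Windows\system32\wusvc.exe", "accesses": ["WriteData"]},
    {"time": "2014-12-01T02:15:00", "host": "WS03", "src_ip": "10.0.0.5",
     "share": r"\\*\ADMIN$", "target": r"system32\wusvc.exe", "accesses": ["ReadData"]},
    {"time": "2014-12-01T02:20:00", "host": "FS01", "src_ip": "10.0.0.9",
     "share": r"\\*\C$", "target": r"Users\alice\report.docx", "accesses": ["WriteData"]},
    {"time": "2014-12-01T02:22:30", "host": "WS04", "src_ip": "10.0.0.7",
     "share": r"\\*\ADMIN$", "target": r"system32\tool.exe", "accesses": ["WriteData"]},
    {"time": "2014-12-01T09:30:00", "host": "WS05", "src_ip": "10.0.0.5",
     "share": r"\\*\ADMIN$", "target": r"system32\wusvc.exe", "accesses": ["WriteData"]},
]


def is_exec_write_to_admin_share(event):
    """True if the event is a write of an executable into an administrative share."""
    share = event["share"].rsplit("\\", 1)[-1].upper()   # "\\*\ADMIN$" -> "ADMIN$"
    if share not in ADMIN_SHARES:
        return False
    if not event["target"].lower().endswith(EXECUTABLE_SUFFIXES):
        return False
    return bool(WRITE_ACCESSES.intersection(event["accesses"]))


def fanout_sources(events, window_minutes=10, min_hosts=3):
    """Return one alert per source address that dropped executables on at least
    min_hosts distinct hosts within any window of window_minutes."""
    window = timedelta(minutes=window_minutes)
    by_src = defaultdict(list)
    for event in events:
        if is_exec_write_to_admin_share(event):
            by_src[event["src_ip"]].append(
                (datetime.fromisoformat(event["time"]), event["host"]))

    alerts = []
    for src_ip, writes in by_src.items():
        writes.sort()                      # chronological
        best = None
        for i, (start, _) in enumerate(writes):
            # Distinct destination hosts written to within `window` of this write.
            hosts = {host for ts, host in writes[i:] if ts - start <= window}
            if len(hosts) >= min_hosts and (best is None or len(hosts) > len(best["hosts"])):
                best = {"src_ip": src_ip, "hosts": sorted(hosts),
                        "window_start": start.isoformat()}
        if best is not None:
            alerts.append(best)
    return sorted(alerts, key=lambda a: a["src_ip"])


if __name__ == "__main__":
    for alert in fanout_sources(SAMPLE_EVENTS):
        print(f"{alert['src_ip']} dropped executables on {alert['hosts']} "
              f"starting {alert['window_start']}")
```

On the constructed data only 10.0.0.5 trips the threshold; the read-only access to WS03 and the single drop from 10.0.0.7 do not.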

The Regin platform

In short, Regin is a cyber-attack platform which the attackers deploy in the victim networks for ultimate remote control at all possible levels.
The platform is extremely modular in nature and has multiple stages.

[Figure: Regin platform diagram]
The first stage ("stage 1") is generally the only executable file that will appear on victims' systems. Further stages are stored either directly on the hard drive (on 64-bit systems), as NTFS Extended Attributes, or as registry entries. We've observed many different stage 1 modules, which sometimes have been merged with public sources to achieve a type of polymorphism, complicating the detection process.
The second stage has multiple purposes and can remove the Regin infection from the system if instructed to do so by the third stage.
The second stage also creates a marker file that can be used to identify the infected machine. Known filenames for this marker are:
  • %SYSTEMROOT%\system32\nsreg1.dat
  • %SYSTEMROOT%\system32\bssec3.dat
  • %SYSTEMROOT%\system32\msrdc64.dat
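A sweep for these markers, added here as an example and not code from the Securelist post: the three filenames are the ones listed above; the function name, the report fields and the option to point it at a mounted disk image instead of the live %SYSTEMROOT% are this example's own assumptions.

```python
"""Sweep a Windows system directory for the Regin stage-2 marker files.

Added example, not code from the Securelist post. The three marker names
are the ones the post lists; the function, its report fields and the
system_root parameter (so the sweep can run against a mounted image or a
copied system32 directory) are assumptions of this example.
"""
import hashlib
import os
from datetime import datetime, timezone

# Marker filenames named in the post, relative to %SYSTEMROOT%\system32.
REGIN_MARKER_NAMES = ("nsreg1.dat", "bssec3.dat", "msrdc64.dat")


def _md5(path, chunk=1 << 16):
    """MD5 of a file, read in chunks so large files do not load into memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def find_regin_markers(system_root=None, names=REGIN_MARKER_NAMES):
    """Return one finding per marker file present under <system_root>\\system32.

    system_root defaults to %SYSTEMROOT% (or C:\\Windows when unset), but can
    be the mount point of a disk image. Each finding carries path, size,
    modification time and MD5 so it can go straight into a ticket. A hit on
    a machine that has already been "cleaned" is exactly the residue the
    post describes for msrdc64.dat.
    """
    if system_root is None:
        system_root = os.environ.get("SYSTEMROOT", r"C:\Windows")
    sys32 = os.path.join(system_root, "system32")
    findings = []
    for name in names:
        path = os.path.join(sys32, name)
        if not os.path.isfile(path):
            continue
        st = os.stat(path)
        findings.append({
            "path": path,
            "size": st.st_size,
            "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            "md5": _md5(path),
        })
    return findings


if __name__ == "__main__":
    hits = find_regin_markers()
    if not hits:
        print("no Regin marker files found")
    for hit in hits:
        print(f"{hit['path']}  size={hit['size']}  mtime={hit['mtime']}  md5={hit['md5']}")
```

Run it as-is on a live host, or pass the root of a mounted image (for example `find_regin_markers("/mnt/evidence/Windows")`) when triaging offline; the modification time is worth recording because the marker survives the malware's own uninstall routine.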
Stage 3 exists only on 32 bit systems - on 64 bit systems, stage 2 loads the dispatcher directly, skipping the third stage.
Stage 4, the dispatcher, is perhaps the most complex single module of the entire platform. The dispatcher is the user-mode core of the framework. It is loaded directly as the third stage of the 64-bit bootstrap process or extracted and loaded from the VFS as module 50221 as the fourth stage on 32-bit systems.
The dispatcher takes care of the most complicated tasks of the Regin platform, such as providing an API to access virtual file systems, basic communications and storage functions as well as network transport sub-routines. In essence, the dispatcher is the brain that runs the entire platform.
A thorough description of all malware stages can be found in our full technical paper.

Virtual File Systems (32/64-bit)

The most interesting code from the Regin platform is stored in encrypted file storages, known as Virtual File Systems (VFSes).
During our analysis we were able to obtain 24 VFSes, from multiple victims around the world. Generally, these have random names and can be located in several places in the infected system. For a full list, including the format of the Regin VFSes, see our technical paper.

Unusual modules and artifacts

With high-end APT groups such as the one behind Regin, mistakes are very rare. Nevertheless, they do happen. Some of the VFSes we analyzed contain words which appear to be the respective codenames of the modules deployed on the victim:
  • legspinv2.6 and LEGSPINv2.6
  • WILLISCHECKv2.0
  • HOPSCOTCH
Another module we found, a plugin of type 55001.0, references another codename, U_STARBUCKS:

[Figure: plugin 55001.0 referencing the U_STARBUCKS codename]

GSM Targeting

The most interesting aspect we have found so far about Regin is related to the infection of a large GSM operator. One encrypted VFS entry we located had internal id 50049.2 and appears to be an activity log from a GSM Base Station Controller.

[Figure: GSM network structure]
According to the GSM documentation ( http://www.telecomabc.com/b/bsc.html ): "The Base Station Controller (BSC) is in control of and supervises a number of Base Transceiver Stations (BTS). The BSC is responsible for the allocation of radio resources to a mobile call and for the handovers that are made between base stations under his control. Other handovers are under control of the MSC."
Here's a look at the decoded Regin GSM activity log:

[Figure: decoded Regin GSM activity log]
This log is about 70KB in size and contains hundreds of entries like the ones above. It also includes timestamps which indicate exactly when the command was executed.

[Figure: OSS commands seen in the log]
The entries in the log appear to contain Ericsson OSS MML (Man-Machine Language, as defined by ITU-T) commands.
Here's a list of some commands issued on the Base Station Controller, together with some of their timestamps:

Descriptions for the commands:
  • rxmop - check software version type;
  • rxmsp - list current call forwarding settings of the Mobile Station;
  • rlcrp - list call forwarding settings for the Base Station Controller;
  • rxble - enable (unblock) call forwarding;
  • rxtcp - show the Transceiver Group of a particular cell;
  • allip - show external alarms;
  • dtstp - show Digital Path (DIP) settings (DIP is the name of the function used for supervision of the connected PCM (Pulse Code Modulation) lines);
  • rlstc - activate cell(s) in the GSM network;
  • rlstp - stop cell(s) in the GSM network;
  • rlmfc - add frequencies to the active broadcast control channel allocation list;
  • rlnri - add cell neighbour;
  • rrtpp - show radio transmission transcoder pool details.
The log seems to contain not only the executed commands but also usernames and passwords of some engineering accounts:
sed[snip]:Alla[snip]
hed[snip]:Bag[snip]
oss:New[snip]
administrator:Adm[snip]
nss1:Eric[snip]
In total, the log indicates that commands were executed on 136 different cells. Some of the cell names include "prn021a, gzn010a, wdk004, kbl027a, etc...". The command log we obtained covers a period of about one month, from April 25, 2008 through May 27, 2008. It is unknown why the commands stopped in May 2008 though; perhaps the infection was removed or the attackers achieved their objective and moved on. Another explanation is that the attackers improved or changed the malware to stop saving logs locally and that's why only some older logs were discovered.
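Added example (not code from the Securelist post) of the triage a practitioner would run on such a log: parse the entries, count distinct cells and the time span, separate state-changing commands from read-only ones, and pull out the bare account:password lines. The post shows the log only as a screenshot, so the line layout (timestamp, account, MML command) and every sample line below are constructed; the mnemonics and their meanings are the ones listed above.

```python
"""Parse and summarise an Ericsson OSS MML command log of the kind Regin
captured on the BSC.

Added example, not code from the Securelist post. The post shows the log
only as a screenshot, so the layout assumed here ("<timestamp> <account>
<command>") and every sample line are constructed; the command mnemonics
and their meanings are the ones the post lists.
"""
import re
from collections import Counter
from datetime import datetime

# Mnemonics and meanings as listed in the post.
MML_COMMANDS = {
    "rxmop": "check software version type",
    "rxmsp": "list current call forwarding settings of the Mobile Station",
    "rlcrp": "list call forwarding settings for the BSC",
    "rxble": "enable (unblock) call forwarding",
    "rxtcp": "show the Transceiver Group of a particular cell",
    "allip": "show external alarms",
    "dtstp": "show Digital Path (DIP) settings",
    "rlstc": "activate cell(s)",
    "rlstp": "stop cell(s)",
    "rlmfc": "add frequencies to the active BCCH allocation list",
    "rlnri": "add cell neighbour",
    "rrtpp": "show radio transmission transcoder pool details",
}
# Commands that change radio-network state rather than read it; a burst of
# these across many cells is the pattern worth alerting on.
STATE_CHANGING = {"rxble", "rlstc", "rlstp", "rlmfc", "rlnri"}

# Constructed log in the assumed layout, plus two bare "account:password"
# lines of the kind the post found mixed into the real log.
SAMPLE_LOG = """\
2008-04-25 09:14:02 oss rxmop:mo=rxotg-21;
2008-04-25 09:14:40 oss rlcrp:cell=prn021a;
oss:Ops2008!
2008-04-26 11:02:17 nss1 rlstp:cell=gzn010a;
2008-04-26 11:02:45 nss1 rlmfc:cell=gzn010a,listtype=active,dchno=72&84;
2008-04-26 11:03:10 nss1 rlstc:cell=gzn010a;
nss1:Sw1tchRoom
2008-05-02 16:30:00 administrator rlnri:cell=wdk004,cellr=kbl027a;
2008-05-27 08:45:12 oss allip;
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<user>\S+)\s+"
    r"(?P<cmd>[a-z]{5})(?::(?P<params>[^;]*))?;?\s*$"
)
CELL_RE = re.compile(r"\bcellr?=([a-z0-9]+)", re.I)
CRED_RE = re.compile(r"^(?P<user>[A-Za-z0-9_]+):(?P<secret>\S+)$")


def parse_mml_log(text):
    """One dict per command line: timestamp, account, mnemonic, cells, meaning."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        params = m.group("params") or ""
        entries.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "user": m.group("user"),
            "cmd": m.group("cmd"),
            "cells": [c.lower() for c in CELL_RE.findall(params)],
            "meaning": MML_COMMANDS.get(m.group("cmd"), "unknown command"),
        })
    return entries


def find_credentials(text):
    """Bare 'account:password' lines, with the secret redacted for reporting."""
    found = []
    for line in text.splitlines():
        m = CRED_RE.match(line.strip())
        if m:
            found.append((m.group("user"), m.group("secret")[:3] + "[redacted]"))
    return found


def summarise(entries):
    """The figures the post reports: cells touched, time span, who ran what."""
    cells = {c for e in entries for c in e["cells"]}
    return {
        "entries": len(entries),
        "distinct_cells": len(cells),
        "first": min(e["ts"] for e in entries),
        "last": max(e["ts"] for e in entries),
        "by_command": Counter(e["cmd"] for e in entries),
        "by_user": Counter(e["user"] for e in entries),
        "state_changes": [(e["ts"], e["user"], e["cmd"], e["cells"])
                          for e in entries if e["cmd"] in STATE_CHANGING],
    }


if __name__ == "__main__":
    s = summarise(parse_mml_log(SAMPLE_LOG))
    print(f"{s['entries']} commands on {s['distinct_cells']} cells, "
          f"{s['first']:%Y-%m-%d} to {s['last']:%Y-%m-%d}")
    for ts, user, cmd, cells in s["state_changes"]:
        print(f"  {ts:%Y-%m-%d %H:%M} {user:<14} {cmd} {cells}: {MML_COMMANDS[cmd]}")
    for user, secret in find_credentials(SAMPLE_LOG):
        print(f"  credential exposed for account {user}: {secret}")
```

The split between read-only and state-changing mnemonics is the useful part: an attacker who only runs rxmop/rlcrp is mapping the network, while rlstp/rlstc/rlmfc/rlnri on many cells means they are changing how calls are routed, and the redacted credential list tells the operator which accounts to rotate.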

Communication and C&C

The C&C mechanism implemented in Regin is extremely sophisticated and relies on communication drones deployed by the attackers throughout the victim networks. Most victims communicate with another machine in their own internal network, through various protocols, as specified in the config file. These include HTTP and Windows named pipes. The purpose of such a complex infrastructure is to achieve two goals: give attackers access deep into the network, potentially bypassing air gaps, and restrict the traffic to the C&C as much as possible.
Here's a look at the decoded configurations:
[Figure: decoded Regin C&C configurations]
In the above table, we see configurations extracted from several victims that bridge together infected machines in what appears to be virtual networks: 17.3.40.x, 50.103.14.x, 51.9.1.x, 18.159.0.x. One of these routes reaches out to the "external" C&C server at 203.199.89.80.
The numbers right after "transport" indicate the plugin that handles the communication. In our case these are:
  • 27 - ICMP network listener using raw sockets
  • 50035 - Winsock-based network transport
  • 50037 - Network transport over HTTP
  • 50051 - Network transport over HTTPS
  • 50271 - Network transport over SMB (named pipes)
The machines located on the border of the network act as routers, effectively connecting victims from inside the network with C&Cs on the internet.
After decoding all the configurations we've collected, we were able to identify the following external C&Cs.
C&C server IP     Location                             Description
61.67.114.73      Taiwan, Province Of China, Taichung  Chwbn
202.71.144.113    India, Chetput Chennai               Network Operations (team-m.co)
203.199.89.80     India, Thane                         Internet Service Provider
194.183.237.145   Belgium, Brussels                    Perceval S.a.
One particular case involves a country in the Middle East. This case was mind-blowing, so we thought it important to present it. In this specific country, all the victims we identified communicate with each other, forming a peer-to-peer network. The P2P network includes the president's office, a research center, an educational institution's network and a bank.
These victims, spread across the country, are all interconnected. One of the victims contains a translation drone which has the ability to forward the packets outside of the country, to the C&C in India.
This represents a rather interesting command-and-control mechanism, which is guaranteed to raise very little suspicion. For instance, if all commands to the president's office are sent through the bank's network, then all the malicious traffic visible to the president's office sysadmins will be with the bank, in the same country.
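The relay topology described above, as an added example that is not from the Securelist post: per-victim route records (constructed, since the post's configuration table is only a screenshot) are turned into a graph, the path from each victim to the Internet is found, and the hosts whose egress logs would actually show the C&C address are listed. The transport plugin IDs and the 203.199.89.80 C&C are the post's; the host names and virtual-network addresses are assumed.

```python
"""Reconstruct Regin-style C&C relaying from per-victim transport configs.

Added example, not code from the Securelist post. The post's decoded
configuration table is only a screenshot, so the route records and host
names below are constructed to mirror the Middle East case it describes
(president's office -> bank -> C&C abroad). The transport plugin IDs and
the external C&C address 203.199.89.80 are from the post; the rest is
assumed.
"""
from collections import deque

# Transport plugin IDs and meanings as listed in the post.
TRANSPORTS = {
    27: "ICMP (raw sockets)",
    50035: "Winsock",
    50037: "HTTP",
    50051: "HTTPS",
    50271: "SMB named pipes",
}

# Constructed addresses of infected hosts on the attackers' virtual networks.
HOST_ADDR = {
    "presidents-office": "50.103.14.7",
    "research-center": "50.103.14.1",
    "university": "51.9.1.3",
    "bank": "17.3.40.2",
}

# Constructed route table: (victim, transport plugin, next hop address).
ROUTES = [
    ("presidents-office", 50271, "17.3.40.2"),   # to the bank over SMB pipes
    ("research-center", 50037, "17.3.40.2"),     # to the bank over HTTP
    ("university", 27, "50.103.14.1"),           # to the research center over ICMP
    ("bank", 50051, "203.199.89.80"),            # the bank talks to the real C&C
]


def build_graph(routes, host_addr):
    """Adjacency list: victim -> [(transport, next hop)], where a next hop is a
    victim name if the address belongs to a known infected host and the raw
    address otherwise."""
    addr_to_host = {addr: host for host, addr in host_addr.items()}
    graph = {host: [] for host in host_addr}
    for host, transport, nxt in routes:
        graph.setdefault(host, []).append((transport, addr_to_host.get(nxt, nxt)))
    return graph


def is_external(node, graph):
    """Anything that is not an infected host in the config set is an egress
    to the Internet."""
    return node not in graph


def egress_path(graph, start):
    """Breadth-first search from a victim to its first external hop.
    Returns [(victim, transport), ..., (external address, None)] or None."""
    seen = {start}
    queue = deque([[(start, None)]])
    while queue:
        path = queue.popleft()
        host = path[-1][0]
        for transport, nxt in graph.get(host, []):
            step = path[:-1] + [(host, transport), (nxt, None)]
            if is_external(nxt, graph):
                return step
            if nxt not in seen:
                seen.add(nxt)
                queue.append(step)
    return None


def border_hosts(graph):
    """Victims that talk to the Internet directly: the only place a proxy log
    or egress filter will ever show the real C&C address."""
    return sorted(host for host, hops in graph.items()
                  if any(is_external(nxt, graph) for _, nxt in hops))


def what_admin_sees(graph, host):
    """Peers visible to one victim's own sysadmin: just its next hops."""
    return [(TRANSPORTS.get(t, f"plugin {t}"), nxt) for t, nxt in graph.get(host, [])]


def describe(path):
    """Render a path as 'a --HTTP--> b --HTTPS--> 203.199.89.80'."""
    out = []
    for node, transport in path:
        out.append(node if transport is None
                   else f"{node} --{TRANSPORTS.get(transport, transport)}--> ")
    return "".join(out)


if __name__ == "__main__":
    graph = build_graph(ROUTES, HOST_ADDR)
    print("border hosts (watch their egress):", border_hosts(graph))
    for victim in HOST_ADDR:
        print(describe(egress_path(graph, victim)))
    print("president's office admin sees only:", what_admin_sees(graph, "presidents-office"))
```

The practical lesson is in `border_hosts` and `what_admin_sees`: the president's office sees only SMB pipe traffic to the bank, so hunting has to correlate configurations across organisations, and egress monitoring belongs at the one host that reaches the Internet.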
[Figure: Regin C&C relay topology]

Victim Statistics

Over the past two years, we collected statistics about the attacks and victims of Regin. This was aided by the fact that even after the malware is uninstalled, certain artifacts are left behind which can help identify an infected (but cleaned) system. For instance, we've seen several cases where the systems were cleaned but the "msrdc64.dat" infection marker was left behind.
[Figure: map of Regin victims]
So far, victims of Regin were identified in 14 countries:
  • Algeria
  • Afghanistan
  • Belgium
  • Brazil
  • Fiji
  • Germany
  • Iran
  • India
  • Indonesia
  • Kiribati
  • Malaysia
  • Pakistan
  • Russia
  • Syria
In total, we counted 27 different victims, although it should be pointed out that the definition of a victim here refers to a full entity, including their entire network. The number of unique PCs infected with Regin is of course much, much higher.
From the map above, Fiji and Kiribati are unusual, because we rarely see such advanced malware in such remote, small countries. In particular, the victim in Kiribati is most unusual. To put this into context, Kiribati is a small island nation in the Pacific, with a population of around 100,000.
More information about the Regin victims is available through Kaspersky Intelligent Services. Contact: intelreports@kaspersky.com

Attribution

Considering the complexity and cost of Regin development, it is likely that this operation is supported by a nation-state. While attribution remains a very difficult problem when it comes to professional attackers such as those behind Regin, certain metadata extracted from the samples might still be relevant.
[Figure: compilation timestamps extracted from Regin samples]
As this information could be easily altered by the developers, it's up to the reader to attempt to interpret this: as an intentional false flag or a non-critical indicator left by the developers.
More information about Regin is available to Kaspersky Intelligent Services' clients. Contact: intelreports@kaspersky.com

Conclusions

For more than a decade, a sophisticated group known as Regin has targeted high-profile entities around the world with an advanced malware platform. As far as we can tell, the operation is still active, although the malware may have been upgraded to more sophisticated versions. The most recent sample we've seen was from a 64-bit infection. This infection was still active in the spring of 2014.
The name Regin is apparently a reversed "In Reg", short for "In Registry", as the malware can store its modules in the registry. This name and detections first appeared in anti-malware products around March 2011.
From some points of view, the platform reminds us of another sophisticated malware: Turla. Some similarities include the use of virtual file systems and the deployment of communication drones to bridge networks together. Yet through their implementation, coding methods, plugins, hiding techniques and flexibility, Regin surpasses Turla as one of the most sophisticated attack platforms we have ever analysed.
The ability of this group to penetrate and monitor GSM networks is perhaps the most unusual and interesting aspect of these operations. In today's world, we have become too dependent on mobile phone networks which rely on ancient communication protocols with little or no security available for the end user. Although all GSM networks have mechanisms embedded which allow entities such as law enforcement to track suspects, there are other parties which can gain this ability and further abuse them to launch other types of attacks against mobile users.
Full technical paper with IOCs.
Kaspersky products detect modules from the Regin platform as: Trojan.Win32.Regin.gen and Rootkit.Win32.Regin.
If you detect a Regin infection in your network, contact us at: intelservices@kaspersky.com


 ==========================================================
 http://securelist.com/blog/research/67741/regin-nation-state-ownage-of-gsm-networks/

Regin: nation-state ownage of GSM networks

"Beware of Regin, Master! His heart is poisoned. He would be your bane..."
"The Story of Siegfried" by James Baldwin

Introduction and history

Download our full Regin paper (PDF).
In the spring of 2012, following a Kaspersky Lab presentation on the unusual facts surrounding the Duqu malware, a security researcher contacted us and mentioned that Duqu reminded him of another high-end malware incident. Although he couldn't share a sample, the third-party researcher mentioned the "Regin" name, a malware attack that is now dreaded by many security administrators in governmental agencies around the world.
For the past two years we have been tracking this most elusive malware. From time to time, samples would appear on various multi-scanner services, but they were all unrelated to each other, cryptic in functionality and lacking context.
It is unknown when the first samples of Regin were created. Some of them have timestamps dating back to 2003.
The victims of Regin fall into the following categories:
  • Telecom operators
  • Government institutions
  • Multi-national political bodies
  • Financial institutions
  • Research institutions
  • Individuals involved in advanced mathematical/cryptographic research
So far, we have observed two main objectives of the attackers:
  • Intelligence gathering
  • Facilitating other types of attacks
 ==============

 http://securelist.com/analysis/publications/65545/the-epic-turla-operation/

The Epic Turla Operation

Solving some of the mysteries of Snake/Uroburos

Published on August 7, 2014.

 Technical Appendix with IOCs

Executive Summary

Over the last 10 months, Kaspersky Lab researchers have analyzed a massive cyber-espionage operation which we call "Epic Turla". The attackers behind Epic Turla have infected several hundred computers in more than 45 countries, including government institutions, embassies, military, education, research and pharmaceutical companies.
The attacks are known to have used at least two zero-day exploits:
  • CVE-2013-5065 - Privilege escalation vulnerability in Windows XP and Windows 2003
  • CVE-2013-3346 - Arbitrary code-execution vulnerability in Adobe Reader
We also observed exploits against older (patched) vulnerabilities, social engineering techniques and watering hole strategies in these attacks. The primary backdoor used in the Epic attacks is also known as "WorldCupSec", "TadjMakhal", "Wipbot" or "Tavdig".
When G-Data published on Turla/Uroburos back in February, several questions remained unanswered. One big unknown was the infection vector for Turla (aka Snake or Uroburos). Our analysis indicates that victims are infected via a sophisticated multi-stage attack, which begins with Epic Turla. In time, as the attackers gain confidence, this is upgraded to more sophisticated backdoors, such as the Carbon/Cobra system. Sometimes both backdoors are run in tandem and used to "rescue" each other if communications are lost with one of them.
Once the attackers obtain the necessary credentials without the victim noticing, they deploy the rootkit and other extreme persistence mechanisms.
The attacks are still ongoing as of July 2014, actively targeting users in Europe and the Middle East.
Note: A full analysis of the Epic attacks is available to the Kaspersky Intelligent Services subscribers. Contact: intelreports@kaspersky.com

The Epic Turla attacks

The attacks in this campaign fall into several different categories depending on the vector used in the initial compromise:
  • Spearphishing e-mails with Adobe PDF exploits (CVE-2013-3346 + CVE-2013-5065)
  • Social engineering to trick the user into running malware installers with ".SCR" extension, sometimes packed with RAR
  • Watering hole attacks using Java exploits (CVE-2012-1723), Flash exploits (unknown) or Internet Explorer 6,7,8 exploits (unknown)
  • Watering hole attacks that rely on social engineering to trick the user into running fake "Flash Player" malware installers
The attackers use both direct spearphishing and watering hole attacks to infect their victims. Watering holes (waterholes) are websites of interest to the victims that have been compromised by the attackers and injected to serve malicious code.
So far we haven't been able to locate any e-mail used against the victims, only the attachments. The PDF attachments do not show any "lure" to the victim when opened; however, the SCR packages sometimes show a clean PDF upon successful installation.

Some of known attachment names used in the spearphishing attacks are:
  • مؤتمر جنيف.rar (translation from Arabic: "Geneva conference.rar")
  • NATO position on Syria.scr
  • Note_№107-41D.pdf
  • Talking Points.scr
  • border_security_protocol.rar
  • Security protocol.scr
  • Program.scr
In some cases, these filenames can provide clues about the type of victims the attackers are targeting.

The watering hole attacks

Currently, the Epic attackers run a vast network of watering holes that target visitors with surgical precision.
Some of the injected websites include:
[Figure: the website of the City Hall of Pinor, Spain]

[Figure: a site promoting entrepreneurship in the border area of Romania]

[Figure: the website of the Palestinian Authority Ministry of Foreign Affairs]
In total, we observed more than 100 injected websites. Currently, the largest number of injected sites is in Romania.
Here's the breakdown of the injected websites:
[Figure: injected websites by country]
The distribution is obviously not random, and it reflects some of the interests of the attackers. For instance, in Romania many of the infected sites are in the Mures region, while many of the Spanish infected sites belong to local governments (City Hall).
Most of the infected sites use the TYPO3 CMS (see: http://typo3.org/), which could indicate the attackers are abusing a specific vulnerability in this publishing platform.
Injected websites load a remote JavaScript into the victim's browser:
[Figure: injected script tag loading the remote JavaScript]
The script "sitenavigatoin.js" is a Pinlady-style browser and plugin detection script, which in turn, redirects to a PHP script sometimes called main.php or wreq.php. Sometimes, the attackers register the .JPG extension with the PHP handler on the server, using "JPG" files to run PHP scripts:
[Figure: profiling script]
The main exploitation script "wreq.php", "main.php" or "main.jpg" performs a number of tasks. We have located several versions of this script which attempt various exploitation mechanisms.
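A defender-side check for this kind of injection, added here as an example and not from the Securelist post: it lists script tags loaded from a host other than the page's own, served under an image extension (the .JPG-mapped-to-PHP trick above), or carrying one of the filenames named above. The sample page and its host names are constructed; only the filenames in KNOWN_NAMES come from the post.

```python
"""Find script tags on a page that look like a watering-hole injection:
loaded from a host other than the page's own, served under an image
extension (the post's .JPG-mapped-to-PHP trick), or carrying one of the
filenames the post names.

Added example, not code from the Securelist post. The sample page and the
host names in it are constructed; only the filenames in KNOWN_NAMES come
from the post.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

KNOWN_NAMES = {"sitenavigatoin.js", "main.php", "wreq.php", "main.jpg"}
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif")


class ScriptCollector(HTMLParser):
    """Collect every <script src=...> value, in document order."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value.strip())


def suspicious_scripts(page_url, html):
    """Return [(src, [reasons])] for script sources worth a second look."""
    page_host = urlparse(page_url).netloc.lower()
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.srcs:
        parts = urlparse(src)
        reasons = []
        if parts.netloc and parts.netloc.lower() != page_host:
            reasons.append(f"loaded from third-party host {parts.netloc.lower()}")
        path = parts.path.lower()
        if path.endswith(IMAGE_EXTS):
            reasons.append("script served under an image extension")
        if path.rsplit("/", 1)[-1] in KNOWN_NAMES:
            reasons.append("filename matches a known Epic Turla script")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed page: one legitimate local script and two injected ones.
SAMPLE_HTML = """<html><head><title>City Hall</title>
<script src="/typo3temp/compressor/jquery.js"></script>
<script type="text/javascript" src="http://cdn.example-evil.test/js/sitenavigatoin.js"></script>
</head><body>
<script src="//cdn.example-evil.test/images/main.jpg"></script>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in suspicious_scripts("http://www.cityhall.example/index.php", SAMPLE_HTML):
        print(src)
        for reason in reasons:
            print("   -", reason)
```

Run it over the HTML your own site actually serves (fetched from outside, since the injection may be conditional on the visitor) rather than the files in the repository; the third-party-host and image-extension checks are the durable ones, the filename list only catches this campaign.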
One version of this script attempts to exploit Internet Explorer versions 6, 7 and 8:
[Figure: Internet Explorer exploitation script]
Unfortunately, the Internet Explorer exploits have not yet been retrieved.
Another more recent version attempts to exploit Oracle Sun Java and Adobe Flash Player:
[Figure: Java and Flash Player exploitation scripts]
Although the Flash Player exploits couldn't be retrieved, we did manage to obtain the Java exploits:
Name         MD5
allj.html    536eca0defc14eff0a38b64c74e03c79
allj.jar     f41077c4734ef27dec41c89223136cf8
allj64.html  15060a4b998d8e288589d31ccd230f86
allj64.jar   e481f5ea90d684e5986e70e6338539b4
lstj.jar     21cbc17b28126b88b954b3b123958b46
lstj.html    acae4a875cd160c015adfdea57bd62c4
The Java files exploit a popular vulnerability, CVE-2012-1723, in various configurations.
The payload dropped by these Java exploits is the following:
MD5: d7ca9cf72753df7392bfeea834bcf992
The Java exploits use a special loader that attempts to inject the final Epic backdoor payload into explorer.exe. The backdoor extracted from the Java exploits has the following C&C hardcoded inside:
www.arshinmalalan[.]com/themes/v6/templates/css/in.php
This C&C is still online at the moment although it redirects to a currently suspended page at "hxxp://busandcoachdirectory.com[.]au". For a full list of C&C servers, please see the Appendix.
The Epic Turla attackers are extremely dynamic in using exploits or different methods depending on what is available at the moment. Most recently, we observed them using yet another technique coupled with watering hole attacks.  This takes advantage of social engineering to trick the user into running a fake Flash Player (MD5: 030f5fdb78bfc1ce7b459d3cc2cf1877):
[Figure: fake Flash Player installer]
In at least one case, they tried to trick the user into downloading and running a fake Microsoft Security Essentials app (MD5: 89b0f1a3a667e5cd43f5670e12dba411):
[Figure: fake Microsoft Security Essentials application]
The fake application is signed by a valid digital certificate from Sysprint AG:
Serial number: ‎00 c0 a3 9e 33 ec 8b ea 47 72 de 4b dc b7 49 bb 95
Thumbprint: ‎24 21 58 64 f1 28 97 2b 26 22 17 2d ee 62 82 46 07 99 ca 46
[Figure: valid signature from Sysprint AG on the Epic dropper]
This file was distributed from the Ministry of Foreign Affairs of Tajikistan's website, at "hxxp://mfa[.]tj/upload/security.php".
The file is a .NET application that contains an encrypted resource. This drops the malicious file with the MD5 7731d42b043865559258464fe1c98513.
This is an Epic backdoor which connects to the following C&Cs, with a generic internal ID of 1156fd22-3443-4344-c4ffff:
hxxp://homaxcompany[.]com/components/com_sitemap/
hxxp://www.hadilotfi[.]com/wp-content/themes/profile/
A full list with all the C&C server URLs that we recovered from the samples can be found in the technical Appendix.

The Epic command-and-control infrastructure

The Epic backdoors are commanded by a huge network of hacked servers that deliver command and control functionality.
The huge network commanded by the Epic Turla attackers serves multiple purposes. For instance, the motherships function as both exploitation sites and command and control panels for the malware.
Here's what the big picture looks like:
[Figure: Epic Turla lifecycle]
The first level of command and control proxies generally talks to a second level of proxies, which in turn talk to the "mothership" server. The mothership server is generally a VPS, which runs the control panel software used to interact with the victims. The attackers operate the mothership through a network of proxies and VPN servers for anonymity reasons. The mothership also works as the exploitation server used in the watering hole attacks, delivering Java, IE or fake applications to the victim.
We were able to get a copy of one of the motherships, which provided some insight into the operation.
It runs a control panel which is password protected:
[Figure: Epic mothership control panel login]
Once logged into the Control panel, the attackers can see a general overview of the system including the number of interesting potential targets:
[Figure: Epic control panel status overview]

A very interesting file on the servers is task.css, where the attackers define the IP ranges they are interested in. To change the file, they use the "Task editor" from the menu. Depending on the "tasks", they decide whether or not to infect the visitors. In this case, we found they targeted two ranges belonging to:
  • "Country A" - Federal Government Network
  • "Country B" - Government Telecommunications and Informatics Services Network
It should be noted, though, that the fact the attackers were targeting these ranges doesn't necessarily mean those ranges also got infected. Some other unknown IPs were also observed in the targeting schedules.
There is also an "except.css" file where attackers log the reasons they didn't try to exploit certain visitors. There are three possible values:
  • TRY
  • DON'T TRY -> Version of the browser and OS does not meet the conditions
  • DON'T TRY -> (2012-09-19 10:02:04) - checktime
These are the "don't meet the conditions" reasons observed in the logs:
  • Windows 7 or 2008 R2
  • MSIE 8.0
  • Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 1.1.4322; .NET4.0C; .NET4.0E)
  • Adobe Shockwave 11.5.1.601
  • Adobe Flash 10.3.181.14
  • Adobe Reader 10.1.0.0
  • Win Media Player 12.0.7601.17514
  • Quick Time null
  • MS Word null
  • Java null

The Epic / Tavdig / Wipbot backdoor

For this first stage of the attack, the threat actor uses a custom backdoor. In some cases, the backdoor is packaged together with the CVE-2013-5065 EoP exploit and heavily obfuscated. This makes the analysis more difficult.
The CVE-2013-5065 exploit allows the backdoor to achieve administrator privileges on the system and run unrestricted. This exploit only works on unpatched Microsoft Windows XP systems.
Other known detection names for the backdoor are Trojan.Wipbot (Symantec) or Tavdig.
The main backdoor is about 60KB in size and implements a C&C protocol on top of normal HTTP requests. The communication protocol uses xxx requests in the C&C replies, which the malware decrypts and processes. The replies are sent back to the C&C through the same channel.
The malware behavior is defined by a configuration block. The configuration block usually contains two hard-coded C&C URLs. We have also seen one case where the configuration block contains just one URL. The configuration can also be updated on the fly by the attackers, via the C&C.
The backdoor attempts to identify the following processes and, if found, it will terminate itself:
  • tcpdump.exe
  • windump.exe
  • ethereal.exe
  • wireshark.exe
  • ettercap.exe
  • snoop.exe
  • dsniff.exe
It contains an internal unique ID, which is used to identify the victim to the C&C. Most samples, especially old ones, have the ID 1156fd22-3443-4344-c4ffff. Once a victim is confirmed as "interesting", the attackers upload another Epic backdoor which has a unique ID used to control this specific victim.
During the first C&C call, the backdoor sends a pack with the victim's system information. All further information sent to the C&C is encrypted with a public key framework, making decryption impossible. The commands from the C&C are encrypted in a simpler manner and can be decrypted if intercepted because the secret key is hardcoded in the malware.
Through monitoring, we were able to capture a large number of commands sent to the victims by the attackers, providing a unique view into this operation. Here's a look at one of the encrypted server replies:
[Figure: encrypted server reply]
Once a victim is infected and "checks in" with the server, the attackers send a template of commands:
[Figure: initial command template]
Next, the attackers try to move through the victim's network using pre-defined or collected passwords:
[Figure: lateral movement commands]
Listing all .doc files recursively is also a common "theme":
[Figure: recursive .doc listing command]
In total, we have decoded several hundred of these command packages delivered to the victims, providing a unique insight into the inner workings of the attackers.
In addition to generic searches, some very specific lookups have been observed as well. These include searches for:
  • *NATO*.msg
  • eu energy dialogue*.*
  • EU*.msg
  • Budapest*.msg
In this case, the attackers were interested in finding e-mails related to "NATO", "Energy Dialogue within European Union" and so on.
For some of the C&C servers, the attackers implemented RSA encryption for the C&C logs, which makes it impossible to decrypt them. This scheme was implemented in April 2014.
[Figure: RSA-encrypted C&C log]

Lateral movement and upgrade to more sophisticated backdoors

Once a victim is compromised, the attackers upload several tools that are used for lateral movement.
One such tool observed in the attacks and saved as "C:\Documents and Settings\All users\Start Menu\Programs\Startup\winsvclg.exe" is:
Name: winsvclg.exe
MD5: a3cbf6179d437909eb532b7319b3dafe
Compiled: Tue Oct 02 13:51:50 2012
This is a keylogger tool that creates %temp%\~DFD3O8.tmp. Note: the filename can change across victims. On one Central Asian government's Ministry of Foreign Affairs victim system, the filename used was "adobe32updt.exe".
In addition to these custom tools, we observed the usage of standard administration utilities. For instance, another tool often uploaded by the attackers to the victim's machine is "winrs.exe":
Name: winrs.exe
MD5: 1369fee289fe7798a02cde100a5e91d8
This is a UPX-packed binary, which contains the genuine "dnsquery.exe" tool from Microsoft, unpacked MD5: c0c03b71684eb0545ef9182f5f9928ca.
In several cases, an interesting update has been observed: a malware from a different, yet related family.
Size: 275,968 bytes
MD5: e9580b6b13822090db018c320e80865f
Compiled: Thu Nov 08 11:05:35 2012
Another example:
Size: 218,112 bytes
MD5: 071d3b60ebec2095165b6879e41211f2
Compiled: Thu Nov 08 11:04:39 2012
This backdoor is more sophisticated and belongs to the next level of cyber-espionage tools called the "Carbon system" or Cobra by the Turla attackers. Several plugins for the "Carbon system" are known to exist.
[Figure: Decoded configuration for e9580b6b13822090db018c320e80865f]
Note: the command and control servers www.losguayaberos[.]com and thebesttothbrushes[.]com have been sinkholed by Kaspersky Lab.
Other packages delivered to the victims include:
MD5: c7617251d523f3bc4189d53df1985ca9
MD5: 0f76ef2e6572befdc2ca1ca2ab15e5a1
These top level packages deploy both updated Epic backdoors and Turla Carbon system backdoors to confirmed victims, effectively linking the Epic and Turla Carbon operations together.
The Turla Carbon dropper from these packages has the following properties:
MD5: cb1b68d9971c2353c2d6a8119c49b51f
This is called internally by the authors "Carbon System", part of the "Cobra" project, as can be seen from the debug path inside:
[Figure: debug path inside the Carbon dropper]
This acts as a dropper for the following modules, both 32 and 64 bit:
MD5                               Resource number
4c1017de62ea4788c7c8058a8f825a2d  101
43e896ede6fe025ee90f7f27c6d376a4  102
e6d1dcc6c2601e592f2b03f35b06fa8f  104
554450c1ecb925693fedbb9e56702646  105
df230db9bddf200b24d8744ad84d80e8  161
91a5594343b47462ebd6266a9c40abbe  162
244505129d96be57134cb00f27d4359c  164
4ae7e6011b550372d2a73ab3b4d67096  165
The Carbon system is in essence an extensible platform, very similar to other attack platforms such as the Tilded platform or the Flame platform. The plugins for the Carbon system can be easily recognized as they always feature at least two exports named:
  • ModuleStart
  • ModuleStop
[Figure: Carbon system plugin with characteristic exports]
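The pair of exports named above is a cheap triage signal for defenders. The Python below is an added example (mine, not Kaspersky's or the Turla authors' code): it reads a PE file's export table and flags a DLL that exports both ModuleStart and ModuleStop. Because no real sample can be embedded here, it also builds a constructed, inert PE32 image to run against; in practice a library such as pefile would do the parsing, and the hand-written parser exists only so the example runs stand-alone.

```python
import struct

# Exports that, per the analysis above, every Carbon system plugin carries.
CARBON_PLUGIN_EXPORTS = {"ModuleStart", "ModuleStop"}


def exported_names(data: bytes) -> list[str]:
    """Return the names in a PE file's export table (PE32 and PE32+).

    Raises ValueError on a non-PE input; returns [] when the file has no
    export directory. Hand-written so the example needs no third-party module.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    n_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt = pe_off + 24                      # optional header follows the COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                     # PE32: data directories start at +96
        dd = opt + 96
    elif magic == 0x20B:                   # PE32+: data directories start at +112
        dd = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    export_rva, export_size = struct.unpack_from("<II", data, dd)
    if export_rva == 0 or export_size == 0:
        return []

    # Section table, needed to translate RVAs into file offsets.
    sections = []
    sec = opt + opt_size
    for _ in range(n_sections):
        _name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, sec)
        sections.append((va, max(vsize, rawsize), rawptr))
        sec += 40

    def rva_to_off(rva: int) -> int:
        for va, size, rawptr in sections:
            if va <= rva < va + size:
                return rva - va + rawptr
        raise ValueError("RVA 0x%x is not backed by any section" % rva)

    exp = rva_to_off(export_rva)
    n_names = struct.unpack_from("<I", data, exp + 24)[0]      # NumberOfNames
    names_off = rva_to_off(struct.unpack_from("<I", data, exp + 32)[0])  # AddressOfNames
    names = []
    for i in range(n_names):
        s = rva_to_off(struct.unpack_from("<I", data, names_off + 4 * i)[0])
        names.append(data[s:data.index(b"\0", s)].decode("ascii", "replace"))
    return names


def looks_like_carbon_plugin(data: bytes) -> bool:
    """True when the PE exports both ModuleStart and ModuleStop; False for junk input."""
    try:
        return CARBON_PLUGIN_EXPORTS.issubset(exported_names(data))
    except ValueError:
        return False


def build_minimal_pe(exports: list[str]) -> bytes:
    """Constructed test fixture: a non-executable PE32 DLL image whose single
    section holds only an export directory naming `exports`. Not malware."""
    sec_va, sec_raw = 0x1000, 0x200
    n = len(exports)
    funcs_rva = sec_va + 40                # the export directory itself is 40 bytes
    names_rva = funcs_rva + 4 * n
    ords_rva = names_rva + 4 * n
    str_rva = ords_rva + 2 * n
    strings, name_rvas = b"", []
    for name in exports:
        name_rvas.append(str_rva + len(strings))
        strings += name.encode("ascii") + b"\0"
    dll_name_rva = str_rva + len(strings)
    strings += b"constructed.dll\0"
    export_dir = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, dll_name_rva, 1,
                             n, n, funcs_rva, names_rva, ords_rva)
    body = (export_dir
            + struct.pack("<%dI" % n, *([sec_va] * n))         # dummy function RVAs
            + struct.pack("<%dI" % n, *name_rvas)
            + struct.pack("<%dH" % n, *range(n))
            + strings)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = (struct.pack("<H", 0x10B) + b"\0" * 94               # PE32 magic, rest zeroed
           + struct.pack("<II", sec_va, len(body))             # export directory entry
           + b"\0" * (15 * 8))                                 # remaining 15 directories
    sec = struct.pack("<8sIIIIIIHHI", b".edata\0\0", len(body), sec_va,
                      len(body), sec_raw, 0, 0, 0, 0, 0x40000040)
    return (dos + coff + opt + sec).ljust(sec_raw, b"\0") + body


if __name__ == "__main__":
    sample = build_minimal_pe(["ModuleStart", "ModuleStop", "DllRegisterServer"])
    print(exported_names(sample), looks_like_carbon_plugin(sample))
```

Run against a directory of DLLs, a hit on this check is only a lead for deeper analysis, since any benign module could choose the same two names.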
Several Epic backdoors appear to have been designed to work as Carbon system plugins as well - they require a specialized loader to start in victim systems that do not have the Carbon system deployed.
Some modules have artifacts which indicate the Carbon system is already at version 3.x, although the exact Carbon system version is very rarely seen in samples:
[Figure: Carbon system version artifact]
The author of the Carbon module above can also be seen in the code, as "gilg", who also authored several other Turla modules.
We are planning to cover the Turla Carbon system in more detail in a future report.

Language artifacts

The payload recovered from one of the mothership servers (at newsforum.servehttp[.]com/wordpress/wp-includes/css/img/upload.php, MD5: 4dc22c1695d1f275c3b6e503a1b171f5, Compiled: Thu Sep 06 14:09:55 2012) contains two modules, a loader/injector and a backdoor. Internally, the backdoor is named "Zagruzchik.dll":
[Figure: internal name "Zagruzchik.dll"]
The word "Zagruzchik" means "boot loader" in Russian.
The Control panel for the Epic motherships also sets the language to codepage "1251":
[Figure: Control panel codepage set to 1251]
Codepage 1251 is commonly used to render Cyrillic characters.
There are other indications that the attackers are not native English language speakers:
  • Password it´s wrong!
  • Count successful more MAX
  • File is not exists
  • File is exists for edit
The sample e9580b6b13822090db018c320e80865f that was delivered to several Epic victims as an upgraded backdoor, has the compilation code page language set to "LANG_RUSSIAN".
[Figure: compilation code page language LANG_RUSSIAN]

The threat actor behind the "Epic" operation uses mainly hacked servers to host their proxies. The hacked servers are controlled through the use of a PHP webshell. This shell is password protected; the password is checked against an MD5 hash:
[Figure: webshell password check against an MD5 hash]

The MD5 "af3e8be26c63c4dd066935629cf9bac8" has been solved by Kaspersky Lab as the password "kenpachi". In February 2014 we observed the Miniduke threat actor using the same backdoor on their hacked servers, although using a much stronger password.
Once again, it is also interesting to point out the usage of Codepage 1251 in the webshell, which is used to render Cyrillic characters.
There appear to be several links between Turla and Miniduke, but we will leave that for a future blogpost.

Victim statistics

On some of the C&C servers used in the Epic attacks, we were able to identify detailed victim statistics, which were saved for debugging purposes by the attackers.
This is the country distribution for the top 20 affected countries by victim's IP:
[Figure: top 20 affected countries by victim IP]
According to the public information available for the victims' IPs, targets of "Epic" belong to the following categories:
  • Government
    • Ministry of interior (EU country)
    • Ministry of trade and commerce (EU country)
    • Ministry of foreign/external affairs (Asian country, EU country)
    • Intelligence (Middle East, EU country)
  • Embassies
  • Military (EU country)
  • Education
  • Research (Middle East)
  • Pharmaceutical companies
  • Unknown (impossible to determine based on IP/existing data)

Summary

When G-Data published their Turla paper, there were few details publicly available on how victims get infected with this malware campaign. Our analysis indicates this is a sophisticated multi-stage infection, which begins with Epic Turla. This is used to gain a foothold and validate the high-profile victim. If the victim is interesting, they get upgraded to the Turla Carbon system.
Most recently, we observed this attack against a Kaspersky Lab user on August 5, 2014, indicating the operation remains fresh and ongoing.
Note: A full analysis of the Epic attacks is available to the Kaspersky Intelligent Services customers. Contact: intelreports@kaspersky.com
We would like to add the following at the end of the blogpost, right before the detection names:
Further reading
If you'd like to read more about Turla/Uroburos, here's a few recommendations:
  • G-Data's paper "Uroburos Highly complex espionage software with Russian roots"
  • BAE Systems analysis of "The Snake campaign"
  • "Uroburos: the snake rootkit", technical analysis by deresz and tecamac
  • "TR-25 Analysis - Turla / Pfinet / Snake/ Uroburos" by CIRCL.LU
Kaspersky products' detection names for all the malware samples described in this post:
Backdoor.Win32.Turla.an
Backdoor.Win32.Turla.ao
Exploit.JS.CVE-2013-2729.a
Exploit.JS.Pdfka.gkx
Exploit.Java.CVE-2012-1723.eh
Exploit.Java.CVE-2012-1723.ou
Exploit.Java.CVE-2012-1723.ov
Exploit.Java.CVE-2012-1723.ow
Exploit.Java.CVE-2012-4681.at
Exploit.Java.CVE-2012-4681.au
Exploit.MSExcel.CVE-2009-3129.u
HEUR:Exploit.Java.CVE-2012-1723.gen
HEUR:Exploit.Java.CVE-2012-4681.gen
HEUR:Exploit.Java.Generic
HEUR:Exploit.Script.Generic
HEUR:Trojan.Script.Generic
HEUR:Trojan.Win32.Epiccosplay.gen
HEUR:Trojan.Win32.Generic
HackTool.Win32.Agent.vhs
HackTool.Win64.Agent.b
Rootkit.Win32.Turla.d
Trojan-Dropper.Win32.Dapato.dwua
Trojan-Dropper.Win32.Demp.rib
Trojan-Dropper.Win32.Injector.jtxs
Trojan-Dropper.Win32.Injector.jtxt
Trojan-Dropper.Win32.Injector.jznj
Trojan-Dropper.Win32.Injector.jznk
Trojan-Dropper.Win32.Injector.khqw
Trojan-Dropper.Win32.Injector.kkkc
Trojan-Dropper.Win32.Turla.b
Trojan-Dropper.Win32.Turla.d
Trojan.HTML.Epiccosplay.a
Trojan.Win32.Agent.iber
Trojan.Win32.Agent.ibgm
Trojan.Win32.Agentb.adzu
Trojan.Win32.Inject.iujx
Trojan.Win32.Nus.g
Trojan.Win32.Nus.h
Technical Appendix with IOCs

=====================
Miniduke
https://securelist.com/blog/incidents/31112/the-miniduke-mystery-pdf-0-day-government-spy-assembler-0x29a-micro-backdoor/

The MiniDuke Mystery: PDF 0-day Government Spy Assembler 0x29A Micro Backdoor

(or, how many cool words can you fit into one title)
On Feb 12th 2013, FireEye announced the discovery of an Adobe Reader 0-day exploit which is used to drop a previously unknown, advanced piece of malware. We called this new malware "ItaDuke" because it reminded us of Duqu and because of the ancient Italian comments in the shellcode copied from Dante Alighieri's "Divine Comedy".
Since the original announcement, we have observed several new attacks using the same exploit (CVE-2013-0640) which drop other malware. Among these, we've observed a couple of incidents which are so unusual in many ways that we've decided to analyse them in depth.
Together with our partner CrySyS Lab, we've performed a detailed analysis of these unusual incidents which suggest a new, previously unknown threat actor. For the CrySyS Lab analysis, please read [here]. For our analysis, please read below.
Key findings include:
• The MiniDuke attackers are still active at this time and have created malware as recently as February 20, 2013. To compromise the victims, the attackers used extremely effective social engineering techniques which involved sending malicious PDF documents to their targets. The PDFs had highly relevant and well-crafted content that fabricated human rights seminar information (ASEM) and Ukraine's foreign policy and NATO membership plans.
[Figure: malicious PDF lure]
These malicious PDF files were rigged with exploits attacking Adobe Reader versions 9, 10 and 11, bypassing its sandbox.
• Once the system is exploited, a very small downloader is dropped onto the victim's disk that's only 20KB in size. This downloader is unique per system and contains a customized backdoor written in Assembler. When loaded at system boot, the downloader uses a set of mathematical calculations to determine the computer's unique fingerprint, and in turn uses this data to uniquely encrypt its communications later.
• If the target system meets the pre-defined requirements, the malware will use Twitter (unbeknownst to the user) and start looking for specific tweets from pre-made accounts. These accounts were created by MiniDuke's Command and Control (C2) operators and the tweets maintain specific tags labeling encrypted URLs for the backdoors.
These URLs provide access to the C2s, which then provide potential commands and encrypted transfers of additional backdoors onto the system via GIF files.
• Based on the analysis, it appears that MiniDuke's creators provide a dynamic backup system that also can fly under the radar: if Twitter isn't working or the accounts are down, the malware can use Google Search to find the encrypted strings to the next C2. This model is flexible and enables the operators to constantly change how their backdoors retrieve further commands or malcode as needed.
• Once the infected system locates the C2, it receives encrypted backdoors that are obfuscated within GIF files and disguised as pictures that appear on a victim's machine.
Once they are downloaded to the machine, they can fetch a larger backdoor which carries out the cyberespionage activities, through functions such as copy file, move file, remove file, make directory, kill process and of course, download and execute new malware and lateral movement tools.
• The final stage backdoor connects to two servers, one in Panama and one in Turkey to receive the instructions from the attackers.
• The attackers left a small clue in the code, in the form of the number 666 (0x29A hex) before one of the decryption subroutines:
• By analysing the logs from the command servers, we have observed 59 unique victims in 23 countries:
Belgium, Brazil, Bulgaria, Czech Republic, Georgia, Germany, Hungary, Ireland, Israel, Japan, Latvia, Lebanon, Lithuania, Montenegro, Portugal, Romania, Russian Federation, Slovenia, Spain, Turkey, Ukraine, United Kingdom and United States.

For the detailed analysis and information on how to protect against the attack, please read:

[The MiniDuke Mystery: PDF 0-day Government Spy Assembler 0x29A Micro Backdoor.PDF]


 ===============================================================
 http://securelist.com/analysis/publications/65545/the-epic-turla-operation/

The Epic Turla Operation

Solving some of the mysteries of Snake/Uroburos

Technical Appendix with IOCs

Executive summary

Over the last 10 months, Kaspersky Lab researchers have analyzed a massive cyber-espionage operation which we call "Epic Turla". The attackers behind Epic Turla have infected several hundred computers in more than 45 countries, including government institutions, embassies, military, education, research and pharmaceutical companies.
The attacks are known to have used at least two zero-day exploits:
We also observed exploits against older (patched) vulnerabilities, social-engineering techniques and watering hole strategies in these attacks. The primary backdoor used in the Epic attacks is also known as "WorldCupSec", "TadjMakhal", "Wipbot" or "Tavdig".
When G-Data published on Turla/Uroburos back in February, several questions remained unanswered. One big unknown was the infection vector for Turla (aka Snake or Uroburos). Our analysis indicates that victims are infected via a sophisticated multi-stage attack, which begins with Epic Turla. Over time, as the attackers gain confidence, this is upgraded to more sophisticated backdoors, such as the Carbon/Cobra system. Sometimes both backdoors are run in tandem and are used to "rescue" each other if communications are lost with one of the backdoors.
Once the attackers obtain the necessary credentials without the victim noticing, they deploy the rootkit and other extreme persistence mechanisms.
The attacks are still ongoing as of July 2014, actively targeting users in Europe and the Middle East.
Note: A full analysis of the Epic attacks is available to Kaspersky Intelligent Services customers. Contact: intelreports@kaspersky.com

The Epic Turla attacks

The attacks in this campaign fall into several different categories depending on the vector used in the initial compromise:
  • Spearphishing e-mails with Adobe PDF exploits (CVE-2013-3346 + CVE-2013-5065)
  • Social engineering to trick the user into running malware installers with the ".SCR" extension, sometimes packed with RAR
  • Watering hole attacks using Java exploits (CVE-2012-1723), Flash exploits (unknown) or Internet Explorer 6, 7, 8 exploits (unknown)
  • Watering hole attacks that rely on social engineering to trick the user into running fake "Flash Player" malware installers
The attackers use both direct spearphishing and watering hole attacks to infect their victims. Watering holes (waterholes) are websites of interest to the victims that have been compromised by the attackers and injected to serve malicious code.
So far we haven't been able to find any e-mails used against the victims, only the attachments. The PDF attachments do not show any "lure" to the victim when opened; however, the SCR packages sometimes display a clean PDF upon successful installation.
Some of the known attachment names used in the spearphishing attacks are:
  • ؤتمرجنيف.RAR (translated from Arabic: "Geneva conference.rar")
  • NATO position on Syria.scr
  • Note_№107-41D.pdf
  • Talking Points.scr
  • border_security_protocol.rar
  • Security protocol.scr
  • Program.scr
In some cases, these filenames can provide clues about the type of victims the attackers are targeting.

The watering hole attacks

Currently, the Epic attackers run a vast network of watering holes that target visitors with surgical precision.
Some of the injected websites include:

[Figure: City hall of Pinor, Spain website]

[Figure: Site promoting entrepreneurship in the Romanian border region]

[Figure: Ministry of Foreign Affairs of the Palestinian Authority]
In total, we observed more than 100 injected websites. Currently, the largest number of injected sites is in Romania.
Here are the statistics on the injected websites:
[Figure: statistics on injected websites]

The distribution is obviously not random, and it reflects some of the attackers' interests. For instance, many of the infected sites in Romania are in the Mureș region, while many of the Spanish infected sites belong to local governments (city halls).
Most of the infected sites use the TYPO3 CMS (see: http://typo3.org/), which could indicate the attackers are abusing a specific vulnerability in this publishing platform.
The injected websites load remote JavaScript into the victim's browser:
[Figure: injected script reference]
The script "sitenavigatoin.js" is a Pinlady-style browser and plugin detection script, which in turn redirects to a PHP script sometimes called main.php or wreq.php. Sometimes, the attackers register the .JPG extension with the PHP handler on the server, using "JPG" files to run PHP scripts:
[Figure: JPG file served as a PHP script]

[Figure: analysis of the script]
The main exploitation script "wreq.php", "main.php" or "main.jpg" performs a number of tasks. We have located several versions of this script that attempt various exploitation mechanisms.
One version of this script attempts to exploit Internet Explorer versions 6, 7 and 8:
[Figure: Internet Explorer exploitation script]
Unfortunately, the Internet Explorer exploits have not yet been retrieved.
Another, more recent version attempts to exploit Oracle Sun Java and Adobe Flash Player:

[Figure: Java and Flash Player exploitation script]
Although the Flash Player exploits could not be retrieved, we did manage to obtain the Java exploits:
Name MD5
allj.html 536eca0defc14eff0a38b64c74e03c79
allj.jar f41077c4734ef27dec41c89223136cf8
allj64.html 15060a4b998d8e288589d31ccd230f86
allj64.jar e481f5ea90d684e5986e70e6338539b4
lstj.jar 21cbc17b28126b88b954b3b123958b46
lstj.html acae4a875cd160c015adfdea57bd62c4
The Java files exploit a popular vulnerability, CVE-2012-1723, in various configurations.
The payload dropped by these Java exploits is the following:
MD5: d7ca9cf72753df7392bfeea834bcf992
The Java exploits use a special loader that attempts to inject the final Epic backdoor payload into explorer.exe. The backdoor extracted from the Java exploits has the following C&C hardcoded inside:
www.arshinmalalan[.]com/themes/v6/templates/css/in.php
This C&C is still online at the moment, although it redirects to a currently suspended page at "hxxp://busandcoachdirectory.com[.]au". For a full list of C&C servers, please see the Appendix.
The Epic Turla attackers are extremely dynamic in using exploits or different methods depending on what is available at the moment. Most recently, we observed them using yet another technique coupled with watering hole attacks. This takes advantage of social engineering to trick the user into running a fake Flash Player (MD5: 030f5fdb78bfc1ce7b459d3cc2cf1877):
[Figure: fake Flash Player installer]

In at least one case, they tried to trick the user into downloading and running a fake Microsoft Security Essentials application (MD5: 89b0f1a3a667e5cd43f5670e12dba411):
[Figure: fake Microsoft Security Essentials application]
The fake application is signed with a valid digital certificate from Sysprint AG.


 ====================================================


"In such cold weather, my idol is busy with government affairs and overworked.... it really makes people (including me) worry about his health; he also needs plenty of rest~ (...drink more pomelo honey and snow pear honey, the best winter drinks of my 'little sister', Korea ^^)

Next, these important information-security reports come from the almighty search engine of the great Google,
which guides us freely; the great Google is like my family and my close friend.
It leads us to know the vast world...
Let us gain more advanced knowledge, and share it with fellow humans in different countries,
regardless of borders, skin colour... etc., sharing all kinds of wonderful information~
Thanks to the great Google for its generosity... and selfless sharing ^^
Google, which I love using most``~
     Yours sincerely, tiny as a speck of dust, Melody.Blog~

http://melody-free-shaing.blogspot.com/2014/12/by-taiwans-apple-daily-reported-that-my.html
=======================================

"在這麼寒冷的天氣下,我的偶像政務繁忙,操勞過度....真讓人們(包括我啊)擔心他的身體健康,還要有充足的作息時間喔~(...多喝柚子蜜,雪梨蜜喔~是我的'小姐姐'韓國的冬天最佳的飲料喔^^)

接著這些資安重要信息,從谷歌大神的萬能搜尋器中,
隨意指航的,谷歌大神是我的親朋好友,又如密友般.
它帶領我們認識宏大的世界...
讓我們獲得更多先進知識,和分享在同為人類不同國度,
不分界限,膚色...etc.,共享各種美妙的資訊~
感謝谷歌大神的寬大...和無私的分享喔^^
我最愛使用的谷歌``~
    如麈渺小 Melody.Blog衷心敬上~

http://melody-free-shaing.blogspot.com/2014/12/by-taiwans-apple-daily-reported-that-my.html
=======================================

"같은 추운 날씨에, 내 아이돌 최고 바쁜, 과로 .... 내 배 꿀 오, 자몽 꿀 음료 ... 정말 자신의 건강에 대해 걱정 (아 나를 포함 명) 할뿐만 아니라, 휴식 시간 아 ~ (의 많음이있다 '여동생'최고의 한국어 겨울 음료 오 ^^)

그리고 구글에서 이러한 정보 보안 중요한 정보는 전능하신 검색,
공기 캐주얼 수단, 구글 큰 하나님은 내 친구와 가족, 그리고 가까운 친구 좋아합니다.
그것은 그랜드 세계를 인식 우리를 이끌고 ...
,의 다른 사람들을 위해 같은 나라에 더 많은 고급 지식 및 공유를하자
에 관계없이 등 경계, 색상 ...의 멋진 모든 종류의 정보가 공유 ~
감사합니다 ... 위대한 하나님 구글 관대하고 사심 공유 오 ^^
나는 ~``구글을 사용하여 사랑
      진심으로 사슴 작은 Melody.Blog으로 너의 ~

http://melody-free-shaing.blogspot.com/2014/12/by-taiwans-apple-daily-reported-that-my.html
=======================================

"Dans ce temps froid, mon chef idole occupé, surchargé de travail .... vraiment laisser les gens (dont moi ah) se inquiètent de sa santé, mais ils ont aussi beaucoup de temps de repos Oh ~ (... boire de pamplemousse de miel, poire au miel Oh My meilleure boisson d'hiver coréenne 'petite sœur' Oh ^^)

Puis ceux-ci sécurité de l'information des informations importantes de recherche Google Grand Dieu Tout-Puissant, le
Des moyens occasionnels Air, Google est grand Dieu mes amis et famille, et si un ami proche aiment.
Elle nous conduit à reconnaître le grand monde ...
Obtenons des connaissances plus approfondies, et le partage dans le même pays pour différentes personnes,
Indépendamment des frontières, la couleur ... etc., toutes sortes de merveilleux informations à part ~
Merci ... partage généreux et désintéressé Grand Dieu Google Oh ^^
Je aime utiliser Google `` ~
      Cordialement que cerf petite Melody.Blog ~

http://melody-free-shaing.blogspot.com/2014/12/by-taiwans-apple-daily-reported-that-my.html
=======================================

"En tia malvarma vetero, mia idolo estro okupata, overworked .... vere lasu personoj (inkludante min ah) zorgis pri lia sano, sed ankaŭ havas multegajn resto tempo Ho ~ (... trinku pomelo mielo, piro mielo Ho mia 'fratineto' bona korea vintro trinku Ho ^^)

Tiam tiuj informoj sekureco grava informo de Google serĉo Granda Dio Ĉiopova, la
Aero hazardaj rimedoj, Google granda Dio estas miaj amikoj kaj familio, kaj se tre amiko ŝatas.

Ĝi kondukis nin rekoni la grandan mondon ...
Ek pli progresinta scio, kaj partopreno en la sama lando dum diversaj homoj,
Sendepende de la limoj, koloro ... ktp, Ĉiaj mirinda informo kunhavigi ~
Danke ... Granda Dio Google sindona kaj neprofitema sharing Ho ^^
Mi sxategas uzante Google `` ~
      Sincere via kiel cervo malgrandaj Melody.Blog ~

http://melody-free-shaing.blogspot.com/2014/12/by-taiwans-apple-daily-reported-that-my.html

=======================================

