Attribution is always thorny - but yes, targeting metadata does match those possible conclusions.
Quite a bit of the other information in the 'technical report' (which isn't as technical as I would like) does seem eerily reminiscent of what we know about the CHIMNEYPOOL framework, and (to some extent) FOXACID. A little overengineered, and a little sloppy in places - and that's everything I'd expect from a pork barrel remote intrusion tool with serious dollars thrown at it.
Go on, match it up and see what tallies! Assume "Stage 0" is the VALIDATOR egg (or a cousin), which is memory-resident, never touches disk, and fetches the rest, and work from there.
In particular, I'd single out as particularly telling the 7a69-CRC ICMP filled with string-literal (and very English) shit, and… a 20-round variant of RC5? That has a strong smell of hamburger to it, although I'd wonder if the analysts perhaps mistook it for RC6, or if this is perhaps an earlier version?
Yes, at first blush, this may indeed be NSA malware!
Are the samples available for analysis, Symantec? Inquiring minds want to take a closer look at this creature, and you have piqued my interest. My email won't be hard to find. Deadlists are fine. https://keybase.io/akr
What else makes you think serious dollars were thrown at it? What evidence would you be looking for of that? We managed to throw 900MM at a health insurance portal. :)
Is it really that unusual for trojans to be elaborately staged? I feel like I was on a CanSec stage with Jose Nazario about 12 years ago talking about malware staging. Staged malware, that is, is 2004 CanSec Jose Nazario levels of sophistication (due respect to Jose).
The Wikipedia page for RC5 says to use 20 rounds, because RC5 sucks and fell to differential cryptanalysis, which NSA knew about in the 1970s.
This is without having seen it, natch, so I can't speak to its quality except for what's in the "technical" paper: this is initial impressions and speculation, but I'd definitely love to see concrete deadlistings.
The overengineering, and the serious dollars? I say that because it's a large, modular framework, with perhaps more stages than strictly necessary - which they cut down on later on. This isn't a small, precision piece of malware from one highly-skilled VXer. This is a project. Abstraction, modularity, plugins. Exploits (0days?) and payloads and C&C mechanisms, all as plugins. A big project, designed for lots of people to work on, probably of very different skill levels. Adapted over time. Hell, there's a linkfiler in there and their own RPC. So, kind of like any other big software project: it sounds a little sprawling. And big means expensive, as you know. I know GCHQ and NSA developed theirs via contractors. Seems reasonable this is the kind of thing they might put out. (Note CHIMNEYPOOL was specifically mentioned as a framework for malware.)
Why did I call it sloppy in places? Because it's a (purported, and probable) nation-state espionage malware that touches disk, never mind the failure to clean up! Programmers of different skill levels; perhaps operators of different skill levels, too.
I want to know more about the C&C. I would expect to see a C&C technique that transmits decryption keys for encrypted functions as selectors, but I think this is not quite that advanced.
RC5 is indeed an odd cipher to use in the late 2000s (as is just bumping the rounds of it, rather than using a better one). I called that out, because at least one other piece of software which sounds very similar seems to use RC6 (the failed AES candidate), which is also a very unusual choice. It's not infeasible the two are linked, but I'm obviously lacking context here.
Right on. While I'm dubious about this being a US trojan, candor requires me to say that some of these observations are also things friends of mine pointed out to me about Stuxnet when I was doubting that was a US project. You probably can look at a raw assembly dump and get a sense of how many different people worked on it, and, if it's a lot, sure, maybe it's a defense contractor.