Regin

Regin

A friend of mine recently alerted me to the Symantec article on Regin. I felt a little abashed that I had not heard of such a major threat. The US CERT’s notice arrived in my email a day or so later, and it referenced the Kaspersky article on Regin. The Finnish company F-Secure has a brief but interesting report as well. I recommend reading these articles.

Briefly, Regin is a very sophisticated platform that sets up attacks in several phases, each from code that is both hidden and encrypted. Regin can be customized for specific, targeted attacks (good article by Wired). There are many “stage 5” add-ons for various types of information stealing and espionage.

From what I’ve read, the US has not been seriously targeted (yet).  There is some speculation that the US (NSA) and/or the UK (GCHQ) and/or Israel govt is a sponsor, but that speculation, while realistic, seems flimsy to me. Regin’s sophistication does argue for its developers having significant funding, e.g. from a nation-state. VirusTotal reports that most anti-virus programs now detect it.  I’ve searched my own system for the MD5s that are published, but found nothing.  I’m guessing that this is what most of the anti-virus vendors do as well. However, since Regin hides itself in various known ways, an anti-virus program could specifically look in those places. Perhaps some do. I’ve found no specific “Regin detectors” on line that claim to do a thorough search. If some reader knows of one, please let me know.

One question that always arises is whether removal is inadequate. This is likely but neither the Symantec nor the Kaspersky report mention this (as my feeble mind will recall).  All that would be necessary to recover from a deletion, this would be to hide another program which wakes up now and then and checks that “Regin is well”. If not, it could re-install Regin. It might not appear malicious, and such a check would only take milliseconds.  I don’t recall Stuxnet having this capability, but it certainly had this level of sophistication.

All in all, Regin seems to be at the same level of sophistication of Stuxnet and its descendants.  It is undoubtedly a harbinger of a new round of malware warfare that will come to the US soon enough. I strongly recommend not only learning about it (cf. above citations) but also staying abreast of new developments. After all, it is a platform, not a single attack.

-gayn

Advertisements

Tags: , ,

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


%d bloggers like this: