After Symantec published its report on the Regin super-spyware, there were many questions raised:
http://scforum.info/index.php/topic,9500.0.html Who coded it? What can it do? And – above all – why did it take so long for security vendors to notice it?
Regin is a sophisticated piece of software. It can be customized for particular missions by inserting into its framework plugins that provide individual bits of functionality. If a copy is captured, only parts of the malware are revealed rather than its full capabilities.
It uses multiple levels of encryption to obfuscate itself, hides itself on disk, and runs at the kernel level to stay out of sight. It can eavesdrop on network traffic and infiltrate mobile phone networks. On the face of it, Regin should have set alarm bells ringing much sooner when it was first detected in the wild.
It was injected into systems at Belgian telecoms outfit Belgacom around 2010, and builds of the spyware are said to have been floating around for years – since 2011, 2008 or 2004 depending on which antivirus vendor you talk to. On Sunday, Symantec went public with its dissection of the code.
Vikram Thakur, senior manager at Symantec's security response team, told The Register on Tuesday that the reason his firm took so long to disclose the malware is down to a couple of factors.
Firstly, the Windows-targeting malware is so complex, Symantec wasn't sure exactly what it was dealing with, since the authors have been very good at concealing it and changing it. Secondly, it was just one of thousands of samples of malicious code the company discovers and processes every month.
"Even today, I'm very certain we don't have every possible angle of Regin uncovered and I think there are a number of components that we don’t know about yet," he said.
Symantec started studying Regin late last year after it detected a few cases of infections. The total number of compromised PCs is barely a hundred, we're told, so there was a small sample of builds to study. When checking back through its logs of scanned files, the firm found some Regin tools had been in operation since 2008.
It's likely other security firms stumbled across similarly puzzling infections, Thakur said. Kaspersky claims it found cases of Regin a decade ago and has been actively tracking it for three years, and F-Secure says it saw builds five or six years ago – yet only went public with their findings this week.
It's assumed the pair decided to publish their in-depth research on Monday:
https://securelist.com/blog/research/67741/regin-nation-state-ownage-of-gsm-networks/ in response to Symantec going public on Sunday:
https://www.f-secure.com/weblog/archives/00002766.htmlIf you want to know how the malware works on a very technical level, El Reg recommends you read the trio's reports.
What was Professor Quisquater working on that made him a target?Certainly the available pool of Regin samples was small, but with a program this sophisticated, and targets in the telecoms and energy industries around the world, you'd have thought someone would have taken a more active interest in what makes Regin tick. When renowned Belgian cryptographer Professor Jean-Jacques Quisquater was hit with the spyware in late 2013, it's surprising no one spoke up about the malware used.
"Maybe someone actually did," Thakur said. "Maybe Belgian law enforcement did and then managed to keep it to themselves."
Prof Quisquater has written about cryptographic systems that are resilient to leaking data:
http://www.uclouvain.be/crypto/people/show/2 ; using software to hold elections; so-called forward-secure signatures:
http://dl.acm.org/citation.cfm?id=1880031 ; and plenty more. It has troubled many that an academic, rather than your usual terrorist bad guy, has been targeted by spyware only a state-level team could comfortably engineer and deploy.
A version of Regin dated July 2008 was uploaded to online malware database VirusTotal in 2009 but no one seemed to notice:
https://www.virustotal.com/en/file/b12c7d57507286bbbe36d7acf9b34c22c96606ffd904e3c23008399a4a50c047/analysis/ Further samples were submitted again in 2011 – around the time Microsoft added a signature for Regin to its malware detection database:
http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=Trojan%3AWinNT%2FRegin.A#tab=1 , and the European Commission came under attack from state-sponsored hackers:
http://www.europeanvoice.com/article/cyber-attack-spreads-to-european-parliament/ Some in the security world reckon the infiltration of the EC and Belgacom are linked by Regin.
Thakur suggested Microsoft had only seen the outer two layers of the software's modular system when it added detection for Regin to its database, and did not delve deeper. Microsoft declined to comment on the issue. Symantec's research suggests there are at least six layers of encrypted encapsulation within Regin and that some of them are very sneaky indeed in terms of avoiding detection.
Most malware takes some precautions, but Regin was hiding itself in areas where the vast majority of security software doesn't even look for infection. For example, the malware stored data not by adding it to files hosted on the infected system, but in the metadata of those files – and in the Windows Registry [PDF]:
https://securelist.com/files/2014/11/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf"Looking at the balance of probabilities, the possibility of Regin being the result of a non-nation-state coder is between slim and none," Thakur said.
The malware has also been significantly altered since 2011, perhaps after being spotted by Microsoft, Thakur said. The framework running the modules was reworked in that year to make the malware slip past existing signatures and the code has been updated again since.
Given the complexity of the code and its likely source, Thakur said that it is highly probable that Windows systems are not the only vulnerable computers. Regin could well have been adapted to other platforms, and it's likely that versions are in circulation for Linux, Solaris, and other operating systems, he said.
In the meantime, the search is going on for more Regin modules and examples of the executables. Thakur said Symantec will be carrying on its investigation but that the code's authors are sure to take action.
"The possibilities for Regin are now twofold," Thakur concluded. "The first is that now people are aware of Regin it might make the authors abandon the code completely. Alternatively they could revamp the malware to the point where it's undetectable."
(ElReg)