Regin (malware)
Regin is a sophisticated, stealthy malware platform revealed by Kaspersky Lab[1] and Symantec in November 2014 that targets specific users of Microsoft Windows-based computers.[2] Kaspersky Lab says it first became aware of Regin in spring 2012, but that some of the earliest samples date from 2003.[3] (The name Regin is first found on the VirusTotal website on 9 March 2011.[4]) Among computers infected worldwide by Regin, 28 percent were in Russia, 24 percent in Saudi Arabia, 9 percent each in Mexico and Ireland, and 5 percent in each of India, Afghanistan, Iran, Belgium, Austria and Pakistan.[5] Kaspersky Lab was unable to determine the attack vector used, and said the malware's main victims are private individuals, small businesses and telecom companies. Regin has been compared to Stuxnet and is thought to have been developed by "well-resourced teams of developers," possibly a Western government, as a targeted multi-purpose data collection tool.[6][7][8]
Operation
Regin uses a modular architecture that lets it load only the features that fit a given target, enabling customized spying. The design makes it well suited to persistent, long-term mass surveillance operations.[9][10]
Regin is stealthy and does not store its data in the file system of the infected computer; instead it keeps its own encrypted virtual file system (EVFS), which appears to the host as a single file and within which files are identified only by a numeric code, not a name. The EVFS is encrypted with a variant of the rarely used RC5 cipher.[10] Regin communicates over the Internet with a command and control server using ICMP/ping, commands embedded in HTTP cookies, and custom TCP and UDP protocols; the server can direct operations, upload additional payloads, and so on.[5][7]
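The covert channels named above (ICMP echo traffic and values carried in HTTP cookies) are generic enough that a defender can look for them in network logs without knowing Regin's exact protocol. The following Python script is an added example, not code from the article or from either vendor's report: it applies two heuristics to constructed sample log lines in an assumed "timestamp proto key=value ..." layout, flagging ICMP echo requests with payloads far larger than a normal ping and HTTP cookies whose values are long and high-entropy. The thresholds, field names and sample values are assumptions for illustration, not Regin signatures.

```python
import math
import re
from collections import Counter

# Constructed sample log lines in an assumed "timestamp proto key=value ..." layout.
# They are not real Regin traffic; sizes and cookie values are made up to
# exercise the two heuristics below.
SAMPLE_LOGS = [
    "2014-11-24T10:00:01 icmp src=10.0.0.5 dst=10.0.0.1 type=8 len=56",
    "2014-11-24T10:00:02 icmp src=10.0.0.5 dst=10.0.0.1 type=8 len=32",
    "2014-11-24T10:00:03 icmp src=10.0.0.7 dst=203.0.113.9 type=8 len=412",
    "2014-11-24T10:00:04 icmp src=10.0.0.7 dst=203.0.113.9 type=8 len=388",
    "2014-11-24T10:00:05 http src=10.0.0.5 host=intranet.example cookie=session=abc123",
    "2014-11-24T10:00:06 http src=10.0.0.7 host=cdn.example "
    "cookie=id=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/",
]

# Heuristic thresholds (assumptions; tune them per environment).
MAX_BENIGN_ICMP_PAYLOAD = 128   # typical ping payloads are 32 or 56 bytes
MIN_COOKIE_LEN = 40             # short cookies rarely carry useful commands
MIN_COOKIE_ENTROPY = 4.0        # bits per character; encrypted data sits near 6

KV_RE = re.compile(r"(\w+)=(\S+)")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str) -> dict:
    """Split one log line into {'ts', 'proto'} plus its key=value fields."""
    ts, proto, rest = line.split(" ", 2)
    fields = {"ts": ts, "proto": proto}
    fields.update(KV_RE.findall(rest))
    return fields


def scan_logs(lines):
    """Return (rule, src, detail) alerts for oversized ICMP echoes and high-entropy cookies."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev["proto"] == "icmp" and ev.get("type") == "8":      # type 8 = echo request
            size = int(ev["len"])
            if size > MAX_BENIGN_ICMP_PAYLOAD:
                alerts.append(("icmp_oversized_echo", ev["src"], f"len={size}"))
        elif ev["proto"] == "http" and "cookie" in ev:
            name, _, value = ev["cookie"].partition("=")
            if len(value) >= MIN_COOKIE_LEN and shannon_entropy(value) >= MIN_COOKIE_ENTROPY:
                alerts.append(("http_high_entropy_cookie", ev["src"],
                               f"{name} len={len(value)} H={shannon_entropy(value):.2f}"))
    return alerts


def suspicious_sources(alerts):
    """Hosts that tripped more than one channel heuristic deserve the first look."""
    by_src = {}
    for rule, src, _ in alerts:
        by_src.setdefault(src, set()).add(rule)
    return sorted(src for src, rules in by_src.items() if len(rules) > 1)


if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOGS)
    for alert in found:
        print(alert)
    print("review first:", suspicious_sources(found))
```

On the constructed input the two oversized echo requests and the 64-character cookie all come from the same host, so `suspicious_sources` ranks it first. Either heuristic alone produces false positives (large pings from monitoring tools, long session tokens from legitimate sites), which is why the script correlates rules per source host rather than alerting on any single line.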
Identification and naming
Symantec say that both they and Kaspersky identify the malware as Backdoor.Regin.[11] On 9 March 2011 Microsoft added related entries to its Malware Encyclopedia;[12][13] later two more variants, Regin.B and Regin.C, were added. Microsoft appears to call the 64-bit variants of Regin Prax.A and Prax.B. The Microsoft entries contain no technical information.[4] Both Kaspersky and Symantec have published white papers with the information they have about the malware.[8][7]
Known attacks and originator of malware
German news magazine Der Spiegel reported in June 2013 that the US National Security Agency (NSA) had conducted online surveillance on both European Union (EU) citizens and EU institutions. The information derives from secret documents obtained by former NSA worker Edward Snowden. According to a secret 2010 NSA document, the EU diplomatic representations in Washington and to the United Nations were also attacked.[14] The attack on the EU networks took place in the months before the discovery of Regin.
The Intercept said that security industry sources (who provided code samples from their investigation of the attacks) and its own technical analysis suggest that Regin was the technology behind cyberattacks conducted by the NSA in 2010 against the Washington, D.C. offices of the European Union, and by the UK's GCHQ in 2013 against Belgacom, Belgium's largest telecommunications company.[4] These attacks may have led to Regin coming to the attention of security companies.
References
1. "Regin Revealed". Kaspersky Lab. Retrieved 24 November 2014.
2. Perlroth, Nicole (24 November 2014). "Symantec Discovers 'Regin' Spy Code Lurking on Computer Networks". New York Times. Retrieved 25 November 2014.
3. "Regin: a malicious platform capable of spying on GSM networks". Kaspersky Lab. 24 November 2014.
4. Marquis-Boire, Morgan; Guarnieri, Claudio; Gallagher, Ryan (24 November 2014). "Secret Malware in European Union Attack Linked to U.S. and British Intelligence". The Intercept.
5. "Regin: Top-tier espionage tool enables stealthy surveillance". Symantec. 23 November 2014. Retrieved 25 November 2014.
6. "BBC News - Regin, new computer spying bug, discovered by Symantec". bbc.com. Retrieved 23 November 2014.
7. "Regin White Paper" (PDF). Symantec. Retrieved 23 November 2014.
8. "Regin White Paper" (PDF). Kaspersky Lab. Retrieved 24 November 2014.
9. "Regin Malware - 'State-Sponsored' Spying Tool Targeted Govts". The Hacking Post - Latest hacking News & Security Updates.
10. "NSA, GCHQ or both behind Stuxnet-like Regin malware?". scmagazineuk.com. 24 November 2014. Retrieved 25 November 2014.
11. "Regin: Top-tier espionage tool enables stealthy surveillance". Symantec Security Response. 23 November 2014.
12. Microsoft Malware Protection Center, "Malware Encyclopedia".
13. Microsoft Malware Protection Center: Trojan:WinNT/Regin.A.
14. Poitras, Laura; Rosenbach, Marcel; Schmid, Fidelius; Stark, Holger (29 June 2013). "Attacks from America: NSA Spied on European Union Offices". Der Spiegel.
External links
- Wired article about Regin