How Regin Malware Spies While Escaping Detection

The computer-security firm Symantec says it may have found some of the most sophisticated malicious software ever made. The cyber-espionage bug, called Regin, has been making attacks for many years without being caught.

Picture: Regin

Most malware — which you are tricked into loading when you access free software, illegal film downloads or pornography sites — wants to spread as widely as possible. It aims to gather data that can be used for malicious purposes, such as holding your device ransom. That is why it spreads indiscriminately. The six-year-old Regin malware is different. It is unlikely to accidentally infect your system, unless the attacker wants that to happen.

The Swiss army knife of malware

Regin makes use of multiple stages to complete its attack. Once the victim is duped into loading the trojan application, by sending you an email with an infected attachment, it will download encrypted components needed for the attack. This allows the trojan to be easily adapt remotely, which makes it difficult for any anti-malware software to keep up.

Regin is more cunning still. As each component is downloaded, decrypted and activated, it then downloads another component. Each potentially different and very difficult to detect. Eventually it installs a kernel, the core application that runs the malware. It then loads its own "user framework", a collection of applications and system calls that talk to the kernel. All this enables Regin to access data on the attacked computer and spy as it is directed to.

Regins seems to be the Swiss army knife of malware, adapting to the user and the intended attack, adding different tools and resources in a stealthy stepwise manner. One victim gets one unique set of tools, and another victim gets a completely different set.

The tools Regin deploys include key loggers (recording which buttons on the keyboard are pressed), mouse-click monitors, network-traffic monitoring, screen capturing software and tools that log messenger chats.

This multi-staged attack has the hallmarks of a complex capable agency. The suspicion is that a western intelligence agency is behind Regin. The release pattern suggests that the period between 2008 and 2011 was used for field trials. Since then attacks have been highly targeted. Russia and Saudi Arabia top the list of those attacked so far.

Should I panic?

The variant discovered by Symantec will have already been included in their database. Anti-malware companies compete for customers, but they do share intelligence ensuring that no single provider is vulnerable. This means that, if you are using an anti-malware application and have enabled it to download all current malware definitions, you will be already protected or should receive protection in less than 48 hours.

But they have only been able to detect and respond to one variant. There are others and there will be more. Anti-malware companies play a cat and mouse game with cyber-criminals and malware creators. This situation is no different. The interesting part is that the attacks do not seem to be random. Like Stuxnet, which was used to attack Iran's nuclear facilities, and Stuxnet-like malware, Duqu, Regin's attacks have been highly targeted.

This is why I do not think that you will be affected (unless you have good reasons to be concerned). But I do strongly advise everybody to ensure that their anti-malware applications are kept up to date.The Conversation

Andrew Smith is Lecturer in Networking at The Open University. He does not work for, consult to, own shares in or receive funding from any company or organisation that would benefit from this article, and has no relevant affiliations.

This article was originally published on The Conversation. Read the original article.


Comments

    Wonder if this is from the US..

      And when you say "the US" most people read "NSA", but I bet you actually mean "Five Eyes".

        Isn't that the agreement between the five nations to share intel etc? I'd still bet this was a US only thing, and as you say, NSA most likely.

          Fairfax is now reporting there's "evidence" implicating GHCQ and NSA.

          That leaves the question of if Australia is truly not involved in cutting edge intelligence gathering technologies, or are we just better at keeping our role a secret.

          Call me a conspiracy theorist, but I have great faith in the abilities of the ASD... I don't believe the SAS are the pinnacle of Australia's specialist forces.

            Yeah, I'm pretty sure there is heaps of shady shit going on here, we just haven't had someone like Snowden blow the lid off yet. And probably never will. Look at the shit out politicians were saying about Assange. The AFP said "He's broken no laws" when Gillard (I think it was her) wanted to go after him.

              Yep. That government seemed to go out of its way to make sure Julian could never come home:
              https://newmatilda.com/2012/03/27/new-laws-target-wikileaks

Join the discussion!

Trending Stories Right Now