Why did it take antivirus giants YEARS to drill into super-scary Regin? Symantec responds...

FYI this isn't just going to target Windows, Linux and OS X fans

After Symantec published its report on the Regin super-spyware, there were many questions raised. Who coded it? What can it do? And – above all – why did it take so long for security vendors to notice it?

Regin is a sophisticated piece of software. It can be customized for particular missions by loading plugins into its framework, each plugin supplying one specific capability. If a copy is captured, analysts see only the modules present in that build rather than the malware's full range of capabilities.

It uses multiple levels of encryption to obfuscate itself, hides itself on disk, and runs at the kernel level to stay out of sight. It can eavesdrop on network traffic and infiltrate mobile phone networks. On the face of it, Regin should have set alarm bells ringing much sooner when it was first detected in the wild.

It was injected into systems at Belgian telecoms outfit Belgacom around 2010, and builds of the spyware are said to have been floating around for years – since 2011, 2008 or 2004 depending on which antivirus vendor you talk to. On Sunday, Symantec went public with its dissection of the code.

Vikram Thakur, senior manager at Symantec's security response team, told The Register on Tuesday that the reason his firm took so long to disclose the malware is down to a couple of factors.

Firstly, the Windows-targeting malware is so complex, Symantec wasn't sure exactly what it was dealing with, since the authors have been very good at concealing it and changing it. Secondly, it was just one of thousands of samples of malicious code the company discovers and processes every month.

"Even today, I'm very certain we don't have every possible angle of Regin uncovered and I think there are a number of components that we don’t know about yet," he said.

Symantec started studying Regin late last year after it detected a few cases of infections. The total number of compromised PCs is barely a hundred, we're told, so there was a small sample of builds to study. When checking back through its logs of scanned files, the firm found some Regin tools had been in operation since 2008.

It's likely other security firms stumbled across similarly puzzling infections, Thakur said. Kaspersky claims it found cases of Regin a decade ago and has been actively tracking it for three years, and F-Secure says it saw builds five or six years ago – yet only went public with their findings this week.

It's assumed the pair decided to publish their in-depth research on Monday in response to Symantec going public on Sunday.

If you want to know how the malware works on a very technical level, El Reg recommends you read the trio's reports.

What was Professor Quisquater working on that made him a target?

Certainly the available pool of Regin samples was small, but with a program this sophisticated, and targets in the telecoms and energy industries around the world, you'd have thought someone would have taken a more active interest in what makes Regin tick. When renowned Belgian cryptographer Professor Jean-Jacques Quisquater was hit with the spyware in late 2013, it's surprising no one spoke up about the malware used.

"Maybe someone actually did," Thakur said. "Maybe Belgian law enforcement did and then managed to keep it to themselves."

Prof Quisquater has written about cryptographic systems that are resilient to leaking data; using software to hold elections; so-called forward-secure signatures; and plenty more. It has troubled many that an academic, rather than your usual terrorist bad guy, has been targeted by spyware only a state-level team could comfortably engineer and deploy.

A version of Regin dated July 2008 was uploaded to the online malware database VirusTotal in 2009 but no one seemed to notice. Further samples were submitted in 2011 – around the time Microsoft added a signature for Regin to its malware detection database, and the European Commission came under attack from state-sponsored hackers. Some in the security world reckon the infiltration of the EC and Belgacom are linked by Regin.

Thakur suggested Microsoft had only seen the outer two layers of the software's modular system when it added detection for Regin to its database, and did not delve deeper. Microsoft declined to comment on the issue. Symantec's research suggests there are at least six layers of encrypted encapsulation within Regin and that some of them are very sneaky indeed in terms of avoiding detection.

Most malware takes some precautions, but Regin was hiding itself in areas where the vast majority of security software doesn't even look for infection. For example, the malware stored data not by adding it to files hosted on the infected system, but in the metadata of those files – and in the Windows Registry [PDF].
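As an added illustration of the point above (this is not code from the article or from Symantec's report), here is a PowerShell sweep that looks in two places a plain file-content scan never reads: per-file NTFS alternate data streams, and oversized binary values in the Windows Registry. The article does not say which file metadata store Regin used, so checking alternate data streams is an assumption, as are the root path, the registry keys and the size threshold.

```powershell
# Added hunting sketch, not from the article or Symantec. It lists stores
# that sit outside ordinary file contents. The root path, key list and
# threshold are assumptions chosen for illustration, not Regin indicators.
param(
    [string]$Root = 'C:\Windows\System32',
    [int]$MinBlobBytes = 4096
)

# 1. Files carrying alternate data streams other than the default ':$DATA'.
#    A scanner that only opens the main stream never sees these bytes.
Get-ChildItem -Path $Root -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{
                    Kind  = 'ADS'
                    Where = "$($file.FullName):$($_.Stream)"
                    Bytes = $_.Length
                }
            }
    }

# 2. REG_BINARY values at or above the threshold under keys chosen for the
#    sweep (assumed list). Large opaque blobs in the Registry are worth a look
#    because few file-oriented scanners inspect them at all.
$keys = @('HKLM:\SYSTEM\CurrentControlSet\Services', 'HKLM:\SOFTWARE\Classes')
foreach ($key in $keys) {
    Get-ChildItem -Path $key -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $k = $_
            foreach ($name in $k.GetValueNames()) {
                if ($k.GetValueKind($name) -eq 'Binary') {
                    $len = ($k.GetValue($name)).Length
                    if ($len -ge $MinBlobBytes) {
                        [pscustomobject]@{
                            Kind  = 'Registry'
                            Where = "$($k.Name)\$name"
                            Bytes = $len
                        }
                    }
                }
            }
        }
}
```

Run it from an elevated prompt and pipe the output to `Sort-Object Bytes -Descending` to review the largest hits first. Expect benign matches (Zone.Identifier streams on downloaded files, legitimate driver blobs), so the output is a triage list, not a verdict.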

"Looking at the balance of probabilities, the possibility of Regin being the result of a non-nation-state coder is between slim and none," Thakur said.

The malware has also been significantly altered since 2011, perhaps after being spotted by Microsoft, Thakur said. The framework running the modules was reworked in that year to make the malware slip past existing signatures and the code has been updated again since.

Given the complexity of the code and its likely source, Thakur said that it is highly probable that Windows systems are not the only vulnerable computers. Regin could well have been adapted to other platforms, and it's likely that versions are in circulation for Linux, Solaris, and other operating systems, he said.

In the meantime, the search is going on for more Regin modules and examples of the executables. Thakur said Symantec will be carrying on its investigation but that the code's authors are sure to take action.

"The possibilities for Regin are now twofold," Thakur concluded. "The first is that now people are aware of Regin it might make the authors abandon the code completely. Alternatively they could revamp the malware to the point where it's undetectable." ®

Biting the hand that feeds IT © 1998–2022