'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described

A highly advanced malware instance said to be as sophisticated as the famous Stuxnet and Duqu has been detected. "Regin" has security researchers opining it may be nastier than both. "Regin" malware is thought to have been developed by a nation-state because of the financial clout needed to produce code of this complexity …

  1. solo
    Holmes

    Snowden effect

    It is disturbing to see that all these discoveries are of malware that originated in the pre-Snowden era. I think the (state-sponsored) terrorists and perverts have become more cautious now and are covering their deeds even more securely.

    1. Anonymous Coward
      Anonymous Coward

      Re: Snowden effect

      ... especially the (state-sponsored) perverts and their Interests being in the Interests of National Security.

    2. Anonymous Coward
      Anonymous Coward

      Re: Snowden effect

      No correlation at all. You really think that this kind of malware is not still out there and that new versions are not still being made? You must be extremely naive. Snowden did us a big favour, but I'm not into hero worshipping; I'd suggest you also stop and wake up.

      1. Destroy All Monsters Silver badge
        Headmaster

        I find your proffering of innuendo disturbing

        I woke up at 06:30 in the morning, what are you implying?

      2. Gezza

        Re: Snowden effect

        @cavehomme2 - I think the OP does realise this. He is pointing out this malware appears to be pre-Snowden, when most of the world (not El Reg readers, mind you) didn't actively think their government was up to such a thing. Post-Snowden, World + dog is now far more suspicious and the OP is positing that the state-sponsored coders will therefore have changed/upped their game considerably, to the point that no one has found any examples. He is not saying it has stopped - quite the opposite. I would suggest you calm down a bit and think for a second before jumping down someone's throat.

    3. Anonymous Coward
      Anonymous Coward

      Re: Snowden effect

      More importantly, are we safe to assume that present day AV will detect Regin?

      1. Anonymous Coward
        Anonymous Coward

        Re: Snowden effect

        "More importantly, are we safe to assume that present day AV will detect Regin?"

        No, you're not. I was listening to the Symantec spokeswoman on R4 this morning, and she chose her words very carefully, talking about older variants. They clearly have their view on who produced it, and went so far as to suggest that it was a Western spy agency. Symantec being a US company, they'll be under the cosh from the NSA and other state goon agencies, and there's no way they will be producing products to block the current work of the NSA or partner agencies.

        At a guess, Symantec need to "find" older non-operational Western spyware to try and show they are able to do that. The goon agencies won't mind if it's older stuff they aren't using, but they'd be very worried if somebody actually came up with a Windows security programme that actually stopped malware. So the only reason this has come out is specifically because the authors have a variant (or complete replacement) programme, and possibly because customers were within spitting distance of spotting it through other means (which would then lose Symantec reputation and market share).

        1. Anonymous Coward
          Anonymous Coward

          Re: Snowden effect

          "Symantec being a US company, they'll be under the cosh from the NSA and other state goon agencies, and there's no way they will be producing products to block the current work of NSA or partner agencies."

          Yes, but there's more to AV in the world than Symantec & US companies.

          1. Tom 13

            Re: there's more to AV in the world than Symantec & US companies.

            Yep. But you forgot:

            All ur AV bazes belong to US.

  2. Khaptain Silver badge

    Which OS / Platform ?

    Which platforms are targeted ? And what was the method of distribution. ?

    1. Anonymous Coward
      Anonymous Coward

      Re: Which OS / Platform ?

      Clue:

      Specialist modules were found monitoring Microsoft Internet Information Services network traffic, parsing mail from Exchange databases

      Of course, if you're really interested you could always read the Symantec PDF linked to in the article...

      1. Khaptain Silver badge

        Re: Which OS / Platform ?

        >Of course, if you're really interested you could always read the Symantec PDF linked to in the article...

        Isn't that the point of El Reg, to do a little bit of the footwork for us.

      2. Anonymous Coward
        Anonymous Coward

        Re: Which OS / Platform ?

        PDF being a great way to circulate malware.

        1. Anonymous Coward
          Anonymous Coward

          Re: Which OS / Platform ?

          "PDF being a great way to circulate malware."

          Only if you use Adobe, my advice would be to use something else.

  3. Fuh Quit
    Happy

    More evidence you need a defence-in-depth approach to malware today

    Governments and criminal organisations are writing malware which is used "sensibly", and thus signature-based antivirus (even supplemented with cloud "knowledge") is being bypassed. Behaviour is the key, but the world is becoming more mobile and thus our assets are rarely on our network.

    Which is annoying and hard to defend against.

    Also I'm becoming unsure if detective controls are sufficient for this type of problem. A network appliance monitoring callbacks will only detect callbacks which pass though it.

    To defend against this type of threat, you have to design your entire network to be more resilient against the threat. Is now the time for BYOD to hit the endpoint and we harden the heck out of virtual desktops and applications?

    On the bright side, I have lots of work and few budgetary issues as I know my C-level management are now very concerned about IT security and what it means for us as a threat.

    So have a smiley, people, in a strange way....!

    1. This post has been deleted by its author

  4. Steve Davies 3 Silver badge
    Black Helicopters

    Stop calling it National Security

    more like

    National Insecurity

    The more and more we hear about all this stuff, the more insecure we get. Naturally this is exactly what the spooks want... Well, to spook us into letting them have even more draconian powers to invade our lives. A self-fulfilling prophecy?

    1. Anonymous Coward
      Anonymous Coward

      Re: Stop calling it National Security

      "If you forcibly deprive someone of that airy concept called freedom, he will resent you and, given the chance, he will fight to regain it. Better, as governments all across the world discovered long ago, to have people willingly give up their freedoms, to actually collude in the process; then, before they realize their mistake, their chains are adamantine. Make the process slow enough to sit below immediate perception and they will grow accustomed to their enslavement; they even might not realize they are wearing any chains at all. By so slowly depriving people of what were only really considered inalienable rights during a brief period in human history, and in only a few countries, did the Committee come to power. But how did it get the people to willingly forgo all control over their own destinies? Simple, really: it used the formula proven by the governments that were its original components. First make the people afraid . . ."

      - From The Departure by Neal Asher

      1. Anonymous Coward
        Anonymous Coward

        Re: Stop calling it National Security

        Not only that, but people will willingly defend the imposed policies as long as they have been relabeled as "progressive". The Roosevelts showed the way on how it is done. Very hardcore. Today it is impossible to even hint at the fact that they were hardcore bastards, megalomaniacs or clueless idiots, or all three.

      2. Elmer Phud

        Re: Stop calling it National Security

        With cattle you can take away the battery from the shock system and they will still keep away from the fence.

      3. Yugguy

        Re: Stop calling it National Security

        Heh - sounds like the creeping towards a United States of Europe that's been going on ever since we joined the Common Market.

    2. This post has been deleted by its author

  5. Anonymous Coward
    Coat

    Oh god...

    ...that's another 10% CPU Symantec are going to use....quick pass me another 4 cores.

  6. Anonymous Coward
    Anonymous Coward

    Who dunnit?

    "The security firm did not name a nation as the source of Regin"

    Well let's look at the nations who are not on the target list...US, UK, Israel, China.

    Which of these would be primarily targeting Russia and Saudi? I'd say it's an alliance, possibly a joint effort between the US and Israel.

    Whatever, it's very intriguing but also worrying as to what else is out there and how it can be detected and stopped. I guess that ultimately there is no practical means of protection against a really determined and really clever attack like this.

    1. Vladimir Plouzhnikov

      Re: Who dunnit?

      No - it's the French! Russia and others are just decoys. Did you see - Belgium's on the list.

      1. Destroy All Monsters Silver badge

        Re: Who dunnit?

        And everyone not of the sheeple knows that Belgium doesn't actually exist!

        1. Anonymous Coward
          Anonymous Coward

          Re: Who dunnit?

          Let's see, which country might have Russia as a historical enemy and suffers terrorist attacks from Saudi AND Ireland..

          1. Bloakey1

            Re: Who dunnit?

            "Let's see, which country might have Russia as a historical enemy and suffers terrorist attacks from Saudi AND Ireland.."

            Ahhhh, but it seems more economic than anything which would explain why you have a higher amount of individuals infected.

            My bet is the US and Israel those two great guardians of fair play and democracy.

            1. Robert Helpmann?? Silver badge
              Joke

              Re: Who dunnit?

              I just can't get my head around the idea that a government that cannot put together a functioning web site on schedule might be credited with something as complex and professional as this is supposed to be. Perhaps its authors might have been better employed in getting healthcare.gov up and running.

        2. chivo243 Silver badge
          Joke

          Re: Who dunnit?

          @Destroy All Monsters

          "And everyone not of the sheeple knows that Belgium doesn't actually exist!"

          Yeah, it's called the border between The Netherlands and France!

    2. Yet Another Anonymous coward Silver badge

      Re: Who dunnit?

      Which oil producing countries aren't on the list?

      - I suspect the UK and Canada

      The software was likely developed by a government agency due to the amazing technical competence displayed

      - That lets the UK and Canada govts off the hook

  7. Anonymous IV

    Is the clue in the name?

    "El Reg" and "Regin" - 60% of the letters are the same! Is there a connection? I think we should be told.

    Oh, and has anyone seen mention of any scanner which would check for the presence of Regin (rather than plough through the information at the end of the PDF), and remove it? It may be early days, though.

  8. Anonymous Coward
    Anonymous Coward

    developed by a nation-state ... to produce code of this complexity.

    ok ... so if we could get other types of government IT projects classified as "malware", would everyone be more impressed by their complexity and performance? :-)

    Or, if these government malware writers are so brilliant, could we not send them off to the DWP to sort out the universal credit mess? It'd probably do more to enhance our national well being and security... (possibly even if they were Russians :-)

  9. dajames Silver badge
    Trollface

    Strange PDF ...

    The letters u, v, w, x, y, and z seem to be displayed in a larger font than the rest of the alphabet throughout the text of the report.

    I don't suppose that could possibly be caused by a payload (an experimental one, perhaps) of a Regin infection on the researchers' machines?

    1. Destroy All Monsters Silver badge

      Re: Strange PDF ...

      A secondary payload to infect your visual cortex, dear. The fact that you noticed it is bad prognosis...

      Snowcrash soon.

    2. Bloakey1

      Re: Strange PDF ...

      Ooh err, you might be on to something there. Years ago when I studied Erse, or shall we call it Gaeilge, the alphabet was as follows: abcdefghilnoprstu, with bh for V, mh for W etc.

      Could it be an evil Irish construction created by the Tims / Prods to achieve word domination and access to cheaper alcohol?

    3. Jonathan Richards 1

      @dajames Re: Strange PDF ...

      Hmm. That doesn't happen when I render regin-analysis.pdf to screen using Okular. There is no line in the pdf which contains all the letters {u...z}. Page 15 has a body text line with nine instances of {u...y}:

      'computers that may or may not be associated with 64-bit Regin, including several variants of svcsstat.exe, a file that'

      I'd be interested to see what that line looks like for you. Are you using an Adobe viewer?

  10. Dan 55 Silver badge
    FAIL

    Yahoo Messenger vulnerability

    Any company in the telecommunications, energy or health sectors letting their employees run that is going to have serious problems anyway...

    1. JAK 1

      Re: Yahoo Messenger vulnerability

      yahoo messenger is the standard IM tool within the Coal industry, and also vast parts of the Chemicals market

      1. Dan 55 Silver badge
        Pirate

        Re: Yahoo Messenger vulnerability

        We're all going to die.

        1. Destroy All Monsters Silver badge

          Re: Yahoo Messenger vulnerability

          Since 9/11, I have died many times over and I am now only an illusionless husk ripe for ISIS pickings....

  11. Frankee Llonnygog

    Russia, Saudi Arabia, Mexico and Ireland

    Who could be their common enemy? My money is on Lichtenstein

    1. James O'Shea

      Re: Russia, Saudi Arabia, Mexico and Ireland

      "Who could be their common enemy? My money is on Lichtenstein"

      Nah. It's the UK. The UK has a long, long, LONG history of operating against all of them. (Yes, including Mexico; look up 'Zimmerman Telegram'.)

      My only question is 'How come Germany, France, China, and Japan aren't on the list?'

      1. Simon Harris

        Re: Russia, Saudi Arabia, Mexico and Ireland @ James

        Nope, can't be the UK

        The article says "It is likely that its development took months, if not years, to complete" and yet from years of watching Spooks, we know that the chaps over at MI5 could knock something like this up in an afternoon.

        1. Anonymous Coward
          Anonymous Coward

          Re: Russia, Saudi Arabia, Mexico and Ireland @ James

          "Nope, can't be the UK"

          I think there's a more compelling clue in the article that it didn't come from these shores:

          "a degree of technical competence rarely seen"

          1. Bloakey1

            Re: Russia, Saudi Arabia, Mexico and Ireland @ James

            <snip>

            ""a degree of technical competence rarely seen""

            By God sir you are right, it is straight from an Indian call center.

        2. Michael Wojcik Silver badge

          Re: Russia, Saudi Arabia, Mexico and Ireland @ James

          we know that the chaps over at MI5 could knock something like this up in an afternoon

          Pfft. NCIS could do it in half an hour, using their innovative pair-programming technique.

  12. Velv

    Fail

    So there are ways to get these things in, we all know that. But why is the data being allowed to get out?

    If this is really targeting the types of organisations claimed, surely (sarcastically) the governments etc know what traffic is leaving their network, especially the "sensitive" bits of the network, the bits worth spying on? Or have they been stupid enough to let any old traffic exit the building...

    1. Version 1.0 Silver badge

      Re: Fail

      ... have they been stupid enough to let any old traffic exit the building ...

      Egress filtering is a nice idea but I would expect that this little demon would hide its traffic in with normal HTTP/HTTPS traffic and you're not going to stop that are you?
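
        The two points above, Fuh Quit's (that a network appliance only sees the callbacks that pass through it) and Version 1.0's (that a beacon will hide in ordinary HTTP/HTTPS), are where detection of this kind of implant usually has to start in practice: not on the content of the request, which looks like any other web call, but on its timing and shape. The following is an added example written for this thread; it is not code from the article, from any commenter, or from Symantec's report. It runs over constructed egress proxy log lines (the addresses, hostnames, URLs and timestamps are invented for the example) and flags any client/host pair whose requests recur at near-constant intervals with near-constant sizes. The thresholds, the log format and the function names are assumptions for illustration.

```python
"""Beacon (callback) detection over egress proxy logs.

Added example for this discussion; not code from the article or Symantec's report.
SAMPLE_LOG is constructed: hosts, client addresses, URLs and timestamps are made up.
Assumed log format: <ISO timestamp> <client IP> <method> <URL> <status> <bytes sent>
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

SAMPLE_LOG = """\
2014-11-24T08:00:00 10.0.1.15 GET https://cdn.example.net/assets/app.js 200 1843
2014-11-24T08:00:07 10.0.1.15 GET https://mail.example.com/owa/ 200 9210
2014-11-24T08:05:00 10.0.1.15 POST https://update-cache.example.org/ping 200 312
2014-11-24T08:10:01 10.0.1.15 POST https://update-cache.example.org/ping 200 310
2014-11-24T08:14:59 10.0.1.15 POST https://update-cache.example.org/ping 200 315
2014-11-24T08:20:00 10.0.1.15 POST https://update-cache.example.org/ping 200 311
2014-11-24T08:25:01 10.0.1.15 POST https://update-cache.example.org/ping 200 313
2014-11-24T08:30:00 10.0.1.15 POST https://update-cache.example.org/ping 200 312
2014-11-24T08:02:13 10.0.1.22 GET https://news.example.com/ 200 53000
2014-11-24T08:31:40 10.0.1.22 GET https://news.example.com/sport 200 48000
2014-11-24T09:12:05 10.0.1.22 GET https://news.example.com/tech 200 51000
2014-11-24T09:13:30 10.0.1.22 GET https://news.example.com/tech 200 51200
2014-11-24T10:40:55 10.0.1.22 GET https://news.example.com/ 200 53100
2014-11-24T11:02:00 10.0.1.22 GET https://news.example.com/world 200 49900
"""


def parse_log(text):
    """Yield (timestamp, client, host, bytes) per line; skip lines that do not parse."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, client, _method, url, _status, size = parts
        try:
            yield datetime.fromisoformat(ts), client, urlsplit(url).hostname, int(size)
        except ValueError:
            continue


def beacon_score(timestamps, sizes):
    """Return (mean interval in seconds, interval CV, size CV) for a time-sorted series.

    CV is the coefficient of variation (stdev / mean). Human browsing produces a
    large interval CV; a sleep-then-callback loop produces a small one, and a
    heartbeat with no tasking tends to carry near-constant payload sizes too.
    """
    intervals = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    mi = mean(intervals)
    icv = pstdev(intervals) / mi if mi else float("inf")
    ms = mean(sizes)
    scv = pstdev(sizes) / ms if ms else 0.0
    return mi, icv, scv


def find_beacons(text, min_hits=5, max_interval_cv=0.05, max_size_cv=0.2):
    """Group requests by (client, host); flag low-jitter, fixed-size series.

    The thresholds are assumptions for illustration; tune them against a baseline
    of your own proxy traffic before relying on them.
    """
    series = defaultdict(list)
    for ts, client, host, size in parse_log(text):
        series[(client, host)].append((ts, size))
    hits = []
    for (client, host), rows in series.items():
        if len(rows) < min_hits:
            continue
        rows.sort()
        stamps = [r[0] for r in rows]
        sizes = [r[1] for r in rows]
        mi, icv, scv = beacon_score(stamps, sizes)
        if icv <= max_interval_cv and scv <= max_size_cv:
            hits.append({"client": client, "host": host, "count": len(rows),
                         "interval_s": round(mi, 1), "interval_cv": round(icv, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

        On the constructed log this yields one hit: the five-minute POST loop from 10.0.1.15 to update-cache.example.org, which is indistinguishable from normal HTTPS by content but not by cadence; the browsing from 10.0.1.22 is not flagged. Two caveats that match the thread's points: the script only sees traffic that actually traverses the proxy, so a roaming laptop or a direct-to-internet path is invisible to it, and a beacon with deliberate jitter or a long sleep pushes interval_cv up and needs a longer observation window or different features (destination rarity, request/response byte ratio) rather than a tighter threshold.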

  13. Anonymous Coward
    Anonymous Coward

    Developed by the US government with help from Microsoft surely?

    After all, nation states want to see Windows source code to check for backdoors, but if you install some malware then that's a way around the lack of "backdoor".

    1. Anonymous Coward
      Anonymous Coward

      >Developed by the US government with help from Microsoft surely?

      GCHQ almost certainly - the US don't need to spy on dissident republicans in Eire.

      (just putting it out there) some might argue we do....

      1. Bloakey1

        "GCHQ almost certainly - the US don't need to spy on dissident republicans in Eire.

        (just putting it out there) some might argue we do...."

        It is a well known fact that IRA men lie under deep cover in the research, hospitality, airline, energy and telecoms sectors.

        I can see it all now:

        Sean, would you be after planting the bomb on the hated Saxon oppressor's British Airways flight tonight?

        Ach jaysus Paddy I would like to but my thesis is running behind and I promised Mary I would dig up some sacks of peat before I erect the marquee for tonight's ceilidh for the tourists. Could you not be after passing it over to Liam as his thesis is done and he will be finishing work at Telecom Eireann early tonight.

        Bejaysus Sean I will so. How is Sinead's dissertation on the Munroe effect and explosively formed projectiles going? I saw her at mass the other day and she was after looking banjaxed so she was.

        Those targets look economic! Could be the French though, although I would put it down to the US and its 52 states.

  14. Britt Johnston

    tin-hat correlations

    The world economy suddenly took a dive in 2008, as Regin started up. It is slowly improving now, but hasn't really recovered fully yet, which is consistent with this malware being discovered in 2011, but with modern versions probably still being extant.

  15. Anonymous Coward
    Anonymous Coward

    Don't panic

    To a careful reader, the report shows that 21 systems were infected, since 2008. So it either has a very low detection ratio (in Symantec AV products), or the chance of being targeted is pretty low. I suspect a bit of both.

    It would appear to be highly targeted, and presenting averages by region or sector only confuses the really interesting question about this virus: what do the targeted individuals and institutions have in common?

    Another nice one (IMHO): most Western countries require institutions and business to report any breach in security to their users/customers.

    1. Anonymous Coward
      Anonymous Coward

      Re: Don't panic

      "To a careful reader, the report shows that 21 systems were infected"

      Which could be true. But that assumes that that is the number actually detected by Symantec. To a large extent, the business model of AV companies is not about saying to customers "you've been pawned for the last five years and our product failed to protect you". It is about selling a basically competent product on an annuity basis, providing reactive defence when a customer company has an undeniable malware problem, and finding enough new threats in the environment to keep the fear levels high. I see this report as being the last of those three.

      Another reason for suspecting that the published infection data is incomplete is that any sensible spy agencies wouldn't be above leaning on the report's publisher to omit any inconvenient facts or statistics, and firmly in that category would be embarrassing "friendly fire" intrusions. Look at the problems the US have had after being caught eavesdropping on Merkel's phone.

  16. chivo243 Silver badge
    Black Helicopters

    A shot in the dark

    would be aimed at China being behind this kind of long-term snooping. Somehow they are underestimated.

    1. Anonymous Coward
      Anonymous Coward

      Re: A shot in the dark

      You would expect to find some hits in the US if that were so. If it was of US origin, you'd expect to find some China hits.

      Though maybe it is one of those two and they use something specially developed when they target the other, due to an assumed greater ability to detect malware/attacks.

  17. Anonymous Coward
    Anonymous Coward

    Secret squirrel stuff 'eh

    I think the obvious players could be involved but I wouldn't be surprised if it wasn't. Taking many months or years to create doesn't have to mean a government. Any number of coders on any number of continents could be working together to create something like this. Anonymous could be doing this for example, to expose who knows whatever. You want to get an idea about who is claiming responsibility for hacks, what type etc. ? Go to zone-h.org and you may be surprised.

    1. Anonymous Coward
      Anonymous Coward

      Re: Secret squirrel stuff 'eh

      How Ironic, AC. Have a large beer and a thumbs down on me :D

  18. jzlondon

    Why Britain or the US? Given how tightly they co-operate, I'd expect it to be both.

  19. Anonymous Coward
    Anonymous Coward

    Belgium

    5% Belgium?! What have they got against the Belgians?

    1. Marketing Hack Silver badge
      Black Helicopters

      Re: Belgium

      Probably watching certain organizations (could be the EU, could be NATO) HQ'd in Brussels.

      1. Yet Another Anonymous coward Silver badge

        Re: Belgium

        Probably the US then - they were targeting France and missed

  20. Marketing Hack Silver badge
    Stop

    Well, the good news is....

    That our sigint agencies assure us that the nasty stuff they create will never get out into the wild! Oh look, it just got out into the wild...

  21. Anonymous Coward
    Anonymous Coward

    shiii%^^

    If I weren't on wifi I'd get the tin snips out :P

  22. Adrian Midgley 1

    is any use of this legal, by anyone

    on anyone, anywhere?

  23. Wombling_Free

    Put the evidence together

    it targets hospitality, health, airlines - this was a country looking for a person/s,

    USA, remnant software looking for Saddam, then for Bin Laden, then for whoever else is on the watch list.

Biting the hand that feeds IT © 1998–2020