Snowden effect
It is disturbing to see that all these discoveries are for malware that originated in the pre-Snowden era. I think the (state sponsored) terrorists and perverts have become more cautious now and are covering their deeds even more securely.
A highly advanced malware instance said to be as sophisticated as the famous Stuxnet and Duqu has been detected. "Regin" has security researchers opining it may be nastier than both. "Regin" malware is thought to have been developed by a nation-state because of the financial clout needed to produce code of this complexity …
@cavehomme2 - I think the OP does realise this. He is pointing out this malware appears to be pre-Snowden, when most of the world (not El Reg readers mind you) didn't actively think their Government was up to such a thing. Post-Snowden, World + dog is now far more suspicious and the OP is positing that the State sponsored coders will therefore have changed/upped their game considerably to the point that no one has found any examples. He is not saying it has stopped - quite the opposite. I would suggest you calm down a bit and think for a second before jumping down someone's throat.
"More importantly, are we safe to assume that present day AV will detect Regin?"
No, you're not. I was listening to the Symantec spokeswoman on R4 this morning, and she chose her words very carefully, talking about older variants. They clearly have their view on who produced it, and went so far as to suggest that it was a Western spy agency. Symantec being a US company, they'll be under the cosh from the NSA and other state goon agencies, and there's no way they will be producing products to block the current work of NSA or partner agencies.
At a guess, Symantec need to "find" older non-operational Western spyware to try and show they are able to do that. The goon agencies won't mind if it's older stuff they aren't using, but they'd be very worried if somebody actually came up with a Windows security programme that actually stopped malware. So the only reason this has come out is specifically because the authors have a variant (or complete replacement) programme, and possibly because customers were within spitting distance of spotting it through other means (which then loses Symantec reputation and market share).
"Symantec being a US company, they'll be under the cosh from the NSA and other state goon agencies, and there's no way they will be producing products to block the current work of NSA or partner agencies."
Yes, but there's more to AV in the world than Symantec & US companies.
Governments and criminal organisations are writing malware which is used "sensibly" and thus signature-based antivirus (even supplemented with cloud "knowledge") is being bypassed. Behaviour is the key, but the world is becoming more mobile and thus our assets are rarely on our network.
Which is annoying and hard to defend against.
Also I'm becoming unsure if detective controls are sufficient for this type of problem. A network appliance monitoring callbacks will only detect callbacks which pass through it.
To defend against this type of threat, you have to design your entire network to be more resilient against the threat. Is now the time for BYOD to hit the endpoint and we harden the heck out of virtual desktops and applications?
On the bright side, I have lots of work and few budgetary issues as I know my C-level management are now very concerned about IT security and what it means for us as a threat.
So have a smiley, people, in a strange way....!
more like
National Insecurity
The more and more we hear about all this stuff, the more insecure we get. Naturally this is exactly what the spooks want... Well, to spook us into letting them have even more draconian powers to invade our lives. A self-fulfilling prophecy?
"If you forcibly deprive someone of that airy concept called freedom, he will resent you and, given the chance, he will fight to regain it. Better, as governments all across the world discovered long ago, to have people willingly give up their freedoms, to actually collude in the process; then, before they realize their mistake, their chains are adamantine. Make the process slow enough to sit below immediate perception and they will grow accustomed to their enslavement; they even might not realize they are wearing any chains at all. By so slowly depriving people of what were only really considered inalienable rights during a brief period in human history, and in only a few countries, did the Committee come to power. But how did it get the people to willingly forgo all control over their own destinies? Simple, really: it used the formula proven by the governments that were its original components. First make the people afraid . . ."
- From The Departure by Neal Asher
Not only that, but people will willingly defend the imposed policies as long as they have been relabeled as "progressive". The Roosevelts showed the way on how it is done. Very hardcore. Today it is impossible to even hint at the fact that they were hardcore bastards, megalomaniacs or clueless idiots, or all three.
"The security firm did not name a nation as the source of Regin"
Well let's look at the nations who are not on the target list...US, UK, Israel, China.
Which of these would be primarily targeting Russia and Saudi? I'd say it's an alliance, possibly a joint effort between the US and Israel.
Whatever, it's very intriguing but also worrying as to what else is out there and how it can be detected and stopped. I guess that ultimately there is no practical means of protection against a really determined and really clever attack like this.
And everyone not of the sheeple knows that Belgium doesn't actually exist!
"lets see, which country might have Russia as a historical enemy and suffers terrorist attacks from Saudi AND Ireland.."
Ahhhh, but it seems more economic than anything which would explain why you have a higher amount of individuals infected.
My bet is the US and Israel those two great guardians of fair play and democracy.
I just can't get my head around the idea that a government that cannot put together a functioning web site on schedule might be credited with something as complex and professional as this is supposed to be. Perhaps its authors might have been better employed in getting healthcare.gov up and running.
"El Reg" and "Regin" - 60% of the letters are the same! Is there a connection? I think we should be told.
Oh, and has anyone seen mention of any scanner which would check for the presence of Regin (rather than plough through the information at the end of the PDF), and remove it? It may be early days, though.
ok ... so if we could get other types of government IT projects classified as "malware", would everyone be more impressed by their complexity and performance? :-)
Or, if these government malware writers are so brilliant, could we not send them off to the DWP to sort out the universal credit mess? It'd probably do more to enhance our national well being and security... (possibly even if they were Russians :-)
The letters u, v, w, x, y, and z seem to be displayed in a larger font than the rest of the alphabet throughout the text of the report.
I don't suppose that could possibly be caused by a payload (an experimental one, perhaps) of a Regin infection on the researchers' machines?
Ooh err, you might be on to something there. Years ago when I studied Erse, or shall we call it Gaeilge, the alphabet was as follows: abcdefghilnoprstu, with bh for V, mh for W etc.
Could it be an evil Irish construction created by the Tims / Prods to achieve word domination and access to cheaper alcohol?
Hmm. That doesn't happen when I render regin-analysis.pdf to screen using Okular. There is no line in the pdf which contains all the letters {u...z}. Page 15 has a body text line with nine instances of {u...y}:
'computers that may or may not be associated with 64-bit Regin, including several variants of svcsstat.exe, a file that'
I'd be interested to see what that line looks like for you. Are you using an Adobe viewer?
"Who could be their common enemy? My money is on Lichtenstein"
Nah. It's the UK. The UK has a long, long, LONG history of operating against all of them. (Yes, including Mexico; look up 'Zimmerman Telegram'.)
My only question is 'How come Germany, France, China, and Japan aren't on the list?'
Nope, can't be the UK
The article says "It is likely that its development took months, if not years, to complete" and yet from years of watching Spooks, we know that the chaps over at MI5 could knock something like this up in an afternoon.
we know that the chaps over at MI5 could knock something like this up in an afternoon
Pfft. NCIS could do it in half an hour, using their innovative pair-programming technique.
So there are ways to get these things in, we all know that. But why is the data being allowed to get out?
If this is really targeting the types of organisations claimed, surely (sarcastically) the governments etc know what traffic is leaving their network, especially the "sensitive" bits of the network, the bits worth spying on? Or have they been stupid enough to let any old traffic exit the building...
"GCHQ almost certainly - the US don't need to spy on dissident republicans in Eire.
(just putting it out there) some might argue we do...."
It is a well known fact that IRA men lie under deep cover in the research, hospitality, airline, energy and telecoms sectors.
I can see it all now:
Sean, would you be after planting the bomb on the hated Saxon oppressor's British Airways flight tonight?
Ach jaysus Paddy, I would like to but my thesis is running behind and I promised Mary I would dig up some sacks of peat before I erect the marquee for tonight's ceilidh for the tourists. Could you not be after passing it over to Liam as his thesis is done and he will be finishing work at Telecom Eireann early tonight.
Bejaysus Sean I will so. How is Sinead's dissertation on the Munroe effect and explosively formed projectiles going? I saw her at mass the other day and she was after looking banjaxed so she was.
Those targets look economic! Could be the French though, although I would put it down to the US and its 52 states.
To a careful reader, the report shows that 21 systems were infected, since 2008. So it either has a very low detection ratio (in Symantec AV products), or the chance of being targeted is pretty low. I suspect a bit of both.
It would appear to be highly targeted, and presenting averages by region or sector only confuses the really interesting question about this virus: what do the targeted individuals and institutions have in common?
Another nice one (IMHO): most Western countries require institutions and businesses to report any breach in security to their users/customers.
"To a careful reader, the report shows that 21 systems were infected"
Which could be true. But that assumes that that is the number actually detected by Symantec. To a large extent, the business model of AV companies is not about saying to customers "you've been pawned for the last five years and our product failed to protect you". It is about selling a basically competent product on an annuity basis, providing reactive defence when a customer company has an undeniable malware problem, and finding enough new threats in the environment to keep the fear levels high. I see this report as being the last of those three.
Another reason for suspecting that the published infection data is incomplete is that any sensible spy agencies wouldn't be above leaning on the report's publisher to omit any inconvenient facts or statistics, and firmly in that category would be embarrassing "friendly fire" intrusions. Look at the problems the US have had after being caught eavesdropping on Merkel's phone.
You would expect to find some hits in the US if that were so. If it was of US origin, you'd expect to find some China hits.
Though maybe it is one of those two and they use something specially developed when they target the other, due to an assumed greater ability to detect malware/attacks.
I think the obvious players could be involved but I wouldn't be surprised if it wasn't. Taking many months or years to create doesn't have to mean a government. Any number of coders on any number of continents could be working together to create something like this. Anonymous could be doing this for example, to expose who knows whatever. You want to get an idea about who is claiming responsibility for hacks, what type etc. ? Go to zone-h.org and you may be surprised.