Regin: Top-tier espionage tool enables stealthy surveillance

http://www.symantec.com/connect/blogs/regin-top-tier-espionage-tool-enables-stealthy-surveillance

 

It is from NSA/GHCQ:
https://twitter.com/cryptoron/status/536905293331202049

 

http://www.scmagazineuk.com/nsa-gchq-or-both-behind-stuxnet-like-regin-malware/article/384888/

 

https://firstlook.org/theintercept/2014/11/24/secret-regin-malware-belgacom-nsa-gchq/

 

Interesting, if you read well the article there is even the link to download the actual malware

 

http://securelist.com/blog/research/67741/regin-nation-state-ownage-of-gsm-networks/

 

Checked a few of the hashes on Virustotal, still a lot with zero detections..

 

If you want you can include the hashes, I don't think posting hashes break any rule, it has been allowed before anyway.

 

There's a list of hashes in the article from post #4

 

Yeah I know quite many, I just mentioned it incase you had other hashes than those in the article.

 

No, I just checked some from the article.

 

http://blog.trendmicro.com/trendlab...histicated-malware-but-not-without-precedent/

 

Why did it take antivirus giants YEARS to drill into super-scary Regin? Symantec responds... • The Register

 

Do I need to worry about state-sponsored threats like Regin?

http://www.welivesecurity.com/2014/11/26/need-worry-threats-like-regin/

 

I've read some of the articles, and once again they don't tell you how to stop this with HIPS. If you block the driver from running, you have won the battle. But I would like to know what HIPS can do AFTER the driver has been loaded. Can "DLL code injection" still be stopped? If you block "direct disk access", can the virtual/hidden file system still be made? That's what I'm missing in the analysis, but apparently virus analysts don't care about this.

 

See also:
This Artist’s Images Integrate Code From Malware Like Stuxnet and Flame
http://www.wired.com/2014/11/malware-art/

 

ESET users have detections in place.
http://virusradar.com/en/Win32_Regin.A/description

 

That is not because they don't care about it (but actually they don't need to care because major AV or their AV now can detect it), but how Regin infected victims is still mystery, there're just theories & guesses.
Also Regin is just a general term, there're many types & versions of Regin apart from another fact that core of Rigin only have minimal function and most dirty tasks are done by custom plugins. Maybe attacker used several method to infect victims.

Yeah, if you deny driver installation Regin attack can be prevented, and considering the only chance to prevent Regin is to prevent initial infection or its execution (all subsequent attack will be hidden), I think it might make sense, but it seems in most case attacker already have admin right in initial infection.
Though I can't say certain thing until how Regin infects victim is revealed, if attacker already have admin right then theoretically all prevention measure can be bypassed. It is even well possible that attacker physically intruded and installed the malware.

Dll injection can be stopped, but when attacker already installed kernel driver, it means he have the same privilege as the security product. You know what I mean.
I think virtual file system can be made w/out DDA, though not 100% sure. But if you deny driver installation, VFS can't be created.

Generally in such a state-sponsored attack, any fact or claim that a product or certain measure could prevent the attack is almost meaningless unless it actually saved the victim, as such attacker use custom attack to infiltrate victim environment. If victim use product X, then all attacker need to do is just bypass
it by any way (including social engineering), he don't need to care about other product.

What makes more sense is, as described in Simplicity's nice post #15, post-infection detection. E.g even after a malware hide itself quite well, still hiding all network connection in all levels is almost impossible.

 

@ 142395

I know what you mean, but it would be nice for HIPS enthusiasts like myself to get some more info about this stuff. To me, it's nice to know at which point the malware can not be stopped anymore, for example after driver installation. But if this malware was running inside a sandbox, it wouldn't be able to run correctly, and would have lost the battle for sure. So the end conclusion is: if your system is infected with Regin and similar malware, you're doing something wrong.

 

Is it possible to attribute the backdoor Regin to the cybercrime?

http://securityaffairs.co/wordpress/30647/intelligence/regin-backdoor-cybercrime.html

 

http://blogs.mcafee.com/mcafee-labs/mcafee-customers-protected-regin-malware-since-2011

 

Well, I don't say such discussion is meaningless as often other criminals 'copy' or imitate (partly) those advanced attack.

 

From Regin: When did protection start?:

 

https://securelist.com/blog/research/68438/an-analysis-of-regins-hopscotch-and-legspin/