Regin: Top-tier espionage tool enables stealthy surveillance

Discussion in 'malware problems & news' started by Dermot7, Nov 23, 2014.

  1. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.
    http://www.symantec.com/connect/blogs/regin-top-tier-espionage-tool-enables-stealthy-surveillance
     
  2. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,027
    Location:
    Hengelo, The Netherlands
  3. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,166
    Location:
    EU
  4. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.
    https://firstlook.org/theintercept/2014/11/24/secret-regin-malware-belgacom-nsa-gchq/

     
  5. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,727
    Location:
    localhost
    Interesting: if you read the article carefully, there is even a link to download the actual malware ;)
     
  6. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.
  7. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
    Checked a few of the hashes on VirusTotal, still a lot with zero detections...
     
  8. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    If you want, you can include the hashes. I don't think posting hashes breaks any rule; it has been allowed before anyway.
     
  9. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
    There's a list of hashes in the article from post #4 ;)
     
  10. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Yeah, I know quite many; I just mentioned it in case you had other hashes than those in the article. :)
     
  11. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
    No, I just checked some from the article.
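The hash checks discussed in the posts above are easy to turn into a local sweep, and a sweep run against a published indicator list is a cheap first pass regardless of what VirusTotal engines report. The following is an added example, not code from the thread or from any of the linked write-ups: it hashes every file under a directory with several algorithms at once and reports matches against an indicator set. The indicator values here are constructed placeholders derived from sample strings, not the Regin hashes published in the linked articles; in practice you would paste the published MD5/SHA-1/SHA-256 values into the `IOC_HASHES` sets.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed placeholder indicator set, NOT real Regin hashes. Keyed by
# algorithm so that MD5, SHA-1 and SHA-256 indicators from different
# write-ups can live in one list. All digests are lower-case hex.
IOC_HASHES = {
    "sha256": {hashlib.sha256(b"constructed-sample-A").hexdigest()},
    "md5": {hashlib.md5(b"constructed-sample-B").hexdigest()},
}


def hash_file(path, algorithms=("md5", "sha1", "sha256"), chunk_size=1 << 20):
    """Return {algorithm: hexdigest} for one file.

    The file is read once in chunks and fed to every hasher, so large
    binaries neither have to fit in memory nor be read three times.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def sweep(root, iocs=IOC_HASHES):
    """Walk a directory tree and return [(path, algorithm, digest)] for every
    file whose digest appears in the indicator set.

    Files that cannot be opened (locked, permission denied, vanished between
    listing and reading) are skipped rather than aborting the whole sweep.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                digests = hash_file(path)
            except OSError:
                continue
            for algo, digest in digests.items():
                if digest in iocs.get(algo, ()):
                    hits.append((str(path), algo, digest))
    return hits


def demo():
    """Build a throwaway tree with one matching and one clean file, sweep it,
    and return the (filename, algorithm) pairs that matched."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "match.bin").write_bytes(b"constructed-sample-A")
        (Path(tmp) / "clean.bin").write_bytes(b"nothing to see here")
        hits = sweep(tmp)
        return [(Path(p).name, algo) for p, algo, _ in hits]


if __name__ == "__main__":
    for filename, algo in demo():
        print(f"IOC match: {filename} ({algo})")
```

A hash match only ever catches the exact samples that were published; a recompiled or repacked build of the same stage will have a different digest and zero detections, which is the limitation the "still a lot with zero detections" observation above is really about. Treat a clean sweep as "none of the known samples are here", nothing more.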
     
  12. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,057
    http://blog.trendmicro.com/trendlab...histicated-malware-but-not-without-precedent/
     
  13. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.
  14. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,729
    Location:
    Texas
    Regin Malware

    https://www.us-cert.gov/ncas/alerts/TA14-329A
     
  15. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,057
    Do I need to worry about state-sponsored threats like Regin?
    http://www.welivesecurity.com/2014/11/26/need-worry-threats-like-regin/
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    I've read some of the articles, and once again they don't tell you how to stop this with HIPS. If you block the driver from running, you have won the battle. But I would like to know what HIPS can do AFTER the driver has been loaded. Can "DLL code injection" still be stopped? If you block "direct disk access", can the virtual/hidden file system still be made? That's what I'm missing in the analysis, but apparently virus analysts don't care about this.
     
  17. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
  18. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
  19. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    That is not because they don't care about it (actually they don't need to care, because major AVs can now detect it), but because how Regin infected victims is still a mystery; there are just theories and guesses.
    Also, Regin is just a general term; there are many types and versions of Regin, apart from the fact that the core of Regin has only minimal functionality and most of the dirty tasks are done by custom plugins. Maybe the attacker used several methods to infect victims.

    Yeah, if you deny driver installation a Regin attack can be prevented, and considering that the only chance to prevent Regin is to prevent the initial infection or its execution (all subsequent attack stages will be hidden), I think it might make sense, but it seems in most cases the attacker already had admin rights at the initial infection.
    Though I can't say anything for certain until how Regin infects victims is revealed, if the attacker already has admin rights then theoretically all prevention measures can be bypassed. It is even quite possible that the attacker physically intruded and installed the malware.

    DLL injection can be stopped, but when the attacker has already installed a kernel driver, it means he has the same privilege as the security product. You know what I mean.
    I think a virtual file system can be made without DDA, though I'm not 100% sure. But if you deny driver installation, the VFS can't be created.

    Generally in such a state-sponsored attack, any fact or claim that a product or certain measure could prevent the attack is almost meaningless unless it actually saved the victim, as such attackers use custom attacks to infiltrate the victim's environment. If the victim uses product X, then all the attacker needs to do is bypass
    it by any means (including social engineering); he doesn't need to care about other products.

    What makes more sense is, as described in Simplicity's nice post #15, post-infection detection. E.g. even after malware hides itself quite well, hiding all network connections at all levels is still almost impossible.
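The post-infection angle raised above (a kernel-level implant can hide its sockets from the host, but not from a network tap that sits outside the box) is usually implemented as a cross-view comparison: take what the host reports about its own connections and diff it against what the network saw for that host in the same window. The following is an added example, not code from the thread or from any of the linked vendor write-ups. Both inputs are constructed samples in a netstat-like and a NetFlow-like text shape respectively; the field layout and the IP addresses are assumptions for the demonstration, so the parsers would need adjusting to whatever your collector actually emits.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str
    local: str   # "ip:port"
    remote: str  # "ip:port"


# Constructed sample of what the (possibly compromised) host reports about
# itself, in a netstat-style layout: proto, local, remote, state, pid.
HOST_VIEW = """\
TCP    10.0.0.5:49152    93.184.216.34:443    ESTABLISHED    1204
TCP    10.0.0.5:49153    10.0.0.9:445         ESTABLISHED    4
UDP    10.0.0.5:137      *:*                                 4
"""

# Constructed sample of what a tap or flow collector saw for the same host in
# the same window. The third flow is the one the host view does not contain.
NETWORK_VIEW = """\
2014-11-24T10:01:02Z TCP 10.0.0.5:49152 -> 93.184.216.34:443 bytes=18342
2014-11-24T10:01:05Z TCP 10.0.0.5:49153 -> 10.0.0.9:445 bytes=2048
2014-11-24T10:01:09Z TCP 10.0.0.5:49201 -> 198.51.100.77:443 bytes=512
"""

NETFLOW_RE = re.compile(r"^\S+\s+(TCP|UDP)\s+(\S+)\s+->\s+(\S+)\s+bytes=(\d+)")


def parse_host_view(text):
    """Parse netstat-style lines into a set of Flow records."""
    flows = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        flows.add(Flow(parts[0], parts[1], parts[2]))
    return flows


def parse_network_view(text):
    """Parse flow-collector lines into a set of Flow records; lines that do
    not match the expected layout are ignored rather than crashing the diff."""
    flows = set()
    for line in text.splitlines():
        m = NETFLOW_RE.match(line)
        if m:
            flows.add(Flow(m.group(1), m.group(2), m.group(3)))
    return flows


def hidden_flows(host_text, network_text):
    """Return flows the network saw but the host did not report, sorted for
    stable output. Listening/wildcard entries on the host side carry no remote
    endpoint and are dropped before the comparison."""
    host = {f for f in parse_host_view(host_text) if not f.remote.startswith("*")}
    net = parse_network_view(network_text)
    return sorted(net - host, key=lambda f: (f.proto, f.local, f.remote))


if __name__ == "__main__":
    for flow in hidden_flows(HOST_VIEW, NETWORK_VIEW):
        print(f"not reported by host: {flow.proto} {flow.local} -> {flow.remote}")
```

The comparison is only meaningful when both snapshots cover the same time window; short-lived connections that closed between the two captures show up as false positives, so in practice you aggregate the host view over the same interval as the flow records rather than taking a single netstat snapshot. A flow that is persistently present on the wire and absent from the host is exactly the signal the post above describes, and it does not depend on trusting anything running on the suspect machine.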
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    @ Yuki2718

    I know what you mean, but it would be nice for HIPS enthusiasts like myself to get some more info about this stuff. To me, it's nice to know at which point the malware cannot be stopped anymore, for example after driver installation. But if this malware was running inside a sandbox, it wouldn't be able to run correctly, and would have lost the battle for sure. So the end conclusion is: if your system is infected with Regin and similar malware, you're doing something wrong.
     
  21. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,057
    Is it possible to attribute the backdoor Regin to the cybercrime?
    http://securityaffairs.co/wordpress/30647/intelligence/regin-backdoor-cybercrime.html
     
  22. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.
    http://blogs.mcafee.com/mcafee-labs/mcafee-customers-protected-regin-malware-since-2011
     
  23. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    Well, I don't say such discussion is meaningless, as other criminals often 'copy' or (partly) imitate those advanced attacks.
     
  24. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From Regin: When did protection start?:
     
  25. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.
    https://securelist.com/blog/research/68438/an-analysis-of-regins-hopscotch-and-legspin/
     