Why did it take antivirus giants YEARS to drill into super-scary Regin? Symantec responds...

After Symantec published its report on the Regin super-spyware, there were many questions raised. Who coded it? What can it do? And – above all – why did it take so long for security vendors to notice it? Regin is a sophisticated piece of software. It can be customized for particular missions by inserting into its framework …

  1. Anonymous Coward

    Those who do not remember history...

    It was injected into systems at Belgian telecoms outfit Belgacom around 2010,

    Let me guess. Via a LinkedIn Spearfish?

    All you need is to add 2 and 2 here.

  2. Anonymous Coward

    Regin: el REG's INfiltrator

    We all know whodunnit !!!! Our favourite spearhead of techno investigative journalism :-)

  3. Anonymous Coward

    Ahh, there's the nub...

    "The first is that now people are aware of Regin it might make the authors abandon the code completely.

    *unlikely

    Alternatively they could revamp the malware to the point where it's undetectable

    *absolutely

    This is yet another techno cat and mouse game.

  4. Mr C

    sleep tight

    I wonder if the persons who wrote this (and presumably know what it's for) sleep well at night.

    It might not be an actual weapon with a trigger firing metal slugs, but it's still pretty damn close.

    But of course we know it's there to protect the general public against terrorists, so now at least we get to sleep better at night

    1. Dan 55 Silver badge
      Black Helicopters

      Re: sleep tight

      Who says they know what they're writing? It's split into different plugins.

      Insert reference to favourite conspiracy-theory film here.

    2. FrankAlphaXII

      Re: sleep tight

      If you were working on something like this, you should probably know that development would be compartmented all to hell, you'd never know exactly what it is you were actually doing. Only the sysadmin, the devops manager, and maybe even security might have an inkling. However I doubt the sysadmins really know any longer.

  5. DropBear
    WTF?

    Okay, honest question...

    ...what exactly is it about a piece of (even significantly complex) software that makes it the privilege of "nation states" only? A couple of guys in front of a bunch of computers day in and day out for years is simply called "pretty much any software project you can think of" - sure, it's not something a "hobbyist" would afford but why would it be beyond the financial clout of any vaguely large-ish business...? It's not like even complex malware requires a dozen supercomputers to write or something...! Okay, so these probably are pretty smart guys, but are you really saying running them would be more expensive than running, say, a football team (a popular pastime these days even among well-off individuals, FFS!)...?

    1. Gray
      Boffin

      Re: Okay, honest question...

      Motivation, m'boy, motivation.

      For anything other than a nation state, it would be financial gain. Regin is an improbable means.

      For nation states, paranoia + aggression + espionage = power. Eureka!

      (Fortunately, the protections of the Constitution of the United States precludes any such ... ? ... )

      1. Otto is a bear.

        Re: Okay, honest question...

        There are non-nation state groups out there who have the capability to build and deploy sophisticated malware/spyware what ever ware. Financial gain is not just about ripping credit card details, but also about knowledge, and knowledge is power. The same sort of information that police and security services look for is also useful to criminal and other organisations. A little bit of insider trading, put a competitor out of business, infiltrate law enforcement and so on. Cat and mouse is right, but who is the cat and who is the mouse will never be black and white.

        Still no matter what, the AV vendors make money. Perhaps the conspiracy theorists should follow the money and see who makes the most out of Malware. Just think how much harder it would all be if we didn't mostly use Windows and x86. I assume that if they think Linux and Solaris, presumably the x86 variants, are vulnerable, then so is OSX. So there's a reason to think ARM, Power, Sparc etc.

        1. Arbiter

          The key insight here...

          ...is that government is organised crime.

          1. Fred Flintstone Gold badge

            Re: The key insight here...

            Very organised crime? :)

      2. Anonymous Coward

        Re: Okay, honest question...

        There are other actors that are at least when you remove power and money. Ideology, conscience, and ego are also in the mix. The question I would like to ask is there any non-state/non-criminal actors that can pull it off and if so, what are the resources (human and other) required to pull it off.

        For all that, I have a real short list: NSA, GCHQ, & Israel. (Israel could be supporting the other two for favors received.) Maybe Russia, but I seriously doubt it.

        1. FrankAlphaXII

          Re: Okay, honest question...

          I think it's Chinese after reading the Kaspersky technical paper on it, since none of the C&C servers they've seen are in China, but there is one in Taiwan, one in Brussels, and two in India. It makes it easy to claim NATO's doing it, especially with samples coming from Afghanistan and Iran. A little too easy I'd figure. Especially since there are no known samples from anywhere China may want to fuck with a little, like Taiwan, Vietnam, the Philippines, Japan, Russia, South Korea and the DPRK government, the US and the vast majority of NATO, etc. It's a little too convenient for my liking.

          It could also be France, all of the countries that submitted samples are of an interest of France, and one country is very noticeably absent from the list, Iraq. France gives fuck all about Iraq. It was never their problem except when they were selling Saddam Hussein nuclear technology and nerve gas. I'd be interested to know if any of the European microstates have infections, especially Monaco.

          However, it might be five eyes and with Fiji and Kiribati being targeted it's sort of easy to believe (I believe New Zealand has responsibility for them) but then again, it's a little too obvious for anyone involved with UKUSA, especially with cryptonyms in the Virtual File Systems. NSA/CSS and I'm presuming GCHQ would strip it out. Also whoever it is isn't very familiar with UKUSA classification levels, because one of them looks like it is labeled as Unclassified just before a supposed cryptonym.

    2. Anonymous Coward

      Re: Okay, honest question...

      ...what exactly is it about a piece of (even significantly complex) software that makes it the privilege of "nation states" only?

      Its complexity means it was costly to develop, and most (other :) ) criminal outfits tend to look for a much quicker return on investment and focus on volume rather than specific, individual targets. Governments can much easier fund such an effort as it is covert, and thus most likely not subject to public oversight.

    3. hapticz

      Re: Okay, honest question...

      nahhh, that's too simple. media (aka software giants) need these mystery 'crisis' to self sustain themselves, maintain the public in a state of constant fear and give employment to the ones who cannot create systems ware impermeable to defeat or injection. since 99 percent of the users (is that too generous?) are actually honest and properly dazzled by the glut of software, internet traffic (aka useless advertising and hollywood junk) and desire to have the 'bestest and fastest' regardless of cost or actual functionality, then this one Regin thing has actually next to nothing for them to be concerned with. it's the people who derive financial gain, and control over others that really shake in their boots when they find someone has been banging their bride behind their back, in their own bed. i agree, this could be a really smart attempt at truly subversive stealth by some real cornball MIT, Eton, Princeton type or even a 14 year old genius (like the sandy hook school massacre brat) with no thing else to do. some people just do it for fun, as a challenge. elevating this to 'nation state' status makes for great popular entertainment, at the nation state level at least. again, we are all swapping petabytes of code with no real 'sheriff' to keep the mayhem in check. why would anyone want to screw with communications companies anyway? (sarcasm off)

    4. Anonymous Coward

      Re: Okay, honest question...

      The simple answer to your question is money. Even the most well funded mafia organization cannot afford the sheer cost of it. Not just the smart people, but the literally tens of millions of dollars of IT equipment required. Something this complex needs to be tested against literally every possible iteration of the OSes involved, patching levels, AV scanners, hypervisor software, you name it.

      If you think coding this sumbitch is hard, try to imagine what the QA is like on something that must be the digital equivalent of a trained ninja?

      These take years to develop, massive QA efforts, constant maintenance and costly experts. That's a massive up front cost before you ever reap anything (knowledge, money, etc.) Unsustainable for any but the largest of the large.

      What's more...the instant you're discovered, all that investment is so much dust in the wind. *pffft* gone. If you keep using it you risk being discovered. Since being covert about things was quite obviously the most critical element of its design then discovery means retirement...at least of the core dropper and execution platform.

      And then there's the issue of what to do about all the people who had to work on this project? Governments have the resources to watch these people for the rest of time. Mafiosos don't. They could kill them all, but where do they get their next round of supernerds for their next round of cybercrime? If you whack everyone who works for you, you tend to get a bad rep as an employer...and you can't kidnap enough people to write software this big without causing an international manhunt.

      So, let me put this to you another way: if this is anything other than a nation state's malware, we are all in very deep shit. Because it means that someone, somewhere has managed to overcome all (or at least most) of the problems I've listed above, and managed to commoditise the "cyber" equivalent of nuclear ordnance.

      If that's the case, the internet's done for.

  6. Androgynous Cupboard Silver badge

    Nothing on C&C

    The reports don't mention anything about command & control, which is annoying - the Symantec one says that the compromised machine can initiate contact with the attacker so presumably they've seen evidence of this, but doesn't mention how or where this is done. An IP address? An IRC channel? I'm still frustrated by the lack of detail here.

    (edit - found it elsewhere: http://blogs.cisco.com/security/talos/regin-campaign. Four IP addresses listed, one in Taiwan, two in India and one in Belgium)

    1. Anonymous Coward

      Re: Nothing on C&C

      Heh that's clever. No need to actually control the servers at those addresses, just make sure that they are physically located such that packets originating from the mark will likely come past a tap you have previously deployed and are listening on.

      1. Anonymous Coward

        Re: Nothing on C&C

        That's how I'd do it, the internet equivalence of the old brush-pass. C&C servers old tech, dead-drops.

        1. Anonymous Coward

          Re: Nothing on C&C

          Do you mean like the taps on the undersea fibers?

          1. Trevor_Pott Gold badge

            Re: Nothing on C&C

            "Hundreds" of infected machines. Why tap the undersea fibers? Get some men in bright vests to dig a hole in the ground outside the company in question and just put the taps in there. Then the packets aren't leaking across the internet for everyone to see.

  7. Nonymous Crowd Nerd

    Are we considering the obvious

    OK, so we've been told for years not to see conspiracies under every bed, but this looks like the real thing to me. In other words, the antivirus guys have known about this, and other government sponsored malware, for years and have kept quiet because the government organisations have appealed to their sense of patriotism, or bribed them, or bullied them, or blackmailed them, or...

    And they're coming clean now because they're afraid of a second Edward Snowden spilling the beans and ruining their anti-malware credibility.

    1. This post has been deleted by its author

    2. BillG
      Meh

      Re: Are we considering the obvious

      I've been thinking the same thing, it's government sponsored malware and the antivirus companies are in on it. But does that apply to eastern European antivirus vendors like Kaspersky and Bitdefender?

  8. John Arthur
    Black Helicopters

    "Alternatively they could revamp the malware to the point where it's undetectable."

    Perhaps they already have...

    1. sandman

      Re: "Alternatively they could revamp the malware to the point where it's undetectable."

      Splendid - that's what I call proper paranoia :-)

    2. Bloakey1

      Re: "Alternatively they could revamp the malware to the point where it's undetectable."

      I am sure they already have revamped it and are now many iterations ahead. From the look of things they were after timely intelligence at that given point in time and presumably they got it. Any further info from those sources would be mere background noise now and they would move on for legal, financial, operational or other issues.

      I am sure that more sophisticated versions are out there and by leaving obsolete kit around for people to find they are muddying the waters and obfuscating other nasties that they have unleashed.

    3. Anonymous Coward

      Re: "Alternatively they could revamp the malware to the point where it's undetectable."

      Perhaps they already have...

      Yup. I just don't understand why it needs a new name.

      AFAIK, Windows 8.1 already HAS a name.

      (sorry, couldn't resist :) )

      1. Anonymous Coward

        Re: "Alternatively they could revamp the malware to the point where it's undetectable."

        No no, you've misunderstood.

        This article is about malware, not crapware.

        (sorry, couldn't resist :) )

    4. Mpeler
      Black Helicopters

      Re: "Alternatively they could revamp the malware to the point where it's undetectable."

      Perhaps this malware is itself a decoy, to keep people from even looking for the undetectable malware.

      Now where did I put that hall of mirrors...

      Proper paranoia HAS to be expensive... (searches for icon with Paris in a black helicopter)...

  9. Paul Smith

    Nation states?

    "Looking at the balance of probabilities, the possibility of Regin being the result of a non-nation-state coder is between slim and none," Thakur said.

    Are you seriously trying to tell us that the coders behind the NHS patient records debacle or the MOD procurement process are somehow better than a couple of gifted and motivated amateurs? In fact, can you name a single piece of not-shit software that can be credited to a nation-state? Even BT's fucked up Phorm was written by a private entity.

    1. Vic

      Re: Nation states?

      In fact, can you name a single piece of not-shit software that can be credited to a nation-state?

      Stuxnet?

      Vic.

      1. FrankAlphaXII

        Re: Nation states?

        Duqu? Turla? Vic already mentioned Stuxnet.

    2. Trevor_Pott Gold badge

      Re: Nation states?

      "Are you seriously trying to tell us that the coders behind the NHS patient records debacle or the MOD procurement process are somehow better than a couple of gifted and motivated amateurs? In fact, can you name a single piece of not-shit software that can be credited to a nation-state? Even BT's fucked up Phorm was written by a private entity."

      As a general rule, the "not shit" coders working for a state end up working for the spooks, or the banks. Unimportant things like health care get the mediocre of what's left. They don't really pay all that well to code for health care.

  10. Andrew Davenport

    But is this the tip of the iceberg?

    What other exceptionally good and undetectable malware have they not detected yet?

    1. John Sanders
      Holmes

      Re: But is this the tip of the iceberg?

      Plenty.

      But what I wonder is why so much insistence on "only a state can write this"

      No, we do not know for sure this is not the case, just because they do not know of enough competent low level programmers doesn't mean it was a state. Unless they had help from the vendor, if they could only write it using non-public information from our MS friends this is another matter.

      But alas, all you need to create an undetectable malware is keep a very low profile.

      1. Anonymous Coward

        Re: But is this the tip of the iceberg?

        But what I wonder is why so much insistence on "only a state can write this"

        It's an assessment based on probability. To create something that complex needs a LOT of funding, and putting money in something creates an expectation that there is somewhere a return on investment. There are few entities large enough to risk a large dollop of cash on something that is at best uncertain in the returns category, but governments tend to have less of a problem with that. It's not really their money to start with, and covert ops budgets tend to be free from pesky scrutiny anyway so they can afford to take a punt and hide it with the other skeletons if it doesn't pay off.

        I would suggest to be more accurate though: I think the actual statement is that only a state would COMMISSION this - I agree with others on this forum that such expertise is nowadays in private hands, so it's probably a subcontracted job with a boatload of threats to stop people from pulling a Snowden on the project and leaking it. But the complexity suggests state funding.

  11. NP-HARD
    Unhappy

    Out for tender

    "...a state-level team could comfortably engineer and deploy."

    Why aren't these guys working on the Universal Credit programme?

    1. Promotor Fidei
      Joke

      Re: Out for tender

      They did - but unfortunately their version was completely undetectable, so a new one had to be made from scratch and in a hurry.

  12. Anonymous Coward

    wouldn't it be funny....

    ....if it turned out to be a bunch of corporates kicking off a real-life Syndicate Wars style control.

    http://en.wikipedia.org/wiki/Syndicate_Wars

    Let's see if the next malware is called "Harbinger", get ready for your cyborg implants/ google glasses!

  13. Mark 85

    Peculiar targeting...

    It just seems peculiar that the targets were limited in scope if we believe what we've heard. Big if there. An encryption expert, telecoms and power grid companies with telecoms seeming to be the main. Not slurping the user throughput such as phone calls but the inner workings. Very strange indeed.

    1. Marshalltown

      Re: Peculiar targeting...

      Actually, the targeting - more than the code quality - suggests a nation origin. Telecom and power dispatch systems in workings, as well as encryption experts, paints a very specific picture. Presumably with adequate knowledge of those areas you can 1) disrupt power distribution over any geographic scale; 2) disrupt or intercept communications over any geographic scale, and 3) encrypt securely, or potentially decrypt encrypted information with proper information regarding how the data was encrypted.

  14. Primus Secundus Tertius

    Exobiology

    Project Seti has looked in the wrong place for ET life. It turns out they have been looking at us.

    The cunning part is how they get their results back to Alpha Centauri, or the Andromeda galaxy.

    Why the secrecy? Remember that when the first pulsar was discovered, and was thought to be an ET clock signal, the facts were kept secret for six months. The lamest excuses were given when things were published.

    1. Arbiter

      Mulder?

      Is that you?

  15. segillum

    Where's Simon?

    I detect the hand of the BOFH and the PFY in here somewhere...

  16. PNGuinn
    Alert

    ........ – and in the Windows Registry

    Systemd - NUKE IT FROM SPAACE - it's the only way!

    1. Bloakey1

      Re: ........ – and in the Windows Registry

      More likely would be to look in the MI5/6 or GCHQ registry.

    2. Cipher
      Trollface

      Re: ........ – and in the Windows Registry

      And be sure to turn out the blinkenlights...

  17. Alastair Booker
    Mushroom

    Unlikely to be a corporate job, as others have pointed out the return on investment just wouldn't be there and the size of the team required would mean leaks and a loss of secrecy almost immediately. The resultant publicity would be a disaster. Only a nation state or a very dedicated and small team could keep a secret like this. I'd rule out a small private team as why would they write this with unclear benefits and not just go for the money with more traditional spyware, ransom-ware etc?

    It's looking like cyber-warfare practice by the Russians or the Americans to be, power & telecoms would be the best targets for disruption.

    1. Cipher
      Big Brother

      Smells like a 5 Eyes operation. Everything we know, and it's not much, points in that direction:

      No known C&C server in a 5 Eyes nation

      No known targets in a 5 Eyes nation

      1. FrankAlphaXII

        While I'm slightly inclined to agree, the only thing wrong with that is that there have been no samples from Iraq or other places of Five Eyes interest. If it was Five Eyes, you'd better bet your ass there'd be targets in Iraq, Russia, Ukraine, Cuba, Quebec, the United States, the UK, and China and quite a number of them.

        However, with Fiji, Kiribati and Indonesia being targeted, it does seem a bit Aus/NZ-ish. That could be just to throw people off though, it's not really possible to say until more samples are found.

        Might also be France or China, see my comment above.
