The list of infected countries might tell us a thing about the attacker:
Russia and Saudi Arabia at the top: classical US intelligence targets.
Pakistan and Afghanistan: Likely an anti-Islamist effort.
Austria, Belgium, Iran: OPEC, IAEA, tons of EU institutions - someone who wants better intel about the nuclear talks with Iran?
Ireland, Mexico, India: Hard to find political reasons for those countries, but if you look at it economically: Ireland is the main hub for US companies into the EU, Mexico is a neighbouring country to the US, India: rival to China.
My totally far-fetched guess would be that this trojan comes from the NSA or the GCHQ, I don't see China caring that much about Saudi Arabia and AfPak.
It's funny to me that we posit attackers building malware of such sophistication that they can only be nation-state in stature, while at the same time supposing that they know so little about the AV industry that they could be revealed by a heat map of the countries their malware was spotted in.
How about: it's Russia, Russia doesn't care about infecting hosts in its own country (in fact, they may prefer to do so; those might be their targets), and, while Russia surely does have an aggressive program of intrusions into the US [and China], they don't use this particular piece of malware to execute it?
I have no reason to believe it's Russia. I just think: that story is as plausible as the others being tossed around this thread.
If I have a bias about the origin being the US, hand to God, it's that I'd like to believe my tax dollars can pay for better malware than this. I have, for what it's worth to the thread, absolutely no doubt in my mind that the US has stuff like this in the field.
Attribution is always thorny - but yes, targeting metadata does match those possible conclusions.
Quite a bit of the other information in the 'technical report' (which isn't as technical as I would like) does seem eerily reminiscent of what we know about the CHIMNEYPOOL framework, and (to some extent) FOXACID. A little overengineered, and a little sloppy in places - and that's everything I'd expect from a pork barrel remote intrusion tool with serious dollars thrown at it.
Go on, match it up and see what tallies! Assume "Stage 0" is the VALIDATOR egg (or a cousin), which is memory-resident, never touches disk, and fetches the rest, and work from there.
In particular, I'd single out as particularly telling the 7a69-CRC ICMP filled with string-literal (and very English) shit, and… a 20-round variant of RC5? That has a strong smell of hamburger to it, although I'd wonder if the analysts perhaps mistook it for RC6, or if this is perhaps an earlier version?
Yes, at first blush, this may indeed be NSA malware!
Are the samples available for analysis, Symantec? Inquiring minds want to take a closer look at this creature, and you have piqued my interest. My email won't be hard to find. Deadlists are fine. https://keybase.io/akr
And a very fat finger points at the US/UK because if they were simply present in statistically normal quantities in the samples they would be amongst the largest of the groups encountered. The fact that they are not suggests a conscious decision not to target those countries, likely emanating from a law rather than from a desire.
If this were done by China then the US would be represented strongly.
[Edit: I missed the PDF whitepaper before writing this comment. It doesn't answer all my questions but I'll give them credit for a really nice detailed whitepaper.]
This article makes me very suspicious of Symantec. How long have they known about this, really? Are they just releasing this information now as a marketing reaction to recent discoveries by competing firms?
The vaguely written timeline says in passive voice that Regin has been observed since 2008. By who? Why are we just hearing about it now? I wouldn't blame them for keeping some discoveries quiet for a while so they can do some stealth research, but the timing here really smells like they are being PR driven instead of being driven by doing what's best for the overall security community.
What would inspire much more confidence would be a story of how this was discovered, and how the discovery and research played out, as we have seen for some other malware. Instead this looks like they have known about this for a long time, and now for reasons they aren't going to disclose, they have decided, or have been given permission, to reveal some of what they know.
Once malware is identified properly antivirus firms will usually go through their detection archives and pull out earlier hits.
The reason why they don't see them sooner is because they get tens to hundreds of thousands of new threats each week and don't have time to go through each one.
Mikko from F-Secure also reported on Twitter that they found Regin[0]. The same thing happened with Stuxnet, and just about every other malware - it is why these firms will keep and check the archives of newly detected threats.
As for your general suspicions, this is endemic with infosec since there is a natural conflict of interest where those doing the research and reporting on it are also selling solutions.
If it makes you feel any less suspicious, the research departments within these antivirus firms are generally isolated from parts of the companies involved in sales and marketing. They are usually small teams that just go out and publish information on cool things they find - although there is often a race to be the first to dissect and publish the details of new malware (which is why you wouldn't sit on knowledge of a new threat).
which looks unrelated to the point of being incorrect.
Also quite strange that they say in the PDF it's a kernel mode driver, as my understanding is that Windows 7 & co. do not allow those to be installed if they are unsigned. EDIT: The PDF covers this later on:
> The 64-bit version of Regin’s Stage 1 (wshnetc.dll) is no longer a kernel mode driver, as drivers under 64-bit Windows must be signed. Instead, Stage 1 is a user mode DLL loaded as a Winsock helper when the computer is starting up.
Well people are sending suspicious files to the AV vendors all the time, so Symantec may have found the backdoor a lot later and then found it existing in their DBs.
On a less related note, beyond the shiny GUI layer, just how advanced is today's antivirus software anyway?
Do they still primarily rely on signature detection? I know that modern systems also perform what's broadly titled "heuristic analysis", but I'm not sure what that specifically entails. Is there any form of system call tracing, sandboxing, file monitoring or what?
Heuristics look at what a process is doing. For example, a very simple heuristic rule may look like this:
if a process does the following:
- opens another .exe file, then
- writes to that .exe file, then
- closes that .exe file,
then it's a virus.
Such 'rules' are then used by the detection engine of the anti-virus software; if a program triggers any of these rules it is often labeled as a 'generic' Trojan or virus. Often this tracking is achieved by 'hooking' syscalls of your operating system. But some anti-virus programs also employ emulation and/or sandboxing. Comodo is an example that does sandboxing.
Recent developments in anti-virus are what's called 'host-based protection'. Instead of relying on blacklists, such as heuristics and signatures, a custom-made 'profile' (whitelist) of the host is made which looks at which applications are installed and what they should be doing. For example: your browser should never attempt to start another process. If it does, it means something is wrong.
Such host based approaches can detect unknown threats/exploits as they happen. If your browser is exploited and tries to download and execute malware, the system will detect it because it was previously established that your browser has no business starting other applications.
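An added example, not from the thread, of the two rule styles this comment describes, run over a constructed syscall trace: the open/write/close blacklist heuristic and a per-application whitelist profile (every image name, path and pid below is made up).

```python
"""Two toy host-based rules over a constructed trace: a blacklist heuristic
(a process opens, writes and then closes another .exe) and a whitelist
profile (a browser must never start a child process)."""
from typing import Dict, List, NamedTuple, Set, Tuple


class Event(NamedTuple):
    pid: int
    image: str   # image name of the acting process
    op: str      # "open", "write", "close" or "spawn"
    target: str  # file path for file ops, child image for "spawn"


def exe_tamper_alerts(trace: List[Event]) -> List[str]:
    """Blacklist heuristic: flag open -> write -> close on any .exe, tracked per (pid, path).
    A read-only open/close does not fire; installers and updaters will, which is
    why such hits are only ever labelled 'generic'."""
    alerts: List[str] = []
    state: Dict[Tuple[int, str], str] = {}  # (pid, path) -> "open" | "written"
    for ev in trace:
        if ev.op == "spawn" or not ev.target.lower().endswith(".exe"):
            continue
        key = (ev.pid, ev.target)
        if ev.op == "open":
            state[key] = "open"
        elif ev.op == "write" and key in state:
            state[key] = "written"
        elif ev.op == "close" and state.pop(key, None) == "written":
            alerts.append(f"generic: {ev.image} (pid {ev.pid}) modified {ev.target}")
    return alerts


# Constructed whitelist profile: which children each known application may start.
PROFILE: Dict[str, Set[str]] = {
    "firefox.exe": set(),  # a browser has no business spawning anything
    "explorer.exe": {"firefox.exe", "notepad.exe"},
}


def profile_alerts(trace: List[Event]) -> List[str]:
    """Whitelist rule: any spawn outside the application's profile is an alert."""
    alerts: List[str] = []
    for ev in trace:
        if ev.op != "spawn" or ev.image not in PROFILE:
            continue  # no profile for this application means no opinion
        if ev.target not in PROFILE[ev.image]:
            alerts.append(f"profile: {ev.image} (pid {ev.pid}) spawned {ev.target}")
    return alerts


VIEWER = r"C:\Program Files\Viewer\viewer.exe"
TRACE: List[Event] = [  # constructed sample trace
    Event(100, "explorer.exe", "spawn", "firefox.exe"),  # allowed by profile
    Event(200, "firefox.exe", "open", r"C:\Users\me\Downloads\paper.pdf"),
    Event(200, "firefox.exe", "write", r"C:\Users\me\Downloads\paper.pdf"),
    Event(200, "firefox.exe", "close", r"C:\Users\me\Downloads\paper.pdf"),
    Event(200, "firefox.exe", "spawn", "cmd.exe"),  # browser spawning: alert
    Event(300, "dropper.exe", "open", VIEWER),
    Event(300, "dropper.exe", "write", VIEWER),
    Event(300, "dropper.exe", "close", VIEWER),  # open/write/close of an .exe: alert
    Event(400, "backup.exe", "open", VIEWER),
    Event(400, "backup.exe", "close", VIEWER),  # read-only access: no alert
]


def run(trace: List[Event] = TRACE) -> List[str]:
    return exe_tamper_alerts(trace) + profile_alerts(trace)


if __name__ == "__main__":
    for line in run():
        print(line)
```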
A lot of modern malware prevention focuses on monitoring network traffic. Rather than rely on a single machine to self-report its health, technologies monitor the main channel of infection and data transmission, which is communication with the internet.
Examples:
- FireEye
- OpenDNS (where I work)
- Palo Alto Networks
- Zscaler
Case in point - at OpenDNS, we can often identify signs of infection (e.g. communication with DGA domains) before pinpointing the particular malware involved.
Signature based antivirus, as in "after the fact" heuristics, remains the most useful. Because, as advanced as the other methods may be, their usefulness remains limited by their public existence. Any malware writer checks their creations against VirusTotal and changes it as long as anything flags.
The most awesome comment from AT&T was that "this telephone system offers a means of espionage to which general warrants and writs of assistance were the puniest instruments of tyranny and oppression".
Let's not jump to conclusions. If Symantec's characterization of the sophistication of this malware is accurate, then surely they could have afforded some crypto expertise.
First, can we agree that any encryption algorithm better than a Caesar cipher is good enough for this particular application? That's because nobody who's analyzing this malware is going to bother with cryptanalysis because there's an easier approach. The encrypted data has to get decrypted before it runs. Therefore, you watch the execution with a debugger until it gets decrypted and executed, and then just capture the plaintext data (and the key if you want).
Given that resisting serious cryptanalysis is off the table, I can suggest several reasons for RC5:
- It has much smaller code size (500 bytes vs 15000 for AES).
- It's less vulnerable to fingerprinting. That is, anti-virus software might have checks for AES but not RC5. The malware writer would know this because they actually tested their malware against all the anti-virus products and found that none of them have signature or heuristic checks for RC5 but do against AES. (I'm just fleshing out the thought; I don't know if AV software checks for AES and RC5.)
- AES runs faster than RC5 in general, but maybe the particular platform or instruction set for this malware makes RC5 faster.
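The fingerprinting point above, as an added example (not from the thread): a scanner that looks for the constants a cipher implementation cannot avoid carrying, the RC5/RC6 key-schedule constants P32 and Q32 and the start of the AES S-box, with the caveats an analyst needs when reading the hits. The sample blob is constructed; the constants are the published ones.

```python
"""Fingerprint which block cipher an unpacked payload embeds by scanning for the
constants its key schedule or lookup table must contain. Constructed example."""
import struct
from typing import Dict, List

P32 = 0xB7E15163  # RC5/RC6 key-schedule constant, Odd((e - 2) * 2^32)
Q32 = 0x9E3779B9  # RC5/RC6 key-schedule constant, Odd((phi - 1) * 2^32); TEA/XTEA use it too
AES_SBOX_PREFIX = bytes.fromhex("637c777bf26b6fc53001672bfed7ab76")  # first 16 S-box entries

# Each signature is a list of byte patterns; word constants are tried in both byte orders.
SIGNATURES: Dict[str, List[bytes]] = {
    "rc5/rc6 P32": [struct.pack("<I", P32), struct.pack(">I", P32)],
    "rc5/rc6 Q32 (also TEA/XTEA delta)": [struct.pack("<I", Q32), struct.pack(">I", Q32)],
    "aes forward s-box": [AES_SBOX_PREFIX],
}


def scan(blob: bytes) -> Dict[str, List[int]]:
    """Return {signature name: sorted offsets} for every pattern found in blob."""
    hits: Dict[str, List[int]] = {}
    for name, patterns in SIGNATURES.items():
        offsets: List[int] = []
        for pat in patterns:
            pos = blob.find(pat)
            while pos != -1:
                offsets.append(pos)
                pos = blob.find(pat, pos + 1)
        if offsets:
            hits[name] = sorted(offsets)
    return hits


def classify(hits: Dict[str, List[int]]) -> List[str]:
    """Turn raw constant hits into the conclusions an analyst can actually draw."""
    verdicts: List[str] = []
    if "aes forward s-box" in hits:
        verdicts.append("table-based AES present")
    has_p = "rc5/rc6 P32" in hits
    has_q = "rc5/rc6 Q32 (also TEA/XTEA delta)" in hits
    if has_p and has_q:
        # P32 and Q32 are shared by RC5 and RC6; the expanded table size (2r+2 words
        # for RC5, 2r+4 for RC6) and the round structure are needed to tell them apart.
        verdicts.append("RC5 or RC6 key schedule present")
    elif has_q:
        # Q32 on its own is the golden-ratio constant used by TEA/XTEA and many hash mixers.
        verdicts.append("golden-ratio constant only: inconclusive")
    return verdicts


def rc5_table_words(rounds: int) -> int:
    """Expanded-key table size for RC5: a 20-round variant needs 42 words rather than
    the 26 of the standard 12-round RC5-32/12/16, a size a memory dump can be checked for."""
    return 2 * rounds + 2


def build_sample() -> bytes:
    """Constructed blob standing in for an unpacked payload: filler around the constants."""
    return (b"\x90" * 16 + struct.pack("<I", P32) + b"\x90" * 8
            + struct.pack("<I", Q32) + b"\x90" * 12 + AES_SBOX_PREFIX + b"\x90" * 4)


if __name__ == "__main__":
    found = scan(build_sample())
    print(found)
    print(classify(found))
```

Packed or obfuscated samples hide these immediates, so in practice the scan runs on the unpacked image or a memory dump, which is where the debugger approach described above leaves you anyway.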
I think the thing that's most frightening here is that those who created this thing have had 6 years to iterate and improve on the design before being discovered, so what has been found may just be the tip of the iceberg.
Amazing how Symantec use this to push their software rather than providing even a clue to determining whether you're infected or not. Never miss an opportunity to cash in, I suppose.
I don't think this post comes off as an attempt to make more money.
Rather, I think it's applaudable that they release information on threats from governments (and not only traditional spyware/virus).
Since this is (probably) built by a government, one can be certain that a government somewhere (presumably Western, given the infected countries) is upset about the release. And they didn't cave in to that, which is good.
Stuxnet: named for files .stub (where config was stored) and mrxnet.sys (main driver), by Microsoft
Duqu: named for the "~DQ-" temporary files it created, by the researchers in Hungary who found it and wrote the report
Flame: is from a routine called "InstallFlame", so the malware name is likely same between discoverers and writers.
The naming convention is usually to find a unique identifier used in the malware. Portmanteaus are common. We often don't find out what the writers' name was, although both Stuxnet and Flame were part of Operation Olympic Games[0]
Yes, generally malware is named by the researchers who found it - often even if the creators obviously named it otherwise. I wouldn't be surprised if "Regin" was a reference to how the researchers found big chunks of it tucked away in the registry, or something like that.
For example, there's a reference to the name "Myrtus" in Stuxnet, which was (I think) probably the name its creators gave it (and may point to its Israeli origin)?
"In Nordic mythology, the name Regin is associated with a violent dwarf who is corrupted by greed. It is unclear how the Regin malware first got its name, but the name appeared for the first time on the VirusTotal website on March 9th 2011."
Double meaning or coincidence? e.g. did the authors of this piece just google "Regin" and find out about this dwarf?
That kind of information should be published by the CIA, FBI, NSA, ... themselves instead of destroying Democracy with their secret gag orders. “I'm not allowed to say that I'm not allowed to say anything”. Can it still get worse than it already is? Any random terrorist is more honorable than the Feds. At least they're not lying about being terrorists.
tptacek | 11 years ago
I'd really like to believe it was Latvia.
throwawayaway | 11 years ago
http://arstechnica.com/tech-policy/2013/11/uk-spies-continue...
mobiuscog | 11 years ago
Any big tech company investing in industrial espionage. It's not as if they don't have the development staff.
nikcub | 11 years ago
[0] https://twitter.com/mikko/status/536624310035939328
jmartinpetersen | 11 years ago
Neither China nor the USA is among the ten countries with most infections.
lifeisstillgood | 11 years ago
Wow. Just wow.
It should not surprise us, but I wonder what the reaction was when people first realised telephones could be and were being tapped?
schoen | 11 years ago
https://www.eff.org/deeplinks/2007/08/how-ma-bell-fought-you...
spacefight | 11 years ago
Outrage?
tptacek | 11 years ago
RC5 is uncommon because it's a crappy old 1990s cipher. If its use is suggestive of anything, it's probably cryptographic incompetence.
nikcub | 11 years ago
and it's been undetected for 7 years, so what does that tell you?
r721 | 11 years ago
https://www.f-secure.com/weblog/archives/00002766.html
"Securelist - Regin: Nation-state ownage of GSM networks"
http://securelist.com/blog/research/67741/regin-nation-state...
jonah | 11 years ago
Is "Regin" or "Stuxnet" a string somewhere? Do the researchers make the names up?
(And, what do the creators think of the name their tool is given vs. what they called it.)
nikcub | 11 years ago
[0] http://en.wikipedia.org/wiki/Operation_Olympic_Games
jonah | 11 years ago
[0] https://firstlook.org/theintercept/2014/11/24/secret-regin-m...
mooneater | 11 years ago
But this is HN: Now how do we ensure our servers are unaffected?