
Regin: Top-tier espionage tool enables stealthy surveillance - r721
http://www.symantec.com/connect/blogs/regin-top-tier-espionage-tool-enables-stealthy-surveillance
======
MatthiasP
The list of infected countries might tell us a thing about the attacker:

Russia and Saudi Arabia at the top: classical US intelligence targets.
Pakistan and Afghanistan: likely anti-Islamist effort. Austria, Belgium,
Iran: OPEC, IAEA, tons of EU institutions - someone who wants better intel
about the nuclear talks with Iran?

Ireland, Mexico, India: Hard to find political reasons for those countries,
but if you look at it economically: Ireland is the main hub for US companies
into the EU, Mexico is a neighbouring country to the US, India: rival to China

My totally far-fetched guess would be that this trojan comes from the NSA or
the GCHQ, I don't see China caring that much about Saudi Arabia and AfPak.

~~~
tptacek
It's funny to me that we posit attackers building malware of such
sophistication that they can only be nation-state in stature, while at the
same time supposing that they know so little about the AV industry that they
could be revealed by a heat map of the countries their malware was spotted in.

How about: it's Russia, Russia doesn't care about infecting hosts in its own
country (in fact, they may prefer to do so; those might be their targets),
and, while Russia surely does have an aggressive program of intrusions into
the US [and China], they don't use this particular piece of malware to execute
it?

I have no reason to believe it's Russia. I just think: that story is as
plausible as the others being tossed around this thread.

If I have a bias about the origin being the US, hand to God, it's that I'd
like to believe my tax dollars can pay for better malware than this. I have,
for what it's worth to the thread, absolutely no doubt in my mind that the US
has _stuff like this_ in the field.

I'd really like to believe it was Latvia.

~~~
znowi
Expectedly, tptacek is all over the infosec thread, arrogantly dissuading the
public from the notion of a possible involvement of the US intelligence
community :)

~~~
NickPollard
Actually he's attempting to dissuade people from leaping to conclusions based
on little-to-no data and their own biases.

He doesn't say it's not the US, he just says that the data is not enough to
support that conclusion.

It might be time for another HN article on Bayes' Theorem.

------
natch
[Edit: I missed the PDF whitepaper before writing this comment. It doesn't
answer all my questions but I'll give them credit for a really nice detailed
whitepaper.]

This article makes me very suspicious of Symantec. How long have they known
about this, really? Are they just releasing this information now as a
marketing reaction to recent discoveries by competing firms?

The vaguely written timeline says in passive voice that Regin has been
observed since 2008. By who? Why are we just hearing about it now? I wouldn't
blame them for keeping some discoveries quiet for a while so they can do some
stealth research, but the timing here really smells like they are being PR
driven instead of being driven by doing what's best for the overall security
community.

What would inspire much more confidence would be a story of how this was
discovered, and how the discovery and research played out, as we have seen for
some other malware. Instead this looks like they have known about this for a
long time, and now for reasons they aren't going to disclose, they have
decided, or have been given permission, to reveal some of what they know.

~~~
nikcub
> Why are we just hearing about it now?

Once malware is identified properly, antivirus firms will usually go through
their detection archives and pull out earlier hits.

The reason they don't see them sooner is that they get tens to hundreds of
thousands of new threats each week and don't have time to go through each
one.

Mikko from F-Secure also reported on Twitter that they found Regin[0]. The
same thing happened with Stuxnet, and just about every other malware - it is
why these firms will keep and check the archives of newly detected threats.

As for your general suspicions, this is endemic with infosec since there is a
natural conflict of interest where those doing the research and reporting on
it are also selling solutions.

If it makes you feel any less suspicious, the research departments within
these antivirus firms are generally isolated from parts of the companies
involved in sales and marketing. They are usually small teams that just go out
and publish information on cool things they find - although there is often a
race to be the _first_ to dissect and publish the details of new malware
(which is why you wouldn't sit on knowledge of a new threat).

[0] [https://twitter.com/mikko/status/536624310035939328](https://twitter.com/mikko/status/536624310035939328)

~~~
yuhong
_The same thing happened with Stuxnet, and just about every other malware - it
is why these firms will keep and check the archives of newly detected threats._

My favorite is how Stuxnet was discovered just after Win2000 ended support.

So what made Symantec, McAfee, etc. so horrible, BTW?

------
vezzy-fnord
On a less related note, beyond the shiny GUI layer, just how advanced is
today's antivirus software anyway?

Do they still primarily rely on signature detection? I know that modern
systems also perform what's broadly titled "heuristic analysis", but I'm not
sure what that specifically entails. Is there any form of system call tracing,
sandboxing, file monitoring or what?

~~~
SCHiM
Heuristics look at what a process is doing. For example, a very simple
heuristic rule may look like this:

if a process does the following:

    Open another .exe file, then
    Writes to that .exe file, then
    Close that .exe file

Then it's a virus.

Such 'rules' are then used by the detection engine of the anti-virus software;
if a program triggers any of these rules it is often labeled as a 'generic'
Trojan or virus. Often this tracking is achieved by 'hooking' syscalls of your
operating system, but some anti-virus programs also employ emulation and/or
sandboxing. Comodo is an example that does sandboxing.

Recent developments in anti-virus are what's called 'host-based protection'.
Instead of relying on blacklists, such as heuristics and signatures, a
custom-made 'profile' (whitelist) of the host is made which looks at which
applications are installed and what they should be doing. For example: your
browser should never attempt to start another process. If it does, it means
something is wrong.

Such host-based approaches can detect unknown threats/exploits as they happen.
If your browser is exploited and tries to download and execute malware, the
system will detect it because it was previously established that your browser
has no business starting other applications.
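One way to express both the blacklist-style sequence rule and the host-profile whitelist described above, as an added example written for this thread (not code from any anti-virus product), run over a constructed event log; the event format, process names and the profile contents are assumptions:

```python
import re
from collections import defaultdict

# Constructed sample event log (assumption: one line per hooked syscall,
# "<pid> <process> <op> <target>"); not taken from the Symantec report.
SAMPLE_EVENTS = """\
101 setup.exe open C:\\Program Files\\App\\app.exe
101 setup.exe write C:\\Program Files\\App\\app.exe
101 setup.exe close C:\\Program Files\\App\\app.exe
303 browser.exe open C:\\Users\\a\\Downloads\\page.html
303 browser.exe spawn C:\\Users\\a\\AppData\\Local\\Temp\\update.exe
404 explorer.exe spawn C:\\Windows\\System32\\notepad.exe
"""
# Host profile ('whitelist'): which operations each known application is
# allowed to perform. Assumed values constructed for this example.
HOST_PROFILE = {"browser.exe": {"spawn": False}, "explorer.exe": {"spawn": True}}

EVENT_RE = re.compile(r"^(\d+) (\S+) (open|write|close|spawn) (.+)$")

def parse_events(text):
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            pid, proc, op, target = m.groups()
            events.append((int(pid), proc, op, target))
    return events

def blacklist_heuristic(events):
    """Generic rule: a process opens, writes to, then closes an .exe file."""
    state = defaultdict(int)  # (pid, target) -> steps matched so far
    alerts = []
    for pid, proc, op, target in events:
        if not target.lower().endswith(".exe"):
            continue
        key = (pid, target)
        if op == ("open", "write", "close")[state[key]]:
            state[key] += 1
            if state[key] == 3:  # full open -> write -> close sequence seen
                alerts.append(f"generic.trojan pid={pid} {proc} modified {target}")
                state[key] = 0
    return alerts

def whitelist_heuristic(events, profile=HOST_PROFILE):
    """Host-profile rule: alert when an app does what its profile forbids."""
    alerts = []
    for pid, proc, op, target in events:
        rules = profile.get(proc)
        if rules is not None and rules.get(op, True) is False:
            alerts.append(f"profile.violation pid={pid} {proc} {op} {target}")
    return alerts

def scan(text=SAMPLE_EVENTS):
    events = parse_events(text)
    return blacklist_heuristic(events) + whitelist_heuristic(events)
```

Running `scan()` flags the installer that rewrote an .exe under the generic rule and the browser spawning a child under the profile rule, while explorer.exe's spawn passes because the profile permits it.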

------
jmartinpetersen
This is equally fascinating and terrifying. The infection vector is still
unknown, and they haven't even been able to recover the 64 bit version.

Neither China nor the USA is among the ten countries with most infections.

~~~
huhtenberg
The infection vector is most certainly dynamic and varies by case and with
time. Just need a fresh zero-day to make the target machine execute the dropper.

------
lifeisstillgood
>>> Its capabilities and the level of resources behind Regin indicate that it
is one of the main cyberespionage tools used by a nation state.

Wow. Just wow.

It should not surprise us, but I wonder what the reaction was when people
first realised telephones could be and were being tapped?

~~~
schoen
I remember enjoying this blog post on AT&T's amicus brief in the _Olmstead_
case:

[https://www.eff.org/deeplinks/2007/08/how-ma-bell-fought-you...](https://www.eff.org/deeplinks/2007/08/how-ma-bell-fought-your-privacy-80-years-ago)

The most awesome comment from AT&T was that "this telephone system offers a
means of espionage to which general warrants and writs of assistance were the
puniest instruments of tyranny and oppression".

~~~
lifeisstillgood
This is pretty good for the 1920s:

[I]t is better that a few criminals escape than that the privacies of life of
all the people be exposed to the agents of the government, who will act at
their own discretion, the honest and the dishonest, unauthorized and
unrestrained by courts

Yes.

------
tptacek
_and alternative encryption in the form of a variant of RC5, which isn’t
commonly used_

RC5 is uncommon because it's a crappy old 1990s cipher. If its use is
suggestive of anything, it's probably cryptographic incompetence.

~~~
alister
Let's not jump to conclusions. If Symantec's characterization of the
sophistication of this malware is accurate, then surely they could have
afforded some crypto expertise.

First, can we agree that any encryption algorithm better than a Caesar cipher
is good enough _for this particular application_? That's because nobody who's
analyzing this malware is going to bother with cryptanalysis because there's
an easier approach. The encrypted data has to get decrypted before it runs.
Therefore, you watch the execution with a debugger until it gets decrypted and
executed, and then just capture the plaintext data (and the key if you want).

Given that resisting serious cryptanalysis is off the table, I can suggest
several reasons for RC5:

\- It has much smaller code size (500 bytes vs 15000 for AES).

\- It's less vulnerable to fingerprinting. That is, anti-virus software might
have checks for AES but not RC5. The malware writer would _know_ this because
they actually tested their malware against all the anti-virus products and
found that none of them have signature or heuristic checks for RC5 but do
against AES. (I'm just fleshing out the thought; I don't know if AV software
checks for AES and RC5.)

\- AES runs faster than RC5 in general, but maybe the particular platform or
instruction set for this malware makes RC5 faster.

~~~
tptacek
I'm having trouble parsing this comment. Your suggestion is that the author is
sophisticated _and that's why they chose RC5_? RC5 is a broken 1990s cipher.
If the authors wanted to minimize code size, they'd have used a native stream
cipher, not a 64-bit block cipher.

I'm also having trouble with the idea that the author of this trojan might be
GCHQ or NSA (or sponsored by them), but that cryptanalytic techniques from the
late 1970s are off the table.

~~~
alister
> _the author is sophisticated and that's why they chose RC5_

I'm saying that because the author is sophisticated, they know that the
strength of the algorithm doesn't matter (so long as it's not something
ridiculously simple).

DES, AES, RC5, RC6, whatever. They're all good enough because Symantec (or
whoever is analyzing the malware) is going to get the plaintext no matter
what. Symantec is not going to do any cryptanalysis whatsoever. Symantec is
going to run the sample malware in a debugger and watch it get decrypted. The
malware _must_ decrypt itself in order to run.

~~~
AlyssaRowan
The malware must decrypt _the parts_ that it runs. (There's an obfuscation
technique that's apparently quite strong in existence, but it produces
gigabyte executables for simple 5-condition if statements you can brute force
by hand, so it's ludicrously impractical.)

This could be worse. It could have encrypted routines for which the commands
are the decryption keys. It doesn't appear to be particularly polymorphic. If
there's a BIOS/PCI dropper, it's (sadly) long gone here.

------
datashovel
I think the thing that's most frightening here is that those who created this
thing have had 6 years to iterate and improve on the design before being
discovered, so what has been found may just be the tip of the iceberg.

------
r721
"As always, attribution is difficult with cases like this. Our belief is that
this malware, for a change, isn't coming from Russia or China."

[https://www.f-secure.com/weblog/archives/00002766.html](https://www.f-secure.com/weblog/archives/00002766.html)

"Securelist - Regin: Nation-state ownage of GSM networks"

[http://securelist.com/blog/research/67741/regin-nation-state...](http://securelist.com/blog/research/67741/regin-nation-state-ownage-of-gsm-networks/)

------
Spearchucker
Amazing how Symantec use this to push their software rather than providing
even a clue to determining whether you're infected or not. Never miss an
opportunity to cash in, I suppose.

~~~
sandstrom
There are some details in the whitepaper.

I don't think this post comes off as an attempt to make more money.

Rather, I think it's applaudable that they release information on threats from
governments (and not only traditional spyware/virus).

Since this is (probably) built by a government, one can be certain that a
government somewhere (presumably Western, given the infected countries) is
upset about the release. And they didn't cave in to that, which is good.

~~~
ealexhudson
I would guess they didn't cave because no Government has registered their
upset at this. If they did, it would be pretty clear which Government it was -
making me think the Government in question has few levers to pull against
Symantec.

~~~
billyhoffman
I disagree. Symantec is one of the few companies on the planet that has had to
deal with this exact situation before: Stuxnet.

By late 2010, Symantec had come to the conclusion that Stuxnet was most
probably a joint US/Israeli malware project, designed to disrupt Iran's quest
for a nuclear bomb. [1]

Just try and imagine the gravity of that moment. They had stumbled into
an international covert action involving weapons of mass destruction. I mean
the closest thing I can even compare this with is fiction (the "too many
secrets"/"using the magic box" scene in the movie Sneakers). But this wasn't
fiction, and Symantec researchers and management had to decide what to do.

They could have just shut up and said nothing. After all, they were a US
company, forbidden by law even to do business in Iran. But they didn't do
that. Rightly or wrongly, they published their findings in a whitepaper and
told the world about it.

I think Symantec has earned the benefit of the doubt when dealing with state
sponsored malware.

[1] [http://www.wired.com/2011/07/how-digital-detectives-decipher...](http://www.wired.com/2011/07/how-digital-detectives-deciphered-stuxnet/all/)

------
jonah
How are these things named?

Is "Regin" or "Stuxnet" a string somewhere? Do the researchers make the names
up?

(And, what do the creators think of the name their tool is given vs. what they
called it.)

~~~
nikcub
Stuxnet: named for files .stub (where config was stored) and mrxnet.sys (main
driver), by Microsoft

Duqu: named for the "~DQ-" temporary files it created, by researchers in
Hungary who found it and wrote the report

Flame: is from a routine called "InstallFlame", so the malware name is likely
same between discoverers and writers.

The naming convention is usually to find a unique identifier used in the
malware. Portmanteaus are common. We often don't find out what the writers'
name was, although both Stuxnet and Flame were part of Operation Olympic
Games[0]

[0] [http://en.wikipedia.org/wiki/Operation_Olympic_Games](http://en.wikipedia.org/wiki/Operation_Olympic_Games)

------
mooneater
Nice story.

But this is HN: Now how do we ensure our servers are unaffected?

~~~
throwawayaway
Looking at the PDF it appears that it's Windows specific.

~~~
rsync
Exactly. I read through the page twice trying to simply determine "is this
interesting to me at all".

No, it's not. As usual, you can thwart "nation state" malware by simply not
running Windows.

Wake me when there's malware for FreeBSD (seriously - it would change my
world).

~~~
jmartinpetersen
I'm sorry, but this seems incredibly naive. Stuff like this, which is
apparently used against designated targets, surfaces because Symantec and
similar companies cast an incredibly wide net looking for odd stuff in the
wild.

Few do this at a large scale for Linux, and I guess nobody does it for
FreeBSD. But just because no one has caught sophisticated malware from a nation
state in the wild doesn't mean it isn't there. So even if the code doesn't
apply to you, the determination this shows from the attacker would if you
have something to hide.

Do you seriously expect the NSA (or their Chinese counterparts) just to give
up and go home if a target they are interested in happens to use something
else than Windows?

~~~
rsync
No, no ... certainly running a non-Windows OS does not protect you from the
actual nation-state.

But the takeaway here is how we should update our threat levels and paranoia
levels as a result of this new knowledge.

In this case, as usual, it appears to be "not much".

------
rookonaut
So... Symantec found this years ago. New version is out. Symantec is allowed
to publish the "news"...

------
tempodox
That kind of information should be published by the CIA, FBI, NSA, ...
themselves instead of destroying Democracy with their secret gag orders. “I'm
not allowed to say that I'm not allowed to say anything”. Can it still get
worse than it already is? Any random terrorist is more honorable than the
Feds. At least they're not lying about being terrorists.

------
junto
No five eyes in that list.

