Regin Cyber-Spy Malware Cast Wide Net for Telecom Phone Call Data

By Wayne Rash  |  Posted 2014-11-24
Regin Malware

Then the code can pull in whatever it needs from the registry: additional code, configuration information, or even the next stage of the infection.

Adding to the complexity is that the initial version of the malware has apparently been withdrawn from the field, perhaps because security researchers had found it. Unfortunately for the malware writers, researchers at Kaspersky Lab and at Symantec were able to locate debris left behind when the malware was erased, including a series of log files that revealed a great deal about the malware as well as its command and control servers.

According to researchers at Kaspersky, Regin makes use of what the company calls "Communications Drones" that are able to carry messages beyond normal packet boundaries. This means drones are able to send messages to outside services from within the network so they appear to be going to one place while actually being forwarded to another. In an example given by Kaspersky, a control message may travel between a user's bank and their computer, and it may also involve a third-party message in another location in another nation.

In one instance observed by Kaspersky, messages moved between the president's office in an undisclosed nation and a bank he usually deals with. But once the message is at the bank, it generates another message that goes to a control server in India. Because the second message takes place outside the president's network, his security team would never see it.

Fortunately, current malware detection software can find and remove Regin, at least until the next version is out. Malware scanning software that watches what comes into a machine should also be able to catch Regin, as long as it watches everything. The current version of Regin was downloaded through a number of methods, including Yahoo Messenger.

However, there's no reason that the initial loader can't be embedded in an email message or any place else. This means the usual vigilance about not downloading anything is still the best advice. But even that policy may not be enough if the person trying to get this installed is particularly creative.

Looking at the list of nations that have been infected, getting creative may have been essential. Right now most signs point to a state-sponsored player in the release of Regin, and it could be a collaboration between two or more states.

Researchers have uncovered fragments of information in Regin code that indicate that the writers were English speakers. So the question now is whether the Regin malware came from the U.S. or Israel, or whether they were simply made to look like that.
