Today’s malware of the moment, something called Regin, has just made the news because of an announcement by security researchers at Symantec. But it’s important to know that the only thing that’s new is Symantec’s announcement. Regin has actually been around for years, perhaps as long as a decade.
In fact, I’d heard from senior security executives about some state-sponsored malware they were trying to get a handle on during meetings at CeBIT in 2013. At the time nobody was really sure exactly what this cyber-spy malware did, where it came from or what its intended purpose might be.
Most of that is still true. But it turns out that the original reason the much-discussed Regin malware may have been created was to collect call data from GSM phone networks. The National Security Agency has admitted to gathering such call data from voice networks and by all accounts is still gathering it.
But what makes Regin unique is not so much what it does, but rather how it works. What Regin (short for reg–in or “in registry”) provides is a platform that can be used to load nearly anything that you’re likely to want for information gathering. Researchers have found a wide variety of intelligence-gathering functions in the malware, including key logging, network sniffing and password stealing, according to Liam Murchu, senior development manager for Symantec Security Response.
“It’s a sophisticated platform for delivering modules onto computers,” Murchu told eWEEK. “Each victim gets different modules.” He noted that one thing that’s very unusual is that Regin has been used to attack a variety of targets including telecom companies, airlines, hotels and government agencies. But according to research by Kaspersky Lab, it was initially aimed at telephone networks.
Regin is also unusual in how it loads itself into the Windows computer that hosts it and in how it avoids detection. While the initial loader exists as a device driver or application on the hard disk of the target computer, the rest of the executable code lives in two places that aren’t always checked. One is NTFS Extended Attributes, a part of Windows originally written to support Microsoft’s long-abandoned collaboration with OS/2.
The second area is in the Windows Registry on infected computers. The registry is a database on Windows computers that keeps track of the resources and configuration of installed software. The sequence appears to be that the initial loader gets the rest of its code from where it’s stored in the Extended Attributes.
Regin Cyber-Spy Malware Cast Wide Net for Telecom Phone Call Data
Then the code can pull in whatever additional code, configuration information, or even the next step in the infection from the registry.
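The staging described above, code parked in registry values rather than in files on disk, is something a defender can hunt for. The following is an added example, not code from the article, Symantec or Kaspersky: it parses a Windows .reg export (a constructed sample is embedded) and flags REG_BINARY values that are both large and high-entropy, which is what packed or encrypted stage code tends to look like. The size and entropy thresholds are assumptions for illustration, not Regin indicators.

```python
import math
import re
from collections import Counter

# Constructed sample of a regedit export; the "Blob" value is made-up test data.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Settings]
"Flag"=dword:00000001
"Small"=hex:01,02,03,04

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Cache]
"Blob"=hex:8f,3a,c1,77,02,e9,5b,d4,6e,19,aa,f0,33,7c,b8,05,\
  91,4d,e2,0c,57,ba,68,f3,1e,c7,2a,9d,40,85,db,16,\
  6a,f8,23,bc,07,94,d1,4f,e6,0b,58,a3,7d,c9,32,ee
"""

# Matches "Name"=hex:... (REG_BINARY) and "Name"=hex(N):... (other typed data).
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=hex(?:\([0-9a-fA-F]+\))?:(?P<data>.*)$')

def parse_reg_binary_values(text):
    """Yield (key_path, value_name, raw_bytes) for every hex-encoded value."""
    key, lines, i = None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        hexdata = m.group('data')
        # regedit wraps long values with a trailing backslash continuation line
        while hexdata.rstrip().endswith('\\') and i < len(lines):
            hexdata = hexdata.rstrip()[:-1] + lines[i].strip()
            i += 1
        raw = bytes(int(b, 16) for b in hexdata.replace(' ', '').split(',') if b)
        yield key, m.group('name'), raw

def shannon_entropy(data):
    """Bits per byte; uniformly random data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def find_suspicious_blobs(text, min_size=32, min_entropy=4.0):
    """Return (key, name, size, entropy) for large, high-entropy binary values."""
    hits = []
    for key, name, raw in parse_reg_binary_values(text):
        ent = shannon_entropy(raw)
        if len(raw) >= min_size and ent >= min_entropy:
            hits.append((key, name, len(raw), round(ent, 2)))
    return hits
```

On a real system you would run this over an export of the hives (or walk them live with `winreg`) and then triage each hit by hand; large high-entropy values are not proof of anything on their own.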
Adding to the complexity is that the initial version of the malware has apparently been withdrawn from the field, perhaps because security researchers had found it. Unfortunately for the malware writers, researchers at Kaspersky Lab and at Symantec were able to locate debris left behind when the malware was erased, including a series of log files that revealed a great deal about the malware as well as its command and control servers.
According to researchers at Kaspersky, Regin makes use of what the company calls “Communications Drones” that are able to carry messages beyond normal packet boundaries. This means drones are able to send messages to outside services from within the network so that they appear to be going to one place while actually being forwarded to another. In an example given by Kaspersky, a control message may travel between a user’s bank and their computer, and it may also involve a third-party message in another location in another nation.
In one instance observed by Kaspersky, messages moved between the president’s office in an undisclosed nation and a bank he usually deals with. But once the message is at the bank, it generates another message that goes to a control server in India. Because the second message takes place outside the president’s network, his security team would never see it.
Fortunately, current malware detection software can find and remove Regin, at least until the next version is out. Malware scanning software that watches what comes into a machine should also be able to catch Regin, as long as it watches everything. The current version of Regin was downloaded through a number of methods, including Yahoo Messenger.
However, there’s no reason the initial loader can’t be embedded in an email message or anywhere else. This means the usual vigilance about not downloading anything is still the best advice. But even that policy may not be enough if the person trying to get this installed is particularly creative.
Looking at the list of nations that have been infected, getting creative may have been essential. Right now most signs point to a state-sponsored player in the release of Regin, and it could be a collaboration between two or more states.
Researchers have uncovered fragments of information in Regin code that indicate the writers were English speakers. So the question now is whether the Regin malware came from the U.S. or Israel, or whether it was simply made to look that way.