Regin is the latest piece of scary government-made malware

The year was 2010. South Africans were rejoicing at having hosted a successful football World Cup tournament, and security researchers at Symantec's Culver City office in California were digging into what was then regarded as the most sophisticated malware ever seen – and what was likely the first piece of weaponised code deployed by one nation against another – Stuxnet.

[Embedded video: "Stuxnet: Anatomy of a Computer Virus" by Patrick Clair, on Vimeo]

Four years later, yet another football spectacular has come and gone, and researchers from Symantec have been busy digging through more malware, almost certainly built by an intelligence agency with the resources of a government behind it, and capable of far greater, and scarier, things than Stuxnet ever was.

The new malware, called Regin, first appears in files dating back to 2008; it was withdrawn from infected systems in 2011 and reappeared in a slightly altered version in 2013. It has been used against vastly different sectors, from aviation to telecoms, as well as a host of private individuals, and has been spotted in ten or more countries, with Russia and Saudi Arabia accounting for the largest share of infections.

Regin, like Stuxnet before it, is multi-stage malware: the initial infection is used to install further modules, each of which performs a different task. Symantec has detected dozens of modules so far, with capabilities that "include several Remote Access Trojan (RAT) features, such as capturing screenshots, taking control of the mouse's point-and-click functions, stealing passwords, monitoring network traffic, and recovering deleted files."

Unlike most malware, Regin is stealthy by design: it was built from the outset to be as close to undetectable as possible, most plausibly so that it could monitor a target's information assets and send data back for years after infection. It stores almost all of its data "as encrypted data blobs", which leaves only the most minimal traces of the infection for scrutiny.
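Why encrypted blobs matter to defenders, as an added illustration that is not code from the article or from Symantec's analysis: a string or signature scan that trips on a module's telltale text in the clear finds nothing once the same bytes are stored encrypted, so defenders fall back on coarser heuristics such as byte entropy. The XOR-with-SHA-256 keystream below is a toy stand-in for "an encrypted stage" and has nothing to do with Regin's actual scheme; the module strings, indicators and key are constructed for the example.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a single repeated value, 8.0 for a
    perfectly uniform byte distribution."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def contains_indicator(data: bytes, indicators: list[bytes]) -> bool:
    """Plain substring/signature match: the check an encrypted blob defeats."""
    return any(ind in data for ind in indicators)


def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """Coarse heuristic: a near-uniform byte distribution. Compressed archives
    and legitimately encrypted files score just as high, so treat a hit as a
    lead for further triage, not as proof of malware."""
    return shannon_entropy(data) >= threshold


def pseudo_encrypted_blob(plaintext: bytes, key: bytes) -> bytes:
    """Toy stand-in for an encrypted stage: XOR with a SHA-256 counter
    keystream. Illustrative only; it is not Regin's scheme and is not a
    recommended cipher. XOR makes it its own inverse."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(plaintext):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(p ^ k for p, k in zip(plaintext, stream))


# Constructed sample "module": RAT-like strings stored in the clear.
SAMPLE_MODULE = (
    b"screenshot capture module\x00"
    + b"GetAsyncKeyState\x00"
    + b"keylog buffer\x00"
) * 40
INDICATORS = [b"screenshot", b"GetAsyncKeyState"]  # constructed signatures
KEY = b"example-key-not-real"                        # constructed key


def triage(data: bytes) -> dict:
    """Run both checks over a blob and report what each one sees."""
    return {
        "entropy": round(shannon_entropy(data), 2),
        "signature_hit": contains_indicator(data, INDICATORS),
        "high_entropy": looks_encrypted(data),
    }


if __name__ == "__main__":
    # The plaintext module trips the signature scan but not the entropy check;
    # the same bytes encrypted do the reverse.
    print("plaintext :", triage(SAMPLE_MODULE))
    print("encrypted :", triage(pseudo_encrypted_blob(SAMPLE_MODULE, KEY)))
```

The point of running both checks side by side is that neither is sufficient on its own: the signature scan is precise but blind to anything encrypted, while the entropy check sees the encrypted blob but cannot tell it from a ZIP file, which is why an implant that stores almost everything encrypted leaves so little for scanners to work with.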

Scariest of all, even though Symantec has been poring over the files for the better part of a year, the researchers still have not been able to pin down the source of the infections, nor to establish how a computer is infected with Regin in the first place.

The team are hoping that publishing their findings will prompt other researchers to come forward with their own evidence, so that a fuller picture of Regin can be built.

[Source – Symantec, Via – re/code]
