DV Hardware - bringing you the hottest news about processors, graphics cards, Intel, AMD, NVIDIA, hardware and technology!

   Home | News submit | News Archives | Reviews | Articles | Howto's | Advertise
 
DarkVision Hardware - Daily tech news
November 16, 2018 
Main Menu
Home
Info
News archives
Articles
Howto
Reviews
 

Who's Online
There are currently 177 people online.

 

Latest Reviews
Arctic BioniX F120 and F140 fans
Jaybird Freedom 2 wireless sport headphones
Ewin Racing Champion gaming chair
Zowie P-TF Rough mousepad
Zowie FK mouse
BitFenix Ronin case
Ozone Rage ST headset
Lamptron FC-10 SE fan controller
 

Follow us
RSS
 

Sophisticated nation-state trojan went undetected since 2008

Posted on Monday, November 24 2014 @ 16:59:26 CET by


UPDATE - 19:44 CET: Intercept claims US and British intelligence agencies were behind these attacks:
The Regin malware, whose existence was first reported by the security firm Symantec on Sunday, is among the most sophisticated ever discovered by researchers. Symantec compared Regin to Stuxnet, a state-sponsored malware program developed by the U.S. and Israel to sabotage computers at an Iranian nuclear facility. Sources familiar with internal investigations at Belgacom and the European Union have confirmed to The Intercept that the Regin malware was found on their systems after they were compromised, linking the spy tool to the secret GCHQ and NSA operations.



Security researchers from Symantec announced the discovery of "Regin", a highly sophisticated piece of malware that stayed under the radar for at least six years. Symantec says everything points to Regin being a primary cyberespionage tool of a nation state, but who's doing the spying remains a mystery.

Regin uses a multi-stage attack system, each stage is encrypted and none by themselves are revealing about the overall attack. The trojan uses a custom-made encrypted virtual file system as well as other non-standard techniques as a means of stealth. Symantec believes many components of Regin remain undiscovered but discovered that there are two variants of Regin. Initial attacks were committed between 2008 and 2011, after which the malware disappeared until the arrival of an updated, 64-bit Regin 2.0 trojan in 2013.
Symantec has not found a stage 3 for the 2.0 version, which may be explained by the fact that the 1.0 stage 3 is a device driver, and installing device drivers on 64-bit Windows surreptitiously is a difficult proposition even, it would seem, for the most sophisticated of attackers.

Symantec's description in their threat database of the threat, where they call it Backdoor.Trojan.GR, indicates that it was detected and protection provided on December 12, 2013. Presumably they did not know what they had until much more recently, and retrospective analysis revealed the true nature of the threat and its use prior years.

Even so, there is still much about Regin that they do not understand. They have, for example, not identified a reproducible infection vector, and these may have been customized for attacks. There are also "dozens of Regin payloads," providing for all the usual things like password stealing, captured screens, stolen files — including deleted files — and more.
Regin explained

A look at a chart of Regin infections by country reveal just over half of all infections targeted Russia and Saudi Arabia. Ireland and Mexico both accounted for 9 percent of attacks, while the remaining 30 percent of attacks was split evenly between India, Afghanistan, Iran, Belgium, Austria and Pakistan.

Regin by country infections

Source: ZD Net



 



 

DV Hardware - Privacy statement
All logos and trademarks are property of their respective owner.
The comments are property of their posters, all the rest © 2002-2018 DM Media Group bvba