Regin Malware / Spyware is Made in the West

This morning Symantec’s Sian John spoke on the Radio 4 Today Programme about a new piece of malware that is infecting computers. It is called Regin and it is so advanced that Symantec are still unsure what it can and can’t do. It is thought to have been developed by a Western government.

“In the world of malware threats, only a few rare examples can truly be considered groundbreaking and almost peerless. What we have seen in Regin is just such a class of malware.” – Symantec, 2014.

Sian John told John Humphrys that the software had some signatures that suggested it was developed by a western country. It is speculated that a government organisation could be behind the software.

Like all malware it embeds itself on a computer to carry out specific tasks, although unlike other malware this seems to be capable of performing many different tasks, one of which certainly appears to be information gathering.

It encrypts all data that it sends so that Symantec are still not entirely sure what information it is gathering, although Sian John did mention keystrokes (possibly login/password details) and email interception.

By the sounds of it, if this is sitting on your computer a government or corporation out there knows everything about you.

Sian John did suggest that this is more likely to be an advanced espionage tool and it has been found on machines on business networks.

“Targets include private companies, government entities and research institutes. Almost half of all infections targeted private individuals and small businesses. Attacks on telecoms companies appear to be designed to gain access to calls being routed through their infrastructure.”  Symantec, 2014.

So far most attacks have been on Saudi Arabia, Russia, Mexico and Ireland, with India, Afghanistan, Iran, Belgium, Austria and Pakistan also making it into the top 10 affected countries.

What does it do?

As mentioned, we do know that it can read emails, monitor phone calls and copy files. Sian John described it as a modular piece of malware that has many functions that can be switched on and off as required.

“The threat’s standard capabilities include several Remote Access Trojan (RAT) features, such as capturing screenshots, taking control of the mouse’s point-and-click functions, stealing passwords, monitoring network traffic, and recovering deleted files.

More specific and advanced payload modules were also discovered, such as a Microsoft IIS web server traffic monitor and a traffic sniffer of the administration of mobile telephone base station controllers.” Symantec, 2014.

This makes phone hacking look like child’s play – somebody out there is able to listen in on any phone call, read any email and copy documents from any computer that has been infected. The big question is, who? And of course, what is to stop a criminal organisation from doing the same?

Symantec have written about it on their blog, read Regin: Top-tier espionage tool enables stealthy surveillance (Symantec, 2014) to learn more.

For more detailed analysis read their Security Response document, Version 1.0 – November 24, 2014 (pdf).

Leave a Reply

Your email address will not be published. Required fields are marked *