Security experts say Regin virus could be nastier than Stuxnet
November 25, 2014
A recently discovered, highly advanced and destructive malware instance, said to be as sophisticated as, and potentially nastier than, the famous Stuxnet and Duqu viruses, has been detected.
"Regin" has security researchers opining that it may in fact be nastier than both. Regin is thought to have been developed by a nation-state because of the financial clout needed to produce code of such complexity.
The malware targets organizations in the telecommunications, energy and health sectors. Symantec malware reversers found attackers have foisted Regin on targets using mixed attack vectors including one unconfirmed zero-day in Yahoo Messenger.
"To be sure, Regin is a complex piece of malware whose structure displays a degree of technical competence rarely seen," Symantec's researchers wrote.
Customisable with an extensive range of capabilities depending on the target, it provides its controllers with a powerful framework for mass surveillance and has been used in spying operations against government organizations, infrastructure operators, businesses, researchers and private individuals.
It is likely that its development took months, if not years, to complete and its authors have gone to great lengths to cover their tracks. Its capabilities and the level of resources behind Regin indicate that it is one of the main cyber espionage tools used by a nation state.
Symantec didn't name a nation as the source of Regin, but is willing to say most of its victims were from Russia and Saudi Arabia and were targeted between 2008 and 2011 by a version of the malware that has since been decommissioned; the malware re-surfaced after 2013.
About half of those targeted were private individuals and small businesses, and about 23.4 percent were telco backbone operators.
Hospitality, energy, airline and research organizations round out the remainder in about equal measure.
Russia and Saudi Arabia soaked up half of the total attacks, followed by Mexico and Ireland at nine percent each.
"Its design makes it highly suited for persistent, long term surveillance operations against targets," the Symantec researchers wrote.
The highly complex malware was comparable only to Stuxnet and Duqu, the researchers said in the report, "Regin: Top-tier espionage tool", and many of its elements remain undiscovered.
Overall, Regin can install many highly customized payloads including remote access trojans to swipe keystrokes and screenshots, tools to glean information on various processes and memory utilization, and others to recover deleted files.
Specialist modules were found monitoring Microsoft Internet Information Services network traffic, parsing mail from Exchange databases, and collecting administration traffic for mobile base station controllers.
Regin's authors encrypted the data blocks of every stage after the stage one vector. The stage zero dropper, probably responsible for setting the NTFS extended attributes and registry keys that held the encoded data of the subsequent stages, was not found.
Researchers found some 64-bit versions that differed from the 32-bit variant in the file names used and in modifications to stage one as a kernel mode driver. Stages three and five of the 64-bit versions had not been found at the time of writing.
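The storage scheme described above (encrypted later stages hidden in registry values or NTFS extended attributes) leaves a detectable footprint: a value that is both unusually large and nearly random. The following added example, which is not code from the article or from Symantec's report, applies a size-plus-entropy heuristic to constructed registry-style values; the key names and blob contents are placeholders, not real Regin artefacts.

```python
import hashlib
import math

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or constant data, 8.0 max)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pseudo_random_blob(seed: bytes, size: int) -> bytes:
    """Deterministic high-entropy bytes (chained SHA-256) standing in for an
    encrypted payload stage. Constructed test data, not real malware."""
    out, block = bytearray(), seed
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:size])

# Constructed registry-style values; the key names are placeholders.
SAMPLE_VALUES = {
    "HKLM\\SOFTWARE\\Example\\InstallPath": b"C:\\Program Files\\Example\\app.exe",
    "HKLM\\SOFTWARE\\Example\\LicenseHash": hashlib.sha256(b"licence").digest(),  # random but tiny
    "HKLM\\SOFTWARE\\Example\\Notes": b"lorem ipsum dolor sit amet " * 100,        # large but low entropy
    "HKLM\\SOFTWARE\\Constructed\\StageBlob": pseudo_random_blob(b"seed", 4096),  # large and random
}

def find_suspicious_values(values, min_size=1024, min_entropy=7.0):
    """Return (name, size, entropy) for values that are both large and nearly random,
    the profile of an encrypted stage stashed in a registry value or an NTFS
    extended attribute. Caveat: base64-encoded data tops out near 6 bits/byte,
    so encoded (rather than encrypted) stages need a lower threshold or a decode
    step before the entropy check."""
    hits = []
    for name, data in values.items():
        ent = shannon_entropy(data)
        if len(data) >= min_size and ent >= min_entropy:
            hits.append((name, len(data), round(ent, 2)))
    return hits

if __name__ == "__main__":
    for name, size, ent in find_suspicious_values(SAMPLE_VALUES):
        print(f"{name}: {size} bytes, entropy {ent} bits/byte")
```

The same heuristic applies to extended-attribute contents once they are read off disk; only the `StageBlob` entry should be reported for the sample data.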