IT Security Guru

Regin – most sophisticated or more hype?

by The Gurus
December 3, 2014
in Opinions & Analysis

Following the recent news of the highly sophisticated Regin malware being discovered, there has been some talk of this being the most advanced malware ever seen.
I contacted computer scientist and anti-virus guru Fred Cohen to ask what he thought of Regin, which he simply responded to by saying: “I don’t think of it.”
I asked him if this is the greatest designed piece of attack material or something mirroring other efforts. Cohen said: “Or is it the latest media hype surrounding longstanding attacks on information technology and systems?”
Perhaps Fred had a valid point; have we hyped up this threat to scare people with the research?
Unconvinced by what he had seen was Tomer Weingarten, CEO of SentinelOne. He said that Regin appears to use many of the same techniques as previously known malware called Turla, which was used in a government campaign. But one thing that bothered him about Regin was that its kernel driver was not signed, which would be needed to bypass Microsoft PatchGuard on the 64-bit version of Windows.
He said: “To bypass PatchGuard, malware needs a genuine security certificate. This has only been seen in malware a handful of times, and only in the most advanced attacks – Stuxnet is one example. This could imply that Regin is the work of a smaller Government which is not as technologically sophisticated as top tier nation states.”
I asked Weingarten if the modules are straightforward and are the claims of sophistication rather exaggerated. He said: “Some portions of the modules are sophisticated (especially if we consider this goes back to 2011 or so), like the persistence and obfuscation code.
“That being said, in the past there have been cases of malware using EVFS and the loading and communications mechanisms described in Regin. ‘Zero Access’ malware is one example. The modules themselves – like password stealing, keylogging and screen capture – are fairly straightforward. It does seem a little bit overhyped.”
I asked Steve Lord, technical director at Mandalorian, who had looked at the reports around Regin and described it as “beautiful”, what he thought of the claims. He agreed that some of the modules are sophisticated, but noted that, going by what malware researchers say, nobody has the full set of modules.
He said: “The peerless nature of the malware and virtual file system are pretty innovative. Whoever’s behind it has a lot of resources and the expert skills to pull this off in a highly controlled and structured manner.”
Weingarten further claimed that the most innovative elements of Regin that he had seen were in the “carrier” code used to install the malware, and in the persistence code which uses encrypted virtual file systems.
He did say that the command and control (C&C) communications were also sophisticated and designed to conceal outgoing traffic. “However, once the malware is installed, the payloads themselves (the “modules”) are straightforward and display the same actions and level of sophistication seen in everyday malware, such as screen grabbing, password stealing, etc.”
Lord said that, from what he had seen from other vendors, Regin deliberately uses multi-stage techniques to hide itself and even major malware researchers lack a full picture.
I asked him what he thought about the claim that “to bypass PatchGuard, malware needs a genuine security certificate”, and he said that obtaining a genuine certificate is more likely to be achievable by nation states, which are more capable of influencing vendors.
“Of course, when that doesn’t work it’s sometimes easier to resort to hacking a legitimate certificate, as happened when Iranians found that connections to their Gmail accounts were being intercepted and replaced with certificates stolen from defunct Dutch registrar DigiNotar,” he said.
“The Flame malware famously abused one of Microsoft’s certificates. The absence of a legitimate signed certificate isn’t uncommon, nor is it an indicator of a particular nation state’s activities.”
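Both interviewees return to the question of whether a kernel driver carries a legitimate signature. As an added defender-side illustration of that point (this is example code, not from the article or from SentinelOne, Mandalorian or any Regin analysis), the script below lists the kernel drivers currently loaded on a Windows host and flags any whose Authenticode signature is missing or does not verify. It assumes Windows PowerShell 5.1 or later, an elevated session, and that driver paths appear in the forms `Win32_SystemDriver` normally reports (`\SystemRoot\...`, `\??\C:\...`, or a plain path).

```powershell
# Added example: triage loaded kernel drivers by signature status.
# Assumes an elevated Windows PowerShell 5.1+ session (assumption, not from the article).

function Get-LoadedDriverSignatures {
    [CmdletBinding()]
    param()

    # Win32_SystemDriver enumerates kernel and file-system drivers;
    # State 'Running' means the driver is currently loaded.
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName }

    foreach ($drv in $drivers) {
        # Normalise the reported path: strip quotes and NT-style prefixes,
        # and resolve the \SystemRoot\ and bare System32\ forms to real paths.
        $path = $drv.PathName -replace '^"|"$', ''
        $path = $path -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        $path = $path -replace '^System32\\', "$env:SystemRoot\System32\"

        if (-not (Test-Path -LiteralPath $path)) {
            # A loaded driver whose on-disk image cannot be found is itself worth a look.
            [pscustomobject]@{ Name = $drv.Name; Path = $path; Status = 'FileNotFound'; Signer = $null }
            continue
        }

        # Status values include Valid, NotSigned, HashMismatch, NotTrusted and UnknownError.
        $sig    = Get-AuthenticodeSignature -LiteralPath $path
        $signer = $null
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

        [pscustomobject]@{
            Name   = $drv.Name
            Path   = $path
            Status = $sig.Status
            Signer = $signer
        }
    }
}

# Show only drivers that did not verify as validly signed; these are the triage list.
Get-LoadedDriverSignatures |
    Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Status, Name |
    Format-Table -AutoSize
```

Treat the output as a starting point rather than a verdict: a driver that verifies as `Valid` may still be signed with a stolen or abused certificate, which is exactly the case Lord describes with Flame and DigiNotar, so the signer subject and the certificate's revocation status deserve the same scrutiny as an outright `NotSigned` entry. Conversely, some legitimate drivers are signed through a catalog rather than an embedded signature, so confirm any non-`Valid` result against the vendor's catalog before concluding anything.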
With news this week of Sony Pictures, FIN4 and Wiper, it is easy to forget about the impact, though I can recall the persistent coverage that Stuxnet and Flame generated. Was Regin media hype or a genuine threat? Time will tell, and if we are still talking about its capabilities influencing future malware campaigns, then we will know that there was more than hype.

Tags: APT, attack, Malware, Regin, Stuxnet