Highly Advanced Backdoor Trojan Cased High-Profile Targets For Years
An anonymous reader points out this story at Ars about a new trojan on the scene. Researchers have unearthed highly advanced malware they believe was developed by a wealthy nation-state to spy on a wide range of international targets in diverse industries, including hospitality, energy, airline, and research. Backdoor Regin, as researchers at security firm Symantec are referring to the trojan, bears some resemblance to previously discovered state-sponsored malware, including the espionage trojans known as Flame and Duqu, as well as Stuxnet, the computer worm and trojan that was programmed to disrupt Iran's nuclear program. Regin likely required months or years to be completed and contains dozens of individual modules that allowed its operators to tailor the malware to individual targets.
Microsoft Windows only (Score:2, Insightful)
This apparently only runs on Windows.
I really don't understand why people run sensitive and critical stuff on Microsoft Windows. (I'm not trying to be a troll.) It's the world's biggest target for malware, it's a monoculture, and it has a security model that tends toward convenience over security, and was actually bolted on after-the-fact.
Unix (Linux) is about as far from a monoculture as you can get while still remaining reasonably compatible between distributions, and it was built with security in mind.
Re: (Score:3)
You are correct, poorly trained admins will net poorly secured systems with the same or similar horrible mistakes.
However, you are glossing over what was actually said in order to make those statements as if it was some overriding truth. The problem is that Windows exposes too much of the underlying system to running programs, so exploits in PowerPoint or Outlook can infect the entire machine kernel and spread to the servers via internal network support infrastructure (domain controller functions). Now much
Re: (Score:2)
Competent system administration, service pack management, e-mail security measures, effective firewall administration, and strictly enforced limitations on what an employee can access via the internet can substantially reduce the impact of even the most serious application-related exploits. The majority of malware today uses social engineering as its attack vector, but there are ways to prevent this in any company willing to invest in employee training and creating specific guidelines that even the most com
Re: (Score:1)
The first rule of security is:
_Do not do anything on a computer that has network capability_.
I've been told that Windows2000 was the last version of Windows that did not require calling home at least once a year, in order to function correctly.
I know that Windows7 point blank refuses to run if it hasn't called home in the last 180 days.
Re:Microsoft Windows only (Score:4, Interesting)
Maybe you missed all the critical remote code execution vulns Microsoft announced just this month.
https://technet.microsoft.com/en-us/library/security/ms14-nov.aspx [microsoft.com]
Four of the bulletins above are listed as critical remote execution. Two of them (schannel and OLE vulns) are very bad. The IE bulletin says it resolves 17 privately identified bugs.
As the previous poster said, Microsoft has placed convenience over security for many years now. They have improved dev processes a lot, but as you can see, many security folks still view MS as a liability.
Not to stray too far from the point, but I hope Linux distros aren't repeating Microsoft's mistakes with feature-laden packages like systemd and its ilk. Tons of new features in an inchoate software package with no security audits? That is how Microsoft got its reputation for insecurity.
Re: (Score:3)
You're implying you've read the Ubuntu vuln announcements for November. Why don't you explain to the class which of these are remote code execution vulns?
http://www.ubuntu.com/usn/ [ubuntu.com]
Maybe you can pick the worst one and explain why it's worse than Microsoft's schannel vuln.
Re: (Score:1)
Re: (Score:2)
Re: (Score:1)
Re: (Score:3)
You sure seem to have missed the point. The AC poster (you?) already lost the argument, whether he responds or not.
I made my point with questions, and the point was that none of the Ubuntu security notices were anywhere near as serious as Microsoft's schannel or OLE vulns.
Unless I missed something in the Ubuntu bulletins, none of those vulns were even suspected of being remote code execution vulns. The AC poster was flat-out wrong in his assessment that the Ubuntu notice had more vulns, and especially wro
Re: (Score:1)
Re: (Score:1)
Re: (Score:2)
Re: (Score:2, Insightful)
targeted attacks like this are OS agnostic, if the organisations they wanted to hack were running Linux or OSX then these would have been designed for that target instead.
Re: (Score:2)
targeted attacks like this are OS agnostic,
Correct, provisionally - targeted attacks are OS agnostic - if designed to be OS agnostic.
In the case of Regin (did you even read the lead before shooting your idiot mouth?) it is not OS agnostic. It affects Windows only. So does Stuxnet
Disclaimer - I have no problem with Steve Ballmer throwing chairs - as long as they're heavy, and hit idiots like you. Thanks for lowering the standard.
Re: (Score:3, Informative)
targeted attacks like this are OS agnostic,
Correct, provisionally - targeted attacks are OS agnostic - if designed to be OS agnostic.
In the case of Regin (did you even read the lead before shooting your idiot mouth?) it is not OS agnostic. It affects Windows only. So does Stuxnet
His point was that Regin attacks Windows because the people that the authors of Regin were trying to attack run Windows.
If the targets of Regin ran Linux, then Regin would attack Linux. Instead of using one of the dozens of Windows zero-days out there, they'd use one of the dozens of Linux zero-days out there. No, I can't cite them - they wouldn't be zero-days if I could.
Re: (Score:1)
No, I can't cite them - they wouldn't be zero-days if I could.
Can't or won't?
Re: (Score:3)
targeted attacks like this are OS agnostic,
Correct, provisionally. Targeted attacks are OS agnostic - if designed to be OS agnostic.
In the case of Regin (did you even read the lead before shooting your idiot mouth?) it is not OS agnostic. It affects Windows only. So does Stuxnet
His point was...
... not what you believe it was. I quoted the specific point I was replying to.
...not what the thread [slashdot.org] is about
...not what the main article is about.
Again - try reading before shooting your idiot mouth. It's not like you are incapable of focus or intelligent output. Perhaps you're having a bad day or it's just confirmation bias from some sort of emotional over-investment.
It could have been part of a suite of tools that include ones for other OS. But it is not, hence it's not relevant, and like the OP in t
Re: (Score:2)
I'm not saying that Regin is OS-agnostic.
I'm saying that the people who wrote Regin are probably OS-agnostic. If their targets weren't running Windows, then Regin wouldn't target Windows.
You're focusing on a specific piece of software, and missing the reason the software was written in the first place.
I'm not suggesting that Regin is part of a bigger suite of hacking tools. I'm saying that Regin was written by people with brains who could target any OS they wanted to target.
The personal attacks are not he
Re: (Score:2)
You're focusing on a specific piece of software, and missing the reason the software was written in the first place.
I'm focusing on what I quoted in my response. You're just being a goal-shifting egotistical dick - which is not "helpful" in any context.
Re: (Score:2)
You're focusing on a specific piece of software, and missing the reason the software was written in the first place.
I'm focusing on what I quoted in my response.
You quoted, "targeted attacks like this are OS agnostic."
Then you said "In the case of Regin (did you even read the lead before shooting your idiot mouth?) it is not OS agnostic."
He didn't say that Regin was OS agnostic. He said that targeted attacks are OS agnostic. Heck, you can perform a targeted attack without the use of a computer at all.
The people who wrote Regin weren't out to break Windows. They were out to obtain information. If it was easier to obtain that information by sending in ninjas at n
Linux is a monoculture. (Score:2, Informative)
Linux may not have been a monoculture back in the 1990s, but it's not the 1990s any longer!
All of the major distros are basically the same these days. The kernel is the same. The file system layout is the same. The package managers are either RPM or APT. Now that Debian and Ubuntu will switch or have switched, all of the major distros but Slackware (if it's even a "major" distro these days!) use or support systemd. They use pretty much the same userland software.
If Linux really wasn't a monoculture, then se
Re: Linux is a monoculture. (Score:2)
Re: (Score:2)
This is what their reaction used to be when we talked about switching Windows servers' operating system to Linux. "Linux? No! Wtf is Linux?"
Re: Linux is a monoculture. (Score:2)
Do your 10 other choices come with vendor support (canonical) and predictable release cycles?
Re: (Score:2)
I really don't understand why people run sensitive and critical stuff on Microsoft Windows.
Because doing so saves them both time and money - and those two factors trump everything else in their decision-making tree.
Re: (Score:2)
No, because the same would be true if they developed on top of stock OS X or Red Hat Linux.
Using someone else's platform as your base saves development time and money. It doesn't mean it's a smart move, but time and cost considerations seem to be all anyone cares about these days.
Re: (Score:2)
Dude, Windows admins are 1/5th the price of a good Unix admin. It is a lot cheaper. You can just hire anyone with an MSFT cert and be done with it at a bargain basement price.
No they will not be competent, not even have a clue about stability and security, but that does not matter.
Re: (Score:1)
Not having monoculture is only security thru obscurity. Basically instead of putting the key in the lock and turning clockwise to unlock it is turn it counter clockwise. It does not take long to figure it out...
In a targeted attack it is even worse.
Re: (Score:3)
Despite the "only security through obscurity" meme, you need to understand it, not just say it.
There are only two types of security:
1) security through obscurity,
and,
2) security through inaccessibility.
They can, however, be intelligently combined.
Please note that private key encryption is security through obscurity. Cutting the phone line is security through inaccessibility. Saying that "it's secure because they can't get the prime factors of that key" is security through obscurity.
Despite the meme, secur
Re: (Score:2)
The term "security through obscurity" is usually defined to refer to obscuring the design of a system, not to key secrecy. The difference is that the secrecy of keys provide a measurable barrier to brute force attacks. This is fundamental to the design of encryption systems, since we want to formally distinguish what must be kept secret from what is revealed.
I agree with your point about minimizing attack surfaces.
Re: (Score:2)
Examples of this would be "hand rolled encryption algorithm that we hide in a black box", "secret handshakes", "back doors which are left unlocked".
Re: (Score:3, Insightful)
This apparently only runs on Windows.
A targeted attack is going to run on whatever the target uses.
Re: (Score:1)
You've massively missed his point. Windows has long been a joke. Pop a CD in and it just runs an exe. Pop a USB key in and it just runs an exe. Other OSes are a little more discerning.
Re: (Score:1)
Autoruns has been disabled on Windows for years. Try flaming with something accurate. https://support.microsoft.com/kb/967715
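The policy the KB article above describes is a registry value, so whether AutoRun is actually off on a given machine can be checked rather than argued about. The following is an added example (not code from any commenter or from Microsoft's article) that reads the `NoDriveTypeAutoRun` policy value from both the machine-wide and per-user policy keys; `0xFF` disables AutoRun for every drive type. The function name `Get-AutoRunPolicy` is an assumption of this example.

```powershell
# Added example: report the AutoRun policy state that KB 967715 describes.
# NoDriveTypeAutoRun is a bitmask of drive types for which AutoRun is disabled;
# 0xFF (255) disables it for every drive type. Both the machine-wide (HKLM) and
# per-user (HKCU) policy keys are checked, since either can be in effect.

$autoRunPolicyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

function Get-AutoRunPolicy {
    foreach ($path in $autoRunPolicyPaths) {
        # A missing key or value simply yields $null rather than an error.
        $value = (Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun `
                  -ErrorAction SilentlyContinue).NoDriveTypeAutoRun

        [pscustomobject]@{
            Scope              = if ($path -like 'HKLM:*') { 'Machine' } else { 'User' }
            NoDriveTypeAutoRun = if ($null -eq $value) { '(not set)' } else { '0x{0:X2}' -f $value }
            AllDrivesDisabled  = ($value -eq 0xFF)
        }
    }
}

# Usage: print one row per scope; AllDrivesDisabled should read True on a
# machine where the policy from the KB article has been applied.
Get-AutoRunPolicy | Format-Table -AutoSize
```

A value that is not set does not by itself mean AutoRun is enabled, since the default behaviour depends on the Windows version and on the update state the KB article covers; the check only tells you what policy, if any, an administrator has applied.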
Re: (Score:2)
You've massively missed his point. Windows has long been a joke. Pop a CD in and it just runs an exe. Pop a USB key in and it just runs an exe. Other OSes are a little more discerning.
Windows hasn't done what you say for years.
Re: (Score:2)
There's now an entire generation of IS/IT managers, directors, and CIOs who not only prefer Microsoft technology but have an active dislike of anything related to Unix(tm) - including but not limited to Linux(tm). And along with dislike comes distrust and contempt. They firmly believe that Microsoft provides superior technology, tools, and usability, and that to choose other technology is not only to make a mistake but to expose themselves to professional risk.
You can disagree with them if you prefer (I ten
Re: (Score:2)
Microsoft is one price and you get a server and tools and all the features.
A lot of other products nickel and dime you for features, the tools to manage them, etc.
Re: (Score:2)
Linux is one price (free) and you get a server and tools and all the features.... bonus, you are not a target for malware!
Re: (Score:2)
That's a good one, go ahead and pull my other leg while you're trying to spin that for Microsoft.
Microsoft licensing is a nightmare. Just look at the segments for the desktop operating system. Or try to figure out which version of MS Office you need and whether a volume license will save you money (and whether you'll be in compliance). The server-side is no different with the different restrictions on the different variants of
Re: (Score:2)
I don't know how much the "actively dislike Unix" part is true, but yes, there are a lot of IT people that prefer Windows. And there are very good reasons for that. Microsoft makes some exceptionally good products in a number of areas. Here are some examples:
Re: (Score:1)
You could also throw in that the combination of Powershell and Windows Server allows the machine to run "headless"
Re: (Score:1)
Re: (Score:2)
>>Unix (Linux) is about as far from a monoculture as you can get
What, like Android, which has Linux underneath?
Re: (Score:2)
This apparently only runs on Windows.
I really don't understand why people run sensitive and critical stuff on Microsoft Windows. (I'm not trying to be a troll.) It's the world's biggest target for malware, it's a monoculture, and it has a security model that tends toward convenience over security, and was actually bolted on after-the-fact.
Unix (Linux) is about as far from a monoculture as you can get while still remaining reasonably compatible between distributions, and it was built with security in mind.
It runs on the system the target had. How many world leaders are running Linux? If it were a significant portion you can rest assured we'd start seeing these for Linux as well. The fact of the matter is, if your opponent is the NSA, your OS is rather irrelevant.
Re: (Score:2)
Unix (Linux) is about as far from a monoculture as you can get while still remaining reasonably compatible between distributions, and it was built with security in mind.
It was designed from scratch to be a multi-user system, which is neat and took Microsoft at least until UAC in 2006 to really implement. On the other hand Microsoft is the one who had a fleet of PCs that needed managing and created AD, which is the bread and butter of most corporate networks. That you can ssh in and run scripts isn't even close, I know there are third party tools to mimic some of it but there it's Microsoft that has the native advantage. And you can lock it way more down than the defaults.
I
Re: (Score:2)
It's the world's biggest target for malware, it's a monoculture, and it has a security model that tends toward convenience over security
Yes - the "dragnet" attacks tend to go after the most victims. If your attack has a certain chance of succeeding (like a social engineering attack), you'd be stupid to go after the 1% instead of the 90%. Now, in a *targeted* attack where the attacker singled out a specific victim or group of victims - the attacker will go after whatever those targets use.
and was actually bolted on after-the-fact.
Nope. The current strain of Windows was created from scratch with the present security model from the get-go. The security model is based on tokens and it
Re: Microsoft Windows only (Score:1)
Current strain of Microsoft Windows? Which ones? There are presently 7 variants (after losing count) of Windows 8. Are they all equally secure?
Windows 7? Vista? XPSP3 and 2003 Server?
Are the Home versions every bit as secure as the Professional versions?
Notice my glaring omission of NT.
Re: (Score:2)
Current strain of Microsoft Windows? Which ones?
All of the current Windows versions are derived from Windows NT. The security model was developed for Windows NT. It is the very same extensible (through SIDs) model that has later been extended for AD and later for UAC (Mandatory Integrity Control) in Windows Vista.
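The token-and-SID model this comment refers to can be inspected directly. The following is an added example, not code from the commenter or from Microsoft, that lists the SIDs in the current process token via `whoami /groups`, picks out the Mandatory Integrity Control label (the `S-1-16-*` SID added in Vista), shows whether the Administrators alias is enabled or filtered to deny-only by UAC, and then lists the ACEs on a directory so the same SIDs can be seen on the object side. The function names `Get-TokenSummary` and `Get-ObjectAces` are assumptions of this example.

```powershell
# Added example: the NT security model from both sides.
# Subject side: the access token carries the user SID, group SIDs and
# (since Vista) an integrity label SID. Object side: a DACL of ACEs that
# name those same SIDs. Access checks compare the two.

function Get-TokenSummary {
    # whoami /groups /fo csv emits columns: Group Name, Type, SID, Attributes.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv

    # The integrity label is reported with Type 'Label' and an S-1-16-* SID.
    $label = $groups | Where-Object { $_.Type -eq 'Label' }

    # S-1-5-32-544 is the well-known SID of the local Administrators alias.
    # Under UAC, a non-elevated admin token carries it with 'Group used for
    # deny only', so it cannot grant access; an elevated token has it enabled.
    $admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }

    [pscustomobject]@{
        User           = (whoami)
        IntegrityLevel = $label.'Group Name'
        IntegritySid   = $label.SID
        GroupSidCount  = @($groups | Where-Object { $_.Type -ne 'Label' }).Count
        AdminsInToken  = [bool]$admins
        AdminsEnabled  = [bool]($admins -and $admins.Attributes -match 'Enabled group')
        AdminsDenyOnly = [bool]($admins -and $admins.Attributes -match 'deny only')
    }
}

function Get-ObjectAces {
    param([string]$Path = $env:SystemRoot)
    # Each ACE names a principal (resolved from its SID), the rights granted
    # or denied, and whether it is an Allow or Deny entry.
    (Get-Acl -Path $Path).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
}

# Usage: run once non-elevated and once elevated to see the Administrators
# alias flip from deny-only to enabled and the integrity label change.
Get-TokenSummary | Format-List
Get-ObjectAces | Format-Table -AutoSize
```

Running this from a normal and from an elevated prompt is the quickest way to see what UAC actually changed in the token, which is the distinction the thread is arguing about.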
Re: (Score:2)
I really don't understand why people run sensitive and critical stuff on Microsoft Windows.
What's my other option?
You're under the mistaken assumption that people get a choice on what OS they run, as opposed to go out to major vendors with a request for proposal for, uber critical database, control system PCs, hospital records machine etc. and the vendors come back with a proposed package. You don't get a choice what package this runs on. In many cases you are given an entire PC / server setup with the package ready to go because the vendors often control the complete solution from licensing modu
Re: (Score:1)
Re: (Score:2)
Shell shock is not malware, it's a bug in Bash that can possibly be exploited if you have exposed Bash to the outside world through some poorly implemented service.
Yeah. Like Apache.
Backdoor Trojans? (Score:2)
I try not to let Trojans anywhere near my backdoor.
Re: (Score:2, Funny)
Nation uses malware to spy on ISP Customers... (Score:2)
Among other things, they were infecting ISP machines to monitor specific customers.
Anyway, guesses on the responsible party? China, Israel, Russia?
Re:Nation uses malware to spy on ISP Customers... (Score:5, Insightful)
Among other things, they were infecting ISP machines to monitor specific customers.
Anyway, guesses on the responsible party? China, Israel, Russia?
...or USA, Britain, France, Germany...
Re: (Score:1)
Germany
Don't be ridiculous. We have the Hackerparagraph. That shit is illegal in Germany.
Re: (Score:2)
Greece had the wiretapping case 2004–05 https://en.wikipedia.org/wiki/... [wikipedia.org]
Now the world is seeing more software efforts beyond the expected gov tapping hardware and software.
So many staff around the world have done legitimate tapping for their govs and mil for generations.
Tame computer systems, networks have crypto that is well understood and of a weak international standard. Signals intelli
Re: (Score:2)
Why limit it to nations? Major corporations are as capable as most countries, and only a little bit more endangered if caught.
Re: (Score:1)
Not sure how security firms conclude nation states must be behind some complex malware. It could also be a corporation. It could also be a criminal gang. It could also be some lone programmer or group of programmers doing this in their own time in order to sell the software or their services to criminals or governments. Most software is not made by governments (actually, can't think of any software) and whenever they try, they usually fail.
Re: (Score:1)
Stuxnet.
You "can't think of" software used by govt to spy? (Score:1)
Re: (Score:2)
Start from the countries on the list: Russia, Saudi Arabia, Mexico, Ireland, India, Afghanistan, Iran, Belgium, Austria, Pakistan. The percentages added up to 100, a surprise because I would expect at least one or two percent to be "other". That makes me mistrust the figures a bit.
"Significant" countries not on the list include: the US, Canada, Britain, Germany, Israel, Japan, Australia, France, Turkey, Yemen, Iraq, Syria or any of the smaller Gulf States such as Qatar, Bahrain, Dubai. What is also inter
Re: Hello FVEY (Score:1)
Perpetual decay \snicker \ha \haw
Remember ANYTHING about the 50s, 60s and 70s, son? You have things SO MUCH BETTER NOW than way back in the day. Computerized checkbooks, reliable transportation, telephone,... ..., Electricity, Internet. Need I go on? Polio and Smallpox Vaccines,... ..., imaging technology that puts X-ray Films from Polaroid to shame.
The decay you believe in is a figment of your imagination. Visit a third world county sometime and see what value your "wealth of knowledge" has in the rea
Three Letter Agencies? (Score:2)
...they believe was developed by a wealthy nation-state to spy on a wide range of international targets in diverse industries, including hospitality, energy, airline, and research...
Hello, China...
Re: (Score:2)
Hello USA , Hello UK, Hello any of the usual suspects.
Hello any country with resources that wants to make one of the above countries look bad by framing them and then "discovering" new malware in the wild.
Re: (Score:1)
Hello USA, Hello UK, Hello any of the usual suspects. Why are Americans so blind to the fact their nation does this shit too?
USA has not yet been caught using its intelligence apparatus with a major aim of industrial espionage, as opposed to its state interests. It should be doing that as a matter of game theory, to incentivize a phased and negotiated reduction in attacks, but I haven't seen evidence that it does. But there is a great deal of evidence of state-sponsored attacks coming out of China against many, many American institutions.
It doesn't mean the USA doesn't do it--but it does make China a more likely suspect.
Re: (Score:2)
Hello, China...
OTOH, when this kind of news comes out, people are usually not shy about mentioning China by name. In fact, a number of 'wealthy nation-states' in Europe as well as Israel have been mentioned on occasion when it comes to spyware. I don't remember the US coming up very often, so by exclusion, America does seem like a likely candidate here. And why not? It isn't as if Americans, American companies or the American state departments are particularly prudish compared to others, when it comes to this sort of thin
Conspicuously absent ... (Score:2)
How far do you have to read? (Score:2)
To discover this is a Windows-only virus? That was the first thing that crossed my mind, what platform(s) are vulnerable? It sure as hell isn't clearly stated in any of the articles I read, you have to dive into the details of the Symantec white paper to notice that all the attack vectors were specific to Windows.
And how much does the tech journalism community and the security products & services industry, from Ars to The Verge, to Symantec, get paid to hide the fact this is Yet Another Windows (onl
Re: (Score:2)
It's possible there are other versions. But that's not my point. The version that has been discovered and documented runs on Windows, a fact that is probably deliberately not made clear in the articles.
Highly advanced computer worm? (Score:1)
"Symantec Security Response has not obtained the Regin dropper at the time of writing. Symantec believes that once the dropper is executed on the target’s computer, it will install and execute Stage 1. It’s likely that Stage 0 is responsible for setting up various extended attributes and/or registry keys and values that hold encoded versions of stages 2, 3, and potentially stages 4 and onwards". ref [symantec.com]
Re: (Score:1)
If it only works on Windows, it can't be that "highly advanced"... probably just some teens in their basement. Windows is not that hard to compromise.
Re: (Score:2)
This 'highly advanced' computer worm will only work on Microsoft Windows:
It is not a worm. It is a trojan, i.e. the user has to invite the trojan (the "dropper") inside for it to work.
A worm is an automated infection which propagates automatically from system to system. Like the Shellshock worms, Code Red, Nimda.
Any particular reason you chose to call it a worm, despite that it was described as a trojan in the summary as well as in TFA?
Re: (Score:1)
"Backdoor Regin
Re: (Score:2)
That's not a palindrome [wikipedia.org]. niger is a Latin adjective meaning black. Please note the single 'g'.
Niger (or anagram) is spelled with only one "g"....
Oh, I see what you did there, honky!
Symantec only? (Score:1)
Yes, I RTFA (again). Any independent confirmation outside of Symantec?
I don't NEEED no stickin' source code.... (Score:2)
Researchers have unearthed highly advanced malware ... spy on a wide range of international targets in diverse industries
Oh my! Evil people are actively breaking into computers! Just imagine what they could do if they actually had the source code to what the targets run.
It's only by using proprietary software [wikipedia.org] that we are able to keep ourselves safe like this.
Scrambled Like Chickens with Their Eggs in a Bunch (Score:1)
Analysis White Paper (Score:4, Informative)
Marketing (Score:2)
Detection? (Score:2)
Gareth Williams (Score:1)