Highly Advanced Backdoor Trojan Cased High-Profile Targets For Years

An anonymous reader points out this story at Ars about a new trojan on the scene. Researchers have unearthed highly advanced malware they believe was developed by a wealthy nation-state to spy on a wide range of international targets in diverse industries, including hospitality, energy, airline, and research. Backdoor Regin, as researchers at security firm Symantec are referring to the trojan, bears some resemblance to previously discovered state-sponsored malware, including the espionage trojans known as Flame and Duqu, as well as Stuxnet, the computer worm and trojan that was programmed to disrupt Iran's nuclear program. Regin likely required months or years to be completed and contains dozens of individual modules that allowed its operators to tailor the malware to individual targets.


  • This apparently only runs on Windows.

    I really don't understand why people run sensitive and critical stuff on Microsoft Windows. (I'm not trying to be a troll.) It's the world's biggest target for malware, it's a monoculture, and it has a security model that tends toward convenience over security, and was actually bolted on after-the-fact.

    Unix (Linux) is about as far from a monoculture as you can get while still remaining reasonably compatible between distributions, and it was built with security in mind.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Targeted attacks like this are OS agnostic; if the organisations they wanted to hack were running Linux or OS X, then these would have been designed for that target instead.

      • targeted attacks like this are OS agnostic,

        Correct, provisionally - targeted attacks are OS agnostic - if designed to be OS agnostic.

        In the case of Regin (did you even read the lead before shooting your idiot mouth?) it is not OS agnostic. It affects Windows only. So does Stuxnet.

        Disclaimer - I have no problem with Steve Ballmer throwing chairs - as long as they're heavy, and hit idiots like you. Thanks for lowering the standard.

        • Re: (Score:3, Informative)

          by Rich0 ( 548339 )

          targeted attacks like this are OS agnostic,

          Correct, provisionally - targeted attacks are OS agnostic - if designed to be OS agnostic.

          In the case of Regin (did you even read the lead before shooting your idiot mouth?) it is not OS agnostic. It affects Windows only. So does Stuxnet.

          His point was that Regin attacks Windows because the people that the authors of Regin were trying to attack run Windows.

          If the targets of Regin ran Linux, then Regin would attack Linux. Instead of using one of the dozens of Windows zero-days out there, they'd use one of the dozens of Linux zero-days out there. No, I can't cite them - they wouldn't be zero-days if I could.

          • No, I can't cite them - they wouldn't be zero-days if I could.

            Can't or won't?

          • targeted attacks like this are OS agnostic,

            Correct, provisionally. Targeted attacks are OS agnostic - if designed to be OS agnostic.

            In the case of Regin (did you even read the lead before shooting your idiot mouth?) it is not OS agnostic. It affects Windows only. So does Stuxnet.

            His point was...

            ... not what you believe it was. I quoted the specific point I was replying to.
            ...not what the thread [slashdot.org] is about
            ...not what the main article is about.

            Again - try reading before shooting your idiot mouth. It's not like you are incapable of focus or intelligent output. Perhaps you're having a bad day or it's just confirmation bias from some sort of emotional over-investment.

            It could have been part of a suite of tools that include ones for other OS. But it is not, hence it's not relevant, and like the OP in t

            • by Rich0 ( 548339 )

              I'm not saying that Regin is OS-agnostic.

              I'm saying that the people who wrote Regin are probably OS-agnostic. If their targets weren't running Windows, then Regin wouldn't target Windows.

              You're focusing on a specific piece of software, and missing the reason the software was written in the first place.

              I'm not suggesting that Regin is part of a bigger suite of hacking tools. I'm saying that Regin was written by people with brains who could target any OS they wanted to target.

              The personal attacks are not he

              • You're focusing on a specific piece of software, and missing the reason the software was written in the first place.

                I'm focusing on what I quoted in my response. You're just being a goal-shifting egotistical dick - which is not "helpful" in any context.

                • by Rich0 ( 548339 )

                  You're focusing on a specific piece of software, and missing the reason the software was written in the first place.

                  I'm focusing on what I quoted in my response.

                  You quoted, "targeted attacks like this are OS agnostic."

                  Then you said "In the case of Regin (did you even read the lead before shooting your idiot mouth?) it is not OS agnostic."

                  He didn't say that Regin was OS agnostic. He said that targeted attacks are OS agnostic. Heck, you can perform a targeted attack without the use of a computer at all.

                  The people who wrote Regin weren't out to break Windows. They were out to obtain information. If it was easier to obtain that information by sending in ninjas at n

    • by Anonymous Coward

      Linux may not have been a monoculture back in the 1990s, but it's not the 1990s any longer!

      All of the major distros are basically the same these days. The kernel is the same. The file system layout is the same. The package managers are either RPM or APT. Now that Debian and Ubuntu will switch or have switched, all of the major distros but Slackware (if it's even a "major" distro these days!) use or support systemd. They use pretty much the same userland software.

      If Linux really wasn't a monoculture, then se

    • I really don't understand why people run sensitive and critical stuff on Microsoft Windows.

      Because doing so saves them both time and money - and those two factors trump everything else in their decision-making tree.

    • by Anonymous Coward

      Not having a monoculture is only security through obscurity. Basically, instead of putting the key in the lock and turning it clockwise to unlock, you turn it counter-clockwise. It does not take long to figure it out...

      In a targeted attack it is even worse.

      • by HiThere ( 15173 )

        Despite the "only security through obscurity" meme, you need to understand it, not just say it.

        There are only two types of security:
        1) security through obscurity,
        and,
        2) security through inaccessibility.
        They can, however, be intelligently combined.

        Please note that private key encryption is security through obscurity. Cutting the phone line is security through inaccessibility. Saying that "it's secure because they can't get the prime factors of that key" is security through obscurity.

        Despite the meme, secur

        • The term "security through obscurity" is usually defined to refer to obscuring the design of a system, not to key secrecy. The difference is that the secrecy of keys provides a measurable barrier to brute force attacks. This is fundamental to the design of encryption systems, since we want to formally distinguish what must be kept secret from what is revealed.

          I agree with your point about minimizing attack surfaces.

      • That meme "security through obscurity" only really applies in cases of improper reliance on "security via obscurity": once the secret is known, the system is insecure and anyone can access it.

        Examples of this would be "hand rolled encryption algorithm that we hide in a black box", "secret handshakes", "back doors which are left unlocked".

    • Re: (Score:3, Insightful)

      by exomondo ( 1725132 )

      This apparently only runs on Windows.

      A targeted attack is going to run on whatever the target uses.

      • by Threni ( 635302 )

        You've massively missed his point. Windows has long been a joke. Pop a CD in and it just runs an exe. Pop a USB key in and it just runs an exe. Other OSes are a little more discerning.

        • by Anonymous Coward

          AutoRun has been disabled on Windows for years. Try flaming with something accurate. https://support.microsoft.com/kb/967715

        • You've massively missed his point. Windows has long been a joke. Pop a CD in and it just runs an exe. Pop a USB key in and it just runs an exe. Other OSes are a little more discerning.

          Windows hasn't done what you say for years.
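The AutoRun policy both of these replies refer to (KB967715) is a registry bitmask, so the claim can be audited rather than argued. The function below is an added example, not code from the thread or from Microsoft: the registry paths and the meaning of each NoDriveTypeAutoRun bit are the documented Windows policy values, while the function name and the output shape are our own.

```powershell
# Added example: audit the AutoRun policy described in KB967715.
# Not from the Slashdot thread or from Microsoft; function name and output are ours.
function Get-AutoRunPolicy {
    [CmdletBinding()]
    param()

    $policyKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

    # NoDriveTypeAutoRun is a bitmask: a SET bit DISABLES AutoRun for that drive type.
    # Bit positions follow the Win32 DRIVE_* type constants (documented values).
    $driveTypes = [ordered]@{
        0x01 = 'Unknown (DRIVE_UNKNOWN)'
        0x02 = 'No root directory (DRIVE_NO_ROOT_DIR)'
        0x04 = 'Removable (USB, floppy)'
        0x08 = 'Fixed (local hard disks)'
        0x10 = 'Network (DRIVE_REMOTE)'
        0x20 = 'CD-ROM / DVD'
        0x40 = 'RAM disk'
        0x80 = 'Unrecognised drive type'
    }

    # Machine policy (HKLM) takes precedence over the per-user value (HKCU).
    $value  = $null
    $source = 'not set (Windows built-in default applies; treat as not hardened)'
    foreach ($hive in 'HKLM', 'HKCU') {
        $item = Get-ItemProperty -Path "${hive}:\$policyKey" -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        if ($item -and $null -ne $item.NoDriveTypeAutoRun) {
            $value  = [int]$item.NoDriveTypeAutoRun
            $source = "${hive}:\$policyKey"
            break
        }
    }

    # KB967715: older systems also need HonorAutorunSetting = 1 before the value above is honoured.
    $honorItem = Get-ItemProperty -Path "HKLM:\$policyKey" -Name HonorAutorunSetting -ErrorAction SilentlyContinue
    $honor = if ($honorItem -and $null -ne $honorItem.HonorAutorunSetting) { $honorItem.HonorAutorunSetting } else { 'not set' }

    foreach ($bit in $driveTypes.Keys) {
        # With no policy value at all we report "not disabled" so the row shows up in the audit.
        $disabled = if ($null -eq $value) { $false } else { ($value -band $bit) -ne 0 }
        [pscustomobject]@{
            DriveType       = $driveTypes[$bit]
            AutoRunDisabled = $disabled
            PolicySource    = $source
            HonorSetting    = $honor
        }
    }
}

# Usage: list every drive type where AutoRun is still allowed. A value of 0xFF (255) disables all of them.
Get-AutoRunPolicy | Where-Object { -not $_.AutoRunDisabled } | Format-Table -AutoSize
```

An empty result from the usage line means the machine carries the fully hardened 0xFF policy; any rows that print are the drive types on which autorun.inf would still be honoured, which is the configuration the reply above is disputing.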

    • by sphealey ( 2855 )

      There's now an entire generation of IS/IT managers, directors, and CIOs who not only prefer Microsoft technology but have an active dislike of anything related to Unix(tm) - including but not limited to Linux(tm). And along with dislike comes distrust and contempt. They firmly believe that Microsoft provides superior technology, tools, and usability, and that to choose other technology is not only to make a mistake but to expose themselves to professional risk.

      You can disagree with them if you prefer (I ten

      • by alen ( 225700 )

        Microsoft is one price, and you get a server and tools and all the features.

        A lot of other products nickel and dime you for features, the tools to manage them, etc.

        • by mspohr ( 589790 )

          Linux is one price (free) and you get a server and tools and all the features.... bonus, you are not a target for malware!

        • Microsoft is one price, and you get a server and tools and all the features.

          That's a good one, go ahead and pull my other leg while you're trying to spin that for Microsoft.

          Microsoft licensing is a nightmare. Just look at the segments for the desktop operating system. Or try to figure out which version of MS Office you need and whether a volume license will save you money (and whether you'll be in compliance). The server-side is no different with the different restrictions on the different variants of
      • There's now an entire generation of IS/IT managers, directors, and CIOs who not only prefer Microsoft technology but have an active dislike of anything related to Unix(tm)

        I don't know how much the "actively dislike Unix" part is true, but yes, there are a lot of IT people that prefer Windows. And there are very good reasons for that. Microsoft makes some exceptionally good products in a number of areas. Here are some examples:

        • Visual Studio, probably the best IDE known to exist. I've used it and competitor

    • >>Unix (Linux) is about as far from a monoculture as you can get

      What, like Android that has Linux underneath?

    • This apparently only runs on Windows.

      I really don't understand why people run sensitive and critical stuff on Microsoft Windows. (I'm not trying to be a troll.) It's the world's biggest target for malware, it's a monoculture, and it has a security model that tends toward convenience over security, and was actually bolted on after-the-fact.

      Unix (Linux) is about as far from a monoculture as you can get while still remaining reasonably compatible between distributions, and it was built with security in mind.

      It runs on the system the target had. How many world leaders are running Linux? If it were a significant portion you can rest assured we'd start seeing these for Linux as well. The fact of the matter is, if your opponent is the NSA, your OS is rather irrelevant.

    • by Kjella ( 173770 )

      Unix (Linux) is about as far from a monoculture as you can get while still remaining reasonably compatible between distributions, and it was built with security in mind.

      It was designed from scratch to be a multi-user system, which is neat and took Microsoft at least until UAC in 2006 to really implement. On the other hand, Microsoft is the one who had a fleet of PCs that needed managing and created AD, which is the bread and butter of most corporate networks. That you can ssh in and run scripts isn't even close; I know there are third-party tools to mimic some of it, but there it's Microsoft that has the native advantage. And you can lock it down way more than the defaults.

      I

    • It's the world's biggest target for malware, it's a monoculture, and it has a security model that tends toward convenience over security

      Yes - the "dragnet" attacks tend to go after the most victims. If your attack has a certain chance of succeeding (like a social engineering attack), you'd be stupid to go after the 1% instead of the 90%. Now, in a *targeted* attack where the attacker singled out a specific victim or group of victims, the attacker will go after whatever those targets use.

      and was actually bolted on after-the-fact.

      Nope. The current strain of Windows was created from scratch with the present security model from the get-go. The security model is based on tokens and it

      • Current strain of Microsoft Windows? Which ones? There are presently 7 variants (after losing count) of Windows 8. Are they all equally secure?

        Windows 7? Vista? XPSP3 and 2003 Server?

        Are the Home versions every bit as secure as the Professional versions?

        Notice my glaring omission of NT.

        • Current strain of Microsoft Windows? Which ones?

          All of the current Windows versions are derived from Windows NT. The security model was developed for Windows NT. It is the very same extensible (through SIDs) model that has later been extended for AD and later for UAC (Mandatory Integrity Control) in Windows Vista.
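The model this reply describes, a user SID plus a list of group SIDs with the Vista-era integrity label carried as one more SID on the token, can be inspected from any PowerShell session on Windows. The function below is an added example, not code from the thread or from Microsoft: the S-1-16-* label values are the documented well-known SIDs, the label is read from the token's group list where .NET exposes it, and the function name and output fields are our own.

```powershell
# Added example: summarise the SIDs on the current access token, including the
# Mandatory Integrity Control label that UAC relies on. Not from the thread; helper name is ours.
function Get-TokenSummary {
    [CmdletBinding()]
    param()

    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

    # Integrity labels are ordinary-looking SIDs under the S-1-16 authority (documented values).
    $labels = @{
        'S-1-16-0'     = 'Untrusted'
        'S-1-16-4096'  = 'Low'
        'S-1-16-8192'  = 'Medium'
        'S-1-16-8448'  = 'Medium Plus'
        'S-1-16-12288' = 'High (elevated)'
        'S-1-16-16384' = 'System'
    }
    $labelSid  = $identity.Groups | Where-Object { $_.Value -like 'S-1-16-*' } | Select-Object -First 1
    $integrity = 'no label found on token'
    if ($labelSid) {
        $integrity = if ($labels.ContainsKey($labelSid.Value)) { $labels[$labelSid.Value] } else { $labelSid.Value }
    }

    # Resolve each group SID to an account name; some SIDs (logon session, capability SIDs) do not map.
    $groups = foreach ($g in $identity.Groups) {
        try { $g.Translate([System.Security.Principal.NTAccount]).Value } catch { $g.Value }
    }

    [pscustomobject]@{
        User            = $identity.Name
        UserSid         = $identity.User.Value
        IntegrityLevel  = $integrity
        # False for an admin user at Medium integrity: UAC has handed this process the filtered token.
        IsElevatedAdmin = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
        GroupCount      = $identity.Groups.Count
        Groups          = $groups
    }
}

Get-TokenSummary | Format-List
```

Run it twice, once from a normal prompt and once from an elevated one, and the same user account shows the two tokens UAC keeps apart: Medium integrity with IsElevatedAdmin false, then High integrity with it true. That split token, rather than a separate admin account, is what the 2006 UAC change added on top of the NT SID model.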

    • I really don't understand why people run sensitive and critical stuff on Microsoft Windows.

      What's my other option?

      You're under the mistaken assumption that people get a choice on what OS they run, as opposed to going out to major vendors with a request for proposal for an uber-critical database, control system PCs, hospital records machines, etc., and the vendors come back with a proposed package. You don't get a choice what package this runs on. In many cases you are given an entire PC / server setup with the package ready to go because the vendors often control the complete solution from licensing modu

    • Hmm. I think it's highly delusional to think cyber-espionage organisations aren't targeting Windows, Linux, MacOS and FreeBSD concurrently. Probably OpenBSD too. While I agree that Windows appears to be a gaping wide attack surface, I equally believe that the large number of people running Linux sans virus checkers, patting themselves on the back for feeling secure, are living in la la land. The same fundamental architecture underlies Linux. Stack frame over-runs, heap exploits, SMM exploits, lack of

  • I try not to let Trojans anywhere near my backdoor.

    • Re: (Score:2, Funny)

      by Greyfox ( 87712 )

      It's targeted! If we wanted to target your backdoor with a trojan, we'd give you about six beers first!

  • Among other things, they were infecting ISP machines to monitor specific customers.

    Anyway, guesses on the responsible party? China, Israel, Russia?

    • by lostmongoose ( 1094523 ) on Sunday November 23, 2014 @04:42PM (#48445645)

      Among other things, they were infecting ISP machines to monitor specific customers.

      Anyway, guesses on the responsible party? China, Israel, Russia?

      ...or USA, Britain, France, Germany...

      • by Anonymous Coward

        Germany

        Don't be ridiculous. We have the Hackerparagraph. That shit is illegal in Germany.

    • by AHuxley ( 892839 )

      Lots of nations can try. Italy had its SISMI-Telecom scandal https://en.wikipedia.org/wiki/... [wikipedia.org]
      Greece had the wiretapping case 2004–05 https://en.wikipedia.org/wiki/... [wikipedia.org]
      Now the world is seeing more software efforts beyond the expected gov tapping hardware and software.
      So many staff around the world have done legitimate tapping for their govs and mil for generations.
      Tame computer systems, networks have crypto that is well understood and of a weak international standard. Signals intelli

    • by HiThere ( 15173 )

      Why limit it to nations? Major corporations are as capable as most countries, and only a little bit more endangered if caught.

      • Not sure how security firms conclude nation states must be behind some complex malware. It could also be a corporation. It could also be a criminal gang. It could also be some lone programmer or group of programmers doing this in their own time in order to sell the software or their services to criminals or governments. Most software is not made by governments (actually, can't think of any software) and whenever they try, they usually fail.

    • Start from the countries on the list: Russia, Saudi Arabia, Mexico, Ireland, India, Afghanistan, Iran, Belgium, Austria, Pakistan. The percentages added up to 100, a surprise because I would expect at least one or two percent to be "other". That makes me mistrust the figures a bit.

      "Significant" countries not on the list include: the US, Canada, Britain, Germany, Israel, Japan, Australia, France, Turkey, Yemen, Iraq, Syria or any of the smaller Gulf States such as Qatar, Bahrain, Dubai. What is also inter

  • ...they believe was developed by a wealthy nation-state to spy on a wide range of international targets in diverse industries, including hospitality, energy, airline, and research...

    Hello, China...

    • Hello, China...

      OTOH, when this kind of news comes out, people are usually not shy about mentioning China by name. In fact, a number of 'wealthy nation-states' in Europe as well as Israel have been mentioned on occasion when it comes to spy-ware. I don't remember the US coming up very often, so by exclusion, America does seem like a likely candidate here. And why not? It isn't as if Americans, American companies or the American state departments are particularly prudish compared to others, when it comes to this sort of thin

  • ... as a geographic target is ...

  • To discover this is a Windows-only virus? That was the first thing that crossed my mind, what platform(s) are vulnerable? It sure as hell isn't clearly stated in any of the articles I read, you have to dive into the details of the Symantec white paper to notice that all the attack vectors were specific to Windows.

    And how much does the tech journalism community and the security products & services industry, from Ars to The Verge, to Symantec, get paid to hide the fact this is Yet Another Windows (onl

  • This 'highly advanced' computer worm will only work on Microsoft Windows:

    "Symantec Security Response has not obtained the Regin dropper at the time of writing. Symantec believes that once the dropper is executed on the target’s computer, it will install and execute Stage 1. It’s likely that Stage 0 is responsible for setting up various extended attributes and/or registry keys and values that hold encoded versions of stages 2, 3, and potentially stages 4 and onwards". ref [symantec.com]

    • by mspohr ( 589790 )

      If it only works on Windows, it can't be that "highly advanced"... probably just some teens in their basement. Windows is not that hard to compromise.

    • This 'highly advanced' computer worm will only work on Microsoft Windows:

      It is not a worm. It is a trojan, i.e. the user has to invite the trojan (the "dropper") inside for it to work.

      A worm is an automated infection which propagates automatically from system to system. Like the Shellshock worms, Code Red, Nimda.

      Any particular reason you chose to call it a worm, despite that it was described as a trojan in the summary as well as in TFA?

      • @benjymouse: "Any particular reason you chose to call it a worm, despite that it was described as a trojan in the summary as well as in TFA?"

        "Backdoor Regin .. bears some resemblance to .. the computer worm and trojan [arstechnica.com] that was programmed to disrupt Iran's nuclear program"

  • Yes, I RTFA (again). Any independent confirmation outside of Symantec?

  • Researchers have unearthed highly advanced malware ... spy on a wide range of international targets in diverse industries

    Oh my! Evil people are actively breaking into computers! Just imagine what they could do if they actually had the source code to what the targets run.

    It's only by using proprietary software [wikipedia.org] are we able to keep ourselves safe like this.

  • Holy mixed metaphors! "Executing the first stage triggers a domino chain...." Does it trigger a domino chain which cascades along the peaks of the shield holding the noses of the elephants in the room?

  • Analysis White Paper (Score:4, Informative)

    by Fnord666 ( 889225 ) on Sunday November 23, 2014 @11:48PM (#48447047) Journal
    Here [symantec.com] is a link to the analysis white paper about Regin published by Symantec. An interesting read and it does look very similar to Duqu in structure.

  • Highly Sophisticated; by whose standards, Symantec? What do they know about sophisticated software? Symantec's marketing department thought they would make it sound exciting by suggesting it was created by a government agency. Pathetic effort to try and boost sales of Symantec software.

  • Why is it that these major news outlets (Forbes, CNET, CNN, etc) all have articles about this new trojan/virus? They quote statistics from Symantec about the number of infected machines, and yet not one describes how you can detect an infection. They must know. One previous post identifies a Symantec white paper describing the trojan's behavior (Here [symantec.com]). Why don't these articles describe the steps required to detect it? It's not like they're under any obligation to encourage readers to buy into Symantec's

  • The dates of the end of Regin 1 correspond roughly to the astonishing demise of this GCHQ analyst [wikipedia.org]... I would put my money on the Brits.
