Regin, A Thoroughly Developed Malware

Stuxnet, Duqu, Flame, Wiper: what all of these have in common, apart from the fancy names, is a place of honour in the all-time Hall of Fame of malicious computer programs (if there were ever such a thing). Just recently a new name has joined them. “Regin”, which the malware analysts at Symantec consider more sophisticated than Stuxnet, promises to teach us what a well-developed piece of malware really looks like.

What makes this “Regin” threat so big is what it does once it gets itself onto the machine. Most malware these days is built for one target; some families do it better than others, but they usually go after one thing. Zeus, for example, is all about getting banking details out of victims’ computers and, more recently, mobile devices. Stuxnet was created for a specific nuclear facility, with a specific set of components and extremely specific things to fiddle with. All of those families were good at one thing and one thing only. As the Symantec experts have found, “Regin” is much more than a piece of malware designed with one goal in mind: it is a Swiss army knife.

The process through which “Regin” gets itself installed on a compromised host is divided into six stages, each of them carefully prepared to be as stealthy as possible. Although the initial dropper has not been found yet, there is suspicion that “Regin” has multiple ways onto a host, one of them being a suspected zero-day in Yahoo! Messenger. After “Regin” has been dropped on the system, the installation begins with the only stage that is clearly visible on disk (i.e., unencrypted) in the entire chain. Every later stage is stored encrypted and is decrypted only immediately before it is used, so a defender looking at the disk sees one small loader and a series of opaque blobs.
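The practical consequence of that layout for a defender is that the encrypted stages cannot be matched by content, but they can be spotted by their statistics: ciphertext is close to uniformly random, so its byte entropy sits near 8 bits per byte, well above code, text or configuration data. The Python script below is an added example of that check written for this page; it is not Symantec's tooling and knows nothing about Regin's actual file formats. It slides a fixed-size window over a buffer, computes the Shannon entropy of each window and reports the windows that look encrypted, then merges neighbouring hits into byte ranges. The sample buffer is constructed inline: a repetitive text block standing in for a plain, unencrypted first stage, followed by a SHA-256 keystream standing in for an encrypted later stage (the `keystream` helper is a hypothetical stand-in for ciphertext, not a cipher anyone should use).

```python
import hashlib
import math
from collections import Counter
from typing import List, Tuple

BLOCK_SIZE = 512          # bytes per window
ENTROPY_THRESHOLD = 7.0   # bits/byte; code and text usually sit below 6.5, ciphertext near 8


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_blocks(blob: bytes,
                        block_size: int = BLOCK_SIZE,
                        threshold: float = ENTROPY_THRESHOLD) -> List[Tuple[int, float]]:
    """Return (offset, entropy) for every window whose entropy reaches the threshold.

    A short trailing window (less than half a block) is skipped because its
    entropy estimate is too noisy to mean anything.
    """
    hits = []
    for offset in range(0, len(blob), block_size):
        window = blob[offset:offset + block_size]
        if len(window) < block_size // 2:
            continue
        entropy = shannon_entropy(window)
        if entropy >= threshold:
            hits.append((offset, round(entropy, 2)))
    return hits


def encrypted_regions(hits: List[Tuple[int, float]],
                      block_size: int = BLOCK_SIZE) -> List[Tuple[int, int]]:
    """Merge adjacent flagged windows into (start, end) byte ranges."""
    regions: List[Tuple[int, int]] = []
    for offset, _ in hits:
        if regions and regions[-1][1] == offset:
            regions[-1] = (regions[-1][0], offset + block_size)
        else:
            regions.append((offset, offset + block_size))
    return regions


def keystream(seed: bytes, length: int) -> bytes:
    """Deterministic pseudo-random bytes: a hypothetical stand-in for ciphertext."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "little")).digest()
        counter += 1
    return bytes(out[:length])


# Constructed sample buffer (not a real Regin artefact):
#   bytes 0..1023     repetitive text, playing the role of the plain first stage
#   bytes 1024..3071  keystream bytes, playing the role of an encrypted later stage
PLAIN_STAGE = (b"stage one: load service, locate and decrypt the next stage. " * 32)[:1024]
ENCRYPTED_STAGE = keystream(b"constructed-sample-key", 2048)
SAMPLE = PLAIN_STAGE + ENCRYPTED_STAGE


def scan_sample() -> List[Tuple[int, int]]:
    """Run the scanner over the constructed buffer and return the merged regions."""
    return encrypted_regions(high_entropy_blocks(SAMPLE))


if __name__ == "__main__":
    for offset, entropy in high_entropy_blocks(SAMPLE):
        print(f"offset 0x{offset:06x}: entropy {entropy:.2f} bits/byte")
    print("likely encrypted regions:", scan_sample())
```

On the constructed buffer the two text windows score around 4 bits per byte and the four keystream windows score well above 7, so the scanner reports a single region covering bytes 1024 to 3072. The threshold is a heuristic, not a signature: compressed data (archives, images, packed executables) also scores close to 8, so a hit means "opaque, worth a closer look", not "encrypted malware stage", and the triage step after a hit is to check whether a known compression format explains the bytes.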

The range of configurable payloads and settings is something that has been seen before only on threats like Stuxnet and Flame. “Regin” can be tailored to a specific job: payloads can be added or removed, activated or left dormant. The amount of work put into this is beyond the means of an ad hoc hacker group. The experts at Symantec reckon that “the development of this threat could have taken well-resourced teams of developers many months or years to develop and maintain.” Some of the possible payloads include rootkits, network packet capture, password stealers and system information gathering, but many more options are available.

Considering that “Regin” was active between 2008 and 2011, with some activity seen again in 2013, it would be unrealistic to believe that its development has stopped; more likely an evolved version is already in the wild. The growth in computing power, potential and skills over the past years has surely enabled even more sophisticated tools to be built, but do we even dare to think how sophisticated they are right now?


Read the original report from Symantec here.