Highly Advanced Backdoor Trojan Cased High-Profile Targets For Years
An anonymous reader points out this story at Ars about a new trojan on the scene. Researchers have unearthed highly advanced malware they believe was developed by a wealthy nation-state to spy on a wide range of international targets in diverse industries, including hospitality, energy, airline, and research. Backdoor Regin, as researchers at security firm Symantec are referring to the trojan, bears some resemblance to previously discovered state-sponsored malware, including the espionage trojans known as Flame and Duqu, as well as Stuxnet, the computer worm and trojan that was programmed to disrupt Iran's nuclear program. Regin likely required months or years to be completed and contains dozens of individual modules that allowed its operators to tailor the malware to individual targets.
This apparently only runs on Windows.
I really don't understand why people run sensitive and critical stuff on Microsoft Windows. (I'm not trying to be a troll.) It's the world's biggest target for malware, it's a monoculture, and it has a security model that tends toward convenience over security, and was actually bolted on after-the-fact.
Unix (Linux) is about as far from a monoculture as you can get while still remaining reasonably compatible between distributions, and it was built with security in mind.
If you're a zombie and you know it, bite your friend!
I try not to let Trojans anywhere near my backdoor.
Among other things, they were infecting ISP machines to monitor specific customers.
Anyway, guesses on the responsible party? China, Israel, Russia?
Making more friends?
Linux may not have been a monoculture back in the 1990s, but it's not the 1990s any longer!
All of the major distros are basically the same these days. The kernel is the same. The file system layout is the same. The package managers are either RPM or APT. Now that Debian and Ubuntu will switch or have switched, all of the major distros but Slackware (if it's even a "major" distro these days!) use or support systemd. They use pretty much the same userland software.
If Linux really wasn't a monoculture, then security incidents like the ones involving bash and OpenSSL earlier this year wouldn't have been as widespread as they were.
Not using systemd was the one thing that differentiated Debian and Ubuntu from Fedora, CentOS, RHEL, openSUSE, and the other distros. Now Debian and Ubuntu are basically clones of those other systems. The main difference now is whether you type "apt-get" or "yum" to install packages! That's no difference at all, really.
The BSDs are the only family of OSes where there's some diversity left. But even they are still very similar in many ways.
...they believe was developed by a wealthy nation-state to spy on a wide range of international targets in diverse industries, including hospitality, energy, airline, and research...
Hello, China...
If you want news from today, you have to come back tomorrow.
It little behooves the best of us to comment on the rest of us.
Huh huh. Heh heh.
To discover this is a Windows-only virus? That was the first thing that crossed my mind, what platform(s) are vulnerable? It sure as hell isn't clearly stated in any of the articles I read, you have to dive into the details of the Symantec white paper to notice that all the attack vectors were specific to Windows.
And how much does the tech journalism community and the security products & services industry, from Ars to The Verge, to Symantec, get paid to hide the fact this is Yet Another Windows (only) vulnerability?
This 'highly advanced' computer worm will only work on Microsoft Windows:
"Symantec Security Response has not obtained the Regin dropper at the time of writing. Symantec believes that once the dropper is executed on the target’s computer, it will install and execute Stage 1. It’s likely that Stage 0 is responsible for setting up various extended attributes and/or registry keys and values that hold encoded versions of stages 2, 3, and potentially stages 4 and onwards". ref
Symantec sense of humor for us to read it backward?
As if a "wealthy nation-state" has no clue about *nix. Furthermore, it "likely required months or years to be completed and contains dozens of individual modules that allowed its operators to tailor the malware to individual targets." Are you really going to bet that they don't have a *nix version???
Goddammit, mod this up.
This [man|woman|dolphin|AI|cool, dispassionate intelligence from Sirius] is our last, best hope against the unholy scourge of that Jon Katz spawn known as Bennett Haselton.
Yo Mama!
Yes, I RTFA (again). Any independent confirmation outside of Symantec?
When Stuxnet (engineered by Israel and the US) is mentioned in TFA? Are you playing dumb? That's aside from the hefty lists of internal hacking tools leaked by Snowden, be it from the NSA or their British buddies.
Researchers have unearthed highly advanced malware ... spy on a wide range of international targets in diverse industries
Oh my! Evil people are actively breaking into computers! Just imagine what they could do if they actually had the source code to what the targets run.
It's only by using proprietary software are we able to keep ourselves safe like this.
If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
At least they're using protection.
The former NSA contractor Edward Snowden described the Five Eyes (FVEY) as a "supra-national intelligence organisation that doesn't answer to the laws of its own countries"
Holy mixed metaphors! "Executing the first stage triggers a domino chain...." Does it trigger a domino chain which cascades along the peaks of the shield holding the noses of the elephants in the room?
This was the work of Reggin Toggaf.
NSA will have had access to the notification before the announcement and will have simply changed the salting details, filenames etc.
It's become a joke, my Android devices run more spyware than their target apps, my Windows machines are just malware heaven and I'm reduced to even double checking my Linux system.
Here is a link to the analysis white paper about Regin published by Symantec. An interesting read and it does look very similar to Duqu in structure.
'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
Perpetual decay \snicker \ha \haw
Remember ANYTHING about the 50s, 60s and 70s, son? You have things SO MUCH BETTER NOW than way back in the day. Computerized checkbooks, reliable transportation, telephone,... ..., Electricity, Internet. Need I go on? Polio and Smallpox Vaccines,... ..., imaging technology that puts X-ray Films from Polaroid to shame.
The decay you believe in is a figment of your imagination. Visit a third world country sometime and see what value your "wealth of knowledge" has in the real world. \Pity.
Highly Sophisticated; by whose standards, Symantec? What do they know about sophisticated software? Symantec's marketing department thought they would make it sound exciting by suggesting it was created by a government agency. Pathetic effort to try and boost sales of Symantec software.
"Also, Symantec has not revealed key information about the command and control infrastructure (CnC) used by the attackers to manage infected computers. Its technical paper highlights that the C&C used four transport protocols to communicate between infected computers and its command servers but, unlike similar recent reports from rivals FireEye and Kaspersky, Symantec has not revealed the IP addresses and web domains used by the attackers, which if known could suggest the origin of the attackers." FROM -> http://www.cso.com.au/article/...
See that quote & WHY I said what I did due to it (ran into it yesterday in fact): Articles of that nature, or the .pdf, MINUS lists of the C&C Servers used (by IP address for firewalls, or by host-domain name for custom hosts files) are USELESS to myself - why?
* THEY'RE NOT PROVIDING THE TRULY "CRUCIAL INFORMATION" NEEDED TO BLOCK THESE THREATS IS WHY, OMITTING THE C&C SERVERS THIS THING USES...!
(Pretty self-explanatory right there, as to my subject-line above...)
APK
P.S.=> Complaint on MY part? Absolutely - not directed YOUR way though (more to Symantec really for omitting that information for afaik NO good reason)... apk
So what now? Thank you, master, for painting our cage golden?
Why is it that these major news outlets (Forbes, CNET, CNN, etc) all have articles about this new trojan/virus. They quote statistics from Symantec about the number of infect machines, and yet, not one describes how you can detect an infection. They must know. One previous post identifies a Symantec white paper describing the trojan's behavior (Here). Why don't these articles describe the steps required to detect it? It's not like they're under any obligation to encourage readers to buy into Symantec's bloated anti-virus products.
My UID is prime!
2 tools can do this as it uses "pciclass.sys" (driver), boot up to Recovery Console, remove it using listsvc (to see if it's in fact there 1st, of course) & then use the DISABLE command on it - done.
(That'd be for 2000/XP/Server 2003 - Win7 & beyond have similar bootup console mode tools also, & doing so booting up from the install media (CD/DVD) assures a non-corruptable read-only environs to do it from as well...)
* That cripples the kernelmode portion (the "effective ingredient"...)
The usermode portion(s), if any? Ok: Now, *IF* there's usermode componentry too (& there will be most likely)? Those you can "take out" using ProcessExplorer altering its default view of NO lower pane visible (you'd make it so via its options), making it visible, & switching to DLL View there - & it'll show those even when they're "hidden"...
APK
P.S.=> ProcessExplorer's your pal too - & it's superior to taskmgr.exe in 1 respect: It can reveal those parts hiding or rather, "riding" along attached beneath, say, explorer.exe as a .DLL extension, for instance (which *many* malware do to evade detection)... apk
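The post above describes checking for and disabling a kernel driver by hand from the Recovery Console. As an added example (not from the post, from Symantec, or from the Regin paper), here is a PowerShell 3.0+ triage script for a live Windows 7 or later host that lists kernel driver services, flags any whose name or binary matches the driver name the post quotes, and reports the Authenticode status of every driver binary. The name `pciclass.sys` is taken from the comment as an assumption, not independently verified.

```powershell
# Added triage example: enumerate kernel-mode driver services and flag the ones
# worth a closer look. Run from an elevated prompt (PowerShell 3.0 or later).
$suspectName = 'pciclass.sys'   # driver name quoted in the post; an assumption
$suspectBase = [IO.Path]::GetFileNameWithoutExtension($suspectName)

$drivers = Get-CimInstance -ClassName Win32_SystemDriver

foreach ($d in $drivers) {
    # PathName may be quoted or carry \??\, \SystemRoot\ or bare System32\
    # prefixes; normalise to a path Test-Path understands.
    $path = $d.PathName
    if (-not $path) { continue }
    $path = $path.Trim('"')
    $path = $path -replace '^\\\?\?\\', ''
    $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $path = $path -replace '^System32\\', "$env:SystemRoot\System32\"

    $flags = @()

    # Flag a service whose name or on-disk file matches the suspect driver.
    if (($d.Name -ieq $suspectBase) -or
        ([IO.Path]::GetFileName($path) -ieq $suspectName)) {
        $flags += 'name-match'
    }

    if (Test-Path -LiteralPath $path) {
        # Any status other than Valid is a triage signal, not proof of malice.
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') { $flags += "signature:$($sig.Status)" }
    } else {
        # A registered driver whose binary is missing on disk is unusual and
        # worth explaining (uninstalled, hidden, or loaded from elsewhere).
        $flags += 'binary-missing'
    }

    if ($flags.Count -gt 0) {
        [pscustomobject]@{
            Service = $d.Name
            State   = $d.State
            Start   = $d.StartMode
            Path    = $path
            Flags   = ($flags -join ',')
        }
    }
}
```

On Windows 7 many Microsoft drivers are catalog-signed and will show `NotSigned` here, so compare the output against a known-clean build of the same image rather than treating each flagged entry as an infection.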
The dates of the end of Regin 1 correspond roughly to the astonishing demise of this GCHQ analyst. I would put my money on the Brits.
The world is getting back to the point where sensitive corporate communications may need to be done in person, with records of what was said (if any) kept on non-networked computers or in a locked file cabinet.
You already see this happening in businesses, but it's because people and companies don't want to create a paper trail that can be subpoenaed, not because they are afraid of a hacker or government-backed spy snooping at their records.
It's quite simple, if your company and clients use Windows/Office then you are often forced to use it, or you run the risk of losing "contact" with them.