Slashdot Mirror


Highly Advanced Backdoor Trojan Cased High-Profile Targets For Years

An anonymous reader points out this story at Ars about a new trojan on the scene. Researchers have unearthed highly advanced malware they believe was developed by a wealthy nation-state to spy on a wide range of international targets in diverse industries, including hospitality, energy, airline, and research. Backdoor Regin, as researchers at security firm Symantec are referring to the trojan, bears some resemblance to previously discovered state-sponsored malware, including the espionage trojans known as Flame and Duqu, as well as Stuxnet, the computer worm and trojan that was programmed to disrupt Iran's nuclear program. Regin likely required months or years to be completed and contains dozens of individual modules that allowed its operators to tailor the malware to individual targets.

14 of 143 comments

  1. Microsoft Windows only by innocent_white_lamb · · Score: 2, Insightful

    This apparently only runs on Windows.

    I really don't understand why people run sensitive and critical stuff on Microsoft Windows. (I'm not trying to be a troll.) It's the world's biggest target for malware, it's a monoculture, and it has a security model that tends toward convenience over security, and was actually bolted on after-the-fact.

    Unix (Linux) is about as far from a monoculture as you can get while still remaining reasonably compatible between distributions, and it was built with security in mind.

    --
    If you're a zombie and you know it, bite your friend!
    1. Re:Microsoft Windows only by Anonymous Coward · · Score: 2, Insightful

      Targeted attacks like this are OS agnostic; if the organisations they wanted to hack were running Linux or OSX then these would have been designed for that target instead.

    2. Re:Microsoft Windows only by exomondo · · Score: 2, Insightful

      This apparently only runs on Windows.

      A targeted attack is going to run on whatever the target uses.

    3. Re:Microsoft Windows only by sumdumass · · Score: 2

      You are correct, poorly trained admins will net poorly secured systems with the same or similar horrible mistakes.

      However, you are glossing over what was actually said in order to make those statements as if it was some overriding truth. The problem is that Windows exposes too much of the underlying system to programs running, so exploits in PowerPoint or Outlook can infect the entire machine kernel and spread to the servers via internal network support infrastructure (domain controller functions). Now much has been done in more recent versions to limit this, but it still remains true for the most part.

      Part of this is because programmers write bad code to sell cheap software to people who are familiar with the ease of use of Windows. In fact, this is likely why it is the most common OS out there, because it is so easy to write software and do things in that people see it as just working. It's that layer of ease which makes it easy to be exploited. Almost every anti-virus company out there worth its salt will have complex (and sometimes simple) methods of virus removal you can look up and follow for when a virus gets past their products. It is simply impossible to completely secure Windows or Linux and still have a usable machine, but it is easier to limit vulnerabilities on a Linux or Mac system currently. This could change if they get more popular or do something stupid in the future, or if malware writers decide to focus more and more on these smaller platforms. This is also why Adobe and Java were such a target for the longest of times. Cross platform and complete access.

    4. Re:Microsoft Windows only by HiThere · · Score: 2

      Despite the "only security through obscurity" meme, you need to understand it, not just say it.

      There are only two types of security:
      1) security through obscurity,
      and,
      2) security through inaccessibility.
      They can, however, be intelligently combined.

      Please note that private key encryption is security through obscurity. Cutting the phone line is security through inaccessibility. Saying that "it's secure because they can't get the prime factors of that key" is security through obscurity.

      Despite the meme, security through obscurity is widely and properly used. What's wrong is false obscurity, which is common. If you don't properly assess just how obscure your secret is, then you have a security failure.

      So having a monoculture is reduced security, because that means that there are a much larger number of entities seeking to discover the secret...and any breach in security cannot be easily contained. If you don't have a monoculture, then a single breach cannot be as widely damaging, and is thus also less valuable to find. This is a sort of network effect.

      OTOH, a diverse community means that more effort needs to be devoted to security, because each branch is a separate thing to be maintained. So it's not all benefit or all loss, it's a mixture.

      FWIW, I choose not to have Flash installed on my system, despite the fact that it would have some utility, because I consider that the weakness that it presents is not worth the benefit. The ability to refuse to have such a service installed allows increased security...at a cost. For some people the cost is higher than they are willing to pay. This reduction of the attack surface is a form of security through obscurity mixed with security through inaccessibility, i.e., I have become inaccessible to some forms of attack, and I have reduced my visibility to many attackers.

      --
      I think we've pushed this "anyone can grow up to be president" thing too far.
    5. Re:Microsoft Windows only by Rich0 · · Score: 2, Informative

      targeted attacks like this are OS agnostic,

      Correct, provisionally - targeted attacks are OS agnostic - if designed to be OS agnostic.

      In the case of Regin (did you even read the lead before shooting your idiot mouth?) it is not OS agnostic. It affects Windows only. So does Stuxnet.

      His point was that Regin attacks Windows because the people that the authors of Regin were trying to attack run Windows.

      If the targets of Regin ran Linux, then Regin would attack Linux. Instead of using one of the dozens of Windows zero-days out there, they'd use one of the dozens of Linux zero-days out there. No, I can't cite them - they wouldn't be zero-days if I could.

    6. Re:Microsoft Windows only by bouldin · · Score: 3, Interesting

      Maybe you missed all the critical remote code execution vulns Microsoft announced just this month.

      https://technet.microsoft.com/en-us/library/security/ms14-nov.aspx

      Four of the bulletins above are listed as critical remote execution. Two of them (schannel and OLE vulns) are very bad. The IE bulletin says it resolves 17 privately identified bugs.

      As the previous poster said, Microsoft has placed convenience over security for many years now. They have improved dev processes a lot, but as you can see, many security folks still view MS as a liability.

      Not to stray too far from the point, but I hope Linux distros aren't repeating Microsoft's mistakes with feature-laden packages like systemd and its ilk. Tons of new features in an inchoate software package with no security audits? That is how Microsoft got its reputation for insecurity.

    7. Re:Microsoft Windows only by bouldin · · Score: 2

      You're implying you've read the Ubuntu vuln announcements for November. Why don't you explain to the class which of these are remote code execution vulns?

      http://www.ubuntu.com/usn/

      Maybe you can pick the worst one and explain why it's worse than Microsoft's schannel vuln.

    8. Re:Microsoft Windows only by Demonoid-Penguin · · Score: 2

      targeted attacks like this are OS agnostic,

      Correct, provisionally. Targeted attacks are OS agnostic - if designed to be OS agnostic.

      In the case of Regin (did you even read the lead before shooting your idiot mouth?) it is not OS agnostic. It affects Windows only. So does Stuxnet.

      His point was...

      ... not what you believe it was. I quoted the specific point I was replying to.
      ...not what the thread is about
      ...not what the main article is about.

      Again - try reading before shooting your idiot mouth. It's not like you are incapable of focus or intelligent output. Perhaps you're having a bad day or it's just confirmation bias from some sort of emotional over-investment.

      It could have been part of a suite of tools that include ones for other OS. But it is not, hence it's not relevant, and like the OP in this thread - the opposite of "informative".
      Nowhere have I made any statement about any OS being more or less secure than another.

    9. Re:Microsoft Windows only by bouldin · · Score: 2

      You sure seem to have missed the point. The AC poster (you?) already lost the argument, whether he responds or not.

      I made my point with questions, and the point was that none of the Ubuntu security notices were anywhere near as serious as Microsoft's schannel or OLE vulns.

      Unless I missed something in the Ubuntu bulletins, none of those vulns were even suspected of being remote code execution vulns. The AC poster was flat-out wrong in his assessment that the Ubuntu notice had more vulns, and especially wrong that it had more remotely exploitable vulns. I called him out on his bullshit, but at the same time threw him a softball so he could respond if he cared to actually read up and have a reasonable reply.

      Sometimes there are people on Slashdot who do seek out intelligent discourse. I was leaving that possibility open, but certainly not holding my breath for it.

  2. Nation uses malware to spy on ISP Customers... by Etherwalk · · Score: 2

    Among other things, they were infecting ISP machines to monitor specific customers.

    Anyway, guesses on the responsible party? China, Israel, Russia?

    1. Re:Nation uses malware to spy on ISP Customers... by lostmongoose · · Score: 5, Insightful

      Among other things, they were infecting ISP machines to monitor specific customers.

      Anyway, guesses on the responsible party? China, Israel, Russia?

      ...or USA, Britain, France, Germany...

  3. Linux is a monoculture. by Anonymous Coward · · Score: 2, Informative

    Linux may not have been a monoculture back in the 1990s, but it's not the 1990s any longer!

    All of the major distros are basically the same these days. The kernel is the same. The file system layout is the same. The package managers are either RPM or APT. Now that Debian and Ubuntu will switch or have switched, all of the major distros but Slackware (if it's even a "major" distro these days!) use or support systemd. They use pretty much the same userland software.

    If Linux really wasn't a monoculture, then security incidents like the ones involving bash and OpenSSL earlier this year wouldn't have been as widespread as they were.

    Not using systemd was the one thing that differentiated Debian and Ubuntu from Fedora, CentOS, RHEL, openSUSE, and the other distros. Now Debian and Ubuntu are basically clones of those other systems. The main difference now is whether you type "apt-get" or "yum" to install packages! That's no difference at all, really.

    The BSDs are the only family of OSes where there's some diversity left. But even they are still very similar in many ways.

  4. Analysis White Paper by Fnord666 · · Score: 3, Informative

    Here is a link to the analysis white paper about Regin published by Symantec. An interesting read and it does look very similar to Duqu in structure.

    --
    'The tyrant will always find pretext for his tyranny.' - Aesop's Fables