Tag Archives: duqu virus

CyberWeapons: the Regin Malware

Malware Statistics

An advanced piece of malware, newly uncovered, has been in use since as early as 2008 to spy on governments, companies and individuals, Symantec said in a report .  The Regin cyberespionage tool uses several stealth features to avoid detection, a characteristic that required a significant investment of time and resources and that suggests it’s the product of a nation-state, Symantec warned, without hazarding a guess about which country might be behind it. The malware’s design makes it highly suited for long-term mass surveillance, according to the maker of antivirus software…

The highly customizable nature of Regin, which Symantec labeled a “top-tier espionage tool,” allows for a wide range of remote access Trojan capabilities, including password and data theft, hijacking the mouse’s point-and-click functions, and capturing screenshots from infected computers. Other infections were identified monitoring network traffic and analyzing email from Exchange databases….

The malware’s targets are geographically diverse, Symantec said, observing more than half of the infections in Russia and Saudi Arabia. Among the other countries targeted are Ireland, Mexico and India. [ Regin have been identified also in Afghanistan, Algeria, Belgium, Brazil, Fiji, Germany,Indonesia, Iran, Kiribati, Malaysia, Pakistan, Syria]

Regin is composed of five attack stages that are hidden and encrypted, with the exception of the first stage, which begins a domino chain of decrypting and executing the next stage. Each individual stage contains little information about malware’s structure. All five stages had to be acquired to analyze the threat posed by the malware.  The multistage architecture of Regin, Symantec said, is reminiscent of Stuxnet, a sophisticated computer virus discovered attacking a nuclear enrichment facility in Iran in 2010, and Duqu, which has identical code to Stuxnet but which appeared designed for cyber espionage instead of sabotage.  Symantec said it believes that many components of Regin remain undiscovered and that additional functionality and versions may exist.  “Regin uses a modular approach,” Symantec said, “giving flexibility to the threat operators as they can load custom features tailored to individual targets when required.”

Excerpt from Steven Musil Stealthy Regin malware is a ‘top-tier espionage tool’, CNET, Nov. 23, 2014

See also White paper Karspersky Lab 

Cyberattacks for Industrial Espionage, the Duqu Virus

Internet security firms have raised the specter of a new round of cyber warfare with last week’s detection of the Duqu virus – a “relative” of last year’s Stuxnet malware, which is thought to have slowed down at least one Iranian nuclear facility.  Duqu’s detection comes amid growing talk in Europe about launching pre-emptive strikes to stop cyberattacks before they happen. But the nature of malware like Duqu and Stuxnet make pre-emptive strikes unrealistic.

“The problem is you can’t really say where they come from,” Candid Wüest, a virus expert at IT security firm Symantec told Deutsche Welle.  “You need evidence about who is behind an attack before you can strike pre-emptively,” said Wüest, “but you can never be sure – you can’t attack infrastructure, or even send in a stealth bomber, because any information about a location could be a red herring.”

Malware makers can hide their tracks using spoofing, VPNs, proxy services and other means to make it look like they are based in any number of countries – when in truth they are somewhere completely different.

Wüest is one of the experts at Symantec, who is currently analyzing the source code behind Duqu. Symantec says it was alerted to the new threat on October 14 by a laboratory that has “international connections.”  Since then, Symantec’s investigations suggest that a “few hundred systems have been infected at a handful of companies,” many of which are in Europe.  Another IT security firm, McAfee, is also working on the virus. McAfee and Symantec both believe that Duqu shares strong similarities with the Stuxnet virus.

Some of its source code matches that of Stuxnet and because the Stuxnet code is not known to be available online, they say it is likely that Duqu was created by the same people or that they sold the code to another group. While it remains unclear where Stuxnet came from, the New York Times reported in January 2011 that Stuxnet was developed by the American and Israeli governments.

But there are significant differences as well between Duqu and Stuxnet.  “Duqu is not spreading like Stuxnet,” said Wüest, “Duqu was carefully placed and can be controlled remotely.”  Experts believe that Duqu has been used to target only a limited number of organizations for the specific assets.  “Its warhead is not aimed at the technology industry, it’s being used to steal information, so it’s more like industrial espionage,” Wüest added.

By contrast, Stuxnet was created to attack particular computer control systems made by the German firm Siemens.  These control systems are typically used to manage water supplies, oil rigs, power plants and other critical infrastructure.  Stuxnet infections were also found at Iranian nuclear facilities in 2010, leading some to speculate that the virus may have been designed by state actors – by governments or state security services who had wanted to disrupt Iran’s nuclear program.  A year later, Siemens spokesman Wieland Simon is keen to stress that “no customers reported any disruptions” of their control systems because of Stuxnet.

British Foreign Minister William Hague has said his country is developing an unspecified electronic weapons that could be used to defend Britain against cyber attacks or prevent them….In Germany,the Criminal Police Union (BDK) called this week for a specialized federal ministry for the Internet.  Andre Schulz, the head of the BDK, told Deutsche Welle there was no danger that such a ministry would politicize issues around cyber warfare.  “It’s a sad situation,” said Schulz, “to realize that the government considers the Chaos Computer Club as its experts on IT security – we need a centralized body and I think that would be in the interest of business too.”  The CCC revealed nearly two weeks ago that a German government tool designed to perform digital surveillance domestically, went well beyond its legal guidelines.

Wieland Simon, the Siemens spokesperson, was less than encouraging, suggesting that “no government can guarantee it can protect a country or entity against cyber attack.”  But there is still pressure for governments to do something.  “In future wars, there will be a cyber element,” said Mikko Hypponen, the chief research officer of F-Secure, a computer security firm, in an interview with Deutsche Welle. “Countries hope that if they threaten to use missiles to retaliate against a cyber attack, others will think twice about about launching one.”

Zulfikar Abbany, ‘Son of Stuxnet’ hits European computer networks, DW-World.De, Oct. 21, 2011