Security Researchers Withheld Regin Malware Details For 'Global Security' Reasons

from the not-really-'global'-when-it's-just-the-Five-Eyes-then,-is-it? dept

Tue, Dec 2nd 2014 4:21am — Tim Cushing

Who's going to let you know your communications and data have been compromised by state entities? Well, it seems to depend on who the state entity is. When it's a non-'Five Eyes' country involved, there's usually no hesitation. But the recent exposure of Regin malware's NSA/GCHQ origins (which both agencies deny originates with them despite leaked documents to the contrary) came belatedly, confirming details revealed more than a year ago. The malware appears to date back nearly a decade and yet, there has been little said about it over that period of time.

Mashable looked into the malware further and received some surprising replies from security analysts as to why there's been little to no discussion of Regin up to this point.

Symantec's [Vikram]Thakur said that they had been investigating Regin since last year, but only felt "comfortable" publishing details of it now.

[Costen] Raiu, the researcher from Kaspersky, said they had been tracking Regin for "several years" but rushed to publish the report after a journalist contacted them last week asking for comments about Regin, indicating a competitor was about to come out with their own report.

For [Ronald] Prins [of Fox IT], the reason is completely different.

"We didn't want to interfere with NSA/GCHQ operations," he told Mashable, explaining that everyone seemed to be waiting for someone else to disclose details of Regin first, not wanting to impede legitimate operations related to "global security."

And so it goes. Everyone had the same suspicion as to who was behind the malware, but everyone sat on it, hoping someone else would make the first move. The NSA and GCHQ may deny their involvement, but the list of countries with verified Regin infections notably does not include any of the "Five Eyes" countries. Microsoft -- whose software the malware was disguised as -- has refused to comment.

It's no surprise that companies like Microsoft are in no hurry to divulge findings about state-run malware, at least not if it involves governments it has large contracts with. But security researchers shouldn't be acting as flacks for intelligence agencies, even if only committing sins of omission. As the ACLU's chief technologist pointed out, there's no faster way to "destroy" your company's reputation as a "provider of trustworthy security consulting services." Who's going to want to hire someone that won't tell you your data and communications are compromised until it feels it's "safe" to do so?

We already know that any security holes discovered (or purchased) by intelligence agencies won't be turned over to affected companies until they've been fully exploited. We also know that some of these companies have worked in concert with the NSA and others to provide backdoor access or hold off on patching software until the government gives them the go-ahead. But security researchers shouldn't be withholding details on sophisticated malware out of deference to the intelligence agencies it believes are behind it.

At this point, we have a security ecosystem greatly skewed towards the exploitation of flaws and the distribution of malware, rather than the other way around. There's an entire industry that does nothing but find exploits and sell them to intelligence agencies -- only distinguishable from criminal enterprises by their clientele. Being silently complicit in these exploits may prevent operations from being compromised (and seems to confirm that Fox IT reached the same conclusion about the malware's origin as others), but it has the hugely unfortunate side effect of harming thousands, if not millions, of non-terrorists around the world.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: malware, regin, security, security research
Companies: fox it, kaspersky, symantec

24 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 2 Dec 2014 @ 5:07am

If security researchers can find such malware, so can other agencies, like other government spying agencies, and they will exploit at least its presence for their own purposes.
[ link to this | view in chronology ]
Anonymous Coward, 2 Dec 2014 @ 5:15am

And people pay these companies for what, a warm cozy feeling?
[ link to this | view in chronology ]
- Anonymous Coward, 2 Dec 2014 @ 2:48pm
  
  Re:
  Well that is what they do for the TSA.*
  
  *: With the restriction that you must be a complete idiot for it to work.
  [ link to this | view in chronology ]
Steven, 2 Dec 2014 @ 5:41am

" . . . but it has the hugely unfortunate side effect of harming thousands, if not millions, of non-terrorists around the world."

Rather than being a side effect, isn't that the program's intended goal?
[ link to this | view in chronology ]
Anonymous Coward, 2 Dec 2014 @ 5:43am

The NSA and GHCQ are now in the business of training terrorists and non-allied foreign governments how to compromise computers. Sony seems to have been subject to the results within the past week. I hope Microsoft has plans for some other business when the rest of the world drops them. Of course, since it is windows that seems to be the system to compromise, we will probably be feeling the backlash of these actions for years to come.
[ link to this | view in chronology ]
- Anonymous Coward, 2 Dec 2014 @ 6:57am
  
  Sony
  Isn't Sony the company that distributed rootkits through their DVD's ?
  
  Kind of ironic, don't you think ?
  [ link to this | view in chronology ]
- Blackfiredragon13 (profile), 2 Dec 2014 @ 7:05am
  
  Re:
  And that's because windows is the most popular series of operating systems out there by leagues over Mac and Linux. Last time I checked pretty much every atm out there uses windows xp, though there's an undoubtable push to change it over to a more recent os since support for xp's been cut.
  [ link to this | view in chronology ]
- tqk (profile), 2 Dec 2014 @ 7:32am
  
  Schaudenfreud.
  I hope Microsoft has plans for some other business when the rest of the world drops them.
  
  Last I heard, they have a plan to migrate (a la MacOS -> OSX) to a more secure base system.
  
  I am looking forward to watching all the corporate IT managers who've painted their companies into corners standardizing on a proprietary monoculture. One that I worked with couldn't wait to replace their Unix servers with Windows servers. I think still working on it.
  
  Imagine what it's going to cost to climb back out of the hole you've been digging your company into for the last twenty years. "You get what you pay for" or "Schaudenfreud", call it what you will, it's going to be an entertaining horror flick.
  [ link to this | view in chronology ]
Anonymous Coward, 2 Dec 2014 @ 5:49am

You're most likely correct in stating security companies were withholding public disclosure of Regin. Probably because these companies realized that Regin is most likely another nation-state malware created by the West, like Stuxnet. I believe Regin's trojan software driver was even signed with valid Microsoft keys, just like Stuxnet was.

Another possible reason why they may have withheld information, is due to how encrypted and stealthy Regin is. With malware this stealthy, it's only a matter of time until the authors modify Regin enough so it can no longer be detected by antivirus signatures and heuristics.

Malware authors usually check their software against sites like VirusTotal.com to make sure it's undetectable before deploying it.

It's still interesting that security companies stayed tight lipped about Regin for so long. Especially Kaspersky, which is headquartered in Moscow, Russia. I almost get the sense these security companies were keeping their signature detections for Regin a secret. So Regin's authors would believe their malware was still undetectable, and therefore wouldn't modify it to avoid detection.

Then if a high paying customer complains about system problems and hires Symantec or Kaspersky. Their private (non-public) virus definition signatures for Regin would still detect it.

On other words. It looks to me like Symantec and Kaspersky were attempting to slow down Regin's authors from modifying their malware. By keeping antivirus signatures for Regin a secret, and only using the private detection signatures in limited situations for high paying customers.

Once the signatures become public. Regin morphs and becomes undetectable to Symantec and Kaspersky all over again.
[ link to this | view in chronology ]
- beltorak (profile), 2 Dec 2014 @ 6:07am
  
  Re:
  > I believe Regin's trojan software driver was even signed with valid Microsoft keys, just like Stuxnet was.
  
  Uhhh... get your facts straight at least:
  
  > [Stuxnet's] device drivers have been digitally signed with the private keys of two certificates that were stolen from separate well-known companies, JMicron and Realtek, both located at Hsinchu Science Park in Taiwan.
  
  The rest of your post is pretty solid speculation as far as it goes; but I disagree in that I think Regin's usefulness is pretty much done. Doubtless the five-eyes have a completely new strain we haven't heard of yet. Likely several new strains.
  [ link to this | view in chronology ]
- Anonymous Coward, 2 Dec 2014 @ 6:36am
  
  Re:
  "By keeping antivirus signatures for Regin a secret, and only using the private detection signatures in limited situations for high paying customers."
  
  Given Regin's root-kit nature, it would be neccessary to scan for it outside the system anyway.
  [ link to this | view in chronology ]
Anonymous Coward, 2 Dec 2014 @ 6:21am

How quickly we forget. It should come as no surprise that Symantec would keep this knowledge a secret when years ago, Peter Norton (then in charge), said they would gladly turn a blind eye to Carnivore, a federal surveillance program. The patently compromised mindset of these companies has not improved over time.
[ link to this | view in chronology ]
Anonymous Coward, 2 Dec 2014 @ 6:39am

> We also know that some of these companies have worked in concert with the NSA and others to provide backdoor access or hold off on patching software until the government gives them the go-ahead.

This is EXACTLY what Microsoft has been doing and KEEPS DOING:

http://www.bloomberg.com/news/2013-06-14/u-s-agencies-said-to-swap-data-with-thousands-of-firm s.html

Microsoft probably knew about its 20 years old remote execution bug for IIS servers, but sat on it until a third party also found out about it and "alerted Microsoft". At that point Microsoft had to reveal it, because they know the third party would make it public eventually anyway.
[ link to this | view in chronology ]
Rich Kulawiec, 2 Dec 2014 @ 7:46am

If your security strategy relies on AV software...
...then you are doomed, because AV software is guaranteed to fail when you'll need it the most. Like, say, when a new virus that it's never seen before -- and which has been vetted against every AV product on the planet -- shows up.
[ link to this | view in chronology ]
- John Fenderson (profile), 2 Dec 2014 @ 8:46am
  
  Re: If your security strategy relies on AV software...
  This. AV software is rear-guard action. It is important, but relying on it as your primary defense is only slightly better than having no defense at all.
  
  That said...
  
  "AV software is guaranteed to fail when you'll need it the most. Like, say, when a new virus that it's never seen before"
  
  This is not entirely true. Very good AV software does more than just look for signatures of known virii. It also taps into and observes system behavior and flags unknown software that exhibits behaviors that virii must engage in to do their thing. Still not perfect, but such software does a rather good job at spotting previously unseen infections.
  
  I am unaware of any free AV software that is so comprehensive, though. I am not familiar with every AV product on the planet, but to the best of my knowledge, this is functionality you have to pay for.
  [ link to this | view in chronology ]
  - Rich Kulawiec, 2 Dec 2014 @ 3:52pm
    
    Re: Re: If your security strategy relies on AV software...
    Sure, behavioral-based methods might spot a virus that hasn't been seen before...
    
    ...unless the authors tested it against those exact methods using that exact AV software in order to make sure it wasn't caught. Which is what competent and careful authors would do.
    
    And: all AV strategies rely on the presumption that the AV software will detect malware before the malware disables the AV. Given the long, long history of miserable failure rates in AV, and given the fact that NONE of them caught Stuxnet or Flame, I think that presumption is now in the category of "wishful thinking".
    [ link to this | view in chronology ]
    - John Fenderson (profile), 3 Dec 2014 @ 8:53am
      
      Re: Re: Re: If your security strategy relies on AV software...
      "...unless the authors tested it against those exact methods using that exact AV software in order to make sure it wasn't caught. Which is what competent and careful authors would do"
      
      Which is why I said it wasn't perfect and AV software should not be your end-all and be-all of protection. It's a rear-guard action.
      
      However, writing code to evade behavioral analysis is actually very, very difficult to do. It can be done, but it requires a degree of skill that is above what most virus authors are capable of.
      [ link to this | view in chronology ]
Just Another Anonymous Troll, 2 Dec 2014 @ 10:55am

Welcome to a new era of fear
This is the true power of the surveillance state, not to censor unpopular opinions but to block them from being shared in the first place due to fear. I think we can all agree that whoever released this first would probably get targeted to no end by the NSA, FBI, etc. People generally don't feel 'comfortable' with releasing information a surveillance state does not like when that surveillance state has zip in the oversight department and a blatant disregard for the Constitution.
[ link to this | view in chronology ]
That One Guy (profile), 2 Dec 2014 @ 1:25pm

So two companies who claim to be in the business of protecting their customers, intentionally turned a blind eye to malware, simply because of the probable source.

Yeah, I cannot think of a quicker way to destroy your reputation and the reputation of your product than something like this. They've shown that they will sit back and let threats that they know about continue on, if they think doing something about those threats will step on some sensitive toes.
[ link to this | view in chronology ]
- John Fenderson (profile), 2 Dec 2014 @ 2:28pm
  
  Re:
  This behavior is much more common than you might think.
  [ link to this | view in chronology ]
Pronounce (profile), 2 Dec 2014 @ 3:25pm

The Paranoid Have Claimed Backdoors to MS' Software for Years
Who would be surprised to learn that Microsoft is in collusion with U.S. and British security agencies. Is it any wonder then that German communities and China are looking for Windows alternatives?

It is a fine argument to say that MS wants to appeal to US and UK economies, but what about the economies of the rest of the world? Losing China is a huge financial hit, but maybe MS will pull a Ford Motor Company ploy and buy China tech companies.
[ link to this | view in chronology ]
Anonymous Coward, 2 Dec 2014 @ 3:53pm

Re: If your security strategy relies on AV software...
The malware must still get into the OS, and if it is virtualized or booted from a live cd it can't infect the host system.
[ link to this | view in chronology ]
Joe, 3 Dec 2014 @ 8:34am

website security concerns
Security concerns are real for all of us and we now don't know exactly which are friendly and which are not. Should we really attempt to make a distinction between various types of malware, good or bad?
[ link to this | view in chronology ]
Crystal, 8 Apr 2015 @ 10:00am

You know it would be nice if a TV series in today's society would keep a marriage bond the way it should be and show how strong two people can be bringing their love together and not have adultery in the picture!
[ link to this | view in chronology ]