Security Researchers Withheld Regin Malware Details For 'Global Security' Reasons
from the not-really-'global'-when-it's-just-the-Five-Eyes-then,-is-it? dept
Who's going to let you know your communications and data have been compromised by state entities? Well, it seems to depend on who the state entity is. When it's a non-'Five Eyes' country involved, there's usually no hesitation. But the recent exposure of Regin malware's NSA/GCHQ origins (which both agencies deny originates with them despite leaked documents to the contrary) came belatedly, confirming details revealed more than a year ago. The malware appears to date back nearly a decade and yet, there has been little said about it over that period of time. Mashable looked into the malware further and received some surprising replies from security analysts as to why there's been little to no discussion of Regin up to this point.
Symantec's [Vikram] Thakur said that they had been investigating Regin since last year, but only felt "comfortable" publishing details of it now. And so it goes. Everyone had the same suspicion as to who was behind the malware, but everyone sat on it, hoping someone else would make the first move. The NSA and GCHQ may deny their involvement, but the list of countries with verified Regin infections notably does not include any of the "Five Eyes" countries. Microsoft -- whose software the malware was disguised as -- has refused to comment.
[Costen] Raiu, the researcher from Kaspersky, said they had been tracking Regin for "several years" but rushed to publish the report after a journalist contacted them last week asking for comments about Regin, indicating a competitor was about to come out with their own report.
For [Ronald] Prins [of Fox IT], the reason is completely different.
"We didn't want to interfere with NSA/GCHQ operations," he told Mashable, explaining that everyone seemed to be waiting for someone else to disclose details of Regin first, not wanting to impede legitimate operations related to "global security."
It's no surprise that companies like Microsoft are in no hurry to divulge findings about state-run malware, at least not if it involves governments it has large contracts with. But security researchers shouldn't be acting as flacks for intelligence agencies, even if only committing sins of omission. As the ACLU's chief technologist pointed out, there's no faster way to "destroy" your company's reputation as a "provider of trustworthy security consulting services." Who's going to want to hire someone that won't tell you your data and communications are compromised until it feels it's "safe" to do so?
We already know that any security holes discovered (or purchased) by intelligence agencies won't be turned over to affected companies until they've been fully exploited. We also know that some of these companies have worked in concert with the NSA and others to provide backdoor access or hold off on patching software until the government gives them the go-ahead. But security researchers shouldn't be withholding details on sophisticated malware out of deference to the intelligence agencies it believes are behind it.
At this point, we have a security ecosystem greatly skewed towards the exploitation of flaws and the distribution of malware, rather than the other way around. There's an entire industry that does nothing but find exploits and sell them to intelligence agencies -- only distinguishable from criminal enterprises by their clientele. Being silently complicit in these exploits may prevent operations from being compromised (and seems to confirm that Fox IT reached the same conclusion about the malware's origin as others), but it has the hugely unfortunate side effect of harming thousands, if not millions, of non-terrorists around the world.
Filed Under: malware, regin, security, security research
Companies: fox it, kaspersky, symantec
Reader Comments
Rather than being a side effect, isn't that the program's intended goal?
Another possible reason why they may have withheld information, is due to how encrypted and stealthy Regin is. With malware this stealthy, it's only a matter of time until the authors modify Regin enough so it can no longer be detected by antivirus signatures and heuristics.
Malware authors usually check their software against sites like VirusTotal.com to make sure it's undetectable before deploying it.
It's still interesting that security companies stayed tight lipped about Regin for so long. Especially Kaspersky, which is headquartered in Moscow, Russia. I almost get the sense these security companies were keeping their signature detections for Regin a secret. So Regin's authors would believe their malware was still undetectable, and therefore wouldn't modify it to avoid detection.
Then, if a high paying customer complains about system problems and hires Symantec or Kaspersky, their private (non-public) virus definition signatures for Regin would still detect it.
In other words, it looks to me like Symantec and Kaspersky were attempting to slow down Regin's authors from modifying their malware, by keeping antivirus signatures for Regin a secret and only using the private detection signatures in limited situations for high paying customers.
Once the signatures become public, Regin morphs and becomes undetectable to Symantec and Kaspersky all over again.
Re:
Uhhh... get your facts straight at least:
> [Stuxnet's] device drivers have been digitally signed with the private keys of two certificates that were stolen from separate well-known companies, JMicron and Realtek, both located at Hsinchu Science Park in Taiwan.
The rest of your post is pretty solid speculation as far as it goes; but I disagree in that I think Regin's usefulness is pretty much done. Doubtless the five-eyes have a completely new strain we haven't heard of yet. Likely several new strains.
Re:
Given Regin's root-kit nature, it would be necessary to scan for it outside the system anyway.
This is EXACTLY what Microsoft has been doing and KEEPS DOING:
http://www.bloomberg.com/news/2013-06-14/u-s-agencies-said-to-swap-data-with-thousands-of-firms.html
Microsoft probably knew about its 20 years old remote execution bug for IIS servers, but sat on it until a third party also found out about it and "alerted Microsoft". At that point Microsoft had to reveal it, because they know the third party would make it public eventually anyway.
Sony
Kind of ironic, don't you think ?
Schadenfreude.
Last I heard, they have a plan to migrate (a la MacOS -> OSX) to a more secure base system.
I am looking forward to watching all the corporate IT managers who've painted their companies into corners standardizing on a proprietary monoculture. One that I worked with couldn't wait to replace their Unix servers with Windows servers. I think they're still working on it.
Imagine what it's going to cost to climb back out of the hole you've been digging your company into for the last twenty years. "You get what you pay for" or "Schadenfreude", call it what you will, it's going to be an entertaining horror flick.
If your security strategy relies on AV software...
Re: If your security strategy relies on AV software...
That said...
"AV software is guaranteed to fail when you'll need it the most. Like, say, when a new virus that it's never seen before"
This is not entirely true. Very good AV software does more than just look for signatures of known virii. It also taps into and observes system behavior and flags unknown software that exhibits behaviors that virii must engage in to do their thing. Still not perfect, but such software does a rather good job at spotting previously unseen infections.
I am unaware of any free AV software that is so comprehensive, though. I am not familiar with every AV product on the planet, but to the best of my knowledge, this is functionality you have to pay for.
Welcome to a new era of fear
Yeah, I cannot think of a quicker way to destroy your reputation and the reputation of your product than something like this. They've shown that they will sit back and let threats that they know about continue on, if they think doing something about those threats will step on some sensitive toes.
Re:
*: With the restriction that you must be a complete idiot for it to work.
The Paranoid Have Claimed Backdoors to MS' Software for Years
It is a fine argument to say that MS wants to appeal to US and UK economies, but what about the economies of the rest of the world? Losing China is a huge financial hit, but maybe MS will pull a Ford Motor Company ploy and buy China tech companies.
Re: Re: If your security strategy relies on AV software...
...unless the authors tested it against those exact methods using that exact AV software in order to make sure it wasn't caught. Which is what competent and careful authors would do.
And: all AV strategies rely on the presumption that the AV software will detect malware before the malware disables the AV. Given the long, long history of miserable failure rates in AV, and given the fact that NONE of them caught Stuxnet or Flame, I think that presumption is now in the category of "wishful thinking".
Re: Re: Re: If your security strategy relies on AV software...
Which is why I said it wasn't perfect and AV software should not be your end-all and be-all of protection. It's a rear-guard action.
However, writing code to evade behavioral analysis is actually very, very difficult to do. It can be done, but it requires a degree of skill that is above what most virus authors are capable of.
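The posts above argue about the difference between keeping a signature secret so the malware isn't altered, and relying on behavioural detection that survives such alteration. The following is an added illustration, not code from any commenter, Symantec, Kaspersky or any AV product: it scans two constructed byte blobs (`SAMPLE_V1` and a one-byte variant `SAMPLE_V2`) against a hash and a byte-pattern signature, then runs a simple behaviour rule over a constructed per-process event stream. The rule name, the event fields and the sample bytes are all invented for the example.

```python
"""Signature matching vs. behaviour matching (added example, constructed data).

Shows that a file-hash or byte-pattern signature stops matching after a
trivial edit to the file, while a rule keyed on what the process *does*
still fires because the behaviour did not change.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Set

# --- signature-based detection ---------------------------------------------
# Constructed "samples": a fake header, a marker string and padding.  Neither
# is a real file; they exist only to show how fragile exact-match signatures are.
SAMPLE_V1 = b"MZ\x90\x00" + b"stage1-loader" + b"\x00" * 16 + b"config-blob"
# The "morphed" build differs from V1 by a single byte ('-' -> '_').
SAMPLE_V2 = SAMPLE_V1.replace(b"stage1-loader", b"stage1_loader")

# Hypothetical signature sets written against V1 only.
HASH_SIGNATURES = {hashlib.sha256(SAMPLE_V1).hexdigest(): "Sample.A (hash)"}
BYTE_SIGNATURES = {b"stage1-loader": "Sample.A (pattern)"}


def signature_scan(blob: bytes) -> List[str]:
    """Return the names of every static signature that matches the blob."""
    hits: List[str] = []
    digest = hashlib.sha256(blob).hexdigest()
    if digest in HASH_SIGNATURES:
        hits.append(HASH_SIGNATURES[digest])
    for pattern, name in BYTE_SIGNATURES.items():
        if pattern in blob:
            hits.append(name)
    return hits


# --- behaviour-based detection ---------------------------------------------
@dataclass(frozen=True)
class Event:
    """One sensor observation: which process did what to which target."""
    pid: int
    action: str   # e.g. "load_driver", "write_file", "net_connect"
    target: str


# A behaviour rule is the set of actions one process must be seen performing.
# The rule name and its action set are assumptions for this example.
RULES: Dict[str, Set[str]] = {
    "kernel-module + file-store + beacon": {"load_driver", "write_file", "net_connect"},
}


def behaviour_scan(events: List[Event]) -> Dict[int, List[str]]:
    """Group actions per pid and report every rule whose action set is covered."""
    seen: Dict[int, Set[str]] = {}
    for ev in events:
        seen.setdefault(ev.pid, set()).add(ev.action)
    alerts: Dict[int, List[str]] = {}
    for pid, actions in seen.items():
        fired = [name for name, required in RULES.items() if required <= actions]
        if fired:
            alerts[pid] = fired
    return alerts


# Constructed event stream: pid 4242 behaves like the stealthy implant the
# commenters describe; pid 1337 is an ordinary program that also writes files
# and talks to the network but never loads a driver, so the rule stays quiet.
EVENTS = [
    Event(4242, "load_driver", "C:\\Windows\\System32\\drivers\\example.sys"),
    Event(4242, "write_file", "C:\\Windows\\System32\\config\\example.dat"),
    Event(4242, "net_connect", "203.0.113.10:443"),
    Event(1337, "write_file", "C:\\Users\\alice\\Downloads\\report.pdf"),
    Event(1337, "net_connect", "198.51.100.20:443"),
]


if __name__ == "__main__":
    print("V1 static hits:", signature_scan(SAMPLE_V1))   # both signatures match
    print("V2 static hits:", signature_scan(SAMPLE_V2))   # nothing matches
    # The byte edit does not change what the running process does, so the
    # same event stream applies to both builds and the rule still fires.
    print("behaviour alerts:", behaviour_scan(EVENTS))
```

Running it shows the asymmetry the thread is arguing about: the one-byte edit defeats both static signatures, while the behaviour rule keeps flagging pid 4242 and ignores the benign process. It also shows the cost of behavioural rules, which is the part of the thread about "rear-guard action": the rule is only as good as the sensor feeding it, and a rootkit that hides its own events from that sensor (the point made about scanning from outside the system) defeats it just as surely.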