Security Researchers Withheld Regin Malware Details For 'Global Security' Reasons

from the not-really-'global'-when-it's-just-the-Five-Eyes-then,-is-it? dept

Who’s going to let you know your communications and data have been compromised by state entities? Well, it seems to depend on who the state entity is. When a non-‘Five Eyes’ country is involved, there’s usually no hesitation. But the recent exposure of the Regin malware’s NSA/GCHQ origins (which both agencies deny, despite leaked documents to the contrary) came belatedly, confirming details revealed more than a year ago. The malware appears to date back nearly a decade, and yet little has been said about it over that period.

Mashable looked into the malware further and received some surprising replies from security analysts as to why there’s been little to no discussion of Regin up to this point.

Symantec’s [Vikram] Thakur said that they had been investigating Regin since last year, but only felt “comfortable” publishing details of it now.

[Costin] Raiu, the researcher from Kaspersky, said they had been tracking Regin for “several years” but rushed to publish the report after a journalist contacted them last week asking for comments about Regin, indicating a competitor was about to come out with their own report.

For [Ronald] Prins [of Fox IT], the reason is completely different.

“We didn’t want to interfere with NSA/GCHQ operations,” he told Mashable, explaining that everyone seemed to be waiting for someone else to disclose details of Regin first, not wanting to impede legitimate operations related to “global security.”

And so it goes. Everyone had the same suspicion as to who was behind the malware, but everyone sat on it, hoping someone else would make the first move. The NSA and GCHQ may deny their involvement, but the list of countries with verified Regin infections notably does not include any of the “Five Eyes” countries. Microsoft — whose software the malware was disguised as — has refused to comment.

It’s no surprise that companies like Microsoft are in no hurry to divulge findings about state-run malware, at least not if it involves governments it has large contracts with. But security researchers shouldn’t be acting as flacks for intelligence agencies, even if only committing sins of omission. As the ACLU’s chief technologist pointed out, there’s no faster way to “destroy” your company’s reputation as a “provider of trustworthy security consulting services.” Who’s going to want to hire someone that won’t tell you your data and communications are compromised until it feels it’s “safe” to do so?

We already know that any security holes discovered (or purchased) by intelligence agencies won’t be turned over to affected companies until they’ve been fully exploited. We also know that some of these companies have worked in concert with the NSA and others to provide backdoor access or hold off on patching software until the government gives them the go-ahead. But security researchers shouldn’t be withholding details on sophisticated malware out of deference to the intelligence agencies they believe are behind it.

At this point, we have a security ecosystem greatly skewed towards the exploitation of flaws and the distribution of malware, rather than towards their discovery and repair. There’s an entire industry that does nothing but find exploits and sell them to intelligence agencies, distinguishable from criminal enterprises only by its clientele. Being silently complicit in these exploits may prevent operations from being compromised (and Fox IT’s stated reason for staying quiet suggests it reached the same conclusion about the malware’s origin as everyone else), but it has the hugely unfortunate side effect of harming thousands, if not millions, of non-terrorists around the world.

Companies: fox it, kaspersky, symantec


Comments on “Security Researchers Withheld Regin Malware Details For 'Global Security' Reasons”

Anonymous Coward says:

The NSA and GCHQ are now in the business of training terrorists and non-allied foreign governments how to compromise computers. Sony seems to have been subject to the results within the past week. I hope Microsoft has plans for some other business when the rest of the world drops them. Of course, since it is Windows that seems to be the system to compromise, we will probably be feeling the backlash of these actions for years to come.

tqk (profile) says:

Re: Schadenfreude.

I hope Microsoft has plans for some other business when the rest of the world drops them.

Last I heard, they have a plan to migrate (a la MacOS -> OSX) to a more secure base system.

I am looking forward to watching all the corporate IT managers who’ve painted their companies into corners standardizing on a proprietary monoculture. One that I worked with couldn’t wait to replace their Unix servers with Windows servers. I think they’re still working on it.

Imagine what it’s going to cost to climb back out of the hole you’ve been digging your company into for the last twenty years. “You get what you pay for” or “Schadenfreude”, call it what you will, it’s going to be an entertaining horror flick.

Anonymous Coward says:

You’re most likely correct in stating security companies were withholding public disclosure of Regin. Probably because these companies realized that Regin is most likely another nation-state malware created by the West, like Stuxnet. I believe Regin’s trojan software driver was even signed with valid Microsoft keys, just like Stuxnet was.

Another possible reason why they may have withheld information, is due to how encrypted and stealthy Regin is. With malware this stealthy, it’s only a matter of time until the authors modify Regin enough so it can no longer be detected by antivirus signatures and heuristics.

Malware authors usually check their software against sites like to make sure it’s undetectable before deploying it.

It’s still interesting that security companies stayed tight lipped about Regin for so long. Especially Kaspersky, which is headquartered in Moscow, Russia. I almost get the sense these security companies were keeping their signature detections for Regin a secret. So Regin’s authors would believe their malware was still undetectable, and therefore wouldn’t modify it to avoid detection.

Then if a high-paying customer complains about system problems and hires Symantec or Kaspersky, their private (non-public) virus definition signatures for Regin would still detect it.

In other words, it looks to me like Symantec and Kaspersky were attempting to slow down Regin’s authors from modifying their malware by keeping antivirus signatures for Regin a secret, and only using the private detection signatures in limited situations for high-paying customers.

Once the signatures become public, Regin morphs and becomes undetectable to Symantec and Kaspersky all over again.

beltorak (profile) says:

Re: Re:

I believe Regin’s trojan software driver was even signed with valid Microsoft keys, just like Stuxnet was.

Uhhh… get your facts straight at least:

> [Stuxnet’s] device drivers have been digitally signed with the private keys of two certificates that were stolen from separate well-known companies, JMicron and Realtek, both located at Hsinchu Science Park in Taiwan.

The rest of your post is pretty solid speculation as far as it goes; but I disagree in that I think Regin’s usefulness is pretty much done. Doubtless the five-eyes have a completely new strain we haven’t heard of yet. Likely several new strains.

Anonymous Coward says:

> We also know that some of these companies have worked in concert with the NSA and others to provide backdoor access or hold off on patching software until the government gives them the go-ahead.

This is EXACTLY what Microsoft has been doing and KEEPS DOING:

Microsoft probably knew about its 20-year-old remote execution bug for IIS servers, but sat on it until a third party also found out about it and “alerted Microsoft”. At that point Microsoft had to reveal it, because they knew the third party would make it public eventually anyway.

John Fenderson (profile) says:

Re: If your security strategy relies on AV software...

This. AV software is rear-guard action. It is important, but relying on it as your primary defense is only slightly better than having no defense at all.

That said…

“AV software is guaranteed to fail when you’ll need it the most. Like, say, when a new virus that it’s never seen before”

This is not entirely true. Very good AV software does more than just look for signatures of known virii. It also taps into and observes system behavior and flags unknown software that exhibits behaviors that virii must engage in to do their thing. Still not perfect, but such software does a rather good job at spotting previously unseen infections.

I am unaware of any free AV software that is so comprehensive, though. I am not familiar with every AV product on the planet, but to the best of my knowledge, this is functionality you have to pay for.

Rich Kulawiec (profile) says:

Re: Re: If your security strategy relies on AV software...

Sure, behavioral-based methods might spot a virus that hasn’t been seen before…

…unless the authors tested it against those exact methods using that exact AV software in order to make sure it wasn’t caught. Which is what competent and careful authors would do.

And: all AV strategies rely on the presumption that the AV software will detect malware before the malware disables the AV. Given the long, long history of miserable failure rates in AV, and given the fact that NONE of them caught Stuxnet or Flame, I think that presumption is now in the category of “wishful thinking”.

John Fenderson (profile) says:

Re: Re: Re: If your security strategy relies on AV software...

“…unless the authors tested it against those exact methods using that exact AV software in order to make sure it wasn’t caught. Which is what competent and careful authors would do”

Which is why I said it wasn’t perfect and AV software should not be your end-all and be-all of protection. It’s a rear-guard action.

However, writing code to evade behavioral analysis is actually very, very difficult to do. It can be done, but it requires a degree of skill that is above what most virus authors are capable of.
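The thread above turns on two claims: that a signature stops matching once the authors know it and rebuild (the earlier Anonymous Coward comment), and that behaviour-based detection survives such a rebuild but can itself be tested against (the Fenderson/Kulawiec exchange). The following is an added example, not code from the post, from any commenter, or from any AV vendor. The sample bytes, the byte signatures, the API event names in the trace, the file paths and the detection rule are all constructed for illustration and are not real Regin indicators. It shows a byte signature matching a first build and failing on a trivially rebuilt one, while a behavioural rule over the same runtime events fires on both builds and stays quiet on a legitimate driver installer.

```python
"""
Signature vs behaviour detection over constructed samples.

Added example; not code from the Techdirt post, any commenter, or any AV
vendor. Samples, byte patterns, API event names and the rule are all made
up for illustration and are not real Regin indicators.
"""
import re
from typing import Dict, List, Sequence

# Byte signatures a vendor might ship for the first observed build (constructed).
BYTE_SIGNATURES = {
    "loader.v1.nopsled": re.compile(rb"\x90{4}load_driver\x00"),
    "loader.v1.stagename": re.compile(rb"STAGE2_DISK\x00"),
}

# Constructed stand-in for the first build: a header, a NOP sled, two plaintext strings.
SAMPLE_V1 = b"MZ\x90\x00" + b"\x90" * 4 + b"load_driver\x00" + b"STAGE2_DISK\x00" + b"\x00" * 8

# Directory the behavioural rule watches (lower-cased for comparison).
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"


def rebuild(sample: bytes) -> bytes:
    """The kind of cheap 'morph' an author does once signatures go public:
    swap the 1-byte NOP sled for 2-byte NOPs (66 90) and XOR the stage name
    with a constant so its plaintext no longer appears in the file.
    Runtime behaviour is unchanged; the decoder stub is implied, not shown."""
    out = sample.replace(b"\x90" * 4, b"\x66\x90" * 2)
    key = 0x5A
    encoded = bytes(b ^ key for b in b"STAGE2_DISK\x00")
    return out.replace(b"STAGE2_DISK\x00", encoded)


def signature_hits(sample: bytes, sigs=BYTE_SIGNATURES) -> List[str]:
    """Names of byte signatures that match the sample as stored on disk."""
    return [name for name, pat in sigs.items() if pat.search(sample)]


def behaviour_hits(trace: Sequence[Dict]) -> List[int]:
    """Return pids that (1) write a file under the drivers directory, (2) register
    that same file as a kernel-driver service, and (3) afterwards delete their own
    image. Order-sensitive and tracked per pid. A legitimate driver installer does
    1 and 2 but not 3, which is what keeps the rule from firing on it."""
    by_pid: Dict[int, List[Dict]] = {}
    for ev in trace:
        by_pid.setdefault(ev["pid"], []).append(ev)
    flagged = []
    for pid, events in by_pid.items():
        image = next((e["image"].lower() for e in events if e["api"] == "ProcessStart"), None)
        dropped, registered, self_deleted = set(), False, False
        for e in events:
            if e["api"] == "CreateFileW" and e.get("access") == "WRITE" \
                    and e["path"].lower().startswith(DRIVER_DIR):
                dropped.add(e["path"].lower())
            elif e["api"] == "CreateServiceW" and e.get("type") == "KERNEL_DRIVER" \
                    and e["binary"].lower() in dropped:
                registered = True
            elif e["api"] == "DeleteFileW" and registered and image \
                    and e["path"].lower() == image:
                self_deleted = True
        if registered and self_deleted:
            flagged.append(pid)
    return sorted(flagged)


# Constructed runtime trace of the dropper. rebuild() only changes bytes on disk,
# so SAMPLE_V1 and rebuild(SAMPLE_V1) both produce this same trace when run.
DROPPER_IMAGE = r"C:\Users\victim\AppData\Local\Temp\update.exe"
TRACE_DROPPER = [
    {"pid": 4120, "api": "ProcessStart", "image": DROPPER_IMAGE},
    {"pid": 4120, "api": "CreateFileW", "path": r"C:\Windows\System32\drivers\usbclass.sys", "access": "WRITE"},
    {"pid": 4120, "api": "CreateServiceW", "binary": r"C:\Windows\System32\drivers\usbclass.sys", "type": "KERNEL_DRIVER"},
    {"pid": 4120, "api": "StartServiceW", "service": "usbclass"},
    {"pid": 4120, "api": "DeleteFileW", "path": DROPPER_IMAGE},
]

# Constructed trace of a legitimate driver installer: same drop-and-register
# steps, but it leaves its own image alone, so the rule must not fire.
TRACE_INSTALLER = [
    {"pid": 5001, "api": "ProcessStart", "image": r"C:\Users\admin\Downloads\vendor_setup.exe"},
    {"pid": 5001, "api": "CreateFileW", "path": r"C:\Windows\System32\drivers\vendornic.sys", "access": "WRITE"},
    {"pid": 5001, "api": "CreateServiceW", "binary": r"C:\Windows\System32\drivers\vendornic.sys", "type": "KERNEL_DRIVER"},
    {"pid": 5001, "api": "StartServiceW", "service": "vendornic"},
]


if __name__ == "__main__":
    v2 = rebuild(SAMPLE_V1)
    print("v1 signature hits:", signature_hits(SAMPLE_V1))
    print("v2 signature hits:", signature_hits(v2))
    print("dropper behaviour hits (either build):", behaviour_hits(TRACE_DROPPER))
    print("installer behaviour hits:", behaviour_hits(TRACE_INSTALLER))
```

The rule is deliberately bound to one pid and one ordering of events, which is exactly the sort of assumption an author who tests against the product (Kulawiec’s point) would find and route around, for instance by having a second process perform the self-delete. Behavioural detection raises the cost of evasion; it does not remove it.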

Just Another Anonymous Troll says:

Welcome to a new era of fear

This is the true power of the surveillance state, not to censor unpopular opinions but to block them from being shared in the first place due to fear. I think we can all agree that whoever released this first would probably get targeted to no end by the NSA, FBI, etc. People generally don’t feel ‘comfortable’ with releasing information a surveillance state does not like when that surveillance state has zip in the oversight department and a blatant disregard for the Constitution.

That One Guy (profile) says:

So two companies who claim to be in the business of protecting their customers, intentionally turned a blind eye to malware, simply because of the probable source.

Yeah, I cannot think of a quicker way to destroy your reputation and the reputation of your product than something like this. They’ve shown that they will sit back and let threats that they know about continue on, if they think doing something about those threats will step on some sensitive toes.

Pronounce (profile) says:

The Paranoid Have Claimed Backdoors to MS' Software for Years

Who would be surprised to learn that Microsoft is in collusion with U.S. and British security agencies. Is it any wonder then that German communities and China are looking for Windows alternatives?

It is a fine argument to say that MS wants to appeal to US and UK economies, but what about the economies of the rest of the world? Losing China is a huge financial hit, but maybe MS will pull a Ford Motor Company ploy and buy China tech companies.
