Security Researchers Withheld Regin Malware Details For 'Global Security' Reasons

from the not-really-'global'-when-it's-just-the-Five-Eyes-then,-is-it? dept

Who's going to let you know your communications and data have been compromised by state entities? Well, it seems to depend on who the state entity is. When it's a non-'Five Eyes' country involved, there's usually no hesitation. But the recent exposure of Regin malware's NSA/GCHQ origins (which both agencies deny originates with them despite leaked documents to the contrary) came belatedly, confirming details revealed more than a year ago. The malware appears to date back nearly a decade and yet, there has been little said about it over that period of time.

Mashable looked into the malware further and received some surprising replies from security analysts as to why there's been little to no discussion of Regin up to this point.
Symantec's [Vikram]Thakur said that they had been investigating Regin since last year, but only felt "comfortable" publishing details of it now.

[Costen] Raiu, the researcher from Kaspersky, said they had been tracking Regin for "several years" but rushed to publish the report after a journalist contacted them last week asking for comments about Regin, indicating a competitor was about to come out with their own report.

For [Ronald] Prins [of Fox IT], the reason is completely different.

"We didn't want to interfere with NSA/GCHQ operations," he told Mashable, explaining that everyone seemed to be waiting for someone else to disclose details of Regin first, not wanting to impede legitimate operations related to "global security."
And so it goes. Everyone had the same suspicion as to who was behind the malware, but everyone sat on it, hoping someone else would make the first move. The NSA and GCHQ may deny their involvement, but the list of countries with verified Regin infections notably does not include any of the "Five Eyes" countries. Microsoft -- whose software the malware was disguised as -- has refused to comment.

It's no surprise that companies like Microsoft are in no hurry to divulge findings about state-run malware, at least not if it involves governments it has large contracts with. But security researchers shouldn't be acting as flacks for intelligence agencies, even if only committing sins of omission. As the ACLU's chief technologist pointed out, there's no faster way to "destroy" your company's reputation as a "provider of trustworthy security consulting services." Who's going to want to hire someone that won't tell you your data and communications are compromised until it feels it's "safe" to do so?

We already know that any security holes discovered (or purchased) by intelligence agencies won't be turned over to affected companies until they've been fully exploited. We also know that some of these companies have worked in concert with the NSA and others to provide backdoor access or hold off on patching software until the government gives them the go-ahead. But security researchers shouldn't be withholding details on sophisticated malware out of deference to the intelligence agencies it believes are behind it.

At this point, we have a security ecosystem greatly skewed towards the exploitation of flaws and the distribution of malware, rather than the other way around. There's an entire industry that does nothing but find exploits and sell them to intelligence agencies -- only distinguishable from criminal enterprises by their clientele. Being silently complicit in these exploits may prevent operations from being compromised (and seems to confirm that Fox IT reached the same conclusion about the malware's origin as others), but it has the hugely unfortunate side effect of harming thousands, if not millions, of non-terrorists around the world.

Filed Under: malware, regin, security, security research
Companies: fox it, kaspersky, symantec


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Anonymous Coward, 2 Dec 2014 @ 5:07am

    If security researchers can find such malware, so can other agencies, like other government spying agencies, and they will exploit at least its presence for their own purposes.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 2 Dec 2014 @ 5:15am

    And people pay these companies for what, a warm cozy feeling?

    reply to this | link to this | view in chronology ]

  • identicon
    Steven, 2 Dec 2014 @ 5:41am

    " . . . but it has the hugely unfortunate side effect of harming thousands, if not millions, of non-terrorists around the world."

    Rather than being a side effect, isn't that the program's intended goal?

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 2 Dec 2014 @ 5:43am

    The NSA and GHCQ are now in the business of training terrorists and non-allied foreign governments how to compromise computers. Sony seems to have been subject to the results within the past week. I hope Microsoft has plans for some other business when the rest of the world drops them. Of course, since it is windows that seems to be the system to compromise, we will probably be feeling the backlash of these actions for years to come.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 2 Dec 2014 @ 6:57am

      Sony

      Isn't Sony the company that distributed rootkits through their DVD's ?

      Kind of ironic, don't you think ?

      reply to this | link to this | view in chronology ]

    • icon
      Blackfiredragon13 (profile), 2 Dec 2014 @ 7:05am

      Re:

      And that's because windows is the most popular series of operating systems out there by leagues over Mac and Linux. Last time I checked pretty much every atm out there uses windows xp, though there's an undoubtable push to change it over to a more recent os since support for xp's been cut.

      reply to this | link to this | view in chronology ]

    • icon
      tqk (profile), 2 Dec 2014 @ 7:32am

      Schaudenfreud.

      I hope Microsoft has plans for some other business when the rest of the world drops them.

      Last I heard, they have a plan to migrate (a la MacOS -> OSX) to a more secure base system.

      I am looking forward to watching all the corporate IT managers who've painted their companies into corners standardizing on a proprietary monoculture. One that I worked with couldn't wait to replace their Unix servers with Windows servers. I think still working on it.

      Imagine what it's going to cost to climb back out of the hole you've been digging your company into for the last twenty years. "You get what you pay for" or "Schaudenfreud", call it what you will, it's going to be an entertaining horror flick.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 2 Dec 2014 @ 5:49am

    You're most likely correct in stating security companies were withholding public disclosure of Regin. Probably because these companies realized that Regin is most likely another nation-state malware created by the West, like Stuxnet. I believe Regin's trojan software driver was even signed with valid Microsoft keys, just like Stuxnet was.

    Another possible reason why they may have withheld information, is due to how encrypted and stealthy Regin is. With malware this stealthy, it's only a matter of time until the authors modify Regin enough so it can no longer be detected by antivirus signatures and heuristics.

    Malware authors usually check their software against sites like VirusTotal.com to make sure it's undetectable before deploying it.

    It's still interesting that security companies stayed tight lipped about Regin for so long. Especially Kaspersky, which is headquartered in Moscow, Russia. I almost get the sense these security companies were keeping their signature detections for Regin a secret. So Regin's authors would believe their malware was still undetectable, and therefore wouldn't modify it to avoid detection.

    Then if a high paying customer complains about system problems and hires Symantec or Kaspersky. Their private (non-public) virus definition signatures for Regin would still detect it.

    On other words. It looks to me like Symantec and Kaspersky were attempting to slow down Regin's authors from modifying their malware. By keeping antivirus signatures for Regin a secret, and only using the private detection signatures in limited situations for high paying customers.

    Once the signatures become public. Regin morphs and becomes undetectable to Symantec and Kaspersky all over again.

    reply to this | link to this | view in chronology ]

    • icon
      beltorak (profile), 2 Dec 2014 @ 6:07am

      Re:

      > I believe Regin's trojan software driver was even signed with valid Microsoft keys, just like Stuxnet was.

      Uhhh... get your facts straight at least:

      > [Stuxnet's] device drivers have been digitally signed with the private keys of two certificates that were stolen from separate well-known companies, JMicron and Realtek, both located at Hsinchu Science Park in Taiwan.

      The rest of your post is pretty solid speculation as far as it goes; but I disagree in that I think Regin's usefulness is pretty much done. Doubtless the five-eyes have a completely new strain we haven't heard of yet. Likely several new strains.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 2 Dec 2014 @ 6:36am

      Re:

      "By keeping antivirus signatures for Regin a secret, and only using the private detection signatures in limited situations for high paying customers."

      Given Regin's root-kit nature, it would be neccessary to scan for it outside the system anyway.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 2 Dec 2014 @ 6:21am

    How quickly we forget. It should come as no surprise that Symantec would keep this knowledge a secret when years ago, Peter Norton (then in charge), said they would gladly turn a blind eye to Carnivore, a federal surveillance program. The patently compromised mindset of these companies has not improved over time.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 2 Dec 2014 @ 6:39am

    > We also know that some of these companies have worked in concert with the NSA and others to provide backdoor access or hold off on patching software until the government gives them the go-ahead.

    This is EXACTLY what Microsoft has been doing and KEEPS DOING:

    http://www.bloomberg.com/news/2013-06-14/u-s-agencies-said-to-swap-data-with-thousands-of-firm s.html

    Microsoft probably knew about its 20 years old remote execution bug for IIS servers, but sat on it until a third party also found out about it and "alerted Microsoft". At that point Microsoft had to reveal it, because they know the third party would make it public eventually anyway.

    reply to this | link to this | view in chronology ]

  • identicon
    Rich Kulawiec, 2 Dec 2014 @ 7:46am

    If your security strategy relies on AV software...

    ...then you are doomed, because AV software is guaranteed to fail when you'll need it the most. Like, say, when a new virus that it's never seen before -- and which has been vetted against every AV product on the planet -- shows up.

    reply to this | link to this | view in chronology ]

    • icon
      John Fenderson (profile), 2 Dec 2014 @ 8:46am

      Re: If your security strategy relies on AV software...

      This. AV software is rear-guard action. It is important, but relying on it as your primary defense is only slightly better than having no defense at all.

      That said...

      "AV software is guaranteed to fail when you'll need it the most. Like, say, when a new virus that it's never seen before"

      This is not entirely true. Very good AV software does more than just look for signatures of known virii. It also taps into and observes system behavior and flags unknown software that exhibits behaviors that virii must engage in to do their thing. Still not perfect, but such software does a rather good job at spotting previously unseen infections.

      I am unaware of any free AV software that is so comprehensive, though. I am not familiar with every AV product on the planet, but to the best of my knowledge, this is functionality you have to pay for.

      reply to this | link to this | view in chronology ]

      • identicon
        Rich Kulawiec, 2 Dec 2014 @ 3:52pm

        Re: Re: If your security strategy relies on AV software...

        Sure, behavioral-based methods might spot a virus that hasn't been seen before...

        ...unless the authors tested it against those exact methods using that exact AV software in order to make sure it wasn't caught. Which is what competent and careful authors would do.

        And: all AV strategies rely on the presumption that the AV software will detect malware before the malware disables the AV. Given the long, long history of miserable failure rates in AV, and given the fact that NONE of them caught Stuxnet or Flame, I think that presumption is now in the category of "wishful thinking".

        reply to this | link to this | view in chronology ]

        • icon
          John Fenderson (profile), 3 Dec 2014 @ 8:53am

          Re: Re: Re: If your security strategy relies on AV software...

          "...unless the authors tested it against those exact methods using that exact AV software in order to make sure it wasn't caught. Which is what competent and careful authors would do"

          Which is why I said it wasn't perfect and AV software should not be your end-all and be-all of protection. It's a rear-guard action.

          However, writing code to evade behavioral analysis is actually very, very difficult to do. It can be done, but it requires a degree of skill that is above what most virus authors are capable of.

          reply to this | link to this | view in chronology ]

  • identicon
    Just Another Anonymous Troll, 2 Dec 2014 @ 10:55am

    Welcome to a new era of fear

    This is the true power of the surveillance state, not to censor unpopular opinions but to block them from being shared in the first place due to fear. I think we can all agree that whoever released this first would probably get targeted to no end by the NSA, FBI, etc. People generally don't feel 'comfortable' with releasing information a surveillance state does not like when that surveillance state has zip in the oversight department and a blatant disregard for the Constitution.

    reply to this | link to this | view in chronology ]

  • icon
    That One Guy (profile), 2 Dec 2014 @ 1:25pm

    So two companies who claim to be in the business of protecting their customers, intentionally turned a blind eye to malware, simply because of the probable source.

    Yeah, I cannot think of a quicker way to destroy your reputation and the reputation of your product than something like this. They've shown that they will sit back and let threats that they know about continue on, if they think doing something about those threats will step on some sensitive toes.

    reply to this | link to this | view in chronology ]

  • icon
    Pronounce (profile), 2 Dec 2014 @ 3:25pm

    The Paranoid Have Claimed Backdoors to MS' Software for Years

    Who would be surprised to learn that Microsoft is in collusion with U.S. and British security agencies. Is it any wonder then that German communities and China are looking for Windows alternatives?

    It is a fine argument to say that MS wants to appeal to US and UK economies, but what about the economies of the rest of the world? Losing China is a huge financial hit, but maybe MS will pull a Ford Motor Company ploy and buy China tech companies.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 2 Dec 2014 @ 3:53pm

    Re: If your security strategy relies on AV software...

    The malware must still get into the OS, and if it is virtualized or booted from a live cd it can't infect the host system.

    reply to this | link to this | view in chronology ]

  • identicon
    Joe, 3 Dec 2014 @ 8:34am

    website security concerns

    Security concerns are real for all of us and we now don't know exactly which are friendly and which are not. Should we really attempt to make a distinction between various types of malware, good or bad?

    reply to this | link to this | view in chronology ]

  • identicon
    Crystal, 8 Apr 2015 @ 10:00am

    You know it would be nice if a TV series in today's society would keep a marriage bond the way it should be and show how strong two people can be bringing their love together and not have adultery in the picture!

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Insider Shop - Show Your Support!

Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.