Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

No ordinary mobile attack: The Regin menace

Kim Crawley | Dec. 4, 2014
When you read about security attacks involving mobile network technology, typically they're incidents that target mobile devices used by consumers.

When you read about security attacks involving mobile network technology, typically they're incidents that target mobile devices used by consumers.

All kinds of malware has been found over the years that targets iOS and Android. Isolate the malicious files, wait for antivirus software to acquire signatures a day or so after a zero-day is discovered, run it, reboot your device, you're all set.

That's not what Regin is, oh no. Regin is the story of a global cyberattack mechanism on a massive scale. Hold on to your seats, because I'm going to take you on a bumpy ride.

Something Smells Like Duqu

To the uninitiated, Duqu is a trojan that was binded to Microsoft Word files. It exploits a vulnerability that existed in Windows' win32k.sys True Type Font parsing engine. Its obfuscated code is among the reasons why researchers at Kaspersky, F-Secure, and Symantec believe it may have been developed by the team behind the ever notorious Stuxnet worm. A chilling parallel is how Stuxnet's kernel driver, mrxcls.sys, is so similar to Duqu's kernel driver, jmient7.sys, that it triggered F-Secure's signatures to identify Duqu as Stuxnet. It appeared to be developed with the aid of Visual Studio 2008's C compiler.

Duqu is spyware that fingerprints for vulnerability and system configuration data to aid in attacking industrial SCADAs. Duqu wasn't designed to have a destructive effect, it was just programmed to sit in the kernel and application layer in Windows machines and snoop.

Duqu was discovered in September 2011. Months later, sometime in spring 2012, Kaspersky Lab held a conference for security researchers to discuss Duqu. A researcher (who Kaspersky hasn't identified) said that he noticed patterns in Duqu's behavior that reminded him of something else. He mentioned a malware attack that he and his colleagues have been stumped by for years, Regin.

Regin's Genesis and Platform

Malware researchers aren't yet certain as to when Regin debuted. There are logs with timestamps dating back to 2003 which may have indicated it, that's still being analyzed.

But according to Kaspersky, Regin is too complex to simply be labeled as malware. It's more accurate to say that Regin involves malware. Regin is a highly sophisticated cyberattack platform.

So far, according to Symantec, Regin has been found to attack computers in the following countries, that I've listed in order of infection frequency: Russia, Saudi Arabia, Ireland, Mexico, India, Pakistan, Belgium, Austria, Afghanistan, and Iran. Inevitably, if it hasn't already, Regin will attack other parts of the world very soon.

Typically, a Regin attack starts by targeting a Windows client or server. It executes in a sequence of five stages.

  • Stage 1- The first stage is usually the only component that can be found on a victim's Windows machine as malware. A number of Dynamic Link Libraries have been found as the first stage of Regin. For example, wshnetc.dll was found on a machine in Belgium, and wsharp.dll was found on a machine in Germany. The purpose of Regin's stage one malware is to load the second stage.
  • Stage 2- The second stage behaves differently, according to whether it has attacked a 32-bit Windows machine or a 64-bit Windows machine. In a 32-bit machine, it runs as a driver module, in kernel mode. Regin may be attacking your 32-bit Windows if you find %SYSTEMROOT%/system32/nsreg1.dat, bssec3.dat, or msrdc64.dat in your registry files. In a 64-bit machine, instead of writing the second stage where it may be more easily detected, such as in the registry, it's written at the end of the last partition on the targeted HDD, usually an NTFS file system. Instead of kernel mode, it runs in user mode, likely because operating in the 64-bit Windows kernel makes its activity easier to detect. The 64-bit stage two loader is a portable DLL, which is rather sneaky. In both the 32- and 64-bit stage two loaders, it enters a system as encrypted code, and it's decrypted by a hardcoded RC5 key.
  • Stage 3- The third stage of a Regin attack occurs only in 32-bit Windows. It operates an encrypted virtual file system, and loads lots of plugins. The driver module for stage three is usually a system file named vmem.sys.
  • Stage 4- In the fourth stage in both 32-bit and 64-bit attacks, a dispatcher module runs, disp.dll. The fourth stage is the most intensive and crucial component of Regin. It provides APIs that run the entire platform. It operates within a virtual file system, with everything encrypted. Kaspersky has identified 24 different stage four VFSes so far. They're typically written and used in various locations, which can differ from one Regin infection to another.
  • Stage 5- As long as the Regin attack isn't stopped in stage four, stage five is when Regin actually spies on your systems. Keyloggers run, data is stolen, screenshots are taken, and traffic is intercepted.


1  2  Next Page 

Sign up for CIO Asia eNewsletters.