This article originally appeared at The WHIR
Data collection and spying continues to make news with a never before seen complex surveillance software called Regin. A report released Monday by Symantec says, “The level of sophistication and complexity of Regin suggests that the development of this threat could have taken well-resourced teams of developers many months or years to develop and maintain.” This level of investment in software designed to stealthily collect data is indicative of a nation state.
“We are probably looking at some sort of western agency,” said Orla Cox, director of security response at Symantec to Financial Times. “Sometimes there is virtually nothing left behind – no clues. Sometimes an infection can disappear completely almost as soon as you start looking at it, it’s gone.”
Regin software is different than a traditional advanced persistent threat (APTs) and trojans. Usually APTs collect intellectual property with Regin continuously monitors a targeted organization or individual and collects all kinds of data. What this software can do goes well beyond the malware used in the JP Morgan, Kmart, Dairy Queen and Home Depot attacks. Payloads include:
- Capturing screenshots
- Taking control of the mouse’s point and click functions
- Stealing passwords
- Monitoring network traffic including monitoring traffic to Microsoft Internet Information Services (IIS) web Servers
- Gathering information on processes and memory use
- Scans and retrieves deleted files
- Collect administration traffic for mobile telephony base station controllers
- Parsing mail from Exchange databases
Symantec first began to explore this threat in fall 2013 when they found several in the wild affecting a variety of targets. Version 1.0 was used from 2008 to 2011, version 2.0 has been used from 2013 onward but may have been used earlier.
The software is designed to hide the data it’s stealing and most of the time is not written to disk. A computer can be affected in a variety of ways. Targets may be tricked into visiting a spoofed website where the threat is installed by the browser. At least one infection originated in a Yahoo! instant message. Known infection files are usbclass.sys (version 1.0) and adpu160.sys (version 2.0).
There is no specific industry being targeted, the attacks have included several different types of organizations, government systems and research institutes. Almost half of the targets were small businesses and individuals. Russia and Saudi Arabia were the countries most affected by Regin, 28 and 24 percent respectively.The US does not appear to be affected.
“We believe Regin is not coming from the usual suspects. We don’t think Regin was made by Russia or China,” Mikko Hypponen, chief research officer at F-Secure, told the Guardian. His company first spied Regin hiding on a Windows server inside a customer’s IT infrastructure in Northern Europe.
This article originally appeared at: http://www.thewhir.com/web-hosting-news/unknown-government-using-advanced-hacking-spyware-attack-russia-saudi-arabia
