Regin (malware)

From Wikipedia, the free encyclopedia
Sophisticated malware

Regin
Malware details
Aliases: Prax, QWERTY
Authors: NSA, GCHQ
Technical details
Platform: Windows

Regin (also known as Prax or QWERTY) is a sophisticated malware and hacking toolkit used by the United States' National Security Agency (NSA) and its British counterpart, the Government Communications Headquarters (GCHQ).[1][2][3] It was first publicly revealed by Kaspersky Lab, Symantec, and The Intercept in November 2014.[4][5] The malware targets specific users of Microsoft Windows-based computers and has been linked to the US intelligence-gathering agency NSA and its British counterpart, the GCHQ.[6][7][8] The Intercept provided samples of Regin for download, including malware discovered at a Belgian telecommunications provider, Belgacom.[5] Kaspersky Lab says it first became aware of Regin in spring 2012, but some of the earliest samples date from 2003.[9] (The name Regin is first found on the VirusTotal website on 9 March 2011.[5]) Among computers infected worldwide by Regin, 28 percent were in Russia, 24 percent in Saudi Arabia, 9 percent each in Mexico and Ireland, and 5 percent in each of India, Afghanistan, Iran, Belgium, Austria, and Pakistan.[10]

Kaspersky has said the malware's main victims are private individuals, small businesses and telecom companies. Regin has been compared to Stuxnet and is thought to have been developed by "well-resourced teams of developers", possibly a Western government, as a targeted multi-purpose data collection tool.[11][12][13]

According to Die Welt, security experts at Microsoft gave it the name "Regin" in 2011, after the cunning Norse dwarf Regin.[14]

Operation


Regin uses a modular approach allowing it to load features that exactly fit the target, enabling customized spying. The design makes it highly suited for persistent, long-term mass surveillance operations against targets.[15][16]

Regin is stealthy and does not store multiple files on the infected system; instead it uses its own encrypted virtual file system (EVFS), entirely contained within what looks to the host like a single file with an innocuous name, within which files are identified only by a numeric code, not a name. The EVFS employs a variant of the rarely used RC5 cipher.[16] Regin communicates over the Internet using ICMP/ping, commands embedded in HTTP cookies, and custom TCP and UDP protocols with a command and control server which can control operations, upload additional payloads, etc.[10][12]

Identification and naming


Symantec says that both it and Kaspersky identified the malware as Backdoor.Regin.[10] Most antivirus programs, including Kaspersky's, do not (as of October 2015) identify the sample of Regin released by The Intercept as malware.[17] On 9 March 2011 Microsoft added related entries to its Malware Encyclopedia;[18][19] later two more variants, Regin.B and Regin.C, were added. Microsoft appears to call the 64-bit variants of Regin Prax.A and Prax.B. The Microsoft entries do not have any technical information.[5] Both Kaspersky and Symantec have published white papers with information they learned about the malware.[12][13]

Known attacks and originator of malware


German news magazine Der Spiegel reported in June 2013 that the US intelligence agency, the National Security Agency (NSA), had conducted online surveillance on both European Union (EU) citizens and EU institutions. The information derives from secret documents obtained by former NSA worker Edward Snowden. Both Der Spiegel and The Intercept quote a secret 2010 NSA document stating that it made cyberattacks that year, without specifying the malware used, against the EU diplomatic representations in Washington, D.C. and its representations to the United Nations.[5][20] Signs identifying the software used as Regin were found by investigators on infected machines.

The Intercept reported that, in 2013, the UK's GCHQ attacked Belgacom, Belgium's largest telecommunications company.[5] These attacks may have led to Regin coming to the attention of security companies. Based on analysis done by IT security firm Fox IT, Der Spiegel reported in November 2014 that Regin is a tool of the UK and US intelligence agencies. Fox IT found Regin on the computers of one of its customers, and according to their analysis parts of Regin are mentioned in the NSA ANT catalog under the names "Straitbizarre" and "Unitedrake". Fox IT did not name the customer, but Der Spiegel mentioned that among the customers of Fox IT is Belgacom and cited the head of Fox IT, Ronald Prins, who stated that they are not allowed to speak about what they found in the Belgacom network.[1]

In December 2014, German newspaper Bild reported that Regin was found on a USB flash drive used by a staff member of Chancellor Angela Merkel. Checks of all high-security laptops in the German Chancellery revealed no additional infections.[21]

Regin was used in October and November 2018 to hack the research and development unit of Yandex.[22]

References

  1. Christian Stöcker, Marcel Rosenbach, "Spionage-Software: Super-Trojaner Regin ist eine NSA-Geheimwaffe", Der Spiegel, November 25, 2014.
  2. "Experts Unmask 'Regin' Trojan as NSA Tool". Spiegel.de. Retrieved 9 November 2021.
  3. Zetter, Kim. "Researchers Uncover Government Spy Tool Used to Hack Telecoms and Belgian Cryptographer". Wired. ISSN 1059-1028. Retrieved 2022-02-22.
  4. "Regin Revealed". Kaspersky Lab. 24 November 2014. Retrieved 24 November 2014.
  5. Marquis-Boire, Morgan; Guarnieri, Claudio; Gallagher, Ryan (24 November 2014). "Secret Malware in European Union Attack Linked to U.S. and British Intelligence". The Intercept. Archived from the original on 29 July 2015. Retrieved 24 November 2014.
  6. "Top German official infected by highly advanced spy trojan with NSA ties". 26 October 2015.
  7. Perlroth, Nicole (24 November 2014). "Symantec Discovers 'Regin' Spy Code Lurking on Computer Networks". New York Times. Retrieved 25 November 2014.
  8. Gallagher, Ryan (13 December 2014). "The Inside Story of How British Spies Hacked Belgium's Largest Telco". The Intercept. Archived from the original on 17 August 2015. Retrieved 13 June 2015.
  9. Kaspersky: "Regin: a malicious platform capable of spying on GSM networks", 24 November 2014.
  10. "Regin: Top-tier espionage tool enables stealthy surveillance". Symantec. 23 November 2014. Retrieved 25 November 2014.
  11. "BBC News - Regin, new computer spying bug, discovered by Symantec". BBC News. 23 November 2014. Retrieved 23 November 2014.
  12. "Regin White Paper" (PDF). Symantec. Archived from the original (PDF) on 7 September 2019. Retrieved 23 November 2014.
  13. "Regin White Paper" (PDF). Kaspersky Lab. Retrieved 24 November 2014.
  14. Benedikt Fuest (24 November 2014). "Ein Computervirus, so mächtig wie keines zuvor". Die Welt. Archived from the original on 28 November 2014.
  15. "Regin Malware - 'State-Sponsored' Spying Tool Targeted Govts". The Hacking Post - Latest hacking News & Security Updates. Archived from the original on 2017-02-18. Retrieved 2014-11-24.
  16. "NSA, GCHQ or both behind Stuxnet-like Regin malware?". SC Magazine UK. scmagazineuk.com. 24 November 2014. Archived from the original on 16 June 2016. Retrieved 25 November 2014.
  17. VirusTotal: detection ratio 21 / 56.
  18. Microsoft Malware Protection Center, click button "Malware Encyclopedia".
  19. Microsoft Protection Center: Trojan:WinNT/Regin.A.
  20. Poitras, Laura; Rosenbach, Marcel; Schmid, Fidelius; Stark, Holger (29 June 2013). "Attacks from America: NSA Spied on European Union Offices". Der Spiegel.
  21. "German government denies falling victim to cyber attack". Deutsche Welle. 29 December 2014.
  22. "Western Intelligence Hacked 'Russia's Google' Yandex to Spy on Accounts". Reuters. June 27, 2019. Archived from the original on June 29, 2019.