Posts Tagged ‘malware’


Traces of Regin malware may date back to 2006

Written by admin
November 24th, 2014

Regin was known about for some time by the security industry, according to Symantec

Malware that Symantec says was probably developed by a nation state may have been used for as long as eight years, a length of time that underscores the challenges the security industry faces in detecting advanced spying tools.

On Sunday, the computer security company published a 22-page report and blog post on the Regin malware, which it described as a powerful cyberespionage platform that can be customized depending on what type of data is sought.

It was predominantly targeted at telecoms companies, small businesses and private individuals, with different modules customized for stealing particular kinds of information. Symantec found about 100 entities infected with Regin in 10 countries, mostly in Russia and Saudi Arabia, but also in Mexico, Ireland, India, Afghanistan, Iran, Belgium, Austria and Pakistan.

A first version of Regin was active between 2008 and 2011. Symantec began analyzing a second version of Regin about a year ago that had been forwarded by one of its customers, said Liam O’Murchu, a Symantec researcher, in a phone interview Sunday.

But there are forensic clues that Regin may have been active as far back as 2006. In fact, Symantec didn’t actually give Regin its name. O’Murchu said Symantec opted to use that name since it had been dubbed that by others in the security field who have known about it for some time.

If Regin does turn out to be 8 years old, the finding would mean that nation states are having tremendous success in avoiding the latest security products, which doesn’t bode well for companies trying to protect their data. Symantec didn’t identify who it thinks may have developed Regin.

Symantec waited almost a year before publicly discussing Regin because it was so difficult to analyze. The malware has five separate stages, each of which is dependent on the previous stage to be decrypted, O’Murchu said. It also uses peer-to-peer communication, which avoids using a centralized command-and-control system to dump stolen data, he said.

It’s also unclear exactly how users become infected with Regin. Symantec figured out how just one computer became infected so far, which was via Yahoo’s Messenger program, O’Murchu said.

It is possible the user fell victim to social engineering, where a person is tricked into clicking on a link sent through Messenger. But O’Murchu said it is more likely that Regin’s controllers knew of a software vulnerability in Messenger itself and could infect the person’s computer without any interaction from the victim.

“The threat is very advanced in everything it does on the computer,” O’Murchu said. “We imagine these attacks have quite advanced methods for getting it installed.”

Telecom companies have been particularly hard hit by Regin. Some of the companies have been infected by Regin in multiple locations in multiple countries, Symantec found.

The attackers appear to have sought login credentials for GSM base stations, which are the first point of contact for a mobile device to route a call or request data. Stealing administrator credentials could have allowed Regin’s masters to change settings on the base station or access certain call data.

Regin’s other targets included the hospitality, airline and ISP industries, as well as government.

“We do not think [Regin] is a criminal type of enterprise,” O’Murchu said. “It’s more along the lines of espionage.”



NSS Labs recently released the results and analysis from its latest Browser Security Comparative Analysis Report, which evaluated the ability of eight leading browsers — Apple Safari, Google Chrome, Kingsoft Liebao, Microsoft Internet Explorer, Mozilla Firefox, Opera, Qihoo 360 Safe Browser, and Sogou Explorer — to block against socially engineered malware (SEM). The use of social engineering to distribute malware continues to account for the bulk of cyber attacks against both consumers and enterprises, thereby making a browser’s ability to protect against these kinds of attacks an important criterion for personal or corporate use.

Microsoft Internet Explorer continues to outperform other browsers. With an average block rate of 99.9 percent, the highest zero-hour block rate, fastest average time to block, and highest consistency of protection over time percentages, Internet Explorer leads in all key test areas.

Google Chrome remained in the top three, but its average block rate fell significantly to 70.7 percent, down from 83.17 percent in the previous test.

Cloud-based endpoint protection (EPP) file scanning provides substantial defenses when integrated with the browser. Kingsoft Liebao browser utilizes the same cloud-based file scanning system used by Kingsoft antivirus and had the second highest overall block rate at 85.1 percent, ahead of Chrome by almost 15 percentage points.


Google’s Safe Browsing API does not provide adequate SEM protection. Apple Safari and Mozilla Firefox both utilize the Google Safe Browsing API and were the two lowest performing browsers in this latest test. Both also saw significant drops of around 6 percent in their average block rates — Safari from 10.15 percent to 4.1 percent and Firefox from 9.92 percent to 4.2 percent.

Chinese browsers tested for the first time prove viable. This year, three browsers from China were included in testing for the first time, and Kingsoft’s Liebao browser jumped ahead of Google Chrome with an overall protection rate of 85.1 percent. Sogou Explorer had the fourth highest average block rate at 60.1 percent.

Commentary: NSS Labs Research Director Randy Abrams
“Selecting a browser with robust socially engineered malware protection is one of the most critical choices consumers and enterprises can make to protect themselves. Microsoft’s SmartScreen Application Reputation technology continues to provide Internet Explorer the most effective protection against socially engineered malware,” said Randy Abrams, Research Director at NSS Labs. “This year NSS added three browsers from China. The Kingsoft Liebao browser displaced Chrome from second place by using a combination of URL filtering with the cloud-based file scanning technology that Kingsoft uses for their antivirus product. Sogou Explorer, another browser from China, was the only other tested browser to exceed 50 percent protection against socially engineered malware. Firefox and Safari failed to achieve five percent effectiveness and leave less technical users at considerable risk.”

NSS Labs recommendations
Learn to identify social engineering attacks in order to maximize protection against SEM and other social engineering attacks.
Use caution when sharing links from friends and other trusted contacts, such as banks. Waiting just one day before clicking on a link can significantly reduce risk.
Enterprises should review current security reports when selecting a browser. Do not assume the browser market is static.