End of November, three major antivirus vendors released details about what they deemed the most sophisticated virus ever discovered. But to call Regin a virus is somewhat underestimating its capabilities. Such is its sophistication, it would be more appropriate to refer to it as a compromise platform that allows its authors, probably backed by one or more nation states, to gather intelligence through a variety of methods.
While Regin’s victims appear to have been limited to governmental, research, financial, mobile phone service providers, and academic institutions in certain countries, its complexity and proficiency in gathering information, and going undetected for long periods of time, should concern us all.
There are five stages to the installation process, starting with a Windows service or driver. More code is then installed, cleverly hidden and encrypted in NTFS Extended Attributes, or the registry on devices with FAT/FAT32 volumes; or at the end of the last disk partition on 64-bit systems.
The 32-bit version has a third stage, using a driver to create virtual file systems (VFSes) in which files are encrypted to hide Regin’s activities. There’s no 64-bit third stage, and the fourth stage’s dispatcher module is loaded directly. The usermode dispatcher DLL forms Regin’s core, and provides the basis for interacting with VFSes, running plugins, cryptography and network functions.
The final stage is a series of plugins used to gather data, just some of which from an extensive list include:
- HTTP/SMTP/SMB credentials sniffer
- Keylogger and clipboard sniffer
- User logon and impersonation
- User and domain name sniffer
- Network share enumeration and manipulation
- Windows Event Log reader
- NDIS filter
- Code injection and hooking
- Microsoft Exchange Server data extraction
To avoid detection, network traffic is encrypted between Regin’s victims and the attacker. It also establishes a peer-to-peer network on compromised networks, limiting the amount of data that needs to be sent back to the attacker, again helping to evade detection.
The modules needed for the first stage on 64-bit systems are signed by fake certificates, appearing to come from Microsoft and Broadcom to make them look genuine. By inserting a Certification Authority (CA) into the certificate chain on each device, Regin’s files are trusted by the local system.
This is important, because adding a CA certificate is a change that can be detected, while many of Regin’s other activities are harder to uncover. And unlike changes to the Windows registry and file system, modifications to the certificate store are seldom, making it easy to audit.
The initial compromise method is unknown, but Regin used administrative shares to move around networks, and was found on Active Directory domain controllers, suggesting it’s likely that employees with administrative privileges were unwittingly targeted by web or email-based exploits.
So how could you prevent a threat like Regin infecting your network security?
- Deploy 64-bit Windows and remove administrative privileges from users
- Use Just Enough Administration (JEA)
- Implement application whitelisting
- Audit critical system configuration on servers and end-user devices
- Don’t rely on antivirus and firewalls alone