Regin (spy software)

from Wikipedia, the free encyclopedia

Regin is espionage software that received extensive media coverage in November 2014. The software companies Kaspersky Lab and Symantec both published reports analyzing Regin. In addition to individuals, Regin has specifically targeted government authorities, telecommunications companies and research companies. Russia and Saudi Arabia were particularly affected, but so were countries in Western Europe, including Germany and Austria. The software was named by Microsoft security experts after the dwarf of the same name from Norse mythology. In January 2015 it became known that Regin is an NSA tool used by the "Five Eyes" intelligence agencies.

Structure

Regin attacks computers running Microsoft Windows. The infection routes have not yet been fully clarified; the base software is probably first delivered to the target computer via zero-day exploits or man-in-the-middle attacks. Once the infection has occurred, the software builds itself up in five stages. Stage 1 is a driver and is the only component that exists as a file on disk. It loads further drivers that are stored encrypted, either in an alternate data stream, in the Windows registry or in unallocated areas of the hard disk. Stage 2 loads another driver, stage 3, which starts the actual malware framework and sets up a virtual file system. Stage 4 is a module manager, which then loads and executes, from the stage 5 virtual file system, a customized selection from around 50 espionage modules. These modules communicate with the outside world via the ICMP diagnostic protocol, their own TCP/UDP application protocols, or HTTP cookies (for example disguised as a session ID).
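The cookie channel described above is the one part of the architecture a network defender can look for without any file on disk. The following Python heuristic is an added illustration; it is not code from the article or from any vendor report, and it contains no Regin signatures. It parses constructed proxy-log lines (the log format, hosts, client address and cookie values are all assumed) and flags cookie flows whose "session ID" behaves like a data carrier rather than a session token: a value that changes on nearly every request, varies in length, and uses an alphabet unlike the hex tokens the site normally issues.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed proxy-log lines (illustrative only, not captured Regin traffic).
# Assumed format: <time> <client> <host> Cookie: <name>=<value>
SAMPLE_LOG = [
    # Benign: one hex session token reused across four requests.
    "10:00:01 10.0.0.5 intranet.example.org Cookie: PHPSESSID=3f2a9c1e7b8d4f6a9c0e1b2d3f4a5b6c",
    "10:00:09 10.0.0.5 intranet.example.org Cookie: PHPSESSID=3f2a9c1e7b8d4f6a9c0e1b2d3f4a5b6c",
    "10:00:15 10.0.0.5 intranet.example.org Cookie: PHPSESSID=3f2a9c1e7b8d4f6a9c0e1b2d3f4a5b6c",
    "10:00:30 10.0.0.5 intranet.example.org Cookie: PHPSESSID=3f2a9c1e7b8d4f6a9c0e1b2d3f4a5b6c",
    # Suspicious: the "session ID" changes on every request, varies in length
    # and uses a base64-like alphabet, i.e. it behaves like a data carrier.
    "10:01:02 10.0.0.5 static.example-cdn.net Cookie: SESSIONID=Q29uc3RydWN0ZWQgc2FtcGxlIDE",
    "10:01:07 10.0.0.5 static.example-cdn.net Cookie: SESSIONID=RGlmZmVyZW50IHBheWxvYWQ",
    "10:01:13 10.0.0.5 static.example-cdn.net Cookie: SESSIONID=VGhpcmQgY2h1bmsgb2YgZGF0YQ==",
    "10:01:20 10.0.0.5 static.example-cdn.net Cookie: SESSIONID=Rm91cnRo",
]

LOG_RE = re.compile(
    r"^(?P<time>\S+) (?P<client>\S+) (?P<host>\S+) Cookie: "
    r"(?P<name>[A-Za-z_]+)=(?P<value>\S+)$"
)
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_line(line):
    """Return the fields of one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines, min_requests=3, churn_ratio=0.75):
    """Group cookie values per (client, host, cookie name) and flag flows whose
    values look like a covert channel rather than a session token."""
    flows = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            flows[(rec["client"], rec["host"], rec["name"])].append(rec["value"])

    findings = []
    for (client, host, name), values in flows.items():
        if len(values) < min_requests:
            continue  # too few requests to judge
        reasons = []
        if len(set(values)) / len(values) >= churn_ratio:
            reasons.append("value changes on nearly every request")
        if len({len(v) for v in values}) > 1:
            reasons.append("variable length")
        if not all(HEX_RE.match(v) for v in values):
            reasons.append("non-hex alphabet")
        if reasons:
            findings.append({
                "client": client, "host": host, "cookie": name,
                "requests": len(values),
                "mean_entropy": round(sum(shannon_entropy(v) for v in values) / len(values), 2),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['client']} -> {f['host']} [{f['cookie']}] "
              f"{f['requests']} requests, entropy {f['mean_entropy']}: {', '.join(f['reasons'])}")
```

The three rules are deliberately simple and are meant to be baselined per site: a web application that legitimately rotates base64 session tokens will trip the alphabet rule, so in practice the alphabet and length checks should be compared against what that host has issued historically, and only the combination of all three on a host that otherwise sees little traffic is worth an analyst's time.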

The high complexity of the espionage software suggests that state intelligence services are its clients and operators. The US NSA and the British GCHQ are named as candidates in the media. According to Spiegel research published in January 2015, there are "hardly any doubts" about this.

History

Regin first became active around 2008. Parts of the software appear to have been created as early as 2003. In 2011 Regin was withdrawn from the network, and it reappeared in a new version in 2013.

The Belgian telephone provider Belgacom, the Belgian cryptographer Jean-Jacques Quisquater, the EU Commission in Brussels and, at the end of 2014, a head of division in the German Federal Chancellery became publicly known as victims of the espionage software. In the latter case, the Federal Prosecutor's Office opened further investigations against persons unknown.

G Data CyberDefense and the IT security expert Florian Roth, with his Loki scanner ("Scanner for Simple Indicators of Compromise"), offered the first approaches to detecting the malware.

References

  1. Regin: Top-tier espionage tool enables stealthy surveillance. Symantec Security Response, Version 1.0, November 24, 2014.
  2. The Regin Platform: Nation-State Ownage of GSM Networks. Kaspersky Lab Report, Version 1.0, November 24, 2014 (archived copy of November 27, 2014 in the Internet Archive).
  3. Benedikt Fuest: A computer virus, as powerful as none before. In: Welt Online, November 24, 2014, accessed January 2, 2014.
  4. Marcel Rosenbach, Hilmar Schmundt and Christian Stöcker: SPIEGEL publication: Experts unmask Trojan "Regin" as an NSA tool. In: Spiegel Online, January 27, 2015, accessed January 27, 2015.
  5. Espionage software: US and British are said to have developed the Regin Trojan. In: Spiegel Online, November 25, 2014.
  6. Kim Zetter: Researchers Uncover Government Spy Tool Used to Hack Telecoms and Belgian Cryptographer. In: Wired, November 24, 2014 (English).
  7. Spy software on computer in the Chancellery. In: Die Zeit, December 29, 2014.
  8. "After the investigation into the bugging attack on the cell phone of Chancellor Angela Merkel (CDU), which has since been discontinued, this would be the second case in Germany in connection with the NSA affair." (AFP report)
  9. Spy Trojans: Free check tool for Regin infections. In: heise Security.