topic Re: Regin detection in General Topics

Regin detection

JRussell — Wed, 26 Nov 2014 17:01:14 GMT

Hi All,

I understand that this bit of spyware is not well understood as to it's ultimate purpose, very hard to detect and in fact, with the media converge it has had recently I am sure whoever coded this nasty has since changed it's code/behavior.

But my question is, does or is PA able to detect any such traffic from this malicious code given that it has taken the "Security experts" years to come back with their prognosis on the code in the first place. Or is this one of those things that we just have to pray to the IT deities that we never fall under the gaze of someone who is wielding such a powerful bit of spyware?

Re: Regin detection

gbogojevic — Wed, 26 Nov 2014 20:14:59 GMT

Hi,

You can find more information here Regin Malware (regin.backdoor)

Re: Regin detection

paul.stinson — Wed, 26 Nov 2014 22:24:35 GMT

i would be interested in this as well...

No access to the link you provided though......even though i am logged in..

regards

Paul

Re: Regin detection

JRussell — Thu, 27 Nov 2014 10:51:51 GMT

Thanks for the link. Although I am getting "Access to this place or content is restricted"

Could you provide a working link please?

Thanks,

James

Re: Regin detection

lewis — Thu, 27 Nov 2014 11:09:34 GMT

I am unable to get to the link also

Re: Regin detection

JRussell — Fri, 28 Nov 2014 11:03:44 GMT

Anyone have any further information on this? It seems a few people would be interested in knowing.

Re: Regin detection

Dz3015 — Fri, 28 Nov 2014 13:22:34 GMT

I'm sorry to say, after doing a little research it looks like you are out of luck for now. Researchers have yet to say how victims get infected but that the malware disguises itself as legitimate Microsoft Software. I suggest you make sure your environment is as clean as possible to cover any other exploit that may have been used to deliver it. IE. updated OS/software, updated sigs, etc.

Edit:

Here is Symantec's whitepaper on the malware, they were the ones to discover it:

http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/regin-analysis.pdf

They have been unable to reproduce infection but through investigation and logs they say it can be delivered through spoofed websites and such.

Re: Regin detection

JRussell — Fri, 28 Nov 2014 14:56:07 GMT

Thanks for coming back DZ

We use WSUS to deliver any MS updates/installs that we do. So hopefully it will help protect us to a degree.

It is just strange that there is not a lot of noise being kicked up about this by AV companies.

Re: Regin detection

Dz3015 — Fri, 28 Nov 2014 15:06:50 GMT

No problem! The discovery of it is still less that a week old and given that it appears to be a well funded nation-state created malware it may take some time to fully investigate before they can release anything on a signature level to block it.