Commentary
12/4/2014 10:00 AM
Adam Firestone

Why Regin Malware Changes Threatscape Economics

Never before have attackers been able to deploy a common malware platform and configure it as necessary with low-cost, quick-turnaround business logic apps.

Recently, Symantec and Kaspersky Lab released research on an advanced persistent threat (APT) dubbed Regin. Symantec focused on the software’s technical sophistication, its use as an espionage tool, and indications of nation-state origins. Kaspersky concentrated on victimology, the attackers’ objectives, and the compromise of at least one cellular communications network. Impressive (or terrifying, depending on your point of view) as these attributes are, Regin’s real impact on the threatscape is programmatic in nature: Regin fundamentally shifts the economics and timelines of APT development and deployment in the attackers’ favor.

Unlike other APTs, Regin is not a self-contained software package. It’s an evolutionary design, mirroring general software design trends. Historically, software was developed in a monolithic manner. Applications were completely encapsulated and independent from other applications. They contained all the logic necessary to complete any function required. While they might function reliably, monolithic applications were neither easy nor inexpensive to adapt and maintain. Due to their tightly coupled architecture, a minor change in one portion of the codebase often had an impact on other components. This resulted in lengthy and costly regression testing, repair, and re-engineering phases. Additionally, due to its specialized nature, it is generally difficult to reuse a monolithic program’s components in other development projects.

The answer to monolithic architecture’s inherent shortcomings was modular software architecture. Here, a program’s functionality is divided along logical boundaries into discrete, interchangeable components, each of which executes a specific part of the overall functionality. Typically, modules use well-defined standards to communicate. As long as compliance with the standard is maintained, a module’s internal mechanics can be modified, or the entire module swapped out with another, without affecting the program’s overall functionality. For conceptual purposes, think of Lego® bricks. As long as the studs on top and the hollows on the bottom (the interfaces) are of the proper dimensions, the bricks will snap together, regardless of internal composition or external shape.

It’s all about SOA
The most sophisticated and versatile instantiation of the modular architecture concept is found in a class of products known as service oriented architecture (SOA) middleware platforms. These platforms provide application developers with a set of composable infrastructure components that manage critical functionality between the specific business logic the developer is seeking to implement and the data on which the logic is acting. The platform’s components may provide a combination of capabilities such as (but not limited to) data transport, transformation and mediation, asynchronous communication, data access, identity management, data analytics, application execution, and real-time event processing and analysis.

Developers take advantage of SOA middleware platforms by using them to create versatile and reusable application infrastructures. If properly designed and implemented, an application infrastructure is agnostic to both the business logic that it supports and the data that it processes. As a result, the same infrastructure that is used to support a cellular telephone network can form the basis for a military command-and-control application or an automated concert venue ticketing capability. All that needs to be created are the specific business application modules and data sources. While neither of those is a trivial endeavor, they represent a far smaller resource investment (e.g., time, personnel, funding) than developing both the infrastructural and business logic every time a new capability is desired.

Regin, as Kaspersky and Symantec noted, is not a malware payload in and of itself. Rather, it is a malware platform onto which the attacker can deploy specific business logic to achieve mission objectives. In other words, unlike earlier generations of malware or espionage tools, Regin can be tailored after deployment to exploit targets of opportunity.

[Find out more about Regin in Newly Revealed Cyber Espionage Attack 'More Complex' Than Stuxnet, Flame.]

It’s worth a quick look at the Regin architecture to see how this works. As noted in the reports, Regin loads in five stages. Of these, the fourth stage (called the dispatcher library by Kaspersky and the user framework by Symantec) is the core of the Regin framework, managing complex tasks such as the application programming interface (API) supporting plug-in integration, communications, storage, and data transport. In middleware terms, this is Regin’s application infrastructure. Stage five (Kaspersky: Plug-ins, Symantec: Payload Module) is a tailorable collection of business logic apps, ranging from keyloggers to email message extractors and cellular network command and control utilities.

Taking an architectural page from the SOA middleware book, Regin’s creators have fundamentally altered threatscape economics. Using Regin’s “malicious middleware” paradigm, attackers need not reinvent the wheel each time an APT is generated for a new target. Instead, they can deploy a common platform (Regin), and configure it as necessary with relatively low-cost, quick-turnaround business logic apps. This model provides tremendous economic and temporal efficiencies for the attacker that shorten decision cycle times, thus increasing difficulty for cyber defenders.

By technically addressing the programmatic and economic side of the malware development lifecycle, Regin represents a leap forward in sophistication, planning, and effectiveness. Extensible, composable, and modular malware, it seems, is here to stay. Defenders, up your game.

Adam Firestone is President and General Manager of Kaspersky Government Security Solutions Inc. He is responsible for providing world-class cybersecurity intelligence and systems engineering services as well as innovative product solutions to meet the needs of government, ...
Comments
Marilyn Cohodas
User Rank: Strategist
12/5/2014 | 9:56:01 AM
Re: A whitelisting policy in your future
"Regin" certainly raises the stakes for enterprise security. Raising awareness is obviously the first step, but the challenges necessary to defeat these advanced threats are daunting, to say the least...
aws0513
User Rank: Ninja
12/5/2014 | 8:55:04 AM
A whitelisting policy in your future
It is new threats like this that give me more ammunition to fight for comprehensive application whitelisting policies and procedures for our enterprise.
I believe that whitelisting of application and code execution will become the new normal practice for most organizations in the not so distant future simply because of the new technical tactics demonstrated by the Regin exploitation platform.

Great article - including the reference article by Kelly Jackson Higgins.
ChrisR796
User Rank: Apprentice
12/4/2014 | 7:45:44 PM
Mal-middleware
Excellent post thanks.

Doesn't the common architecture/codebase also allow security vendors to deploy protections for Regin based malware?

I know I'm missing something, seems far too simple.