Regin is a form of malware attack that is currently dreaded by security personnel in several government agencies across the world (Daly and Rengel, 2010). Efforts to track the malware have been under way for the last three years, and the attempts have spanned the entire world. Although samples were found, they did not appear to relate to each other. Samples of Regin can be dated back to 2003; however, the exact time when the first sample appeared in the world is not established. Among the institutions affected by Regin are government institutions, telecom operators, multinational political bodies, research institutions, financial institutions and cryptographic researchers. Primarily, the attackers aim both at collecting intelligence information and at facilitating other forms of attack. One of the victims of Regin is Jean Jacques Quisquater, a renowned cryptographer, who announced in February 2014 that he had suffered a cyber intrusion described as sophisticated. In addition, the computer system known as the Magnet of Threats has suffered this attack as well as others, such as Animal Farm, Careto and Itaduke. Samples taken from the above two cases indicated that the malware was Regin.
The method used for initial compromise remains a mystery. Several theories exist, however, including the use of man-in-the-middle attacks with zero-day browser exploits. Further, the victims' machines carried both modules and tools designed for lateral movement; no exploits have been found yet. The replication modules are passed to remote computer systems through Windows administrative shares and are then executed there. This technique requires administrative privileges in the victim's network, and the victim machines were found to be using a Windows domain controller.
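The lateral movement described above leaves a trace that defenders can look for: one account, from one source host, reaching the administrative shares of many machines in a short time. The following is an added example (not code from the original essay or from any Regin analysis) that runs a simple fan-out check over constructed records shaped like Windows Security event 5140, "A network share object was accessed"; the account names, hosts and timestamps are made up for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records modelled on Security event 5140. All values
# (accounts, addresses, host names, times) are invented for this example.
SAMPLE_EVENTS = [
    {"time": "2014-02-10T09:00:01", "event_id": 5140, "account": "CORP\\svc_backup",
     "source_ip": "10.1.1.20", "target": "WS-01", "share": "\\\\*\\ADMIN$"},
    {"time": "2014-02-10T09:01:15", "event_id": 5140, "account": "CORP\\svc_backup",
     "source_ip": "10.1.1.20", "target": "WS-02", "share": "\\\\*\\C$"},
    {"time": "2014-02-10T09:02:40", "event_id": 5140, "account": "CORP\\svc_backup",
     "source_ip": "10.1.1.20", "target": "WS-03", "share": "\\\\*\\ADMIN$"},
    {"time": "2014-02-10T09:03:00", "event_id": 5140, "account": "CORP\\jdoe",
     "source_ip": "10.1.2.7", "target": "FS-01", "share": "\\\\*\\Public"},
    {"time": "2014-02-10T09:04:05", "event_id": 5140, "account": "CORP\\svc_backup",
     "source_ip": "10.1.1.20", "target": "FS-01", "share": "\\\\*\\ADMIN$"},
    {"time": "2014-02-10T09:05:00", "event_id": 5140, "account": "CORP\\itadmin",
     "source_ip": "10.1.1.5", "target": "WS-01", "share": "\\\\*\\IPC$"},
    {"time": "2014-02-10T10:30:00", "event_id": 5140, "account": "CORP\\svc_backup",
     "source_ip": "10.1.1.20", "target": "WS-09", "share": "\\\\*\\ADMIN$"},
]

# Administrative shares used for remote copy-and-execute style replication.
ADMIN_SHARES = {"\\\\*\\ADMIN$", "\\\\*\\C$", "\\\\*\\IPC$"}


def admin_share_fanout(events, window=timedelta(minutes=10), min_targets=3):
    """Group admin-share accesses by (account, source_ip) and report each actor
    that reaches at least `min_targets` distinct hosts within `window`."""
    per_actor = defaultdict(list)
    for ev in events:
        if ev["event_id"] != 5140 or ev["share"] not in ADMIN_SHARES:
            continue
        ts = datetime.fromisoformat(ev["time"])
        per_actor[(ev["account"], ev["source_ip"])].append((ts, ev["target"]))

    alerts = []
    for actor, accesses in per_actor.items():
        accesses.sort()  # sliding window over time-ordered accesses
        for i, (start, _) in enumerate(accesses):
            targets = {host for ts, host in accesses[i:] if ts - start <= window}
            if len(targets) >= min_targets:
                alerts.append((actor, sorted(targets)))
                break  # one alert per actor is enough
    return alerts


if __name__ == "__main__":
    for actor, hosts in admin_share_fanout(SAMPLE_EVENTS):
        print("admin-share fan-out by", actor, "to", hosts)
```

Thresholds such as the window and host count are starting points to be tuned against what legitimate administration and backup accounts do in a given environment.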
Regin is a cyber-attack platform, although researchers still refer to it as malware. The attackers' aim is total remote control of the victim's network at every possible level. The platform is modular and operates in a number of stages. Stage 1 consists of the first samples to be detected in a victim's network; these are easy to find because the executables reside directly on the victim's computer system. The stage 1 sample uses an unusual technique to load stage 2: it reads the next stage from the extended attributes of directories on the system that are named in its configuration block.
Stage 2 is a 32-bit component implemented as a driver module. As in the first stage, it carries an encrypted configuration block. Here the block holds the names of two directories on the system whose extended attributes store stage 3, together with a registry value that may hold stage 3 when the EAs are missing. Stage 2 loads the resulting binary into memory, validates it as a PE file and calls its entry point in a system thread. The stage also contains code that removes the startup code when signalled to do so by stage 3; it is important to note that it is able to remove all Regin stages from the computer and thereby clean up the machine. There is also a 64-bit variant of stage 2 that loads the encrypted block for the next stage from the physical disk. The code then decompresses the block and checks whether the resulting code is a Windows module. If so, it loads and executes it (Sweeney, 2007).
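Stages 1 and 2 above hide the next stage in directory extended attributes or in a registry value and accept it only if it validates as a PE image. A defender reviewing such hiding places can apply the same check in reverse. The example below is added here and is not code from the original essay or from Regin itself: it builds a minimal, constructed PE32+ header stub, implements the PE header validation (MZ stub, e_lfanew, PE signature, optional header magic, AddressOfEntryPoint), and scans a constructed snapshot of blobs pulled from EAs and registry values for anything that looks like an embedded Windows module. The location labels and EA names are invented.

```python
import struct

COFF_FMT = "<HHIIIHH"  # Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptHdr, Characteristics


def build_min_pe(entry_rva=0x1000):
    """Construct a minimal PE32+ header stub for testing (not a real module)."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew -> PE signature right after DOS header
    coff = struct.pack(COFF_FMT, 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)                               # PE32+ optional header size
    struct.pack_into("<H", opt, 0, 0x20B)              # Magic: PE32+
    struct.pack_into("<I", opt, 16, entry_rva)         # AddressOfEntryPoint
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def looks_like_pe(blob):
    """Return header facts if blob starts a structurally valid PE image, else None."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if e_lfanew + 24 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, _, _, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, blob, e_lfanew + 4)
    opt_off = e_lfanew + 24
    if opt_size < 20 or opt_off + opt_size > len(blob):
        return None
    magic = struct.unpack_from("<H", blob, opt_off)[0]
    if magic not in (0x10B, 0x20B):                    # PE32 / PE32+
        return None
    entry = struct.unpack_from("<I", blob, opt_off + 16)[0]
    return {"machine": machine, "entry_point": entry, "pe32plus": magic == 0x20B}


def scan_blobs(blobs):
    """blobs: list of (location, bytes) gathered from directory EAs or registry
    values. Returns the locations that carry an embedded PE image."""
    hits = []
    for location, data in blobs:
        info = looks_like_pe(data)
        if info is not None:
            hits.append((location, info["entry_point"]))
    return hits


# Constructed snapshot: one benign EA, one benign registry value, one staged module.
SAMPLE_BLOBS = [
    ("EA C:\\Windows\\Temp\\dirA:sample.ea", b"plain attribute data"),
    ("HKLM\\SOFTWARE\\Example\\Config", b"\x01\x00\x00\x00"),
    ("EA C:\\Windows\\Temp\\dirB:sample.ea", build_min_pe(0x2000)),
]
```

Executables stored as file attributes or registry values have no legitimate reason to exist on most hosts, so any hit from such a scan deserves a closer look.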
Stage 3 is 32-bit and is known as the kernel mode manager. It is implemented as a driver module that provides the basic functionality of the malicious framework. In this stage the encrypted files are processed, which includes loading additional plug-ins, and the actual work of the malware begins. Stage 4 is referred to as the dispatcher module. It implements the internal plug-ins and is responsible for executing the difficult tasks that the malware carries out; in other words, the dispatcher can be described as the brain that drives all the stages.
There are strategies for dealing with the malware. The details of Regin have been made public, and signatures exist that can identify Regin's execution in common files. Computer system users should therefore aim either to prevent unknown executables from being installed, or, as an easier route, to identify the execution of files as soon as it happens. In addition, network traffic should be monitored continuously so that abnormal traffic can be identified (Ravitch, 2013).
Where a computer system has already been attacked by the malware, tools have been created to remove it effectively. SpyHunter is one such tool: it begins by scanning the system and its hard drives, and it updates its malware detection daily, which allows Regin to be noticed easily and quickly. Another way of eliminating Regin is to delete the malware manually, although this requires adequate computer knowledge and skills.
In conclusion, it is clear that Regin is malware that targets high-profile victims. Its operation is active, and it is likely that Regin has been upgraded to a more sophisticated version. The malware's ability to access and monitor networks is its most unusual aspect. Even though GSM networks have entities capable of tracking the culprits, some individuals with the necessary ability are said to engage in these attacks.
References
Daly, K. N., & Rengel, M. (2010). Norse mythology A to Z. New York: Chelsea House Publishers.
Ravitch, D. (2013). Reign of error: The hoax of the privatization movement and the danger to America’s public schools.
Sweeney, M. A. (2007). I & II Kings: A commentary. Louisville, KY: Westminster John Knox Press.