AV Firms Defend Regin Alert Timing

Vendors Could Have Issued Warnings Sooner, Critics Allege
AV Firms Defend Regin Alert Timing

Anti-virus firms have been defending the timing of their disclosure of the technical capabilities of powerful Regin espionage malware. Some information security experts have criticized F-Secure, Kaspersky Lab and Symantec for not more quickly issuing public warnings about the malware, which experts say has sophisticated capabilities that rival those of Stuxnet and Flame (see Regin Espionage Malware: 8 Key Issues).

See Also: Unite & Disrupt: Mitigate Attacks by Uniting Security Operations

Symantec released the first detailed technical report into Regin on Nov. 23, leading to fellow anti-virus vendors F-Secure and Kaspersky Lab quickly following suit.

Some anti-virus vendors, however, have known about the existence of Regin for at least several years. Kaspersky Lab says it first began to hear about Regin in the spring of 2012, when it was tipped off to malware that resembled Duqu. F-Secure says it found the first related sample in 2009, which dates from 2008, but only became concerned after seeing a more advanced version debut in 2013. Symantec says it first began giving Regin a serious look in the fall of 2013.

But it wasn't until this week that all three firms released related reports, saying Regin's code complexity and attack sophistication means it is likely the work of a state-sponsored attacker. "Regin bears the hallmarks of a state-sponsored operation and is likely used as an espionage and surveillance tool by intelligence agencies," a Symantec spokeswoman tells Information Security Media Group.

While all three firms say they could only guess at the identity of Regin's sponsor - and declined to do so - some information security experts suggest that the United States and the United Kingdom, perhaps working together, should be on the shortlist of suspects. Several news reports suggest the malware may have been used to hack Belgian telecommunications firm Belgacom as well as the European Parliament. And some reports suggest those campaigns were run by the National Security Agency and GCHQ, which are respectively U.S. and U.K. intelligence agencies (see Espionage Malware Alert Sounded).

Did AV Vendors Delay?

The delay between discovery and disclosure - and the suggestion that Regin is a full-ledged, nation-state-crafted advanced persistent threat, perhaps authored by U.S. and U.K. cyberweapons teams - have led to questions about what anti-virus vendors knew, when they knew it, and whether they should have sounded related alerts sooner. "Why wait so long to talk about it?" asks Jeremiah Grossman, interim CEO of website security firm WhiteHat Security.

"Most anti-viruses started actually detecting it quite early, which is good. What isn't good is the secrecy around it for so long," says security researcher Claudio Guarnieri, a.k.a. "nex."

But all three anti-virus firms say that Regin didn't just magically reveal its capabilities one day. "This is an APT campaign we have been tracking for several years and the research was ongoing," a Kaspersky spokeswoman tells Information Security Media Group. F-Secure's chief research officer, Mikko Hypponen, likens the process to a puzzle, saying that thanks to work by security researchers from different firms - sometimes collaborating - they've been able to collectively put enough pieces together to understand some of the malware's capabilities.

"Our first detection name was 'agent' - the default name for newly discovered malware," says F-Secure security advisor Sean Sullivan. "Regin was named in 2013 and that was when we really started to retroactively see the bigger picture," he adds, noting that it led F-Secure to discover that a piece of malware submitted to VirusTotal in 2009 was an earlier version of Regin.

Symantec's Timing Decision

Symantec says it has recovered samples of Regin from customers' PCs; it has seen only about 100 related infections to date. "Symantec has been monitoring Regin for some time," a spokeswoman tells Information Security Media Group. "However, it has taken some time to gather all necessary components so that we can build a good understanding of the threat. We have also been monitoring for any further activity and attacks. Since no further information has come to light, we have made the decision to release our findings publicly."

F-Secure and Kaspersky issued their related reports after - and in response to - Symantec's report. "We worked day and night and put together our paper after receiving questions from journalists about similar research being released by our competitor - Symantec," Kaspersky Lab says. "There are still a lot of unanswered questions about Regin that we are continuing to investigate. In general, during the course of our research activities, we are constantly tracking multiple advanced threat actors, and the decision to release reports is made when the work is completed with an acceptable degree of competence."

AV Firms Deny Whitelisting

Last year, Dutch digital rights group Bits of Freedom asked leading anti-virus firms if they would ever "whitelist" - as in, purposefully ignore or allow - any piece of malware, for example in response to a government demand. Six vendors quickly confirmed that they blocked all malware that they discovered, regardless of who built it. They also said they would never comply with any government demand that they not block a specific piece of malware. In subsequent interviews with this reporter, the other queried firms likewise said they detected - and blocked - all malware, and would comply with no government requests to do otherwise.

In response to similar questions being posed this week, F-Secure, Kaspersky Lab and Symantec all tell Information Security Media Group that - as they said in 2013 - they would never omit the signature for a piece of malware at the request of any government. "As a security company, Kaspersky Lab detects all forms of malicious programs, regardless of their source or purpose," a spokeswoman says, noting that if the firm detects it, then it adds a signature for blocking it to its anti-virus engine. Both Symantec and F-Secure say the same.

But the Regin episode highlights that while anti-virus vendors say they always block all forms of malware - whether state-sponsored or not - they don't always publish in-depth technical details for every piece of malware they find. Sometimes, that decision is based on privacy concerns voiced by one of the anti-virus firm's customers. F-Secure, for example, says it previously declined to issue an analysis of Regin for precisely those reasons, as the company's Mikko Hypponen here explains, in response to a Regin-related query from security expert and Europol cybersecurity advisor Alan Woodward:

While it's easy in hindsight to ask why anti-virus vendors didn't more quickly issue a public warning about Regin, it's also important to note that by some estimates, anti-virus firms are seeing more than 160,000 new pieces of malware per day.

"What do you want, press releases on every piece of malware?" asks security expert Dan Kaminsky, chief scientist of anti-malware firm White Ops. "[The] vast majority of bugs and attacks are never disclosed publicly." And trying to do so, he says, would likely require something on the order of a phone book.

Such data would also be relatively meaningless, without first turning it into usable intelligence. "Discovering a rootkit component doesn't necessarily mean you have anything interesting to write about anyway," F-Secure's Sullivan says. Although as Regin highlights, that situation can sometimes change quickly, and dramatically, and the security firms suggest that additional, related revelations may soon follow.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network