World's most advanced hacking spyware uncovered

Today a cyber security firm Symantec has exposed a new advance piece of malware, Regin. It has been using since 2008 to spy on government agencies and individuals.

Once the malware has breached a computer, it can gain control of the mouse pointer, recover deleted files and make copies of passwords.

Almost half of the attacks targeted individuals and small businesses, alongside telecoms companies in what appears to be an attempt to gain access to calls routed through their infrastructure.

Regin victims may have been tricked into using fake versions of well-known websites, resulting in the installation of the bug. The low-key nature of the bug means it could be used in espionage campaigns lasting several years, Symantec said.

Regin is a back-door-type Trojan, “customizable with an extensive range of capabilities depending on the target,” Symantec said, adding that “it provides its controllers with a powerful framework for mass surveillance.” Its development probably took months “if not years” and “its authors have gone to great lengths to cover its tracks.”

Researchers have identified its use in 10 countries, mainly Russia and Saudi Arabia, as well as Mexico, Ireland, India, Afghanistan, Iran, Belgium, Austria and Pakistan.

Regin has five attack stages. It begins with an initial “drop,” also called a Trojan horse (or “backdoor”) breach, that allows it to exploit a security vulnerability while avoiding detection. The first stage deploys what is called a loader, which prepares and executes the next stage; the second stage does the same to complicate detection.

The third and fourth stages, called kernels, build a framework for the fifth and final stage, called the payload. That’s when it can wrest control of a computer or leap to a new victim.

Each stage prepares and executes the next, rather than deploy from a common framework. It’s similar in concept to Russian nesting dolls. Regin’s distributed structure makes it difficult for cyber security researchers to identify it without capturing information about all five stages.

Source : Symantec