After Symantec published its report on the Regin super-spyware, there were many questions raised. Who coded it? What can it do? And – above all – why did it take so long for security vendors to notice it?
Regin is a sophisticated piece of software. It can be customized for particular missions by inserting into its framework plugins that provide individual bits of functionality. If a copy is captured, only parts of the malware are revealed rather than its full capabilities.
It uses multiple levels of encryption to obfuscate itself, hides itself on disk, and runs at the kernel level to stay out of sight. It can eavesdrop on network traffic and infiltrate mobile phone networks. On the face of it, Regin should have set alarm bells ringing much sooner when it was first detected in the wild.
It was injected into systems at Belgian telecoms outfit Belgacom around 2010, and builds of the spyware are said to have been floating around for years – since 2011, 2008 or 2004 depending on which antivirus vendor you talk to. On Sunday, Symantec went public with its dissection of the code.