Nov 26, 2014

Security industry wasn't proactive in disclosing Regin malware

The Regin malware was well written and designed to conduct cyberespionage, likely launched by the NSA and GCHQ
After details of the sophisticated Regin malware were published online, there was concern that security companies hadn't done enough to protect Internet users from the threat. Although the malware had been in circulation for years, Symantec reportedly only identified it and added it to its detection systems in December 2013.
However, it would appear Symantec identified Regin sometime in 2010 and it was labelled a Trojan in 2011, while F-Secure identified parts of the malware in 2009, with Microsoft learning of it in 2010.
"Symantec has been monitoring Regin for some time," Symantec recently told Forbes. "However, it has taken some time to gather all necessary components so that we can build a good understanding of the threat. We have also been monitoring for any further activity and attacks. Since no further information has come to light we have made the decision to release our findings publicly."
The Regin malware was likely created by the NSA and GCHQ. Given the priority the US and UK place on surveillance, cybersecurity experts wouldn't be overly surprised if the two countries were behind the code.

Did The Security Industry Fail To Protect The World From Regin?

Symantec, the world’s number one supplier of anti-virus software, first began looking into the super-smart Regin surveillance tool in the fall of 2013 and added it to its detection systems in December of that year. Not a bad turnaround, right? Maybe not.
The firm told me over email: “Symantec has been monitoring Regin for some time. However, it has taken some time to gather all necessary components so that we can build a good understanding of the threat. We have also been monitoring for any further activity and attacks. Since no further information has come to light we have made the decision to release our findings publicly.”
But Simon Edwards, who runs anti-virus testing business Dennis Technology Labs, did some quick research today showing that Symantec was actually detecting components of Regin back in 2010 and had labelled it a Trojan in March 2011. That was the same time Microsoft had picked up on the malware, thought by various sources I’ve spoken with to be a product of GCHQ and National Security Agency hackers. But there’s something odd about that initial Microsoft detection: it didn’t include any technical information. Microsoft’s systems evidently saw Regin was doing something bad, but then no human analyst decided it was worthy of attention. Another anti-virus provider, F-Secure, told me it had started blocking components from as early as 2009, whilst admitting on Twitter the firm had been asked by a customer, not a government body, to not publicly divulge information on Regin.
Here’s something a little more perplexing: Symantec has given Regin the lowest possible risk rating and only a “medium” score for its “damage rating”. That’s likely because only 100 or so machines have actually been hit with Regin. Microsoft, meanwhile, gave it a “severe” rating three years ago. Such mixed messages don’t fill onlookers with confidence. Let’s remember this is a piece of malware that reportedly infected systems at Belgacom, a major ISP that provides services for the European Union, and one of the world’s top cryptographers, Jean-Jacques Quisquater.
This would all indicate AV firms’ technology did an adequate job at figuring out if something was malicious and then blocking it. But neither the tech nor its owners were quick to figure out just how severe a threat Regin was, hence Symantec’s bizarre statement that it wasn’t detecting it until last year. Nor were they able to expose Regin as a nation state-sponsored malware as fast as they might. And they were either afraid to say it outright or didn’t have enough hard facts in front of them: this was the work of GCHQ and/or the NSA.
Perhaps if their threat data sharing mechanisms were better, they would have pieced the Regin puzzle together sooner. And maybe it’s time we saw the same high-quality anti-virus as something that comes as standard with every computer and phone. That would require more standardised data sharing across companies. They would, of course, have to find other ways to remain competitive. But it would make us all that much more secure from nation states with too much funding and time on their hands.