Talk:Regin (malware)

Description of Regin

Removed the following from the article page...

Correction: Regin is NOT a virus, but a trojan. The whitepaper from Symantec clearly says, "A reproducible infection vector is unconfirmed at time of writing." I see that this was also put under the category of Worms, which is also entirely inaccurate. "It is used for the collection of data and continuous monitoring of targeted organizations or individuals. This report provides a technical analysis of Regin based on a number of identified samples and components. This analysis illustrates Regin’s architecture and the many payloads at its disposal"

This is correct, there is nothing in the paper published by Symantec saying that this is a virus, nor that it is a trojan (as suggested above). The attack vector is unknown at this point.

— Preceding unsigned comment added by 82.71.3.221 (talk | contribs) 00:30, 24 November 2014

Yeah, it seems to me this should simply be called malware until more info emerges. So will anyone object if I move it to Regin (malware)? Nil Einne (talk) 00:55, 24 November 2014 (UTC)
Please do, I don't know how to do that myself, otherwise I would have done it already.
For future reference, unfortunately it's not possible for unregistered editors. If you are unwilling or unable to register, you'll need to request someone do it for you, perhaps via the Wikipedia:Requested moves template. Nil Einne (talk) 01:48, 24 November 2014 (UTC)

The blog post from Symantec http://www.symantec.com/connect/blogs/regin-top-tier-espionage-tool-enables-stealthy-surveillance says that Regin is 'a back door-type Trojan'.

But the rest of the blog post just uses malware (except where it calls it a Remote Access Trojan) and gives details which suggest they don't know that well how it spreads. There doesn't seem to be any evidence so far that it's self-spreading, so worm and virus should probably be avoided. And it probably spreads like a trojan in at least some cases (and they say it does), but other cases seem more complicated and I don't know if there's even a good word for them. E.g. the case where a Yahoo Messenger exploit was used, was this really trojan-like? I'm guessing the answer may be no. Anyway, I'm not seeing any specific objection to malware, so I'll move it with no prejudice to any future renaming. Nil Einne (talk) 01:40, 24 November 2014 (UTC)

Name

Does anyone know why it's called Regin? Eric Kvaalen (talk) 14:52, 27 November 2014 (UTC)

According to a German newspaper [1], security people at Microsoft, who found fragments of it first, named it after the sneaky Norse god Regin. Alexpl (talk) 15:39, 27 November 2014 (UTC)
Thanks, I have put it in the article. Eric Kvaalen (talk) 16:36, 28 November 2014 (UTC)

Regin and NSA 'qwerty' keylogger

I'm no expert in this field, but maybe this recent article is useful and should be mentioned. It documents striking similarities between Regin and a malware known (from the Snowden documents) to have been deployed by the NSA. Looks pretty convincing. The article contains a link to the original code snippets published by Der Spiegel in Jan 2015:

https://securelist.com/blog/research/68525/comparing-the-regin-module-50251-and-the-qwerty-keylogger/

84.135.114.2 (talk) 22:46, 27 January 2015 (UTC)