Infinity vs. The Real World: Regin

It’s ironic that the recent news from Symantec’s threat research team that it found the Regin malware spying on businesses also indicates that Regin has been on those systems for over six years. Hmm. Doesn’t that tell us something about the efficacy of security products today?

Cylance was created for this purpose. Once this story broke, we tested the samples against our cybersecurity endpoint protection product, CylancePROTECT. As expected, we identified ALL the samples as bad. As can be seen from the screenshot – the Cylance score indicated 100% confidence that the features of the objects were indeed a threat. This is all without having ever before seen the objects.

[Screenshot] Cylance’s algorithmic malware detection makes short work of Regin samples.

The Regin samples detected above are all 32-bit Windows drivers, the first stage of the Regin malware which reads subsequent stages from NTFS extended attributes (EAs) via the NtQueryEaFile API function. Although the driver contains code to look up the NtSetEaFile API function as well – even going so far as to retrieve the function’s address from the service descriptor table if running on Windows NT 4.0 (build 1381) – it does not call NtSetEaFile. As of this writing, we have not seen the exploit or Regin installer that stores the EAs. Fortunately, detecting either stage breaks the chain and prevents the compromise and all the badness that ensues from it.
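The stage-reading behaviour described above is worth understanding from the forensic side: NtQueryEaFile returns a chain of FILE_FULL_EA_INFORMATION records, and the same record layout is what an NTFS $EA attribute holds on disk. The example below is added here and is not Cylance’s code or a Regin sample; it parses a constructed EA buffer in that documented layout and flags values that a responder would want to look at (a value beginning with the "MZ" PE signature, or a value far larger than any benign EA). The EA names, the sample buffer and the 4096-byte size threshold are constructed for illustration.

```python
"""Parse NTFS extended-attribute records (FILE_FULL_EA_INFORMATION chain)
and flag values that look like hidden executable stages.

Record layout (Windows Driver Kit, FILE_FULL_EA_INFORMATION):
    ULONG  NextEntryOffset   # bytes from this record to the next; 0 = last
    UCHAR  Flags             # FILE_NEED_EA = 0x80
    UCHAR  EaNameLength      # excludes the terminating NUL
    USHORT EaValueLength
    CHAR   EaName[]          # NUL-terminated, value follows immediately
Records are padded to a 4-byte boundary.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass
from typing import List, Tuple

EA_HEADER = struct.Struct("<IBBH")   # NextEntryOffset, Flags, EaNameLength, EaValueLength
FILE_NEED_EA = 0x80
MAX_BENIGN_EA_VALUE = 4096           # heuristic threshold, constructed for this example


@dataclass
class EaRecord:
    name: str
    value: bytes
    flags: int


def parse_ea_buffer(buf: bytes) -> List[EaRecord]:
    """Walk a FILE_FULL_EA_INFORMATION chain, validating every offset."""
    records: List[EaRecord] = []
    offset = 0
    while True:
        if offset + EA_HEADER.size > len(buf):
            raise ValueError(f"truncated EA header at offset {offset}")
        next_off, flags, name_len, value_len = EA_HEADER.unpack_from(buf, offset)
        name_start = offset + EA_HEADER.size
        value_start = name_start + name_len + 1          # skip the NUL after the name
        value_end = value_start + value_len
        if value_end > len(buf):
            raise ValueError(f"EA value overruns buffer at offset {offset}")
        name = buf[name_start:name_start + name_len].decode("ascii", "replace")
        records.append(EaRecord(name, buf[value_start:value_end], flags))
        if next_off == 0:
            break
        # A forward offset must cover this record, be 4-byte aligned and stay in bounds.
        if next_off < value_end - offset or next_off % 4 or offset + next_off >= len(buf):
            raise ValueError(f"bad NextEntryOffset {next_off} at offset {offset}")
        offset += next_off
    return records


def build_ea_buffer(entries: List[Tuple[str, bytes, int]]) -> bytes:
    """Serialise (name, value, flags) tuples into the same chain format (test data only)."""
    out = bytearray()
    for i, (name, value, flags) in enumerate(entries):
        body = name.encode("ascii") + b"\x00" + value
        entry_len = EA_HEADER.size + len(body)
        padded = (entry_len + 3) & ~3
        next_off = padded if i < len(entries) - 1 else 0
        out += EA_HEADER.pack(next_off, flags, len(name), len(value)) + body
        out += b"\x00" * (padded - entry_len)
    return bytes(out)


def find_suspicious_eas(records: List[EaRecord]) -> List[Tuple[str, str]]:
    """Return (name, reason) for EA values that look like stored executable stages."""
    findings = []
    for r in records:
        if r.value[:2] == b"MZ":
            findings.append((r.name, "pe-header"))
        elif len(r.value) > MAX_BENIGN_EA_VALUE:
            findings.append((r.name, "oversized"))
    return findings


# Constructed sample: one benign tag, one PE-like value, one oversized blob.
SAMPLE_EA_BUFFER = build_ea_buffer([
    ("BENIGN.TAG", b"hello", 0),
    ("STAGE2", b"MZ\x90\x00" + b"\x00" * 60, FILE_NEED_EA),
    ("BIG", b"A" * 5000, 0),
])

if __name__ == "__main__":
    for name, reason in find_suspicious_eas(parse_ea_buffer(SAMPLE_EA_BUFFER)):
        print(f"suspicious EA {name!r}: {reason}")
```

On a live system the buffer would come from NtQueryEaFile (or from the $EA attribute of a carved MFT record); the parser rejects overlapping or out-of-bounds records so a crafted chain cannot make it read past the buffer.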

While it is important to know about Regin, realistically it’s just another advanced persistent threat (APT). They are in the news weekly, and at Cylance we see new forms daily. In the end it’s not even the malware’s presence that matters, it’s whether it is able to execute – or successfully install. Once traditional security has been bypassed, it’s the “asset” and the value of what gets damaged, stolen or spied upon that counts. In this case, the malware was not focused on business intellectual property, but on users: what they were doing, where they were going and where they were staying.

Cylance is teamed with cybersecurity professionals who realize that the use of malware – for whatever purpose – is a non-stop barrage on their computers. Seeing the likes of Symantec miss this for over six years with signature-based antivirus is further proof that the fundamentals of detection and prevention have to change.

We created CylancePROTECT using algorithmic science and machine learning to do just that: classify every computer object and instantaneously detect which are “bad”, regardless of how the malware is structured, delivered and changed over time, and block them from executing. Had the affected companies installed CylancePROTECT on their systems, this malware would have been discovered, disrupting the spying that is now global headlines.

Greg Fitzgerald
Chief Marketing Officer