The details are still emerging, but Symantec's recent announcement of the Regin malware suggests that this is the highest-profile and most sophisticated threat found since the Stuxnet worm. Like Stuxnet, it appears to have existed for years undetected before being reported to the public. Also like Stuxnet, it appears to have been developed with government resources and to be targeted at government and infrastructure systems in specific countries.
Although this is a high-profile announcement, there is little that the average person needs to fear from threats like these. The developers of this type of malware are not interested in data from individuals' systems, and would go to great lengths to keep it from infecting end users, because every unnecessary infection only increases the odds of detection. Most consumer antivirus products, whether based on static or dynamic analysis, would neither detect nor prevent infection by a threat like this; but it could be argued that it is not worth those users trying to prevent it when there is so little risk of it causing them significant harm.
Image courtesy of Symantec
For militaries, governments and operators of critical infrastructure, on the other hand, this is exactly the type of threat they should be most concerned about. Most of these organizations have systems and processes in place to keep average, everyday malware, including zero-day attacks, away from their networks and critical operations. We do not yet know all the details of how this particular malware spreads or which systems it targets, but the fact that it is engineered to evade detection through several layers of encryption and obfuscation means it was built specifically to get past the tools those organizations rely on to catch such threats.
For the organizations that are targeted by this type of malware, and so have the most to lose from infection, there are several things they can do to reduce the likelihood of being compromised. One of the most important is defense in depth: several independent layers of defense that detect and block malware, so that a targeted attack which subverts one layer does not succeed outright. The second is to control the chain of custody for any data or device that will touch the secure network, and to refuse access to any device or data that does not have a fully trusted chain of custody.
Finally, it is important to periodically rescan files, systems and devices that are already part of the secure network, to detect threats that previously made it through the defenses. In the case of Regin, for example, once full details of the threat and what it does have been released, every such organization should scan its network to make sure the malware had not already entered undetected.
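The retrospective sweep described above, as an added example that is not part of the original post or of any vendor tool: it walks a directory tree, hashes every file, and reports anything that matches a published indicator list, either by SHA-256 or by a byte pattern found in the file. The indicator values, the sample files and the directory layout below are constructed for illustration and are not Regin indicators.

```python
"""Retrospective indicator sweep (added example).

Hashes every file under a root and reports matches against a list of
indicators published after a threat is disclosed. Both the indicator values
and the sample tree built by build_sample_tree() are constructed here for
illustration; they are not real Regin indicators.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# Constructed byte pattern standing in for a vendor-published string indicator.
SAMPLE_PATTERN = b"MAGIC-MARKER-C0NSTRUCTED"


def sha256_of(path, chunk=1 << 20):
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, hashes, patterns, max_read=16 << 20):
    """Walk root and return (files_scanned, hits).

    hits is a list of (path, reason) with reason 'sha256' or
    'pattern:<hex of the matched pattern>'. Unreadable or locked files are
    skipped rather than aborting the sweep, so one bad file cannot hide the rest.
    """
    hits = []
    scanned = 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_of(path)
                with open(path, "rb") as f:
                    head = f.read(max_read)  # pattern search over the first max_read bytes
            except OSError:
                continue
            scanned += 1
            if digest in hashes:
                hits.append((path, "sha256"))
            for pat in patterns:
                if pat in head:
                    hits.append((path, "pattern:" + pat.hex()))
    return scanned, hits


def build_sample_tree():
    """Constructed sample tree: a benign file, a file whose hash is on the
    indicator list, and a log that contains the constructed byte pattern."""
    root = tempfile.mkdtemp(prefix="sweep_")
    (Path(root) / "report.txt").write_bytes(b"quarterly numbers\n")
    drivers = Path(root) / "drivers"
    drivers.mkdir()
    (drivers / "svc.sys").write_bytes(b"CONSTRUCTED-SAMPLE-PAYLOAD")
    logs = Path(root) / "logs"
    logs.mkdir()
    (logs / "old.log").write_bytes(b"boot ok\n" + SAMPLE_PATTERN + b"\nshutdown\n")
    return root


def demo():
    """Run the sweep over the constructed tree; returns (scanned, hits) with
    hits as (path relative to root, reason), sorted for stable output."""
    root = build_sample_tree()
    try:
        # Constructed hash indicator: the digest of the sample payload above.
        hashes = {hashlib.sha256(b"CONSTRUCTED-SAMPLE-PAYLOAD").hexdigest()}
        scanned, hits = sweep(root, hashes, [SAMPLE_PATTERN])
        rel = sorted((os.path.relpath(p, root), reason) for p, reason in hits)
        return scanned, rel
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    scanned, hits = demo()
    print(f"scanned {scanned} files")
    for path, reason in hits:
        print(f"HIT {path} ({reason})")
```

Hash matching only catches files byte-identical to a published sample, and a threat that keeps its later stages encrypted on disk, as Regin is described as doing, will not show up that way; the byte-pattern check helps, but a sweep like this should be run alongside the vendor's own signatures and a memory scan rather than replacing them.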