Tuesday, November 25, 2014

The silence of the antivirus industry

A public autopsy of sophisticated intelligence-gathering spyware Regin is causing waves today in the computer security world.

But here's a question no one's answering: given this super-malware first popped up in 2008, why has everyone in the antivirus industry kept quiet about it until now? Has it really taken them years to reverse engineer it?


For one thing, it doesn't operate like conventional spyware: Regin doesn't form a remotely controlled botnet – suggesting its masters really didn't want it to be found – nor does it harvest personal financial information.

Instead it collects intelligence useful to state spies. Coupled with the fact that virtually no infections have been reported in the US, UK or other Five Eyes nations, some to suspect it's the work of the NSA, GCHQ or their contractors.
The NSA's fingerprints look to be all over this.  Of course, they've been all about intelligence gathering for, well, forever. 

It is interesting that it's taken 6 years for the antivirus industry to catch this, but it's plausible that the unusual behavior and small number of infected devices explain that.

Whether it's good politics to spy on our allies like this is another discussion.

1 comment:

lelnet said...

Honestly, my guess is that it's the different profile (especially the lack of mass infections) that's the key. Some might hypothesize that the NSA leaned on them, but that fails to account for two factors:

1. Why now? If they can keep it secret from 2008 to today even in a hypothetical world where the AV vendors are in on the conspiracy, why isn't it secret anymore?
2. Why didn't Kaspersky have it? It's hard to source scales so sensitive they can pick up the weight NSA can throw around in Russia, but they didn't catch on to it there either.

If "laziness" and/or "incompetence" can adequately explain the observations, then I'm going to go ahead and rule out "conspiracy" until there's some new data point which mandates re-considering it.