Regin Malware

Last week, we learned about a striking piece of malware called Regin that has been infecting computer networks worldwide since 2008. It's more sophisticated than any known criminal malware, and everyone believes a government is behind it. No country has taken credit for Regin, but there's substantial evidence that it was built and operated by the United States.

This isn't the first government malware discovered. GhostNet is believed to be Chinese. Red October and Turla are believed to be Russian. The Mask is probably Spanish. Stuxnet and Flame are probably from the U.S. All these were discovered in the past five years, and named by researchers who inferred their creators from clues such as who the malware targeted.

I dislike the "cyberwar" metaphor for espionage and hacking, but there is a war of sorts going on in cyberspace. Countries are using these weapons against each other. This affects all of us not just because we might be citizens of one of these countries, but because we are all potentially collateral damage. Most of the varieties of malware listed above have been used against nongovernment targets, such as national infrastructure, corporations, and NGOs. Sometimes these attacks are accidental, but often they are deliberate.

For their defense, civilian networks must rely on commercial security products and services. We largely rely on antivirus products from companies such as Symantec, Kaspersky, and F-Secure. These products continuously scan our computers, looking for malware, deleting it, and alerting us as they find it. We expect these companies to act in our interests, and never deliberately fail to protect us from a known threat.

This is why the recent disclosure of Regin is so disquieting. The first public announcement of Regin was from Symantec, on November 23. The company said that its researchers had been studying it for about a year, and announced its existence because they knew of another source that was going to announce it. That source was a news site, the Intercept, which described Regin and its U.S. connections the following day. Both Kaspersky and F-Secure soon published their own findings. Both stated that they had been tracking Regin for years. All three of the antivirus companies were able to find samples of it in their files since 2008 or 2009.

So why did these companies all keep Regin a secret for so long? And why did they leave us vulnerable for all this time?

To get an answer, we have to disentangle two things. Near as we can tell, all the companies had added signatures for Regin to their detection database long before last month. The VirusTotal website has a signature for Regin as of 2011. Both Microsoft security and F-Secure started detecting and removing it that year as well. Symantec has protected its users against Regin since 2013, although it certainly added the VirusTotal signature in 2011.

Entirely separately and seemingly independently, all of these companies decided not to publicly discuss Regin's existence until after Symantec and the Intercept did so. Reasons given vary. Mikko Hyppönen of F-Secure said that specific customers asked him not to discuss the malware that had been found on their networks. Fox IT, which was hired to remove Regin from the Belgian phone company Belgacom's website, didn't say anything about what it discovered because it "didn't want to interfere with NSA/GCHQ operations."

My guess is that none of the companies wanted to go public with an incomplete picture. Unlike criminal malware, government-grade malware can be hard to figure out. It's much more elusive and complicated. It is constantly updated. Regin is made up of multiple modules -- Fox IT called it "a full framework of a lot of species of malware" -- making it even harder to figure out what's going on. Regin has also been used sparingly, against only a select few targets, making it hard to get samples. When you make a press splash by identifying a piece of malware, you want to have the whole story. Apparently, no one felt they had that with Regin.

That is not a good enough excuse, though. As nation-state malware becomes more common, we will often lack the whole story. And as long as countries are battling it out in cyberspace, some of us will be targets and the rest of us might be unlucky enough to be sitting in the blast radius. Military-grade malware will continue to be elusive.

Right now, antivirus companies are probably sitting on incomplete stories about a dozen more varieties of government-grade malware. But they shouldn't. We want, and need, our antivirus companies to tell us everything they can about these threats as soon as they know them, and not wait until the release of a political story makes it impossible for them to remain silent.

This essay previously appeared in the MIT Technology Review.

Posted on December 8, 2014 at 7:19 AM • 41 Comments


Don Bailey • December 8, 2014 7:38 AM

I have to disagree with the assessment that Regin has its origins in US or British services. Page 12 of Symantec's report indicates that the string "shit" is sprinkled throughout the code and that CRC checks use the seed "31337." Unless the authors were intentionally trying to look like h4ck3rz, I'd say it's the work of amateurs.

keiner • December 8, 2014 7:42 AM

It's a shame. I will cancel my subscriptions to this snake oil software and rely on Linux/BSD and free software scanners. I'm no longer willing to pay for such trash; the only things I got in the last 10 years were false positives, taking me a significant amount of time to confirm as such.

The rest is simply stealing of computing resources: computers work fine after a fresh install, but as soon as this antivirus trash is added, performance goes south.

Thoth • December 8, 2014 7:56 AM

@Bruce Schneier
Many of your followers on this blog have given up hope on commercial security and many of us are turning to or having interest in attempting to build our own secure environment (includes hardware and software).

Commercial security has been a failure for a long time and will always be. From the downright silly buffer overflows, type casting, command injections to the high level spy game intrigues of hardware backdoors and crypto subversion. Crypto AG is a good example of a crypto company that fails to deliver high integrity crypto products since its days of the Hagelin cipher machine. Its machines are backdoored for the selfish to toy with others. Commercial security is really upsetting.

Linux / BSD for casual use would be nice, but if it's high assurance security, it would not be enough. Setting up multiple tiers of security boundaries and environments with proper planning, OPSEC, disaster plans, etc.

Frustrated • December 8, 2014 8:16 AM

It's worse than that. As you've pointed out many times, we have one infrastructure. We have companies that are receiving national security letters to never speak a word about "things that affect national security." But what security is it when other companies can't even mention the fact that there could be massive vulnerabilities that affect every layer of the stack, from microcode to distributed-AI. Knowingly and intentionally leaving things insecure for the sake of being the "black hat" of the "we'll take that data thank you very much"-pair (companies and multi-nationals being the other in the "white hat" role, but don't let the name fool ya). All the while trying to demonize anyone that dares bring it up (and has proof), meaning those that literally depend on the machines for society to function but have no technical chops are left out to dry. It's a fucking shit show and we're all getting it up the arse because getting warrants and doing good ol' fashioned police work these days is apparently too much to ask from those that "represent" our views on how to "gently" fuck us over rather than "definitely" fuck us over.

Maybe it's time we take the argument that malware lives matter. It's simple: if it can procreate (the malware being the seed and the host machine being the egg, as a binary file doesn't act on its own), in a semi-metaphorical manner, then we can posit that we are dealing with a government life-form of sorts. Because we cannot know if we are affected or not (because companies or researchers or officials can't disclose it), then that is an offensive attack on the citizens because it was done knowingly.

At what point of sophistication are we going to collide with software and devices that affect our lives to the point where it is a physical disaster and we can trace it back to state-sponsored spawns? Self-driving cars, banking, handhelds, ATMs, etc. That is why this shit has to change; it is too fucking dangerous for EVERYONE (people and overlords).

wiredog • December 8, 2014 8:53 AM

But what should they do? "We've found this signature of a malware that we don't know the source of."? Isn't that what they are already doing with most of the malware they remove? They say they've found something, but don't talk about the source. Or should they start speculating about the source when they have no real idea of it? That's what all the people blaming North Korea for the Sony attack are doing. "Sony was hacked, Sony released a movie making fun of KN, so NK is behind the attack." Except that, oops, maybe not.

Beware false flags.

"When you make a press splash ... you want to have the whole story. " Someone needs to pass that along to Rolling Stone. Because following the idea of "That is not a good enough excuse, though." is getting them a lot of flak.

Frustrated • December 8, 2014 8:59 AM

I agree there. More just ... I can see an argument being made that if government malware ended up on a civilian system, they could try to say that's cyber-assault. At some point there will eventually be a verifiable state-sponsored digital assault if the universe RNG is to be trusted in (and we wait long enough) ... good ol' probability. At that point, how far along is the malware going to be in sophistication, replication, and capabilities.

Hagin • December 8, 2014 9:38 AM

Kaspersky Lab wrote on Monday that it obtained a sample of Regin that had infected the computer of Jean-Jacques Quisquater, a well-known Belgian cryptographer who said his computer was targeted by a sophisticated attack.

It wouldn't surprise me if Regin was found on Bruce Schneier's computer. If not Regin, then possibly some other nation-state malware from a non-Five-Eyes country.

Rogerdodger • December 8, 2014 9:46 AM

I think you may be a bit paranoid in this particular case. The fact that these AV companies were detecting this as malware before they released a press briefing about it is hardly evidence of skullduggery. Also, what bizarre scenario could occur that would end up having Kaspersky, Symantec, F-Secure, and Microsoft all working together for a common nefarious purpose? That would be a stretch.

If you look at the daily/weekly deluge of malware these companies deal with I believe the adage "Never blame on malice that which can be explained by incompetence" is probably appropriate here.

@Thoth -
You may have "given up on commercial security" and decided to build your own, but I can assure you that many of the business readers of this blog have not thrown out their Cisco/Juniper/Checkpoint enterprise firewalls or started writing their own anti-malware programs. Security software and hardware is rarely without faults and needs constant updating, yes, but the answer in an enterprise environment is that you simply take that into account when you are implementing security controls and plan for the inevitability of a security weakness or failure, not throw the baby out with the bathwater. One can create a CIA-level highly-secure environment, but the other 90% of us need to allow the company to turn a profit.

Bob S. • December 8, 2014 10:04 AM

The Snowden Revelations explained to us that a great number of major American corporations are willingly cooperating or have been forcibly co-opted into becoming...."partners" for the NSA. Millions of dollars are paid for their...assistance.

For some reason the number 86 comes to mind as the specific number of large partner corporations working for the NSA. That pretty much covers all the bases in the USA I would think.

So then, the question becomes, are big anti-virus, firewall and/or internet security corporations "partners" with NSA/GCHQ/Five Eyes and who knows what other governments?

Based on some of my experience with them by watching network connection monitors, logs and tracing e.g. "update" connections the answer is: "probably". Meanwhile, everyone knows encryption done right, works. Thus, proof is not readily possible.

The big corporations are in a tough spot. The smaller outfits can simply refuse to cooperate and go out of business. For any of the multi-nationals to do that would be catastrophic in many respects. So, they simply fall in line.

The way governments and corporations are stonewalling about mass surveillance has become tiresome to say the least. At this point it appears they will prevail, too.

Bauke Jan Douma • December 8, 2014 10:20 AM

We want, and need, our antivirus companies to tell us everything they can about these threats as soon as they know them

To which I'd like to add: we want, and need, our ISPs to tell us everything they can about these threats as soon as they know them, i.e. full story or not.

I am thinking esp. of XS4ALL in The Netherlands, who have one of their servers mentioned in the XKEYSCORE Tor subversion script.

Anon • December 8, 2014 11:20 AM

@Don Bailey:
Please read the Intercept article on Regin. It points out that it is what "hacked" the Belgacom servers at roughly the time the NSA operation to do the same was going on.

Is it conclusive proof? No. But please also note that it does say "shit" not "merde"/"дерьмо"/"똥"/"mierda" or "狗屁"

As for it not being professional enough... well... if you're hiring black hats, expect to employ some interesting characters. Large multi-stage component based malware like Regin is generally not the work of amateurs - way too much work to write for a hobby.

Rogers' whores • December 8, 2014 11:42 AM

This essay is remarkably meek. When you sell protection from sabotage and knowingly choose to withhold it, that is fraud. When people trust you with their livelihood or even lives, this is treachery. Colleagues and customers need to publicly put the obvious question to these high-profile failures, Hyppönen, Prins, Fran Rosch: What made you flush your reputation and integrity? Was it NSA? How did they induce you to betray your position of trust? With corruption, or extortion? Or did they just make you feel like big shots? And now that you're disgraced as Stasi-style informants, why should we believe a word you say from here on out? Who do you think is going to trust your NSA spy software?

Penguin • December 8, 2014 12:41 PM

"Linux / BSD for casual use would be nice but if it's high assurance security, it would not be enough. Setting up multiple tiers of security boundaries and environments with proper planning, OPSEC, disaster plans and etc."

Could you please elaborate? Or do you have any links or books to recommend?

I switched to Linux from Windows a while ago, and although I'm confident that the setup I have now is much more secure than before, I don't pretend that I'm invincible to every attacker out there. I'm always looking for ways to improve. Security requires eternal vigilance, as they say.

keiner • December 8, 2014 2:03 PM

@Penguin: As a starter use an appropriate router (hard+software) and an IDS/IPS (unfortunately Snort is f*cked up by being bought by Cisco and Suricata by US Homeland Security...). Different networks for different purposes. And so on, and so on...

Justin • December 8, 2014 2:42 PM

Re: OP

I think these antivirus companies see evidence or a level of sophistication that indicates a nation-state is behind some malware, and then they simply clam up about it. Oftentimes the customer that reported the sample already has reason to suspect nation-state hacking, and doesn't want it talked about. Whether they don't want to interfere with legitimate government spying operations or they are simply scared of recriminations from whatever government, I think there is a certain level where it is mutually agreed that certain malware is simply out of the AV companies' league.

Think about Kaspersky, for instance, based in Russia. Obviously they can't be detecting the latest Russian government malware or reporting it in the news. But they don't want to be one-upped by the other AV companies, either. And the other AV companies are similarly beholden to their governments, so they all collude to keep silent about any nation-state malware that any one of the members of the AV cartel is under pressure not to reveal anything about.

How else does this work? The cat is out of the bag at The Intercept, and all the AV companies chime in that they knew all about it but they just kept quiet for years.

Right now, antivirus companies are probably sitting on incomplete stories about a dozen more varieties of government-grade malware.

Sure they are. And they probably are sending memos around regarding all this government-grade malware, "if you see this, shut up about it." Because if it's "government-grade," it's out of their league.

Quote_Percent_x_Quote • December 8, 2014 5:16 PM

APT = NSA using their jump boxes in *x* nation their mouthpieces like Mandiant or Cylance or any one of the myriad little incestuous whores in the infosec community that front for the US government. Right on time for the negotiations over Iran's civilian nuclear energy program, here comes a wild report which claims that Iranian super hackers are the most sophisticated thing they've ever seen.. then proceeds to point out how they couldn't even cover their tracks to the level of any teenage script kiddie with a few jump boxes and anon proxies. I'm glad to see the NSA still has plenty of jump boxes in Iran.

Daniel • December 8, 2014 5:44 PM

Regardless of the merits and demerits of this specific case, in the bigger view I think it is naive to think that the AV companies can serve as a counterweight to the various nation states and their various intelligence services. There are many reasons for this, including the fact that these three letter agencies tend to suck up the best talent, that they can bring more resources to bear on the task, and that the AV companies are incorporated somewhere and thus political and social pressure can be brought to bear.

Bruce writes, "We want, and need, our antivirus companies to tell us everything they can about these threats as soon as they know them,"

We may indeed want and need that, but for the foregoing reasons it is unrealistic to think they can provide it.

Thoth • December 8, 2014 6:17 PM

Attacking a computing system is not just software. Hardware is part of the picture. Clive Robinson, Nick P, RobertT and I have been banging on about it for a while on this blog. OS layer with secure kernel and proper evaluation, threat definition models, mathematical proving of logic ..etc .. What I am talking about is a high assurance security kernel like seL4, but that's out of reach for most of us unless you want to buy a BeagleBoard and run seL4 on top of it and isolate it. We have had multiple deadly *nix near misses like the shell script command injection (forgot its name) and so forth. *nix feels more "secure", like how Mac OSX feels more "secure" than Windows because it has not gained much traction, but now everyone is running some form of *nix at some point in time (iPhone, Android, Mac OSX, Amazon Cloud with Linux hosting ...) which means it is gaining more attention and our friends up there wouldn't sit easy and watch us use *nix to bang away at crypto. SELinux is an NSA creation by the way :) .

Even if *nix were deployed for "secure" computing, most people still get it wrong (especially OPSEC), and how many can configure anything on Linux properly? *nix was never built from the core with a TCB and rigid proof (includes mathematical logic proof) that the seL4 / OKL4 kernels provide, but again it's kind of a hassle if you want a high assurance kernel, and running it on a BeagleBoard (not designed to be a high security chipboard) is yet another downside, as hardware attacks onboard can be done with minimal effort.

For most use cases, a hardened *nix may suffice (and best with proper OPSEC and a somewhat verifiable chipboard that may not exist in the market).

It's about time SSL/TLS gets a thorough check from the doctor. SSL/TLS has been beaten and damaged pretty badly many times, although I wouldn't say it is completely broken yet. AEAD is the new kid on the block, so don't expect it to perform as advertised. Many AEAD ciphers are made and broken very frequently. The good old HMAC has been well studied. It is about time those people who design protocols (especially the SSL/TLS team) took a page out of Daniel J. Bernstein's (djb) NaCl crypto-lib with its nice Curve25519(ECDHE)-XSalsa20-Poly1305 cipher combination. For those sensitive to ECC curves, you can replace it with RSA/DSA(DHE)-XSalsa20-Poly1305. djb has a MinimaLT protocol design as well. The djb algos have been there for a bit of time and have not been broken, and TLS v1.3 seems to have ChaCha20 (djb) as part of its future suite. Wonder when Poly1305 would be added as well to recreate the NaCl style cipher suite. Crypto is one thing that is hard to get right but valuable once done properly :) .

Dennis M • December 8, 2014 7:40 PM

@ DB

Could it be plausible deniability in case it ran amok? Looks like there's a Linux version.

BOTtom feeder • December 8, 2014 9:07 PM

There are a lot of ways to be pwned. Phishing, waterholing, and now White Housing.

Of course, the Internet is the Wild West. What makes it great is the freedom of the Wild West. But that freedom is just as available to the self-appointed power bureaucracy as it is to us.

Vesselin Bontchev • December 9, 2014 7:47 AM

Having worked for an anti-virus company myself, I assure you that there is no conspiracy. These companies receive samples of malicious software at the rate of tens of thousands PER DAY. Nobody has the time to analyze that. Usually they are submitted to some automated analysis system (if replication is observed, then it is easy - it's a virus; if not, some other behavior markers are sought) and if the thing is deemed to be indeed malicious (or at least dodgy-looking enough), detection for it is added (usually - also in an automated way) and it is archived in the collections, shared with other AV companies, and promptly forgotten.

This explains why everybody has been detecting Regin for years but didn't notice anything unusual about it - until one company made the news and then, of course, everybody else had to dig up their samples, analyze them and chime in, for PR reasons.

Never assume malice when stupidity is an adequate explanation.

name.withheld.for.obvious.reasons • December 9, 2014 9:51 PM

@ Thoth

Attacking a computing system is not just software. Hardware is part of the picture.

The hardware-based subversion that has been disclosed thus far implicates all hardware at the COTS level. Any EAL/EIA/ISO/DOB standards that are part of information security approaches are suspect! If the vendors, supply chain, and standards bodies at multiple levels are ATTACKED then--good luck with any software level assurance.

By the way, I was on the IATF (NSA's Information Assurance Task Force) in the early 2000's. I can attest to the fact that for the most part everyone was on board to provide a robust, secure, kernel architecture. Of course, knowing what I know now, I cannot placate the effect of decisions made to subvert all communications and systems to the level that the NSA has become known for.

My fear, and recent reality, is the negative impact in the community is irreparable.

name.withheld.for.obvious.reasons • December 9, 2014 10:18 PM

@ Frustrated

I can see an argument being made that if government malware ended up on a civilian system, they could try to say that's cyber-assault.

In U.S. law I see this as a complete violation of the third amendment to the Bill of Rights.


All the senators that today proclaimed that torture was necessary should be called before the criminal court in the Hague--especially Chambliss (see where/what he's invested in).

Clive Robinson • December 10, 2014 6:14 AM

@ Name.withheld...,

As far as I'm aware the "quartering of troops" with civilians is a definite no no with regards to the fundamentals of US legislation, and with good reason.

Further is the quartering of their horses and other equipment without the appropriate contractual arrangement (ie consideration or "something given for something received" without adhesion or traction).

So malware used by the US Gov would be the equivalent of "quartering" and without contract, thus illegal.

However the job of getting any judge to agree is decidedly doubtful in this day and age. Especially when we get to the higher levels of politically selected judges...

Anonymice • December 10, 2014 12:20 PM

If you guys have access to an Autistici VPN, try this:

1. Download an iso of opensuse 13.2 (64 bit, 4.7gb DVD) using your regular connection. Run a sha1sum. Result: a1bd237ccfb07939953a9681607c99c00bc78d5d (as expected).

2. Try the same download through the Autistici VPN and run a sha1sum on the iso. Result: b6975e0d7c046a9ac0ebb5fd2001e9c9617267c1

What the hell?!

Justin • December 10, 2014 2:31 PM

@ Vesselin Bontchev

The AV companies knew that this was very unusual government-grade malware, and they deliberately kept quiet about it. It was definitely something that attracted their attention beyond the thousands of samples run through their automated analysis.

@ name.withheld, Clive Robinson

Hacking into computers is not quartering soldiers in a house without the consent of the owner and it is not going to be seen that way by any judge. It might violate the 4th Amendment, but certainly not the 3rd.

@ Anonymice

If you have these two ISOs that are supposed to be the same but are not, it would be interesting to mount them both and do a file-by-file comparison, see exactly what is different, and figure out exactly how one of these is compromised.
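The comparison described in the two comments above (check a downloaded image against its published checksum, then compare the two copies file by file) can be scripted. The following is an added example, not code from the blog post or from any commenter. It assumes that each ISO has already been mounted or extracted to a directory (on Linux, `mount -o loop,ro image.iso /mnt/dir` does this for a real image); here the two directory trees are constructed in a temporary location so the script runs offline, with one file altered and one file added in the second tree to stand in for a tampered copy.

```python
"""Verify a download's checksum and diff two extracted image trees file by file.

Added example; not from the blog post or any commenter.  The trees built by
build_demo() are constructed sample data, not real openSUSE images.
"""
import hashlib
import hmac
import os
import tempfile
from pathlib import Path


def file_digest(path, algo="sha1", chunk=1 << 20):
    """Hash a file in chunks so multi-gigabyte images do not need to fit in RAM."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_download(path, expected_hex, algo="sha1"):
    """True if the file's digest matches the published one (constant-time compare)."""
    return hmac.compare_digest(file_digest(path, algo), expected_hex.lower())


def tree_digests(root, algo="sha256"):
    """Map each regular file under root (relative, '/'-separated) to its digest."""
    root = Path(root)
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): file_digest(p, algo)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_trees(a, b):
    """Report files present in only one tree and files whose content differs."""
    da, db = tree_digests(a), tree_digests(b)
    return {
        "only_in_a": sorted(set(da) - set(db)),
        "only_in_b": sorted(set(db) - set(da)),
        "modified": sorted(k for k in da.keys() & db.keys() if da[k] != db[k]),
    }


def build_demo():
    """Constructed sample: two copies of a tiny image; the second is tampered."""
    base = Path(tempfile.mkdtemp(prefix="iso-compare-"))
    direct, via_vpn = base / "direct", base / "vpn"
    files = {"boot/vmlinuz": b"kernel-image-bytes", "bin/ls": b"ls-binary", "README": b"docs"}
    for tree in (direct, via_vpn):
        for rel, data in files.items():
            p = tree / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
    # Simulate a modified copy: one binary changed, one file that should not exist.
    (via_vpn / "bin" / "ls").write_bytes(b"ls-binary-with-extra-bytes")
    (via_vpn / "bin" / "dropper").write_bytes(b"unexpected-file")
    return direct, via_vpn


def demo():
    """Run the file-by-file comparison on the constructed trees."""
    direct, via_vpn = build_demo()
    return compare_trees(direct, via_vpn)


if __name__ == "__main__":
    report = demo()
    for key, paths in report.items():
        print(f"{key}: {paths}")
```

For a real investigation, compare the trees produced by mounting each ISO read-only, and keep the output: the list of modified paths is what tells you whether a differing checksum came from a truncated transfer, a different mirror build, or something inserted on the path.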

name.withheld.for.obvious.reasons • December 10, 2014 2:40 PM

@ Justin

I suggest that you rethink your position. Where cyber code can affect acts of war (Stuxnet is a perfect example), that is indeed an agent: code executed on a system owned not by government but by civilians is the equivalent of housing an agent of the government to carry out acts of war. You need to educate yourself on the tenets of war and the use of weaponry--launching a cyber attack, and specifically an act that is kinetic and constitutes an act of war, cannot be carried out from a civilian asset--PERIOD!!!

SoWhatDidYouExpect • December 10, 2014 4:03 PM

Feds Plan For 35 Agencies To Collect, Share, Use Health Records of Americans

While we are slightly distracted by discussion of corporate abuse in data collection, the Feds continue their attack on the data of U.S. citizens, under the guise of the above mentioned program. Particularly stressful about this is the effective dismantling of HIPAA to broadcast health information everywhere possible. Once the door is opened, all the data will reach the corporate sector and the criminal sector, which will cause untold abuses of our privacy, and essentially strip citizens of their ability to function in the soon-to-be prisoner society. Essentially, we are outlawed from having (seeing) data about ourselves but all the outlaws will be able to get that data.

SoWhatDidYouExpect • December 10, 2014 6:19 PM

I believe this also plays a part, as the observed result is exactly what the corporate/political overlords are looking for:

Yet, what are they going to do when there are no tax dollars from the lost middle-class to line the pocket of the upper class? That group needs someone to fight the wars, which won't be making money much longer. They need someone to buy products so they have profits to live on but who will have money for that?

The end is in sight...

fajensen • December 11, 2014 3:37 AM

@Vesselin Bontchev:

But, this *also* explains "why": I think that some of the larger AV-vendors are not only silently colluding with TLA's but are actually contracting with TLA's to deliver both information and privileged access to user's systems. Anti-Virus is just too much of an opportunity for meeting a "Collect Everything" requirement!

Some telecoms did, SWIFT certainly DOES, I.O.W. nobody can be considered pure!

It also looks like just about NONE of the Danish media - except Radio24/7 - deems it newsworthy that the summary US torture report was released. Not a peep is reported in the big newspapers, which are always all over Iran, Iraq, Bosnia, Libya (well, not so much now that the Arab Spring turned to shit as we knew it would).

Is that a happy coincidence, is it plain cowardice or are me & my beer buddies the only competent people left (which would be a truly frightening scenario, at least malice & conspiracies can be fixed)? I see subversion at every level here, we are supposed to be a democracy and all!?

SoWhatDidYouExpect • December 11, 2014 5:38 AM

The release of the torture report coincided with the approval of 1.1 trillion dollars of spending for the next year. The powers that be, wanted something controversial out in front of the public so there would be no discussion or examination of the spending bill. There is plenty of wasteful spending in the bill ("pork") and an item that allows higher levels of donations by individuals for political purposes.

Larry S. • December 11, 2014 3:37 PM

Does anyone know who coined the word Cyber War ? I'm thinking the media came up with it and the US government later legitimized it by making it a comm. Is the info on wikipedia legit? idk

SoWhatDidYouExpect • December 11, 2014 7:57 PM

In the latest release of its home checking account and financial program, Intuit seemingly requires you to log on to their servers in order to download financial data to your computer (or consolidate your financial account passwords to make it easier for them to access your data).

See these URLs for user complaints on this:

Nick P • December 11, 2014 8:30 PM

@ SoWhatDidYouExpect

Thanks for the link on private communications bill. Shit, they're going for a home run against the 4th Amendment. Combined with their sharing partners, the results should be about as bad as I expect.

Vesselin Bontchev • December 16, 2014 5:31 AM


Where is your evidence for this? Just because ONE company said "we found something dodgy that looked like government malware and it took us some time to figure out how to react because we didn't want to interfere with a legitimate operation" is no evidence of a conspiracy among the AV industry to suppress information about government malware. Note that VirusTotal data shows that many AV products have been detecting the thing for ages. They just didn't deem it newsworthy until a competitor started making waves in the news about it. If they were in cahoots with the government, don't you think that they wouldn't have implemented detection of it?


What you think is irrelevant. I've worked in the AV industry for years. I know how the things are being done there.

Not that I have any hopes of being able to dissuade any conspiracy theorists; I just thought it worthwhile to share my knowledge here.

Clive Robinson • December 16, 2014 10:21 AM

@ Vesselin Bontchev,

It does not have to be a conspiracy to look like a conspiracy or have the same results as a conspiracy; it's one of the reasons prosecuting conspiracy is difficult, due to the "burden of proof" you need rather more than the proverbial "smoking gun" in a court of law. Unfortunately this is not a court, and it's the AV companies that have to show not just that they are innocent but believably innocent, and that's going to be a tough call.

I tend to never underestimate the result of collective self interest; it does not even have to be malign to appear so. To see why, if an AV company has one block of large complex but infrequently appearing malware and ten blocks of small relatively simple but frequently appearing malware, it's a no brainer as to which blocks are going to be a more effective use of resources to investigate.

Collective self interest says that all the AV companies are going to go down the no brainer route. Further it also says that when one AV company gets marginally ahead and does have spare resources to investigate the large complex block of malware, it is going to publicly "blow its own trumpet" over it. And yet again collective self interest will cause all the other AV companies to reprioritize and blow their own trumpets over the large block of complex malware....

It is this collective self interest motivation that was also responsible in large part for the banking crisis due to the perverse effects of the bonus culture.

As I've indicated, to an external observer the results seen for collective self interest are indistinguishable from a conspiracy. Thus other indicators have to be used, and this can be problematical (think of "quacks like a duck, waddles like a duck, looks like a duck, who would think it was a goose").

We have seen since the Ed Snowden revelations numerous IT companies making claims of innocence they later had to reword or recant, or worse have to admit collusion with US TLAs be it willingly or under compulsion they made no attempt to resist.

The half assed comment by one AV company was a sufficient "smoldering rag" to light the fuse to the powder keg. The question that remains is are the AV companies going to fully put out the fuse or just wait for the bang of their businesses going stratospheric if not orbital?

It's their choice to shift the burden of proof such that they are not tarred with the same brush as those that have so far suffered sufficient ignominy that outside of the US they have been "tarred, feathered and run out of town on a rail" or suffered the "rough music" from the community gone vigilante.
