Detecting Regin Malware
The advanced threat Regin has recently entered the public spotlight following a series of excellent articles from our partners in the anti-malware industry. We know that the threat is sophisticated and stealthy, but which products can detect it?

Detection Today
Most of the well-known anti-malware vendors already have the ability to detect Regin, and with our Metascan Online service, we are in a position to share exactly which engines can do so.
Out of the 43 vendors that participate in Metascan Online, a full 27 can detect this threat as of 11/25/14, and following the recent bout of publicity, we expect that number to grow even further. The top seven engine providers that can detect Regin, sorted by market share, are Microsoft, Avast, AVG, Symantec, McAfee, ESET and Kaspersky Lab. For a full list of all engines and threat names, please see the latest scan results.
Global Coverage
Drawing from our most recently available market share data, we conclude that at least 86.6% of the anti-malware installations we can observe can detect Regin.
Of course, this data is drawn from Gears, a cross-section of the Windows install base that is more likely than average to run anti-malware software, so the figure should be read as an upper bound rather than a global average.
Another consideration is that real-time detection is not enabled on all endpoints, which leaves those machines exposed until a scan is manually triggered. As an example, consider the popular Malwarebytes, whose free version lacks a real-time protection component. Users who have Malwarebytes as their primary anti-malware solution but with no real-time protection enabled represent 6.9% of the total sample.

Vendor Collaboration
Symantec may have only recently unveiled its technical paper on the nature of Regin, but a sample had been in circulation among the anti-malware community long before that. By the time the first sample of Regin was scanned by Metascan Online in February 2014, no fewer than 19 vendors had already released definitions for it.
There are mechanisms in place, formal and otherwise, whereby anti-malware vendors distribute samples of known malware for further analysis. This collaboration allows vendors to devise protections even against threats that they may not have encountered in the wild. In the case of Regin, which is largely focused within the Russian Federation and Saudi Arabia, even vendors without substantial market share in those regions have access to the data they require.
OPSWAT contributes to this effort through our Metascan Online service, which gathers malware samples from both our public web site and business users who opt in to sample sharing, and shares the data with anti-malware vendors to help them improve their detection rates and reduce false positives.
Pulling it Together
Regin is a targeted piece of malware that can serve as a benchmark for how the industry handles other threats. Our partners within the anti-malware community have been successful in sharing samples to allow detection across a wide range of products. Finally, many vendors, including those we have not called out by name, are proactive in identifying and mitigating threats long before they reach the public eye.
For more information, please contact one of our cybersecurity experts.