
Regin Malware Dashboard

by Cody Dumont
November 25, 2014

Regin is a long-running backdoor Trojan and a state-sponsored piece of “espionageware”. Using SecurityCenter Continuous View (CV), customers can detect infections across the network. Regin appears to be a new member of the class of malware sponsored by states to spy on other states, and may not adversely impact regular computer and Internet users. While some of its functions (such as acting as a proxy for other Regin-infected hosts) may affect the machine they run on, this malware is not targeted at the end user.

The dashboard and its components are available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, assurance report cards and assets. The dashboard can be easily located in the SecurityCenter Feed under the category Threat Detection & Vulnerability Assessments.

The dashboard requirements are:

  • SecurityCenter 4.7
  • Nessus 5.2.7

Read more about Regin on the Tenable Blog.

By monitoring the AutoRun settings, the analyst can detect known files and known malware using hashes provided by Tenable’s research team. This dashboard consists of five components: two focus on Windows process information, the next two look in the registry for known malware, and the final component identifies unknown services using banner recognition.

SecurityCenter CV allows for the most comprehensive and integrated view of network health. SecurityCenter CV provides a unique combination of detection, reporting and pattern recognition utilizing industry recognized algorithms and models.  SecurityCenter CV also enables you to react to advanced threats, zero-day vulnerabilities and new forms of regulatory compliance.

Regin Trojan Malware - Known Files: This component provides indicators of Regin malware discovered in the running processes. This component uses plugin 70329 (Microsoft Windows Process Information). The plugin collects details about the running processes on a Microsoft Windows machine, and can be used for forensic investigation, malware detection, and to confirm that your system processes conform to your system policies. Each indicator looks for known file names associated with Regin and will turn purple when a match is found.


Regin Trojan Malware - Microsoft Windows Process Information: This component provides a list of networks and systems where process information has been collected. The component uses plugin 70329 (Microsoft Windows Process Information). The plugin collects details about the running processes on a Microsoft Windows machine, and can be used for forensic investigation, malware detection, and to confirm that your system processes conform to your system policies. The table lists each subnet (based on a 24-bit mask) together with the count of systems in it from which process information has been collected.

Regin Trojan Malware - Unknown Service Detection Banner Retrieval: This component uses banner retrieval techniques to list systems with an unknown banner. These systems could be running an unauthorized service or malware. The table uses plugin 11154 (Unknown Service Detection: Banner Retrieval). SecurityCenter CV uses Nessus to identify the service banners; for the systems listed here, however, the scanner was unable to identify a service on the remote host even though the host returned a banner of some type. The table provides the IP address, hostname, NetBIOS name and the OS CPE.

Regin Trojan Malware - Custom File Hash Searches: This component provides indicators of possible malware using the Microsoft Windows Known Bad AutoRuns / Scheduled Tasks plugin. The first four characters of each hash are displayed as part of the indicator, which will turn purple when a match is found. Plugin 74442 (Microsoft Windows Known Bad AutoRuns / Scheduled Tasks) detects processes known to be associated with known malware, which indicates that the system may have been compromised. The hashes used by these indicators are known to be part of the Regin malware.

Regin Trojan Malware - Microsoft Windows Known Bad AutoRuns or Scheduled Tasks: This component provides a table of systems running processes detected using the Microsoft Windows Known Bad AutoRuns / Scheduled Tasks plugin. The table provides the IP address, hostname, NetBIOS name and the OS CPE. Plugin 74442 (Microsoft Windows Known Bad AutoRuns / Scheduled Tasks) detects Windows systems that have one or more registry entries known to be associated with known malware, which indicates that the system may have been compromised.
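The matching behind the Known Files and Custom File Hash Searches components, as an added example that is not Tenable's code: it assumes a simplified 'name|path' and 'key|path|sha256' layout for the plugin output and uses constructed placeholder indicators, since neither the real plugin output formats nor the Regin indicator lists appear on this page.

```python
from typing import Dict, List, Set

# Constructed placeholder indicators; the real lists ship in Tenable's plugin feed.
KNOWN_FILE_NAMES: Set[str] = {"placeholder-stage.dll", "placeholder-loader.sys"}
KNOWN_HASHES: Set[str] = {"0123456789abcdef" * 4, "fedcba9876543210" * 4}

# Constructed sample output, modelled loosely on plugins 70329 and 74442 as
# 'name|path' and 'registry key|path|sha256' lines (assumed layout, not the real format).
PROCESS_OUTPUT = """\
svchost.exe|C:\\Windows\\System32\\svchost.exe
Placeholder-Stage.dll|C:\\Windows\\System32\\placeholder-stage.dll
explorer.exe|C:\\Windows\\explorer.exe
"""
AUTORUN_OUTPUT = """\
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run|C:\\Windows\\System32\\drivers\\placeholder.sys|0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run|C:\\Program Files\\Vendor\\agent.exe|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
"""


def match_known_files(process_output: str) -> List[str]:
    """Known Files component: case-insensitive match on the process image name."""
    hits = []
    for line in process_output.splitlines():
        name, _path = line.split("|", 1)
        if name.lower() in KNOWN_FILE_NAMES:
            hits.append(name)
    return hits


def match_known_hashes(autorun_output: str) -> Dict[str, str]:
    """Custom File Hash Searches component: key each match by the four-character
    label the dashboard shows, keeping the full hash for the analyst."""
    hits: Dict[str, str] = {}
    for line in autorun_output.splitlines():
        _key, _path, digest = line.rsplit("|", 2)
        digest = digest.lower()  # hashes are compared case-insensitively
        if digest in KNOWN_HASHES:
            hits[digest[:4]] = digest
    return hits


def indicator_colours(process_output: str, autorun_output: str) -> Dict[str, str]:
    """One entry per indicator: 'purple' when matched, 'default' otherwise."""
    files = {n.lower() for n in match_known_files(process_output)}
    hashes = match_known_hashes(autorun_output)
    colours = {n: ("purple" if n in files else "default") for n in sorted(KNOWN_FILE_NAMES)}
    colours.update({h[:4]: ("purple" if h[:4] in hashes else "default") for h in sorted(KNOWN_HASHES)})
    return colours
```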
