The same Symantec researchers who tracked down the Stuxnet worm four years ago have discovered another potent piece of malware, Re/code reports. The Trojan program is called Regin, and it offers "a powerful framework for mass surveillance," Symantec says in a blog post that calls out "a degree of technical competence rarely seen." Its capabilities suggest that a government is behind it, though which government isn't certain. "The best clues we have are where the infections have occurred and where they have not," says a researcher. About half of the roughly 100 infections detected have been in Russia and Saudi Arabia, but the malware has also appeared in Europe, Mexico, India, and elsewhere in the Middle East. Neither the US nor China is known to have been infected.
Those two countries, as well as Israel, would have the ability to make such malware, Re/code notes. Regin infections stretch back to 2008 (and possibly even 2006, a researcher tells Re/code); they occurred through 2011, "after which it was abruptly withdrawn," per Symantec. "A new version of the malware resurfaced from 2013 onwards." It targets systems running Windows, attacking in five stages and opening the systems for surveillance use: So far, Regin has been employed in "spying operations against governments, infrastructure operators, businesses, researchers, and private individuals," Symantec says. It's not clear how Regin gets distributed, experts say. "In the world of malware threats, only a few rare examples can truly be considered groundbreaking and almost peerless," says a company white paper. "What we have seen in Regin is just such a class of malware." (Read more malware stories.)