Slashdot Mirror


Researchers Crack Open Unusually Advanced Malware that Hid For 5 Years (arstechnica.com)

Malware dubbed ProjectSauron went undetected for five years at a string of organizations, according to security researchers at Kaspersky Lab and Symantec. The malware may have been designed by a state-sponsored group. Researchers say that Project Sauron can disguise itself as benign files and does not operate in predictable ways, making it very tough to detect. Ars Technica reports: Its ability to operate undetected for five years is a testament to its creators, who clearly studied other state-sponsored hacking groups in an attempt to replicate their advances and avoid their mistakes. State-sponsored groups have been responsible for malware like the Stuxnet- or National Security Agency-linked Flame, Duqu, and Regin. Much of ProjectSauron resides solely in computer memory and was written in the form of Binary Large Objects, making it hard to detect using antivirus. Because of the way the software was written, clues left behind by ProjectSauron in so-called software artifacts are unique to each of its targets. That means that clues collected from one infection don't help researchers uncover new infections. Unlike many malware operations that reuse servers, domain names, or IP addresses for command and control channels, the people behind ProjectSauron chose a different one for almost every target.

59 comments

  1. In Plane Cite? by Anonymous Coward · · Score: 0

    Or ware?

  2. Launch on bootup by Anonymous Coward · · Score: 2, Interesting

    How does this thing boot strap it's self without leaving traces?

    1. Re:Launch on bootup by Anonymous Coward · · Score: 1

      How does this thing boot strap it's self without leaving traces?

      Automagically, of course.

    2. Re:Launch on bootup by Anonymous Coward · · Score: 1

      By it's boot straps. Duh.

    3. Re:Launch on bootup by The-Ixian · · Score: 2

      Possible answer to your question. From the article:

      "Once installed, the main Project Sauron modules start working as 'sleeper cells,' displaying no activity of their own and waiting for 'wake-up' commands in the incoming network traffic," Kaspersky researchers wrote in a separate blog post. "This method of operation ensures Project Sauron’s extended persistence on the servers of targeted organizations."

      --
      My eyes reflect the stars and a smile lights up my face.

    4. Re:Launch on bootup by npslider · · Score: 2

      My computer uses Velcro.

      I'm safe.

    5. Re:Launch on bootup by npslider · · Score: 1

      "Once installed, the main Project Sauron modules start working as 'sleeper cells"

      So, this was written by ISIS?

    6. Re:Launch on bootup by Anonymous Coward · · Score: 0

      Apparently, it leaves apostrophes where they're not needed... It's means it is. Also, you just needed the word "itself". Simple.

    7. Re:Launch on bootup by quonsar · · Score: 1

      Possible answer to your question. From the article:

      "Once installed, the main Project Sauron modules start working as 'sleeper cells,' displaying no activity of their own and waiting for 'wake-up' commands in the incoming network traffic," Kaspersky researchers wrote in a separate blog post. "This method of operation ensures Project Sauron’s extended persistence on the servers of targeted organizations."

      So, how does it continuously poll network traffic looking for 'wake-up' commands? Is that not activity?

    8. Re: Launch on bootup by bestweasel · · Score: 1

      It sits on Windows domain controllers where there's lots of genuine network traffic.

    9. Re: Launch on bootup by bestweasel · · Score: 1

      More to the point, it masquerades as a Windows password filter so I guess it is always present but hiding.
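The password-filter angle mentioned above maps to one concrete check a defender can run: a password filter is a DLL listed in the LSA "Notification Packages" value and loaded by LSASS at boot, so an unexpected or unsigned entry there is worth investigating. The script below is an added example, not code from the thread or from Kaspersky/Symantec; the baseline list of expected package names is an assumption and should be adjusted per environment.

```powershell
# Added example: audit the LSA password-filter registration on a Windows host.
# Assumption: $Baseline holds the package names expected on this host. 'scecli' is
# the Windows default; 'rassfm' is commonly present on domain controllers. Any
# third-party password-policy product must be added here or it will be flagged.
$Baseline = @('scecli', 'rassfm')

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lsa = Get-ItemProperty -Path $LsaKey -Name 'Notification Packages'
# REG_MULTI_SZ: one DLL base name per entry, resolved from System32 by LSASS.
$packages = @($lsa.'Notification Packages') | Where-Object { $_ -ne '' }

$report = foreach ($name in $packages) {
    $path  = Join-Path $env:SystemRoot "System32\$name.dll"
    $known = $Baseline -contains $name.ToLower()

    if (Test-Path -LiteralPath $path) {
        $sig       = Get-AuthenticodeSignature -FilePath $path
        $sigStatus = [string]$sig.Status
        $signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        $hash      = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    } else {
        # A registered name with no DLL on disk is itself suspicious: the file
        # may have been removed after loading, or the loader points elsewhere.
        $sigStatus = 'FileMissing'
        $signer    = '<n/a>'
        $hash      = '<n/a>'
    }

    [PSCustomObject]@{
        Package    = $name
        InBaseline = $known
        Path       = $path
        Signature  = $sigStatus
        Signer     = $signer
        Sha256     = $hash
        # Flag anything outside the baseline or not carrying a valid signature.
        Flag       = (-not $known) -or ($sigStatus -ne 'Valid')
    }
}

$report | Format-Table -AutoSize
if ($report | Where-Object Flag) {
    Write-Warning "Unexpected or unsigned LSA notification package(s) found on $env:COMPUTERNAME"
}
```

Run it on domain controllers first, since that is where the comment above places the implant; a flagged entry should be checked against the hash in the report, not just by name, because a known name can be reused.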

    10. Re:Launch on bootup by poofmeisterp · · Score: 1

      "Once installed, the main Project Sauron modules start working as 'sleeper cells"

      So, this was written by ISIS?

      It's smarter than that.

    11. Re:Launch on bootup by JustAnotherOldGuy · · Score: 3, Interesting

      "Once installed, the main Project Sauron modules start working as 'sleeper cells"

      So, this was written by ISIS?

      Well, if they're really sleeping they may just be Boeing employees.

      ("Sleeper cell" was the unofficial name for small groups at Boeing that would sometimes disappear during work and take a snooze in obscure parts of the main assembly plants in Renton and Everett. There were lots of places a guy could go to catch a nap, places that no one would ever stumble across by accident. Like the Surplus Equipment Storage Room in the Renton paint facility or the "Break/Fix/Awaiting Service" shed at the Everett plant. I MEAN, THAT'S WHAT I HEARD...)

      --
      Just cruising through this digital world at 33 1/3 rpm...

    12. Re:Launch on bootup by npslider · · Score: 1

      Were you doing "quality control" on your optical sensor covers, looking for any holes, in those choice locations? ;)

      One employee that works at the same job site as me is described this way by others:

      "We have to wake him up to tell him it's time to go home for the day".

      He defines sleeper cell.

    13. Re:Launch on bootup by Anonymous Coward · · Score: 0

      It hides itself in firmware on a GPU or hard disk drive? Then it initiates some network commands at the BIOS level to download modules when needed?

    14. Re:Launch on bootup by Anonymous Coward · · Score: 0

      So, this was written by ISIS?

      If it was going after Iranians, it was probably written by the Jews. If it was poking around at the Saudis, it was probably written by the Jews. If the targets were Russian, it was probably written by the Jews. And if any Americans were targeted, you can guarantee Mossad was behind it.

    15. Re:Launch on bootup by JustAnotherOldGuy · · Score: 1

      Were you doing "quality control" on your optical sensor covers, looking for any holes, in those choice locations? ;)

      I never slept on the job, but I know some people that I'm sure did. I was usually in an office and rarely visited the assembly line.

      --
      Just cruising through this digital world at 33 1/3 rpm...

  3. Windows shit. by Anonymous Coward · · Score: 0

    So if you have this "advanced malware" you have no less than 2 spywares because Microsoft products are all US Government spyware.

    So when you call it advanced, what is so advanced about it actually?

    This is supposed to be some reason to install the latest Windows spyware updates? Stupid if you do.

    1. Re:Windows shit. by Anonymous Coward · · Score: 0

      This is not a problem with Linux or FreeBSD. To install it you would have to register with Tim Cook's homo alliance on Mac even.

  4. Admiration and Trepidation by Dust038 · · Score: 5, Interesting

    As an IT guy trying desperately to keep his network clean, I have both admiration and trepidation towards the time, money, and thought process needed to create such a beast. Doesn't matter if state sponsored or not, the team was able to create something that hid for 5 years. Whoever you guys/girls are, you have my admiration for your ability.

    1. Re:Admiration and Trepidation by The-Ixian · · Score: 5, Insightful

      This is why we (in general) are moving to a whitelist arrangement for software.

      At the very least, disable execution of code from any user writable area.

      --
      My eyes reflect the stars and a smile lights up my face.

    2. Re:Admiration and Trepidation by npslider · · Score: 2

      Makes ya wonder what else is hiding out there, inside every household appliance, every modern car, every LOL cat.

    3. Re:Admiration and Trepidation by Anonymous Coward · · Score: 0

      This is why we (in general) are moving to a whitelist arrangement for software...

      And now a word from our sponsor, PCMatic...

    4. Re:Admiration and Trepidation by Anonymous Coward · · Score: 0

      Makes ya wonder what else is hiding out there, inside every household appliance, every modern car, every LOL cat.

      A cheezeburger is hiding in every LOL cat

    5. Re:Admiration and Trepidation by npslider · · Score: 1

      Too many of those LOL Cheeseburgers will clog your computer's arteries, causing a kernel panic!

    6. Re:Admiration and Trepidation by Anonymous Coward · · Score: 0

      Whoever you guys/girls are, you have my admiration for your ability.

      Oh look, the JIDF is out and about heaping praise upon Mossad! Quelle surprise.

    7. Re:Admiration and Trepidation by bobthesungeek76036 · · Score: 1

      Too many of those LOL Cheeseburgers will clog your computer's arteries, causing a kernel panic!

      So will popcorn

      --
      Karma: Bad

    8. Re:Admiration and Trepidation by Anonymous Coward · · Score: 0

      Or a Heartbleed attack...

    9. Re:Admiration and Trepidation by npslider · · Score: 1

      Kernel Sanders' chicken also has that affect...

    10. Re:Admiration and Trepidation by Anonymous Coward · · Score: 0

      So much for writing your own little tools to improve your productivity. 'Everybody should learn to program' to improve their effectiveness is off to a dying start.

    11. Re:Admiration and Trepidation by npslider · · Score: 1

      *effect

      Not enough coffee, and-or too much time on slash.

    12. Re:Admiration and Trepidation by hAckz0r · · Score: 2

      You have many processors (DMA, GPU, bus controllers, network boards, IO boards, keyboards, etc.) installed in your everyday computers, and many pigeonholes in the memory pages that can be utilized for encrypted blobs. When the malware itself is not executed, touched by, or managed by your CPU, then your white-list running under your CPU's control won't help much. You want to be running VT-d/IOMMU/IMA based software protection to lock things down as much as possible. While you wait for your BIOS to finish its self-check, you could already be rooted by your network card's DMA or GPU processor. Any whitelist (default deny policy) that is loaded _after_ you are already rooted doesn't do a whole lot to keep you safe. Take the red pill to leave the hypervisor you didn't even know you had.

    13. Re:Admiration and Trepidation by Anonymous Coward · · Score: 0

      Mossad, JIDF, that's what's hiding out there. Israel is behind this malware along with many others.

  5. Sauron by npslider · · Score: 2

    "The world is changing... I can feel it in the water."

    Something has been awoken. It's senses it's time has come.

    1. Re:Sauron by Anonymous Coward · · Score: 1

      " It's senses it's time has come."

      Jesus FUCKING CHRIST, it's like getting an ice pick in each eye! Every time! IT'S MEANS IT IS!!!!!!!!

      IT IS SENSES IT IS TIME HAS COME!!???????????

      Fuck me!

    2. Re:Sauron by npslider · · Score: 1

      Good catch. Sorry about the incorrect use of its.

      Perhaps you could turn down the volume a tad though?

      Oh, this is Slashdot, never mind.

    3. Re:Sauron by Anonymous Coward · · Score: 0

      Its almost as though that bothers you.

    4. Re:Sauron by Anonymous Coward · · Score: 0

      Actually it's Ulmo who can feel it in the water.

    5. Re:Sauron by Anonymous Coward · · Score: 0

      If only there was a command and control ring somewhere...

    6. Re:Sauron by telchine · · Score: 1

      Good catch.

      By writing "Good catch", you suggest that you don't often make such errors. May I suggest you read up on the difference between the words effect and affect? Once you have done that: Re-read your Colonel Sanders post and ask yourself whether you made the right choice in that instance.

    7. Re:Sauron by npslider · · Score: 1

      By writing "Good catch", you suggest that you don't often make such errors.

      I was thanking them for pointing out my grammatical mistake; I do make them, and sometimes more than I would like. I do not determine my value or self-worth on how well I can communicate on Slashdot.

      May I suggest you read up on the difference between the words effect and affect?

      I do often confuse those two, not every time, but I did then. I'm glad this is a discussion board and not an essay for a grammar class, I guess I would be in real trouble if it was. I thought for a minute you were assuming the role of a condescending professor, funny. It must be hard living in a world full of people who use less than flawless grammar, and feeling the need to go out of your way to point it out. Does it make you feel better about yourself every time you do? Do you need to do that to fill some insecurity? I'm sorry if that is so.

      I certainly don't claim to be the best writer out there, but I see no reason for stone throwing. Let he who has never made a mistake throw the first stone.

      Once you have done that: Re-read your Colonel Sanders post and ask yourself whether you made the right choice in that instance.

      Are you a follower of my posts? I'm flattered! It's nice to be noticed. I made a wrong choice, I guess the world is over now.

      Wow.

  6. More likely written by by Anonymous Coward · · Score: 1

    Microsoft and called Windows 10.

    1. Re:More likely written by by npslider · · Score: 1

      Yikes! That's even worse!

  7. Firmware? by sshir · · Score: 3, Interesting

    A couple of years back I revived a dead flash drive. I was following instructions I found on YouTube. The whole experience was disconcertingly painless - it was way too easy to reflash the drive with new, manufacturer-supplied firmware.

    So, maybe the reason Symantec/Kaspersky didn't find the method used to jump the airgap is that the penetration code was in a flash drive's firmware.
    Scenario: Internet-facing machine got breached by one of a gazillion methods. Perpetrators sit there, collect login credentials. Then, one day, someone inserts a flash drive. Firmware is replaced by attack code that makes the drive represent itself as a keyboard. Flash drive is then inserted into an airgapped system...
    Other scenarios: Given how many resources the attacker has (attacks are waaay too, ahem, tailored), they might have done a postal intercept (NSA style) or even breached the flash drive manufacturer.

    There might be traces of reflashing left. Or it might be that the initial overwrite was destructive and that the poisoned flash drive was declared dead (after being plugged into a couple of other airgapped machines, just to be sure).
    So it might be a good idea for Kaspersky to rummage through the dead thumb drive drawer.

    1. Re:Firmware? by Etcetera · · Score: 2

      For an organization capable of doing all this, using BadUSB or some other attack would certainly be in the realm of plausibility.

      I love how people think that "air-gapped" means "successfully isolated" though. Not only do you have the obvious vector of floppy^H^H^H^H^H^H USB transmission, but there are plenty of other esoteric methods that have been demonstrated in labs and could be used to infiltrate commands to a listener and exfiltrate data back out. If you're walking to an air-gapped system with a laptop in hand, then it's not just WiFi transmissions you need to worry about... modem signals over browser pages being listened to by mics have been demonstrated easily.

    2. Re:Firmware? by Anonymous Coward · · Score: 0

      It would be nice if the researchers at Kaspersky Lab and Symantec actually did something useful like trying to identify threats before they are released in the wild. They are always two steps behind the top virus and malware developers. Instead they publish papers years after the damage has already been done.

      The ones bitching about MS Windows have always had the right to build their own OS. But it is easier to complain about the work of others instead of actually doing anything. Sadly people ingest every falsehood regarding MS software while turning a blind eye to all the other devices and software being used to run our digital world. I wouldn't worry about MS because Android devices are at the top of the list when it comes to malware infections.

      Oh and I have a question. What personal information is being transmitted to MS by their telemetry service? And if the existence of the telemetry still bothers people why don't they configure their firewall to block any telemetry related data from being sent?

  8. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  9. Why nobody thought about BLOBs before? by Anonymous Coward · · Score: 0

    Sometimes I wonder if people understand what they are writing.

  10. I admit it by Kinwolf · · Score: 2

    I was the one who developed it, but it was only supposed to infect the Slashdot network to sniff out who the Anonymous Coward posters were, and whether there really were human editors working at Slashdot.

    1. Re:I admit it by Anonymous Coward · · Score: 0

      I know who anonymous is, it's Ted Danson.

  11. Re:So who were the Jews targeting this time? by Anonymous Coward · · Score: 0

    STFU and go away!

  12. And it was called by JustAnotherOldGuy · · Score: 2

    "Researchers Crack Open Unusually Advanced Malware that Hid For 5 Years", and it was found that internally the authors named it "Windows 10 Extra Telemetry Edition"

    --
    Just cruising through this digital world at 33 1/3 rpm...

  13. Unusually Advanced Malware? by khz6955 · · Score: 1

    Has it become Slashdot policy to never mention Microsoft Windows in relation to malware?

    1. Re:Unusually Advanced Malware? by Anonymous Coward · · Score: 0

      too many M$ fanboys here. Try the red site:

      http://www.soylentnews.org/

      they even have Tor .onion hidden services.

  14. Re: So who were the Jews targeting this time? by Anonymous Coward · · Score: 0

    He's right.

  15. What could they do to voting machines? by Anonymous Coward · · Score: 0

    Now consider how lax voting machine security is and the counting software used to collate the vote. We need to go back/stick to 100% paper voting systems.

    Given the targets of this hack are Russia, Sweden, Rwanda, Belgium (i.e. EU HQ, previously targets of GCHQ), that's UK or USA. They might be nice about 'state sponsored', but that's the obvious conclusion.

    Just because it's your side, doesn't mean you are safe.

    Imagine an out of control military man, who turned the spooks against his own country... do you think he'd think twice about rigging an American or British election?
    I don't. I think it's the nature of power hungry people that they seek power by the easiest means possible, and a bit of malware on an electronic vote counting machine is all it would take.

  16. Trump by Anonymous Coward · · Score: 0

    "The world is changing... I can feel it in the water."

    Something has been awoken. It's senses it's time has come.

    Yes, but hopefully we can fight Trump off for at least 4 more years.