Researchers Crack Open Unusually Advanced Malware that Hid For 5 Years

A malware dubbed ProjectSauron went undetected for five years at a string of organizations, according to security researchers at Kaspersky Lab and Symantec. The malware may have been designed by a state-sponsored group. Researchers say that Project Sauron can disguise itself as benign files and does not operate in predictable ways, making it very tough to detect. Ars Technica reports: Its ability to operate undetected for five years is a testament to its creators, who clearly studied other state-sponsored hacking groups in an attempt to replicate their advances and avoid their mistakes. State-sponsored groups have been responsible for malware like the Stuxnet- or National Security Agency-linked Flame, Duqu, and Regin. Much of ProjectSauron resides solely in computer memory and was written in the form of Binary Large Objects, making it hard to detect using antivirus. Because of the way the software was written, clues left behind by ProjectSauron in so-called software artifacts are unique to each of its targets. That means that clues collected from one infection don't help researchers uncover new infections. Unlike many malware operations that reuse servers, domain names, or IP addresses for command and control channels, the people behind ProjectSauron chose a different one for almost every target.

Launch on bootup

How does this thing boot strap it's self without leaving traces?

Re:Launch on bootup

[JustAnotherOldGuy]

"Once installed, the main Project Sauron modules start working as 'sleeper cells"

So, this was written by ISIS?

Well, if they're really sleeping they may just be Boeing employees.

("Sleeper cell" was the unofficial name for small groups at Boeing that would sometimes disappear during work and take a snooze in obscure parts of the main assembly plants in Renton and Everett. There were lots of places a guy could go to catch a nap, places that no one would ever stumble across by accident. Like the Surplus Equipment Storage Room in the Renton paint facility or the "Break/Fix/Awaiting Service" shed at the Everett plant. I MEAN, THAT'S WHAT I HEARD...)

Admiration and Trepidation

[Dust038]

As an IT guy trying desperately to keep his network clean I have both admiration and trepidation towards the time, money, and thought process to create such a beast. Doesn't matter if state sponsored or not, the team was able to create something that hid for 5 years. Whomever you guys/girls are you have my admiration for your ability.

Firmware?

[sshir]

Couple years back I've revived a dead flash drive. I was following instructions I found on YouTube. The whole experience was disconcertingly painless - it was way too easy to reflash the drive with new, manufacturer supplied firmware.

So, may be the reason Symantec/Kaspersky didn't find the method used to jump the airgap is that the penetration code was in a flashdrive's firmware.
Scenario: Internet facing machine got breached by one of gazillion methods. Perpetrators sit there, collect login credentials. Then, one day, someone inserts a flashdrive. Firmware is replaced by attack code that makes the drive represent itself as a keyboard. Flash drive then inserted into an airgapped system...
Other scenarios: Given how much resources attacker has (attacks are waaay too, ahem, tailored), they might have done a postal intercept (NSA style) or even breached the flashdrive manufacturer.

There might be traces of reflashing left. Or it might be that the initial overwrite was destructive and that the poisoned flash drive was declared dead (after being plugged into a couple of other airgapped machines, just to be sure).
So it might be a good idea for Kaspersky to rummage through dead thumbdrives drawer.