Researchers Crack Open Unusually Advanced Malware that Hid For 5 Years (arstechnica.com)

← Back to Stories (view on slashdot.org)

Researchers Crack Open Unusually Advanced Malware that Hid For 5 Years (arstechnica.com)

Posted by msmash on Tuesday August 9, 2016 @04:50AM from the security-woes dept.

A malware dubbed ProjectSauron went undetected for five years at a string of organizations, according to security researchers at Kaspersky Lab and Symantec. The malware may have been designed by a state-sponsored group. Researchers say that Project Sauron can disguise itself as benign files and does not operate in predictable ways, making it very tough to detect. Ars Technica reports: Its ability to operate undetected for five years is a testament to its creators, who clearly studied other state-sponsored hacking groups in an attempt to replicate their advances and avoid their mistakes. State-sponsored groups have been responsible for malware like the Stuxnet- or National Security Agency-linked Flame, Duqu, and Regin. Much of ProjectSauron resides solely in computer memory and was written in the form of Binary Large Objects, making it hard to detect using antivirus. Because of the way the software was written, clues left behind by ProjectSauron in so-called software artifacts are unique to each of its targets. That means that clues collected from one infection don't help researchers uncover new infections. Unlike many malware operations that reuse servers, domain names, or IP addresses for command and control channels, the people behind ProjectSauron chose a different one for almost every target.

13 of 59 comments (clear)

Min score:

Reason:

Sort:

Launch on bootup by Anonymous Coward · 2016-08-09 05:02 · Score: 2, Interesting

How does this thing boot strap it's self without leaving traces?
1. Re:Launch on bootup by The-Ixian · 2016-08-09 05:29 · Score: 2
  
  Possible answer to your question. From the article;
  
  "Once installed, the main Project Sauron modules start working as 'sleeper cells,' displaying no activity of their own and waiting for 'wake-up' commands in the incoming network traffic," Kaspersky researchers wrote in a separate blog post. "This method of operation ensures Project Sauron’s extended persistence on the servers of targeted organizations."
  
  --
  My eyes reflect the stars and a smile lights up my face.
2. Re:Launch on bootup by npslider · 2016-08-09 05:35 · Score: 2
  
  My computer uses Velcro.
  I'm safe.
3. Re:Launch on bootup by JustAnotherOldGuy · 2016-08-09 09:00 · Score: 3, Interesting
  
  "Once installed, the main Project Sauron modules start working as 'sleeper cells"
  So, this was written by ISIS?
  Well, if they're really sleeping they may just be Boeing employees.
  ("Sleeper cell" was the unofficial name for small groups at Boeing that would sometimes disappear during work and take a snooze in obscure parts of the main assembly plants in Renton and Everett. There were lots of places a guy could go to catch a nap, places that no one would ever stumble across by accident. Like the Surplus Equipment Storage Room in the Renton paint facility or the "Break/Fix/Awaiting Service" shed at the Everett plant. I MEAN, THAT'S WHAT I HEARD...)
  
  --
  Just cruising through this digital world at 33 1/3 rpm...
Admiration and Trepidation by Dust038 · 2016-08-09 05:28 · Score: 5, Interesting

As an IT guy trying desperately to keep his network clean I have both admiration and trepidation towards the time, money, and thought process to create such a beast. Doesn't matter if state sponsored or not, the team was able to create something that hid for 5 years. Whomever you guys/girls are you have my admiration for your ability.
1. Re:Admiration and Trepidation by The-Ixian · 2016-08-09 05:33 · Score: 5, Insightful
  
  This is why we (in general) are moving to a whitelist arrangement for software.
  At the very least, disable execution of code from any user writable area.
  
  --
  My eyes reflect the stars and a smile lights up my face.
2. Re:Admiration and Trepidation by npslider · 2016-08-09 05:33 · Score: 2
  
  Makes ya wonder what else is hiding out there, inside every household appliance, every modern car, every LOL cat.
3. Re:Admiration and Trepidation by hAckz0r · 2016-08-09 10:33 · Score: 2
  
  You have many processors (DMA, GPU, Bus controllers, network boards, IO boards, keyboards, etc) installed in your every day computers, and many pidgin holes in the memory pages that can be utilized for encrypted blobs. When the malware itself is not executed, touched by, or managed by your CPU then your white-list running under your CPU's control won't help much. You want to be running VT-d/IOMMU/IMA based software protection to lock things down as much as possible. While you wait for your BIOS to finish self-check, you could already be rooted by your network card DMA or GPU processor. Any whitelist (default deny policy) that is loaded _after_ you are already rooted, doesn't do a whole lot to keep you safe. Take the red pill to leave the hypervisor you didn't even know you had.
Sauron by npslider · 2016-08-09 05:30 · Score: 2

"The world is changing... I can feel it in the water."
Something has been awoken. It's senses it's time has come.
Firmware? by sshir · 2016-08-09 06:32 · Score: 3, Interesting

Couple years back I've revived a dead flash drive. I was following instructions I found on YouTube. The whole experience was disconcertingly painless - it was way too easy to reflash the drive with new, manufacturer supplied firmware.

So, may be the reason Symantec/Kaspersky didn't find the method used to jump the airgap is that the penetration code was in a flashdrive's firmware.
Scenario: Internet facing machine got breached by one of gazillion methods. Perpetrators sit there, collect login credentials. Then, one day, someone inserts a flashdrive. Firmware is replaced by attack code that makes the drive represent itself as a keyboard. Flash drive then inserted into an airgapped system...
Other scenarios: Given how much resources attacker has (attacks are waaay too, ahem, tailored), they might have done a postal intercept (NSA style) or even breached the flashdrive manufacturer.

There might be traces of reflashing left. Or it might be that the initial overwrite was destructive and that the poisoned flash drive was declared dead (after being plugged into a couple of other airgapped machines, just to be sure).
So it might be a good idea for Kaspersky to rummage through dead thumbdrives drawer.
1. Re:Firmware? by Etcetera · 2016-08-09 08:10 · Score: 2
  
  For an organization capable of doing all this, using BadUSB or some other attack would certainly be in the realm of plausibility.
  I love how people think that "air gaped" means "successfully isolated" though. Not only do you have the obvious vector of floppy^H^H^H^H^H^H USB transmission, but there are plenty of other esoteric methods that have been demonstrated in labs and could be used to infiltrate commands to a listener and exfiltrate data back out. If you're walking to an air-gapped system with a laptop in hand, then it's not just WiFi transmissions you need to worry about... modem signals over browser pages being listened to by mics has been demonstrated easily.
  
  --
  Hire a Linux system administrator, systems engineer,
I admit it by Kinwolf · 2016-08-09 07:07 · Score: 2

I was the one who developed it, but it was only supposed to infect Slashdot network as to snif out who were the Anonymous Coward posters, and if there really was human editors working at slashdot.
And it was called by JustAnotherOldGuy · 2016-08-09 08:50 · Score: 2

"Researchers Crack Open Unusually Advanced Malware that Hid For 5 Years", and it was found that internally the authors named it "Windows 10 Extra Telemetry Edition"

--
Just cruising through this digital world at 33 1/3 rpm...