Slashdot Mirror


'Slingshot' Malware That Hid For Six Years Spread Through Routers

An anonymous reader quotes a report from Engadget: Security researchers at Kaspersky Lab have discovered what's likely to be another state-sponsored malware strain, and this one is more advanced than most. Nicknamed Slingshot, the code spies on PCs through a multi-layer attack that targets MikroTik routers. It first replaces a library file with a malicious version that downloads other malicious components, and then launches a clever two-pronged attack on the computers themselves. One, Canhadr, runs low-level kernel code that effectively gives the intruder free rein, including deep access to storage and memory; the other, GollumApp, focuses on the user level and includes code to coordinate efforts, manage the file system and keep the malware alive. Kaspersky describes these two elements as "masterpieces," and for good reason. For one, it's no mean feat to run hostile kernel code without crashes. Slingshot also stores its malware files in an encrypted virtual file system, encrypts every text string in its modules, calls services directly (to avoid tripping security software checks) and even shuts components down when forensic tools are active. If there's a common method of detecting malware or identifying its behavior, Slingshot likely has a defense against it. It's no wonder that the code has been active since at least 2012 -- no one knew it was there. Recent MikroTik router firmware updates should fix the issue. However, there's concern that other router makers might be affected.

72 comments

  1. Meanwhile on your mobile devices.... by bug1 · · Score: 3, Interesting

    Over that time you or someone using your wireless network has installed dozens of apps that have been legally spying on and selling your data to anyone who will pay a few cents.

    1. Re: Meanwhile on your mobile devices.... by Anonymous Coward · · Score: 0

      and MikroTik routers pass, what, .0001% of I-net traffic?

    2. Re: Meanwhile on your mobile devices.... by arglebargle_xiv · · Score: 1

      That's still useful if that 0.001% was the DNC's internal email, just to take a random example.

    3. Re: Meanwhile on your mobile devices.... by Anonymous Coward · · Score: 0

      Or an equal amount of Donald's tax forms.. or Russian contacts..

    4. Re:Meanwhile on your mobile devices.... by 605dave · · Score: 4, Informative

      This is the biggest scandal no one cares about. I am involved in politics and the upcoming election, and was just demoed a service that was beyond creepy. Basically they provide a library that is widely used by developers, and by the saleswoman's account their stack was in an app on 80% of phones in the world. Android or iOS.

      During the pitch she spoke of micro targeting people, and suggested we could see who was at a certain large political rally in DC for both of the last two years. While immediately creepy in its own right, I asked how her company could take supposedly anonymized info from location sharing and match it with an actual person. She replied that they simply geofenced the phones while people were probably asleep which after a while gave away their home address. They could then match that location with voter files and people's names.

      The implications of this one example were staggering to me. Would you suspect a popular game or restaurant app could be used to completely profile you by a third party? We do around here, but most people don't. They don't get the connections. But I asked if she thought people would be unhappy knowing that apps were secretly being used to share such personal information. To her credit she said yes they would. And she admitted the service would be illegal in Europe.

      In the end I told her that as a privacy advocate I wanted to throw up in the back of my throat (actual quote), but as an advisor to campaigns I would have to tell them to use the tech. You don't bring a knife to a data fight, and it's clear it's a data fight now.

      --
      Be kind, for everyone you meet is fighting a difficult battle. - Plato
    5. Re:Meanwhile on your mobile devices.... by MobyDisk · · Score: 1

      I told her that as a privacy advocate I wanted to throw up in the back of my throat (actual quote), but as an advisor to campaigns I

      You can't claim to be a privacy advocate while working a career that requires you to do the exact opposite.

    6. Re:Meanwhile on your mobile devices.... by 605dave · · Score: 1

      I can see where you might see a contradiction. However I do know that my many conversations with elected officials have had an effect on net neutrality support and encryption rights. I do have to wear two hats, and I don't like it. But right now those who oppose net freedoms are using these tools to defeat those efforts. Trump is in office because of data tools like these. I cannot tell those opposing him not to use the legal tools at their disposal.

      --
      Be kind, for everyone you meet is fighting a difficult battle. - Plato
    7. Re:Meanwhile on your mobile devices.... by Anonymous Coward · · Score: 0

      I'll bet this company begins with a T and ends with an E

    8. Re: Meanwhile on your mobile devices.... by Anonymous Coward · · Score: 0

      But that was an inside job. When the fox lives inside the henhouse, it doesn't matter how good the locks are.

    9. Re:Meanwhile on your mobile devices.... by Anonymous Coward · · Score: 0

      Do you have citations for any of this? I feel like somebody somewhere should be screaming from the rooftops about it.

    10. Re:Meanwhile on your mobile devices.... by q4Fry · · Score: 1

      I cannot tell those opposing him not to use the legal tools at their disposal.

      Assert.Bullshit();

      You can absolutely tell them not to use those tools. Just like you can (for instance) tell them not to sponsor misleading but legal attack ads. Furthermore, they can then proclaim that they don't use them, and then have serious conversations about whether such a practice ought to be legal without looking the hypocrite.

      I appreciate your work under the one hat. I would like to appreciate your work under the other, and I understand how the situation is difficult for you. But it is doublespeak to tell us you can't say a thing that you are not only capable of uttering but also claim to believe and MobyDisk is right to call you on it.

    11. Re:Meanwhile on your mobile devices.... by 605dave · · Score: 1

      So I should tell people not to use the legal tools their competition is using? It's better to be a noble loser that cannot effect change than an elected official who can? What is being offered is perfectly legal at this point. And for the record I brought up this very topic of micro targeting and shared data with a Senator last weekend urging them to make this sort of thing illegal. So while trying to get elections won I am seeding the idea of addressing the abuse legally. Until you have to navigate these waters don't be so sure that you could maintain every one of your ideals at every moment.

      --
      Be kind, for everyone you meet is fighting a difficult battle. - Plato
    12. Re:Meanwhile on your mobile devices.... by 605dave · · Score: 1

      www.phunware.com

      --
      Be kind, for everyone you meet is fighting a difficult battle. - Plato
    13. Re:Meanwhile on your mobile devices.... by Anonymous Coward · · Score: 0

      He isn't taking steps to ensure absolute privacy for himself, while at the same time encouraging others to give theirs up either blatantly or covertly.

      unlike.... Mark Zuckerberg or bill gates or jeff bezos or Tim Cook.

      definition of #2 of hypocrite is incorrect. Yes Merriam Webster is WRONG. #2 is too broadly encompassing such that EVERYONE would be a hypocrite.

    14. Re:Meanwhile on your mobile devices.... by pnutjam · · Score: 1

      I agree, but if you're a true privacy advocate you should be willing to publicize this more. At the very least email me the name of the company so I can do some personal research and work on highlighting this and making it illegal in the US as well as Europe.

    15. Re:Meanwhile on your mobile devices.... by 605dave · · Score: 1

      I posted the company elsewhere in this thread, but here ya go. www.phunware.com. Contact me if you would like more info

      --
      Be kind, for everyone you meet is fighting a difficult battle. - Plato
  2. Hang them. by sgage · · Score: 1

    Why can we not find these assholes, and publicly hang them? And leave them dangling for a while for all to see. They are poisoning the well - this is not cute hacker fun. This is, and has been, very serious. And nothing seems to be done about it.

    1. Re:Hang them. by Anonymous Coward · · Score: 0

      These "assholes" are the people who make it so you can sleep safely at night without worrying that your flight the next morning is going to wind up hitting the side of a skyscraper, guided missile style.

    2. Re:Hang them. by Anonymous Coward · · Score: 1

      Interesting example since post analysis revealed that the American intelligence agencies knew about the terrorist's activities in advance, and did not intervene.

      So, they failed exactly where it mattered most. And as punishment we gave them even more power.

    3. Re:Hang them. by Anonymous Coward · · Score: 0

      A) It's hard.

      B) A country's leaders are in a higher social class. They are not bound by the same laws as the rest of us. They do not receive the same punishments. This has been plainly and obviously true throughout all of human history, and the present is no exception. Furthermore, people like you are "uppity," and if you don't mind your place and start causing trouble for them, you will be punished.

      C) The people in the best position to do something about it...the device manufacturers, have two direct incentives to allow this to happen: they must keep prices down and the level of quality control that you want costs a fortune, and they are pressured (financially and legally) by their own governments to inject and maintain backdoors for government use.

    4. Re:Hang them. by sgage · · Score: 1

      WTF? I don't think you are making sense.

    5. Re:Hang them. by Anonymous Coward · · Score: 0

      Why does everyone expect three letter agencies to publicly announce to the world every time they find something new and exciting ? Yeah, it doesn't work like that. Loose lips lose wars. I can only imagine intelligence agencies live in an alternate reality compared to the rest of us that, quite honestly have no idea or concept of what goes on there, and for good reason no doubt.

    6. Re:Hang them. by EETech1 · · Score: 1

      I've never worried about that actually, and not because I feel the government is preventing it.

      Many other things the government does to "protect" me from that however, I worry about constantly.

    7. Re:Hang them. by Anonymous Coward · · Score: 0

      I'm not happy about the government spying on its own citizens but I do want our government to have a good set of tools to use against other countries.

    8. Re:Hang them. by Anonymous Coward · · Score: 0

      The intelligence agencies were not sharing information or cooperating with each other. This is not surprising. The intelligence agencies compete with each other. Jurisdiction and overlapping investigations made these agencies competitors instead of partners. After 9/11 they have attempted to start sharing information but we will just have to wait until the next large scale attack happens to see if any real progress has been accomplished.

    9. Re:Hang them. by sjames · · Score: 1

      Who said anything about announcing? How about not letting it happen? Had they done their jobs, the terrorists would have had perfectly ordinary seeming accidents or been found with large amounts of heroin and locked away. Instead, they caused 9/11.

    10. Re:Hang them. by fisted · · Score: 1

      You're an idiot.

    11. Re:Hang them. by TheRaven64 · · Score: 1
      The NSA has a dual mission. They are charged with finding attacks that will work on foreign powers and securing US infrastructure. Any time they find a vulnerability, they have to make a judgement call over whether it's more important to fix it domestically or to have it available to attack other people with. If they didn't publicly disclose something, it means that either:
      1. They made this judgement call that it was worth the risk of other people attacking, or
      2. They didn't find it in the first place

      If there's something widely being used as an attack vector that they didn't find, then that implies incompetence because it's their job to find these things and protect US infrastructure against attacks that other people use. If they did know about it, it's been used to attack US infrastructure, and hasn't been used by the US, then that also implies incompetence because they made the wrong judgement call and left a real vulnerability open for attack in the hope that it would allow a hypothetical future attack on others by them.

      --
      I am TheRaven on Soylent News
    12. Re:Hang them. by butzwonker · · Score: 2

      Maybe I'm wrong, but I thought that part of the NSA's obligations is only to protect US infrastructure vital to national security and DoD IT systems, not private infrastructure, individual citizens' home networks or companies in general. They probably are allowed to inform and advise larger corporations of threats but that's about it. Their main role is SIGINT.

      So yes, of course they will hoard and weaponize exploits. In case of these routers, the above AC is right, that could easily be an NSA exploit. It depends on where these routers are primarily used and where the compromised routers were located.

    13. Re:Hang them. by TheRaven64 · · Score: 1

      Maybe I'm wrong, but I thought that part of the NSA's obligations is only to protect US infrastructure vital to national security and DoD IT systems, not private infrastructure, individual citizens' home networks or companies in general.

      This is mostly true, though it's all US government infrastructure and not just the DoD; however, there's a lot of private infrastructure that is critical for national security and so they don't make such a hard distinction. It doesn't matter if your air force is still working fine if none of your personnel can make it to the airbase because civilian infrastructure has collapsed. If a vulnerability is discovered in a home router, you'd better be very sure that no one in the chain of command (and no elected officials with national security responsibilities) is using one at home.

      --
      I am TheRaven on Soylent News
    14. Re:Hang them. by Anonymous Coward · · Score: 0

      These assholes are the ones who know that attack will go down, and quite possibly even aided in setting it up, and will sit back and allow it to happen. Because why let a good crisis go to waste? The attack will "prove" that the government needs expanded powers and authorization to intrude into everybody's lives in the name of making us all safe.

      I'm not sure if you're a paid apologist or just drinking the koolaid, but if you truly believe intelligence agencies are the good guys that give a fuck about any of us, you're one or the other.

  3. THEM WHOM SMELT IT DELT IT! by Anonymous Coward · · Score: 0

    And them damn Rushers. Again!

  4. Doing fantastic work by lordlod · · Score: 5, Insightful

    This is just the latest of a number of state sponsored attacks that Kaspersky has published details on. They are doing fantastic work.

    Whatever your view on the level of the cooperation with the Russian state, exposing these sophisticated attacks and attack vectors makes us all safer.

    1. Re:Doing fantastic work by AHuxley · · Score: 2

      Yes Kaspersky has helped security research all over the net, in devices.
      Stuxnet, Flame, Equation Group https://en.wikipedia.org/wiki/... and many others.

      --
      Domestic spying is now "Benign Information Gathering"
    2. Re:Doing fantastic work by Anonymous Coward · · Score: 0

      Thanks for pointing out the obvious on slashdot so the Young Republicans can know what's up.

    3. Re:Doing fantastic work by Anonymous Coward · · Score: 1

      I've yet to find an article that tells you how to detect and remove Slingshot. Gotta pay up for some Kaspersky protection to get that info?

    4. Re:Doing fantastic work by fredgiblet · · Score: 1

      "Recent MikroTik router firmware updates should fix the issue."

      So update your firmware and you're good. Even if you don't have an infection you should update to prevent it.

    5. Re:Doing fantastic work by Anonymous Coward · · Score: 1

      Maybe they are uncovering their own old malware just to look clean.

    6. Re:Doing fantastic work by Anonymous Coward · · Score: 0

      And to note, this was patched over a year ago.

  5. Forensic tools as a counter measure by Anonymous Coward · · Score: 1

    Which forensic tools should I keep active in order to have those viruses conveniently shut down components while they think I am a researcher looking for them? :D

    1. Re:Forensic tools as a counter measure by AHuxley · · Score: 1

      All of the AV that can be found and tested.
      Recall the CIA and who could find what code over years? Lots of different AV software missed detection. Some brands of AV had some better ideas about what system was infected.
      "Found in the wild: Vault7 hacking tools WikiLeaks says come from CIA" (4/10/2017)
      https://arstechnica.com/inform...

      --
      Domestic spying is now "Benign Information Gathering"
    2. Re: Forensic tools as a counter measure by Anonymous Coward · · Score: 0

      No, what the heck? AV is not forensic tools.
      Stuff like VM based debuggers scare malware. AV is just something to be bypassed, but a VM debugger has to be detected. That way the malware can shutdown and not be analyzed.

  6. More questions than answers by AlanObject · · Score: 5, Interesting

    The article doesn't call out what versions are affected. My router has 6.40.3 and an upgrade command says that's the latest.

    But the bigger problem I have is: (from the TFA)

    Routers download and run various DLL files in the normal course of business.

    WTF? No they don't. My router doesn't download and run anything during normal operation and it doesn't need to and shouldn't need to. During an upgrade sure.

    Anyone who installs a router that downloads stuff and runs it without their express command to do so is simply asking for it.

    On top of that I don't understand why they call out DLLs. Mikrotiks run RouterOS based on Linux, most of which don't use DLLs for anything.

    1. Re:More questions than answers by Anonymous Coward · · Score: 0

      Winbox

    2. Re:More questions than answers by AHuxley · · Score: 1

      Recall how a modem, router can be upgraded with a file from the home computer network side.
      Some nation is pushing malware upgrades into devices and they are being accepted as a normal upgrade by the device.
      Some methods used are a random walk in person from "tech" support and their USB device. A chat with the boss and the device is upgraded.
      A person is away from home at work and their network is on. The device gets a nation state malware upgrade pushed down the network.
      Lots of ways in with a person, via a network to alter a device that's often on and networked.

      --
      Domestic spying is now "Benign Information Gathering"
    3. Re:More questions than answers by complete+loony · · Score: 3, Interesting

      Winbox was insecure by design. It downloaded DLLs from the router and ran them.

      How were the routers infected? Some already known exploit, or intercepting the devices during shipping? Who knows.

      --
      09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
    4. Re:More questions than answers by l0n3s0m3phr34k · · Score: 5, Interesting

      We recently had to admonish our telecom contractor over his re-use of a USB stick. He was using it to update firmware on our IPECS phone system; when asked "Is that write-protected and in read-only mode?" he didn't really know what we were talking about. When asked "How many other companies have you used that USB stick in since the last low level format?" the light bulb came on. After that we started making him download the firmware on our network, and use a USB stick we provided. We have to be 800-171 compliant for DoD contracts, so this stuff matters.

    5. Re:More questions than answers by AHuxley · · Score: 1

      Yes it's fun to think about how much of this state-created malware got pushed up from the trusted side of a network.
      Tech support talking fast and seen by staff talking to the boss then moving to any computer with their USB files?
      A charming NGO worker (spy) with a video to play on a computer on the trusted side of a network to show the boss how a "charity" event went...
      How many get the malware update via the internet pushed down in the wild?

      --
      Domestic spying is now "Benign Information Gathering"
    6. Re:More questions than answers by Anonymous Coward · · Score: 3, Informative

      The full technical paper can be found here:

      https://s3-eu-west-1.amazonaws...

    7. Re:More questions than answers by Anonymous Coward · · Score: 2, Informative

      Mikrotik is quite special. The routers are administered via a special tool 'WinBox'. When you connect to a certain type of router a DLL is downloaded to your pc and loaded that tells WinBox how to talk to this model. Of course, if you replace this DLL with a backdoored one then the administrator PC will get hacked.

      I have always found this setup quite risky. There is public code available that runs a fake Mikrotik router, serving a DLL of your choice: https://0day.today/exploit/18143 You only need to replace one AP in a building with something running this tool and the network Administration PC could be hacked (some management things log in repeatedly without user interaction).

    8. Re: More questions than answers by Anonymous Coward · · Score: 0

      First thing I've always done on every RouterBoard device for years is shut down Winbox, ftp and telnet access. Do the config over ssh from a Linux box. The web interface is handy, but only after installing a real SSL cert and turning off port 80.

      Vault 7 revealed last Spring that the CIA had a special place in its lab to test exploits against Mikrotik routers. The leaked material was apparently enough for Mikrotik to fix this and other flaws at that time. Latvia being a "friendly" country and all, that was pretty rude of US agents. But then they thought nothing of hijacking and modding hardware from a certain US network equipment manufacturer while en route to customers, so that shouldn't be surprising. "With friends like that..."

    9. Re: More questions than answers by houghi · · Score: 1

      Hope you take away the USB key when done and not let it leave the premises at evening. Also remember that security is a technical solution solving a social problem. It is also an attitude.

      --
      Don't fight for your country, if your country does not fight for you.
    10. Re:More questions than answers by Anonymous Coward · · Score: 0

      The paper clarifies this. The systems that were compromised were Windows. It is unknown how most of these systems were compromised, but according to the researchers "we were able to find several cases where the attackers got access to Mikrotik routers and placed a component downloaded by Winbox Loader, a management suite for Mikrotik routers. In turn, this infected the administrator of the router."

      In other words, they whacked Mikrotik first and leveraged that to compromise a router admin's system.

      But mostly they don't know how systems were compromised.

    11. Re:More questions than answers by Anonymous Coward · · Score: 0

      As the other poster said, Winbox uses DLLs that are kept on the router. This was changed like a year ago. 6.40.3 is not vuln to this however, you need to update Winbox also. Just run winbox and click on tools (when not connected to a router) and then upgrade. Blamo new winbox.

  7. Effective since 2012 by Anonymous Coward · · Score: 0

    pretty much guarantees it wasn't made in America. Where the attitude is code correctly? why, that eats into the bottom line - shove it out the door, let the users find the bugs.

  8. Blinking Lights by Khyber · · Score: 1

    "If there's a common method of detecting malware or identifying its behavior, Slingshot likely has a defense against it."

    Unplug all computers from the router and see if the router is still trying to broadcast out by watching the blinking lights (assuming they are even present.)

    Can almost guarantee they didn't bother thinking about old-fashioned forensics.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    1. Re:Blinking Lights by Anonymous Coward · · Score: 0

      I'm pretty sure the malware won't try to send anything out on ports where no computer is active.

    2. Re:Blinking Lights by Anonymous Coward · · Score: 0

      Modern routers have an API to control blinking LEDs. This slingshot malware could also use the said API to hide its malicious activity.

    3. Re:Blinking Lights by AHuxley · · Score: 1

      Some sort of induction ring around the router and shielded computer to log events?
      A reverse TEMPEST to see what's been broadcast out at strange times?

      --
      Domestic spying is now "Benign Information Gathering"
    4. Re:Blinking Lights by Anonymous Coward · · Score: 0

      Then put a dumb hub or switch on one of the ports and watch if its LEDs are blinking.

  9. Re:Behold, the happy slave. by Anonymous Coward · · Score: 0

    And because your happiness is worth more to you than EVERYONE ELSE'S FREEDOMS you invite and welcome slavery.

    Fuck you buddy.

  10. Re:Cry moar faggit by Anonymous Coward · · Score: 0

    It really looks good on you and makes your NSA sponsored crap so much more believable.

  11. Journalism by Anonymous Coward · · Score: 0

    An engadget story linking to ArsTechnica, linking to Kaspersky

  12. Can firmware update reliably clean up infection? by nowwith25percentmore · · Score: 1

    How can we trust a firmware update to reliably clean up an infected device? After all, the firmware update would need to be installed by the currently running infected firmware. Couldn't the current firmware infect the new firmware as it's being installed? Sounds like we might need to JTAG a new image straight to the hardware.

  13. Re:Can firmware update reliably clean up infection by Anonymous Coward · · Score: 0

    The routers need to be treated like any other compromised IoT device: Physically thrown away, and replaced by a known good brand, perhaps something running PFSense on a small scale.

  14. Re: Can firmware update reliably clean up infectio by Anonymous Coward · · Score: 0

    I don't think a known good brand exists.

  15. Downloading executing shit by DrYak · · Score: 1

    WTF? No they don't. My router doesn't download and run anything during normal operation and it doesn't need to and shouldn't need to.

    Maybe your own doesn't.

    But lots of equipment provided to client by telco (the router that you received for free when you signed up for DSL/cable/fibre internet) do.

    In the name of user-friendliness, defined as "my grand-ma is unable to upgrade the firmware nor even configure the settings, so everybody is imposed auto-updates", nearly all of these devices download and run a ton of shit.
    It might be just scripts (to set or update configuration) or it might be complete firmware upgrades (including telco's own "optimisation" - you thought preloaded crapware was limited to desktops?)

    cue in rant by RMS about "autoupdate being a form of remote execution and thus security danger".

    Anyone who installs a router that downloads stuff and runs it without their express command to do so is simply asking for it.

    Sadly that's a situation that is enforced by telco on unsuspecting users.
    You got to go out of your way to buy your own personal router, disable its auto-update/auto-configuration capabilities, plug it in and manually configure it and upgrade it to a known good firmware (preferably something from OpenWrt/LEDE if you decide not to trust the original equipment manufacturer).

    On top of that I don't understand why they call out DLLs. Mikrotiks run RouterOS based on Linux, most of which don't use DLLs for anything.

    As pointed out by others, in this case it's the administration software that downloads Windows DLLs from the router and runs them on the admin's PC.
    But all the rants about auto-update and remote execution still apply in this context too.

    And it's not new at all. Microsoft SMB/CIFS "shared printers" provide drivers on the servers. A client Windows system that wants to send documents on a server print queue will also automatically download and run printer drivers in the exact same fashion.

    (But yeah, in this case, it's not the RouterOS itself loading .so and .ko and running them without any user approval).

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  16. Write-protected flash drives by Fencepost · · Score: 1

    My listing for this is years out of date, but is it still the case that the only modern flash drives with hardware write protection are from Kanguru, a few models of PQI, and maybe 1-2 Imation devices?

    Do you allow devices like the secured IODD/Zalman drive enclosures that can be set up for read-only access as well?

    --
    fencepost
    just a little off
    1. Re:Write-protected flash drives by Fencepost · · Score: 1

      Holy smokes, I really was out-of-date. Imation is dead and in a holding company with (possibly) PNY able to make things using the name, PQI appears to no longer have any write-protected drives, Ritek appears to no longer have any write-protected drives and I missed Netac.

      Guess it's Kanguru ($$$), Netac, touchpad-enabled secure drive enclosures and maybe some forensic devices for write-protected drives.

      --
      fencepost
      just a little off
  17. Re:Can firmware update reliably clean up infection by Anonymous Coward · · Score: 0

    Physically thrown away, and replaced by a known good brand, perhaps something running PFSense on a small scale.

    My ISP requires these devices for their sort of frame relay tunnel thing they got going. I have not been able to replicate that connection on pfsense. So I have a mikrotik router that I own, sitting in front of my pfsense on the wan side.

    Yikes. gonna patch it tonight when I get home! thing cost like $100 bucks so I am not going to throw it away. I did restrict all access to it externally, so hopefully whatever mikrotik exploit this is requires some sort of port to be open to work...

    ah found some info. it seems to have only infected africa and middle east and copies the DLL to a windows machine when you use winbox to configure. I do remember using winbox at some point but I think it didn't work very well. still scarily close to home!

    https://s3-eu-west-1.amazonaws...

  18. Re:Can firmware update reliably clean up infection by Anonymous Coward · · Score: 0

    Since when is PFSense good? I've cleaned up more infected PFS boxes than MTs. So a bunch of people left things open. MT changed all this a year ago. It's no longer an issue and anyone still running year old code without a firewall is getting what they are asking for.

  19. Re:Can firmware update reliably clean up infection by Anonymous Coward · · Score: 0

    Just SSH in and update. You have much larger attack surface running windows or letting people visit your wireless.