'Slingshot' Malware That Hid For Six Years Spread Through Routers
An anonymous reader quotes a report from Engadget: Security researchers at Kaspersky Lab have discovered what's likely to be another state-sponsored malware strain, and this one is more advanced than most. Nicknamed Slingshot, the code spies on PCs through a multi-layer attack that targets MikroTik routers. It first replaces a library file with a malicious version that downloads other malicious components, and then launches a clever two-pronged attack on the computers themselves. One, Canhadr, runs low-level kernel code that effectively gives the intruder free rein, including deep access to storage and memory; the other, GollumApp, focuses on the user level and includes code to coordinate efforts, manage the file system and keep the malware alive. Kaspersky describes these two elements as "masterpieces," and for good reason. For one, it's no mean feat to run hostile kernel code without crashes. Slingshot also stores its malware files in an encrypted virtual file system, encrypts every text string in its modules, calls services directly (to avoid tripping security software checks) and even shuts components down when forensic tools are active. If there's a common method of detecting malware or identifying its behavior, Slingshot likely has a defense against it. It's no wonder that the code has been active since at least 2012 -- no one knew it was there. Recent MikroTik router firmware updates should fix the issue. However, there's concern that other router makers might be affected.
The full technical paper can be found here:
https://s3-eu-west-1.amazonaws...
Mikrotik is quite special. The routers are administered via a special tool 'WinBox'. When you connect to a certain type of router a DLL is downloaded to your PC and loaded that tells WinBox how to talk to this model. Of course, if you replace this DLL with a backdoored one then the administrator PC will get hacked.
I have always found this setup quite risky. There is public code available that runs a fake Mikrotik router, serving a DLL of your choice: https://0day.today/exploit/18143 You only need to replace one AP in a building with something running this tool and the network Administration PC could be hacked (some management things log in repeatedly without user interaction).
This is the biggest scandal no one cares about. I am involved in politics and the upcoming election, and was just demoed a service that was beyond creepy. Basically they provide a library that is widely used by developers, and by the saleswoman's account their stack was in an app on 80% of phones in the world. Android or iOS.
During the pitch she spoke of micro targeting people, and suggested we could see who was at a certain large political rally in DC for both of the last two years. While immediately creepy in its own right, I asked how her company could take supposedly anonymized info from location sharing and match it with an actual person. She replied that they simply geofenced the phones while people were probably asleep, which after a while gave away their home address. They could then match that location with voter files and people's names.
The implications of this one example were staggering to me. Would you suspect a popular game or restaurant app could be used to completely profile you by a third party? We do around here, but most people don't. They don't get the connections. But I asked if she thought people would be unhappy knowing that apps were secretly being used to share such personal information. To her credit she said yes they would. And she admitted the service would be illegal in Europe.
In the end I told her that as a privacy advocate I wanted to throw up in the back of my throat (actual quote), but as an advisor to campaigns I would have to tell them to use the tech. You don't bring a knife to a data fight, and it's clear it's a data fight now.