Slashdot Mirror


'Slingshot' Malware That Hid For Six Years Spread Through Routers

An anonymous reader quotes a report from Engadget: Security researchers at Kaspersky Lab have discovered what's likely to be another state-sponsored malware strain, and this one is more advanced than most. Nicknamed Slingshot, the code spies on PCs through a multi-layer attack that targets MikroTik routers. It first replaces a library file with a malicious version that downloads other malicious components, and then launches a clever two-pronged attack on the computers themselves. One, Canhadr, runs low-level kernel code that effectively gives the intruder free rein, including deep access to storage and memory; the other, GollumApp, focuses on the user level and includes code to coordinate efforts, manage the file system and keep the malware alive. Kaspersky describes these two elements as "masterpieces," and for good reason. For one, it's no mean feat to run hostile kernel code without crashes. Slingshot also stores its malware files in an encrypted virtual file system, encrypts every text string in its modules, calls services directly (to avoid tripping security software checks) and even shuts components down when forensic tools are active. If there's a common method of detecting malware or identifying its behavior, Slingshot likely has a defense against it. It's no wonder that the code has been active since at least 2012 -- no one knew it was there. Recent MikroTik router firmware updates should fix the issue. However, there's concern that other router makers might be affected.

4 of 72 comments

  1. Meanwhile on your mobile devices.... by bug1 · Score: 3, Interesting

    Over that time you or someone using your wireless network has installed dozens of apps that have been legally spying on and selling your data to anyone who will pay a few cents.

  2. More questions than answers by AlanObject · Score: 5, Interesting

    The article doesn't call out what versions are affected. My router has 6.40.3 and an upgrade command says that's the latest.

    But the bigger problem I have is: (from the TFA)

    Routers download and run various DLL files in the normal course of business.

    WTF? No they don't. My router doesn't download and run anything during normal operation and it doesn't need to and shouldn't need to. During an upgrade sure.

    Anyone who installs a router that downloads stuff and runs it without their express command to do so is simply asking for it.

    On top of that I don't understand why they call out DLLs. Mikrotiks run RouterOS based on Linux, most of which don't use DLLs for anything.

    1. Re:More questions than answers by complete+loony · Score: 3, Interesting

      Winbox was insecure by design. It downloaded DLLs from the router and ran them.

      How were the routers infected? Some already known exploit, or intercepting the devices during shipping? Who knows.

      --
      09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
    2. Re:More questions than answers by l0n3s0m3phr34k · Score: 5, Interesting

      We recently had to admonish our telecom contractor over his re-use of a USB stick. He was using it to update firmware on our IPECS phone system; when asked "Is that write-protected and in read-only mode?" he didn't really know what we were talking about. When asked "How many other companies have you used that USB stick in since the last low level format?" the light bulb came on. After that we started making him download the firmware on our network, and use a USB stick we provided. We have to be 800-171 compliant for DoD contracts, so this stuff matters.