Slashdot Mirror


'Slingshot' Malware That Hid For Six Years Spread Through Routers

An anonymous reader quotes a report from Engadget: Security researchers at Kaspersky Lab have discovered what's likely to be another state-sponsored malware strain, and this one is more advanced than most. Nicknamed Slingshot, the code spies on PCs through a multi-layer attack that targets MikroTik routers. It first replaces a library file with a malicious version that downloads other malicious components, and then launches a clever two-pronged attack on the computers themselves. One, Canhadr, runs low-level kernel code that effectively gives the intruder free rein, including deep access to storage and memory; the other, GollumApp, focuses on the user level and includes code to coordinate efforts, manage the file system and keep the malware alive. Kaspersky describes these two elements as "masterpieces," and for good reason. For one, it's no mean feat to run hostile kernel code without crashes. Slingshot also stores its malware files in an encrypted virtual file system, encrypts every text string in its modules, calls services directly (to avoid tripping security software checks) and even shuts components down when forensic tools are active. If there's a common method of detecting malware or identifying its behavior, Slingshot likely has a defense against it. It's no wonder that the code has been active since at least 2012 -- no one knew it was there. Recent MikroTik router firmware updates should fix the issue. However, there's concern that other router makers might be affected.

40 of 72 comments

  1. Meanwhile on your mobile devices.... by bug1 · · Score: 3, Interesting

    Over that time you or someone using your wireless network has installed dozens of apps that have been legally spying on you and selling your data to anyone who will pay a few cents.

    1. Re: Meanwhile on your mobile devices.... by arglebargle_xiv · · Score: 1

      That's still useful if that 0.001% was the DNC's internal email, just to take a random example.

    2. Re:Meanwhile on your mobile devices.... by 605dave · · Score: 4, Informative

      This is the biggest scandal no one cares about. I am involved in politics and the upcoming election, and was just demoed a service that was beyond creepy. Basically they provide a library that is widely used by developers, and by the saleswoman's account their stack was in an app on 80% of phones in the world. Android or iOS.

      During the pitch she spoke of micro-targeting people, and suggested we could see who was at a certain large political rally in DC for both of the last two years. While immediately creepy in its own right, I asked how her company could take supposedly anonymized info from location sharing and match it with an actual person. She replied that they simply geofenced the phones while people were probably asleep, which after a while gave away their home address. They could then match that location with voter files and people's names.

      The implications of this one example were staggering to me. Would you suspect a popular game or restaurant app could be used to completely profile you by a third party? We do around here, but most people don't. They don't get the connections. But I asked if she thought people would be unhappy knowing that apps were secretly being used to share such personal information. To her credit she said yes, they would. And she admitted the service would be illegal in Europe.

      In the end I told her that as a privacy advocate I wanted to throw up in the back of my throat (actual quote), but as an advisor to campaigns I would have to tell them to use the tech. You don't bring a knife to a data fight, and it's clear it's a data fight now.

      --
      Be kind, for everyone you meet is fighting a difficult battle. - Plato
    3. Re:Meanwhile on your mobile devices.... by MobyDisk · · Score: 1

      I told her that as a privacy advocate I wanted to throw up in the back of my throat (actual quote), but as an advisor to campaigns I

      You can't claim to be a privacy advocate while working a career that requires you to do the exact opposite.

    4. Re:Meanwhile on your mobile devices.... by 605dave · · Score: 1

      I can see where you might see a contradiction. However I do know that my many conversations with elected officials have had an effect on net neutrality support and encryption rights. I do have to wear two hats, and I don't like it. But right now those who oppose net freedoms are using these tools to defeat those efforts. Trump is in office because of data tools like these. I cannot tell those opposing him not to use the legal tools at their disposal.

      --
      Be kind, for everyone you meet is fighting a difficult battle. - Plato
    5. Re:Meanwhile on your mobile devices.... by q4Fry · · Score: 1

      I cannot tell those opposing him not to use the legal tools at their disposal.

      Assert.Bullshit();

      You can absolutely tell them not to use those tools. Just like you can (for instance) tell them not to sponsor misleading but legal attack ads. Furthermore, they can then proclaim that they don't use them, and then have serious conversations about whether such a practice ought to be legal without looking the hypocrite.

      I appreciate your work under the one hat. I would like to appreciate your work under the other, and I understand how the situation is difficult for you. But it is doublespeak to tell us you can't say a thing that you are not only capable of uttering but also claim to believe, and MobyDisk is right to call you on it.

    6. Re:Meanwhile on your mobile devices.... by 605dave · · Score: 1

      So I should tell people not to use the legal tools their competition is using? It's better to be a noble loser who cannot effect change than an elected official who can? What is being offered is perfectly legal at this point. And for the record I brought up this very topic of micro-targeting and shared data with a Senator last weekend, urging them to make this sort of thing illegal. So while trying to get elections won I am seeding the idea of addressing the abuse legally. Until you have to navigate these waters, don't be so sure that you could maintain every one of your ideals at every moment.

      --
      Be kind, for everyone you meet is fighting a difficult battle. - Plato
    7. Re:Meanwhile on your mobile devices.... by 605dave · · Score: 1

      www.phunware.com

      --
      Be kind, for everyone you meet is fighting a difficult battle. - Plato
    8. Re:Meanwhile on your mobile devices.... by pnutjam · · Score: 1

      I agree, but if you're a true privacy advocate you should be willing to publicize this more. At the very least email me the name of the company so I can do some personal research and work on highlighting this and making it illegal in the US as well as Europe.

    9. Re:Meanwhile on your mobile devices.... by 605dave · · Score: 1

      I posted the company elsewhere in this thread, but here ya go. www.phunware.com. Contact me if you would like more info

      --
      Be kind, for everyone you meet is fighting a difficult battle. - Plato
  2. Hang them. by sgage · · Score: 1

    Why can we not find these assholes, and publicly hang them? And leave them dangling for a while for all to see. They are poisoning the well - this is not cute hacker fun. This is, and has been, very serious. And nothing seems to be done about it.

    1. Re:Hang them. by Anonymous Coward · · Score: 1

      Interesting example since post analysis revealed that the American intelligence agencies knew about the terrorist's activities in advance, and did not intervene.

      So, they failed exactly where it mattered most. And as punishment we gave them even more power.

    2. Re:Hang them. by sgage · · Score: 1

      WTF? I don't think you are making sense.

    3. Re:Hang them. by EETech1 · · Score: 1

      I've never worried about that actually, and not because I feel the government is preventing it.

      Many other things the government does to "protect" me from that, however, I worry about constantly.

    4. Re:Hang them. by sjames · · Score: 1

      Who said anything about announcing? How about not letting it happen? Had they done their jobs, the terrorists would have had perfectly ordinary-seeming accidents or been found with large amounts of heroin and locked away. Instead, they caused 9/11.

    5. Re:Hang them. by fisted · · Score: 1

      You're an idiot.

    6. Re:Hang them. by TheRaven64 · · Score: 1

      The NSA has a dual mission. They are charged with finding attacks that will work on foreign powers and securing US infrastructure. Any time they find a vulnerability, they have to make a judgement call over whether it's more important to fix it domestically or to have it available to attack other people with. If they didn't publicly disclose something, it means that either:
      1. They made this judgement call that it was worth the risk of other people attacking, or
      2. They didn't find it in the first place

      If there's something widely being used as an attack vector that they didn't find, then that implies incompetence because it's their job to find these things and protect US infrastructure against attacks that other people use. If they did know about it, it's been used to attack US infrastructure, and hasn't been used by the US, then that also implies incompetence because they made the wrong judgement call and left a real vulnerability open for attack in the hope that it would allow a hypothetical future attack on others by them.

      --
      I am TheRaven on Soylent News
    7. Re:Hang them. by butzwonker · · Score: 2

      Maybe I'm wrong, but I thought that part of the NSA's obligations is only to protect US infrastructure vital to national security and DoD IT systems, not private infrastructure, individual citizens' home networks or companies in general. They probably are allowed to inform and advise larger corporations of threats, but that's about it. Their main role is SIGINT.

      So yes, of course they will hoard and weaponize exploits. In case of these routers, the above AC is right, that could easily be an NSA exploit. It depends on where these routers are primarily used and where the compromised routers were located.

    8. Re:Hang them. by TheRaven64 · · Score: 1

      Maybe I'm wrong, but I thought that part of the NSA's obligations is only to protect US infrastructure vital to national security and DoD IT systems, not private infrastructure, individual citizens' home networks or companies in general.

      This is mostly true, though it's all US government infrastructure and not just the DoD; however, there's a lot of private infrastructure that is critical for national security and so they don't make such a hard distinction. It doesn't matter if your air force is still working fine if none of your personnel can make it to the airbase because civilian infrastructure has collapsed. If a vulnerability is discovered in a home router, you'd better be very sure that no one in the chain of command (and no elected officials with national security responsibilities) is using one at home.

      --
      I am TheRaven on Soylent News
  3. Doing fantastic work by lordlod · · Score: 5, Insightful

    This is just the latest of a number of state sponsored attacks that Kaspersky has published details on. They are doing fantastic work.

    Whatever your view on the level of the cooperation with the Russian state, exposing these sophisticated attacks and attack vectors makes us all safer.

    1. Re:Doing fantastic work by AHuxley · · Score: 2

      Yes, Kaspersky has helped security research all over the net and in devices.
      Stuxnet, Flame, Equation Group https://en.wikipedia.org/wiki/... and many others.

      --
      Domestic spying is now "Benign Information Gathering"
    2. Re:Doing fantastic work by Anonymous Coward · · Score: 1

      I've yet to find an article that tells you how to detect and remove Slingshot. Gotta pay up for some Kaspersky protection to get that info?

    3. Re:Doing fantastic work by fredgiblet · · Score: 1

      "Recent MikroTik router firmware updates should fix the issue."

      So update your firmware and you're good. Even if you don't have an infection you should update to prevent it.

    4. Re:Doing fantastic work by Anonymous Coward · · Score: 1

      Maybe they are uncovering their own old malware just to look clean.

  4. Forensic tools as a counter measure by Anonymous Coward · · Score: 1

    Which forensic tools should I keep active in order to have those viruses conveniently shut down components while they think I am a researcher looking for them? :D

    1. Re:Forensic tools as a counter measure by AHuxley · · Score: 1

      All of the AV that can be found and tested.
      Recall the CIA and who could find what code over years? Lots of different AV software missed detection. Some brands of AV had some better ideas about what system was infected.
      "Found in the wild: Vault7 hacking tools WikiLeaks says come from CIA" (4/10/2017)
      https://arstechnica.com/inform...

      --
      Domestic spying is now "Benign Information Gathering"
  5. More questions than answers by AlanObject · · Score: 5, Interesting

    The article doesn't call out what versions are affected. My router has 6.40.3 and an upgrade command says that's the latest.

    But the bigger problem I have is: (from the TFA)

    Routers download and run various DLL files in the normal course of business.

    WTF? No they don't. My router doesn't download and run anything during normal operation and it doesn't need to and shouldn't need to. During an upgrade sure.

    Anyone who installs a router that downloads stuff and runs it without their express command to do so is simply asking for it.

    On top of that I don't understand why they call out DLLs. Mikrotiks run RouterOS based on Linux, most of which don't use DLLs for anything.

    1. Re:More questions than answers by AHuxley · · Score: 1

      Recall how a modem or router can be upgraded with a file from the home computer network side.
      Some nation is pushing malware upgrades into devices and they are being accepted as normal upgrades by the device.
      Some methods used are a random walk-in in person from "tech" support with their USB device. A chat with the boss and the device is upgraded.
      A person is away from home at work and their network is on. The device gets a nation-state malware upgrade pushed down the network.
      Lots of ways in, with a person or via a network, to alter a device that's often on and networked.

      --
      Domestic spying is now "Benign Information Gathering"
    2. Re:More questions than answers by complete+loony · · Score: 3, Interesting

      Winbox was insecure by design. It downloaded DLLs from the router and ran them.

      How were the routers infected? Some already known exploit, or intercepting the devices during shipping? Who knows.

      --
      09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
    3. Re:More questions than answers by l0n3s0m3phr34k · · Score: 5, Interesting

      We recently had to admonish our telecom contractor over his re-use of a USB stick. He was using it to update firmware on our IPECS phone system; when asked "Is that write-protected and in read-only mode?" he didn't really know what we were talking about. When asked "How many other companies have you used that USB stick in since the last low-level format?" the light bulb came on. After that we started making him download the firmware on our network, and use a USB stick we provided. We have to be 800-171 compliant for DoD contracts, so this stuff matters.

    4. Re:More questions than answers by AHuxley · · Score: 1

      Yes, it's fun to think about how much of this state-created malware got pushed up from the trusted side of a network.
      Tech support talking fast, seen by staff talking to the boss, then moving to any computer with their USB files?
      A charming NGO worker (spy) with a video to play on a computer on the trusted side of a network to show the boss how a "charity" event went...
      How many get the malware update via the internet, pushed down in the wild?

      --
      Domestic spying is now "Benign Information Gathering"
    5. Re:More questions than answers by Anonymous Coward · · Score: 3, Informative

      The full technical paper can be found here:

      https://s3-eu-west-1.amazonaws...

    6. Re:More questions than answers by Anonymous Coward · · Score: 2, Informative

      Mikrotik is quite special. The routers are administered via a special tool 'WinBox'. When you connect to a certain type of router a DLL is downloaded to your PC and loaded that tells WinBox how to talk to this model. Of course, if you replace this DLL with a backdoored one then the administrator PC will get hacked.

      I have always found this setup quite risky. There is public code available that runs a fake Mikrotik router, serving a DLL of your choice: https://0day.today/exploit/18143 You only need to replace one AP in a building with something running this tool and the network administration PC could be hacked (some management things log in repeatedly without user interaction).

    7. Re: More questions than answers by houghi · · Score: 1

      Hope you take away the USB key when done and don't let it leave the premises in the evening. Also remember that security is a technical solution to a social problem. It is also an attitude.

      --
      Don't fight for your country, if your country does not fight for you.
  6. Blinking Lights by Khyber · · Score: 1

    "If there's a common method of detecting malware or identifying its behavior, Slingshot likely has a defense against it."

    Unplug all computers from the router and see if the router is still trying to broadcast out by watching the blinking lights (assuming they are even present).

    Can almost guarantee they didn't bother thinking about old-fashioned forensics.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
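Khyber's "watch the blinking lights" check, written out as a test over flow logs from a tap on the router's WAN side. This is an added example, not code from the thread or from Kaspersky; the log format, the router and ISP addresses, the LAN range and the allowlist of legitimate router-originated destinations are all constructed assumptions.

```python
"""Flag router-originated connections during a window in which the LAN was unplugged.

Constructed flow-log format (one flow per line, captured on a WAN-side tap):
    <epoch_ts> <src_ip> <dst_ip> <dst_port> <proto>
"""
import ipaddress
from dataclasses import dataclass

ROUTER_WAN_IP = ipaddress.ip_address("203.0.113.10")  # assumed router WAN address (RFC 5737 range)
LAN_NET = ipaddress.ip_network("192.168.88.0/24")     # MikroTik's default LAN range (assumed)
# Destinations the router legitimately contacts on its own (constructed: ISP DNS and NTP).
ALLOWED_DESTS = {("203.0.113.1", 53), ("203.0.113.1", 123)}


@dataclass(frozen=True)
class Flow:
    ts: int
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


def parse_flows(text: str) -> list[Flow]:
    """Parse the constructed log format, skipping blank and comment lines."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append(Flow(int(ts), ipaddress.ip_address(src),
                          ipaddress.ip_address(dst), int(dport), proto))
    return flows


def isolation_report(flows: list[Flow], window_start: int, window_end: int) -> dict:
    """Split in-window flows into router beacons and evidence that a LAN host is still up.

    In a NATed setup a forgotten host shows up as router-sourced traffic instead,
    so the window must genuinely be client-free for the beacon list to mean anything.
    """
    beacons, lan_activity = [], []
    for f in flows:
        if not window_start <= f.ts <= window_end:
            continue
        if f.src in LAN_NET:
            lan_activity.append(f)      # someone is still plugged in: the window is not clean
        elif f.src == ROUTER_WAN_IP and (str(f.dst), f.dport) not in ALLOWED_DESTS:
            beacons.append(f)           # router talking on its own to an unexpected place
    return {"beacons": beacons, "lan_activity": lan_activity}


# Constructed sample: LAN unplugged from 1520640300 to 1520640900.
SAMPLE_LOG = """\
1520640000 192.168.88.20 93.184.216.34 443 tcp
1520640600 203.0.113.10 203.0.113.1 123 udp
1520640660 203.0.113.10 198.51.100.77 443 tcp
1520640720 203.0.113.10 203.0.113.1 53 udp
1520640800 192.168.88.30 93.184.216.34 443 tcp
1520641200 192.168.88.20 93.184.216.34 443 tcp
"""

if __name__ == "__main__":
    report = isolation_report(parse_flows(SAMPLE_LOG), 1520640300, 1520640900)
    for f in report["beacons"]:
        print(f"router beacon: {f.ts} -> {f.dst}:{f.dport}/{f.proto}")
    for f in report["lan_activity"]:
        print(f"isolation broken: {f.src} still sending at {f.ts}")
```

Run against a real capture, anything in `beacons` is traffic the router chose to send while no client could have asked it to, which is the signal the blinking-lights trick is looking for.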
    1. Re:Blinking Lights by AHuxley · · Score: 1

      Some sort of induction ring around the router and shielded computer to log events?
      A reverse TEMPEST to see what's been broadcast out at strange times?

      --
      Domestic spying is now "Benign Information Gathering"
  7. Can firmware update reliably clean up infection? by nowwith25percentmore · · Score: 1

    How can we trust a firmware update to reliably clean up an infected device? After all, the firmware update would need to be installed by the currently running infected firmware. Couldn't the current firmware infect the new firmware as it's being installed? Sounds like we might need to JTAG a new image straight to the hardware.

  8. Downloading executing shit by DrYak · · Score: 1

    WTF? No they don't. My router doesn't download and run anything during normal operation and it doesn't need to and shouldn't need to.

    Maybe your own doesn't.

    But lots of equipment provided to clients by telcos (the router you received for free when you signed up for DSL/cable/fibre internet) does.

    In the name of user-friendliness, defined as "my grandma is unable to upgrade the firmware or even configure the settings, so everybody gets auto-updates imposed on them", nearly all of these devices download and run a ton of shit.
    It might be just scripts (to set or update configuration) or it might be a complete firmware upgrade (including the telco's own "optimisation" - you thought preloaded crapware was limited to desktops?)

    Cue the rant by RMS about "autoupdate being a form of remote execution and thus a security danger".

    Anyone who installs a router that downloads stuff and runs it without their express command to do so is simply asking for it.

    Sadly that's a situation that is enforced by telcos on unsuspecting users.
    You have to go out of your way to buy your own personal router, disable its auto-update/auto-configuration capabilities, plug it in and manually configure it and upgrade it to a known good firmware (preferably something from OpenWrt/LEDE if you decide not to trust the original equipment manufacturer).

    On top of that I don't understand why they call out DLLs. Mikrotiks run RouterOS based on Linux, most of which don't use DLLs for anything.

    As pointed out by others, in this case it's the administration software that downloads Windows DLLs from the router and runs them on the admin's PC.
    But all the rants about auto-update and remote execution still apply in this context too.

    And it's not new at all. Microsoft SMB/CIFS "shared printers" provide drivers on the servers. A client Windows system that wants to send documents to a server print queue will also automatically download and run printer drivers in the exact same fashion.

    (But yeah, in this case, it's not the RouterOS itself loading .so and .ko and running them without any user approval).

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  9. Write-protected flash drives by Fencepost · · Score: 1

    My listing for this is years out of date, but is it still the case that the only modern flash drives with hardware write protection are from Kanguru, a few models of PQI, and maybe 1-2 Imation devices?

    Do you allow devices like the secured IODD/Zalman drive enclosures that can be set up for read-only access as well?

    --
    fencepost
    just a little off
    1. Re:Write-protected flash drives by Fencepost · · Score: 1

      Holy smokes, I really was out-of-date. Imation is dead and in a holding company with (possibly) PNY able to make things using the name, PQI appears to no longer have any write-protected drives, Ritek appears to no longer have any write-protected drives and I missed Netac.

      Guess it's Kanguru ($$$), Netac, touchpad-enabled secure drive enclosures and maybe some forensic devices for write-protected drives.

      --
      fencepost
      just a little off