'Slingshot' Malware That Hid For Six Years Spread Through Routers

An anonymous reader quotes a report from Engadget: Security researchers at Kaspersky Lab have discovered what's likely to be another state-sponsored malware strain, and this one is more advanced than most. Nicknamed Slingshot, the code spies on PCs through a multi-layer attack that targets MikroTik routers. It first replaces a library file with a malicious version that downloads other malicious components, and then launches a clever two-pronged attack on the computers themselves. One, Canhadr, runs low-level kernel code that effectively gives the intruder free rein, including deep access to storage and memory; the other, GollumApp, focuses on the user level and includes code to coordinate efforts, manage the file system and keep the malware alive. Kaspersky describes these two elements as "masterpieces," and for good reason. For one, it's no mean feat to run hostile kernel code without crashes. Slingshot also stores its malware files in an encrypted virtual file system, encrypts every text string in its modules, calls services directly (to avoid tripping security software checks) and even shuts components down when forensic tools are active. If there's a common method of detecting malware or identifying its behavior, Slingshot likely has a defense against it. It's no wonder that the code has been active since at least 2012 -- no one knew it was there. Recent MikroTik router firmware updates should fix the issue. However, there's concern that other router makers might be affected.

10 of 72 comments

  1. Meanwhile on your mobile devices.... by bug1 · Score: 3, Interesting

    Over that time you or someone using your wireless network has installed dozens of apps that have been legally spying on you and selling your data to anyone who will pay a few cents.

    1. Re:Meanwhile on your mobile devices.... by 605dave · Score: 4, Informative

      This is the biggest scandal no one cares about. I am involved in politics and the upcoming election, and was just demoed a service that was beyond creepy. Basically they provide a library that is widely used by developers, and by the saleswoman's account their stack was in an app on 80% of phones in the world. Android or iOS.

      During the pitch she spoke of micro-targeting people, and suggested we could see who was at a certain large political rally in DC for both of the last two years. While immediately creepy in its own right, I asked how her company could take supposedly anonymized info from location sharing and match it with an actual person. She replied that they simply geofenced the phones while people were probably asleep, which after a while gave away their home address. They could then match that location with voter files and people's names.

      The implications of this one example were staggering to me. Would you suspect a popular game or restaurant app could be used to completely profile you by a third party? We do around here, but most people don't. They don't get the connections. But I asked if she thought people would be unhappy knowing that apps were secretly being used to share such personal information. To her credit she said yes, they would. And she admitted the service would be illegal in Europe.

      In the end I told her that as a privacy advocate I wanted to throw up in the back of my throat (actual quote), but as an advisor to campaigns I would have to tell them to use the tech. You don't bring a knife to a data fight, and it's clear it's a data fight now.

      --
      Be kind, for everyone you meet is fighting a difficult battle. - Plato
  2. Doing fantastic work by lordlod · Score: 5, Insightful

    This is just the latest of a number of state sponsored attacks that Kaspersky has published details on. They are doing fantastic work.

    Whatever your view on the level of the cooperation with the Russian state, exposing these sophisticated attacks and attack vectors makes us all safer.

    1. Re:Doing fantastic work by AHuxley · Score: 2

      Yes, Kaspersky has helped security research all over the net, in devices.
      Stuxnet, Flame, Equation Group https://en.wikipedia.org/wiki/... and many others.

      --
      Domestic spying is now "Benign Information Gathering"
  3. More questions than answers by AlanObject · Score: 5, Interesting

    The article doesn't call out what versions are affected. My router has 6.40.3 and an upgrade command says that's the latest.

    But the bigger problem I have is: (from the TFA)

    Routers download and run various DLL files in the normal course of business.

    WTF? No they don't. My router doesn't download and run anything during normal operation and it doesn't need to and shouldn't need to. During an upgrade sure.

    Anyone who installs a router that downloads stuff and runs it without their express command to do so is simply asking for it.

    On top of that I don't understand why they call out DLLs. Mikrotiks run RouterOS based on Linux, most of which don't use DLLs for anything.

    1. Re:More questions than answers by complete+loony · Score: 3, Interesting

      Winbox was insecure by design. It downloaded DLLs from the router and ran them.

      How were the routers infected? Some already known exploit, or intercepting the devices during shipping? Who knows.

      --
      09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
    2. Re:More questions than answers by l0n3s0m3phr34k · Score: 5, Interesting

      We recently had to admonish our telecom contractor over his re-use of a USB stick. He was using it to update firmware on our IPECS phone system; when asked "Is that write-protected and in read-only mode?" he didn't really know what we were talking about. When asked "How many other companies have you used that USB stick in since the last low-level format?" the light bulb came on. After that we started making him download the firmware on our network, and use a USB stick we provided. We have to be 800-171 compliant for DoD contracts, so this stuff matters.

    3. Re:More questions than answers by Anonymous Coward · Score: 3, Informative

      The full technical paper can be found here:

      https://s3-eu-west-1.amazonaws...

    4. Re:More questions than answers by Anonymous Coward · Score: 2, Informative

      Mikrotik is quite special. The routers are administered via a special tool 'WinBox'. When you connect to a certain type of router a DLL is downloaded to your pc and loaded that tells WinBox how to talk to this model. Of course, if you replace this DLL with a backdoored one then the administrator PC will get hacked.

      I have always found this setup quite risky. There is public code available that runs a fake Mikrotik router, serving a DLL of your choice: https://0day.today/exploit/18143 You only need to replace one AP in a building with something running this tool and the network administration PC could be hacked (some management things log in repeatedly without user interaction).
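
As an added defensive check for the WinBox behaviour described above (this is not code from the thread or from MikroTik), the following PowerShell lists the DLLs currently mapped into a running WinBox process and flags any that are not validly Authenticode-signed or that were loaded from a user-writable profile directory. It assumes the process is named winbox and that router-served DLLs land under the user's profile; both are assumptions to adjust for your install.

```powershell
# Added example, not from the thread or MikroTik. Assumption: the WinBox
# process is named "winbox"; adjust if your install differs. Run from a
# 64-bit PowerShell if WinBox is 64-bit, otherwise .Modules cannot be read.
function Get-WinboxSuspiciousModules {
    param([string]$ProcessName = 'winbox')

    $procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
    if (-not $procs) { Write-Warning "$ProcessName is not running"; return }

    # Directories a non-admin user can write to; a DLL fetched from the
    # router and cached for loading would normally land under one of these.
    $userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:USERPROFILE) |
        Where-Object { $_ }

    $report = foreach ($p in $procs) {
        foreach ($m in $p.Modules) {
            $path = $m.FileName
            $sig  = Get-AuthenticodeSignature -FilePath $path
            $inUserDir = [bool]($userWritable | Where-Object {
                $path.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase) })
            [pscustomobject]@{
                Process   = "$($p.ProcessName):$($p.Id)"
                Module    = $m.ModuleName
                Path      = $path
                # Valid, NotSigned, HashMismatch, ... Catalog-signed OS DLLs
                # show as Valid on Windows 8+/PowerShell 5.1; on older
                # systems they can read NotSigned, so triage by path too.
                SigStatus = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                UserDir   = $inUserDir
            }
        }
    }

    # Anything unsigned, tampered, or loaded from a user-writable path
    # deserves a look before that PC is trusted to manage routers again.
    $report | Where-Object { $_.SigStatus -ne 'Valid' -or $_.UserDir }
}

Get-WinboxSuspiciousModules | Format-Table -AutoSize
```

An empty table is the expected result on a clean admin workstation; the check only sees modules already loaded, so run it while WinBox is connected to a router.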

  4. Re:Hang them. by butzwonker · Score: 2

    Maybe I'm wrong, but I thought that part of the NSA's obligations is only to protect US infrastructure vital to national security and DoD IT systems, not private infrastructure, individual citizens' home networks or companies in general. They probably are allowed to inform and advise larger corporations of threats, but that's about it. Their main role is SIGINT.

    So yes, of course they will hoard and weaponize exploits. In case of these routers, the above AC is right, that could easily be an NSA exploit. It depends on where these routers are primarily used and where the compromised routers were located.