Slashdot Mirror

← Back to Stories (view on slashdot.org)

'Slingshot' Malware That Hid For Six Years Spread Through Routers

Posted by BeauHD on from the under-the-radar dept.

An anonymous reader quotes a report from Engadget: Security researchers at Kaspersky Lab have discovered what's likely to be another state-sponsored malware strain, and this one is more advanced than most. Nicknamed Slingshot, the code spies on PCs through a multi-layer attack that targets MikroTik routers. It first replaces a library file with a malicious version that downloads other malicious components, and then launches a clever two-pronged attack on the computers themselves. One, Canhadr, runs low-level kernel code that effectively gives the intruder free rein, including deep access to storage and memory; the other, GollumApp, focuses on the user level and includes code to coordinate efforts, manage the file system and keep the malware alive. Kaspersky describes these two elements as "masterpieces," and for good reason. For one, it's no mean feat to run hostile kernel code without crashes. Slingshot also stores its malware files in an encrypted virtual file system, encrypts every text string in its modules, calls services directly (to avoid tripping security software checks) and even shuts components down when forensic tools are active. If there's a common method of detecting malware or identifying its behavior, Slingshot likely has a defense against it. It's no wonder that the code has been active since at least 2012 -- no one knew it was there. Recent MikroTik router firmware updates should fix the issue. However, there's concern that other router makers might be affected.

3 of 72 comments (clear)

  1. Doing fantastic work by lordlod · · Score: 5, Insightful

    This is just the latest of a number of state sponsored attacks that Kaspersky has published details on. They are doing fantastic work.

    Whatever your view on the level of the cooperation with the Russian state, exposing these sophisticated attacks and attack vectors makes us all safer.

  2. More questions than answers by AlanObject · · Score: 5, Interesting

    The article doesn't call out what versions are affected. My router has 6.40.3 and an upgrade command says that's the latest.

    But the bigger problem I have is: (from the TFA)

    Routers download and run various DLL files in the normal course of business.

    WTF? No they don't. My router doesn't download and run anything during normal operation and it doesn't need to and shouldn't need to. During an upgrade sure.

    Anyone who installs a router that downloads stuff and runs it without their express command to do so is simply asking for it.

    On top of that I don't understand why they call out DLLs. Mikrotiks run RouterOS based on Linux, most of which don't use DLLs for anything.

    1. Re:More questions than answers by l0n3s0m3phr34k · · Score: 5, Interesting

      We recently had to admonish our telecom contractor over his re-use of a USB stick. He was using it to update firmware on our IPECS phone system; when asked "Is that write-protected and in read-only mode?" he didn't really know what we where talking about. When asked "How many other companies have you used that USB stick in since the last low level format?" the light bulb came on. After that we started making him download the firmware on our network, and use a USB stick we provided. We have to be 800-171 compliant for DoD contracts, so this stuff matters.