Researchers Crack Open Unusually Advanced Malware that Hid For 5 Years (arstechnica.com)
A malware dubbed ProjectSauron went undetected for five years at a string of organizations, according to security researchers at Kaspersky Lab and Symantec. The malware may have been designed by a state-sponsored group. Researchers say that Project Sauron can disguise itself as benign files and does not operate in predictable ways, making it very tough to detect. Ars Technica reports: Its ability to operate undetected for five years is a testament to its creators, who clearly studied other state-sponsored hacking groups in an attempt to replicate their advances and avoid their mistakes. State-sponsored groups have been responsible for malware like the Stuxnet- or National Security Agency-linked Flame, Duqu, and Regin. Much of ProjectSauron resides solely in computer memory and was written in the form of Binary Large Objects, making it hard to detect using antivirus. Because of the way the software was written, clues left behind by ProjectSauron in so-called software artifacts are unique to each of its targets. That means that clues collected from one infection don't help researchers uncover new infections. Unlike many malware operations that reuse servers, domain names, or IP addresses for command and control channels, the people behind ProjectSauron chose a different one for almost every target.
Launch on bootup (Score:2, Interesting)
How does this thing bootstrap itself without leaving traces?
Re: (Score:1)
How does this thing bootstrap itself without leaving traces?
Automagically, of course.
Re: (Score:3)
Possible answer to your question. From the article:
"Once installed, the main Project Sauron modules start working as 'sleeper cells,' displaying no activity of their own and waiting for 'wake-up' commands in the incoming network traffic," Kaspersky researchers wrote in a separate blog post. "This method of operation ensures Project Sauron’s extended persistence on the servers of targeted organizations."
Re: (Score:2)
"Once installed, the main Project Sauron modules start working as 'sleeper cells"
So, this was written by ISIS?
More likely written by (Score:1)
Microsoft and called Windows 10.
Re: (Score:2)
Yikes! That's even worse!
Re: (Score:2)
"Once installed, the main Project Sauron modules start working as 'sleeper cells"
So, this was written by ISIS?
It's smarter than that.
Re:Launch on bootup (Score:4, Interesting)
"Once installed, the main Project Sauron modules start working as 'sleeper cells"
So, this was written by ISIS?
Well, if they're really sleeping they may just be Boeing employees.
("Sleeper cell" was the unofficial name for small groups at Boeing that would sometimes disappear during work and take a snooze in obscure parts of the main assembly plants in Renton and Everett. There were lots of places a guy could go to catch a nap, places that no one would ever stumble across by accident. Like the Surplus Equipment Storage Room in the Renton paint facility or the "Break/Fix/Awaiting Service" shed at the Everett plant. I MEAN, THAT'S WHAT I HEARD...)
Re: (Score:2)
Were you doing "quality control" on your optical sensor covers, looking for any holes, in those choice locations? ;)
One employee that works at the same job site as me is described this way by others:
"We have to wake him up to tell him it's time to go home for the day".
He defines sleeper cell.
Re: (Score:2)
Were you doing "quality control" on your optical sensor covers, looking for any holes, in those choice locations? ;)
I never slept on the job, but I know some people that I'm sure did. I was usually in an office and rarely visited the assembly line.
Re: (Score:1)
Possible answer to your question. From the article:
"Once installed, the main Project Sauron modules start working as 'sleeper cells,' displaying no activity of their own and waiting for 'wake-up' commands in the incoming network traffic," Kaspersky researchers wrote in a separate blog post. "This method of operation ensures Project Sauron’s extended persistence on the servers of targeted organizations."
So, how does it continuously poll network traffic looking for 'wake-up' commands? Is that not activity?
Re: Launch on bootup (Score:1)
It sits on Windows domain controllers where there's lots of genuine network traffic.
Re: Launch on bootup (Score:1)
More to the point, it masquerades as a Windows password filter, so I guess it is always present but hiding.
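Added note, not part of the thread: a password filter can only load if it is listed in the LSA "Notification Packages" registry value, so a defender can audit that value on each domain controller and flag any entry that is not a validly Microsoft-signed DLL. The script below is an illustrative check written for this page, not code from the researchers or from Microsoft; it assumes an elevated PowerShell session on the DC being inspected.

```powershell
# Added example (not from the thread): audit the DLLs Windows loads as password filters.
# LSA reads the REG_MULTI_SZ value "Notification Packages" and loads each bare name as
# <name>.dll from System32. ProjectSauron persisted as one of these, so an entry that is
# unsigned, not Microsoft-signed, or unknown to the baseline is what to triage.
# Assumption: run elevated on the domain controller; the default entry is normally "scecli".

$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$packages = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages'
$system32 = Join-Path $env:SystemRoot 'System32'

# Known-good baseline for this check (assumption; extend per environment, e.g. "rassfm").
$baseline = @('scecli')

foreach ($name in $packages) {
    if ([string]::IsNullOrWhiteSpace($name)) { continue }
    $dll = Join-Path $system32 "$name.dll"

    if (-not (Test-Path $dll)) {
        Write-Output "[?]  $name -> $dll not found (dangling entry; check the key was not edited)"
        continue
    }

    # Get-AuthenticodeSignature also resolves catalog signatures for OS files.
    $sig    = Get-AuthenticodeSignature -FilePath $dll
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

    $signedByMicrosoft = ($sig.Status -eq 'Valid') -and ($signer -like '*Microsoft*')
    $inBaseline        = $baseline -contains $name

    $tag = if ($signedByMicrosoft -and $inBaseline) { '[ok]' } else { '[!!]' }
    Write-Output "$tag $name -> $dll  status=$($sig.Status)  signer=$signer  baseline=$inBaseline"
}
```

A "[!!]" line is a triage lead, not proof of compromise; confirm with the file's hash, creation time and the DC's change history before acting.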
Re: (Score:3)
My computer uses Velcro.
I'm safe.
Admiration and Trepidation (Score:5, Interesting)
Re:Admiration and Trepidation (Score:5, Insightful)
This is why we (in general) are moving to a whitelist arrangement for software.
At the very least, disable execution of code from any user writable area.
Makes ya wonder what else is hiding out there, inside every household appliance, every modern car, every LOL cat.
Re: (Score:2)
Too many of those LOL Cheeseburgers will clog your computer's arteries, causing a kernel panic!
Re: (Score:2)
Too many of those LOL Cheeseburgers will clog your computer's arteries, causing a kernel panic!
So will popcorn [gocomics.com]
Re: (Score:2)
Kernel Sanders' chicken also has that affect...
Re: (Score:2)
*effect
Not enough coffee, and/or too much time on slash.
Sauron (Score:3)
"The world is changing... I can feel it in the water."
Something has been awoken. It's senses it's time has come.
Re: (Score:1)
" It's senses it's time has come."
Jesus FUCKING CHRIST, it's like getting an ice pick in each eye! Every time! IT'S MEANS IT IS!!!!!!!!
IT IS SENSES IT IS TIME HAS COME!!???????????
Fuck me!
Re: (Score:2)
Good catch. Sorry about the incorrect use of its.
Perhaps you could turn down the volume a tad though?
Oh, this is Slashdot, never mind.
Re: (Score:2)
Good catch.
By writing "Good catch", you suggest that you don't often make such errors. May I suggest you read up on the difference between the words effect and affect? Once you have done that: Re-read your Colonel Sanders post and ask yourself whether you made the right choice in that instance.
Re: (Score:2)
By writing "Good catch", you suggest that you don't often make such errors.
I was thanking them for pointing out my grammatical mistake; I do make them, and sometimes more than I would like. I do not determine my value or self-worth on how well I can communicate on Slashdot.
May I suggest you read up on the difference between the words effect and affect?
I do often confuse those two, not every time, but I did then. I'm glad this is a discussion board and not an essay for a grammar class, I guess I would be in real trouble if it was. I thought for a minute you were assuming the role of a condescending professor, funny. It must be hard living in a world full of p
Firmware? (Score:4, Interesting)
So, maybe the reason Symantec/Kaspersky didn't find the method used to jump the air gap is that the penetration code was in a flash drive's firmware.
Scenario: Internet facing machine got breached by one of gazillion methods. Perpetrators sit there, collect login credentials. Then, one day, someone inserts a flashdrive. Firmware is replaced by attack code that makes the drive represent itself as a keyboard. Flash drive then inserted into an airgapped system...
Other scenarios: Given how much resources attacker has (attacks are waaay too, ahem, tailored), they might have done a postal intercept (NSA style) or even breached the flashdrive manufacturer.
There might be traces of reflashing left. Or it might be that the initial overwrite was destructive and that the poisoned flash drive was declared dead (after being plugged into a couple of other airgapped machines, just to be sure).
So it might be a good idea for Kaspersky to rummage through the dead thumbdrive drawer.
Re: (Score:3)
For an organization capable of doing all this, using BadUSB or some other attack would certainly be in the realm of plausibility.
I love how people think that "air-gapped" means "successfully isolated" though. Not only do you have the obvious vector of floppy^H^H^H^H^H^H USB transmission, but there are plenty of other esoteric methods that have been demonstrated in labs and could be used to infiltrate commands to a listener and exfiltrate data back out. If you're walking to an air-gapped system with a laptop
And it was called (Score:3)
"Researchers Crack Open Unusually Advanced Malware that Hid For 5 Years", and it was found that internally the authors named it "Windows 10 Extra Telemetry Edition"