Researchers Crack Open Unusually Advanced Malware that Hid For 5 Years

A malware dubbed ProjectSauron went undetected for five years at a string of organizations, according to security researchers at Kaspersky Lab and Symantec. The malware may have been designed by a state-sponsored group. Researchers say that Project Sauron can disguise itself as benign files and does not operate in predictable ways, making it very tough to detect. Ars Technica reports: Its ability to operate undetected for five years is a testament to its creators, who clearly studied other state-sponsored hacking groups in an attempt to replicate their advances and avoid their mistakes. State-sponsored groups have been responsible for malware like the Stuxnet- or National Security Agency-linked Flame, Duqu, and Regin. Much of ProjectSauron resides solely in computer memory and was written in the form of Binary Large Objects, making it hard to detect using antivirus. Because of the way the software was written, clues left behind by ProjectSauron in so-called software artifacts are unique to each of its targets. That means that clues collected from one infection don't help researchers uncover new infections. Unlike many malware operations that reuse servers, domain names, or IP addresses for command and control channels, the people behind ProjectSauron chose a different one for almost every target.

Launch on bootup

[Anonymous Coward]

How does this thing boot strap it's self without leaving traces?

Re:

[Anonymous Coward]

How does this thing boot strap it's self without leaving traces?

Automagically, of course.

Re:

[Anonymous Coward]

By it's boot straps. Duh.

Re:

[The-Ixian]

Possible answer to your question. From the article;

"Once installed, the main Project Sauron modules start working as 'sleeper cells,' displaying no activity of their own and waiting for 'wake-up' commands in the incoming network traffic," Kaspersky researchers wrote in a separate blog post. "This method of operation ensures Project Sauron’s extended persistence on the servers of targeted organizations."

Re:

[npslider]

"Once installed, the main Project Sauron modules start working as 'sleeper cells"

So, this was written by ISIS?

More likely written by

[Anonymous Coward]

Microsoft and called Windows 10.

Re:

[npslider]

Yikes! That's even worse!

Re:

[poofmeisterp]

"Once installed, the main Project Sauron modules start working as 'sleeper cells"

So, this was written by ISIS?

It's smarter than that.

Re:Launch on bootup

[JustAnotherOldGuy]

"Once installed, the main Project Sauron modules start working as 'sleeper cells"

So, this was written by ISIS?

Well, if they're really sleeping they may just be Boeing employees.

("Sleeper cell" was the unofficial name for small groups at Boeing that would sometimes disappear during work and take a snooze in obscure parts of the main assembly plants in Renton and Everett. There were lots of places a guy could go to catch a nap, places that no one would ever stumble across by accident. Like the Surplus Equipment Storage Room in the Renton paint facility or the "Break/Fix/Awaiting Service" shed at the Everett plant. I MEAN, THAT'S WHAT I HEARD...)

Re:

[npslider]

Were you doing "quality control" on your optical sensor covers, looking for any holes, in those choice locations? ;)

One employee that works at the same job site as me is described this way by others:

"We have to wake him up to tell him it's time to go home for the day".

He defines sleeper cell.

Re:

[JustAnotherOldGuy]

Were you doing "quality control" on your optical sensor covers, looking for any holes, in those choice locations? ;)

I never slept on the job, but I know some people that I'm sure did. I was usually in an office and rarely visited the assembly line.

Re:

[quonsar]

Possible answer to your question. From the article;

"Once installed, the main Project Sauron modules start working as 'sleeper cells,' displaying no activity of their own and waiting for 'wake-up' commands in the incoming network traffic," Kaspersky researchers wrote in a separate blog post. "This method of operation ensures Project Sauron’s extended persistence on the servers of targeted organizations."

So, how does it continuously poll network traffic looking for 'wake-up' commands? Is that not activity?

Re: Launch on bootup

[bestweasel]

It sits on Windows domain controllers where there's lots of genuine network traffic.

Re: Launch on bootup

[bestweasel]

More to the point, it masquerades as a Windows password filter so I guess it is always present but hiding.

Re:

[npslider]

My computer uses Velcro.

I'm safe.

Admiration and Trepidation

[Dust038]

As an IT guy trying desperately to keep his network clean I have both admiration and trepidation towards the time, money, and thought process to create such a beast. Doesn't matter if state sponsored or not, the team was able to create something that hid for 5 years. Whomever you guys/girls are you have my admiration for your ability.

Re:Admiration and Trepidation

[The-Ixian]

This is why we (in general) are moving to a whitelist arrangement for software.

At the very least, disable execution of code from any user writable area.

Re:

[hAckz0r]

You have many processors (DMA, GPU, Bus controllers, network boards, IO boards, keyboards, etc) installed in your every day computers, and many pidgin holes in the memory pages that can be utilized for encrypted blobs. When the malware itself is not executed, touched by, or managed by your CPU then your white-list running under your CPU's control won't help much. You want to be running VT-d/IOMMU/IMA based software protection to lock things down as much as possible. While you wait for your BIOS to finish se

Re:

[npslider]

Makes ya wonder what else is hiding out there, inside every household appliance, every modern car, every LOL cat.

Re:

[npslider]

Too many of those LOL Cheeseburgers will clog your computer's arteries, causing a kernel panic!

Re:

[bobthesungeek76036]

Too many of those LOL Cheeseburgers will clog your computer's arteries, causing a kernel panic!

So will popcorn [gocomics.com]

Re:

[npslider]

Kernel Sanders' chicken also has that affect...

Re:

[npslider]

*effect

Not enough coffee, and-or too much time on slash.

Sauron

[npslider]

"The world is changing... I can feel it in the water."

Something has been awoken. It's senses it's time has come.

Re:

[Anonymous Coward]

" It's senses it's time has come."

Jesus FUCKING CHRIST, it's like getting an ice pick in each eye! Every time! IT'S MEANS IT IS!!!!!!!!

IT IS SENSES IT IS TIME HAS COME!!???????????

Fuck me!

Re:

[npslider]

Good catch. Sorry about the incorrect use of its.

Perhaps you could turn down the volume a tad though?

Oh, this is Slashdot, never mind.

Re:

[telchine]

Good catch.

By writing "Good catch", you suggest that you don't often make such errors. May I suggest you read up on the difference between the words effect and affect? Once you have done that: Re-read your Colonel Sanders post and ask yourself whether you made the right choice in that instance.

Re:

[npslider]

By writing "Good catch", you suggest that you don't often make such errors.

I was thanking them for pointing out my grammatical mistake; I do make them, and sometimes more than I would like. I do not determine my value or self-worth on how well I can communicate on Slashdot.

May I suggest you read up on the difference between the words effect and affect?

I do often confuse those two, not every time, but I did then. I'm glad this is a discussion board and not an essay for a grammar class, I guess I would be in real trouble if it was. I thought for a minute you were assuming the role of a condescending professor, funny. It must be hard living in a world full of p

Re:

[account_deleted]

Comment removed based on user account deletion

Firmware?

[sshir]

Couple years back I've revived a dead flash drive. I was following instructions I found on YouTube. The whole experience was disconcertingly painless - it was way too easy to reflash the drive with new, manufacturer supplied firmware.

So, may be the reason Symantec/Kaspersky didn't find the method used to jump the airgap is that the penetration code was in a flashdrive's firmware.
Scenario: Internet facing machine got breached by one of gazillion methods. Perpetrators sit there, collect login credentials. Then, one day, someone inserts a flashdrive. Firmware is replaced by attack code that makes the drive represent itself as a keyboard. Flash drive then inserted into an airgapped system...
Other scenarios: Given how much resources attacker has (attacks are waaay too, ahem, tailored), they might have done a postal intercept (NSA style) or even breached the flashdrive manufacturer.

There might be traces of reflashing left. Or it might be that the initial overwrite was destructive and that the poisoned flash drive was declared dead (after being plugged into a couple of other airgapped machines, just to be sure).
So it might be a good idea for Kaspersky to rummage through dead thumbdrives drawer.

Re:

[Etcetera]

For an organization capable of doing all this, using BadUSB or some other attack would certainly be in the realm of plausibility.

I love how people think that "air gaped" means "successfully isolated" though. Not only do you have the obvious vector of floppy^H^H^H^H^H^H USB transmission, but there are plenty of other esoteric methods that have been demonstrated in labs and could be used to infiltrate commands to a listener and exfiltrate data back out. If you're walking to an air-gapped system with a laptop

I admit it

[Kinwolf]

I was the one who developed it, but it was only supposed to infect Slashdot network as to snif out who were the Anonymous Coward posters, and if there really was human editors working at slashdot.

And it was called

[JustAnotherOldGuy]

"Researchers Crack Open Unusually Advanced Malware that Hid For 5 Years", and it was found that internally the authors named it "Windows 10 Extra Telemetry Edition"

Unusually Advanced Malware?

[khz6955]

Has it become slashdot policy to never mention Microsoft Windows in relation to malware.