'Slingshot' Malware That Hid For Six Years Spread Through Routers
An anonymous reader quotes a report from Engadget: Security researchers at Kaspersky Lab have discovered what's likely to be another state-sponsored malware strain, and this one is more advanced than most. Nicknamed Slingshot, the code spies on PCs through a multi-layer attack that targets MikroTik routers. It first replaces a library file with a malicious version that downloads other malicious components, and then launches a clever two-pronged attack on the computers themselves. One, Canhadr, runs low-level kernel code that effectively gives the intruder free rein, including deep access to storage and memory; the other, GollumApp, focuses on the user level and includes code to coordinate efforts, manage the file system and keep the malware alive. Kaspersky describes these two elements as "masterpieces," and for good reason. For one, it's no mean feat to run hostile kernel code without crashes. Slingshot also stores its malware files in an encrypted virtual file system, encrypts every text string in its modules, calls services directly (to avoid tripping security software checks) and even shuts components down when forensic tools are active. If there's a common method of detecting malware or identifying its behavior, Slingshot likely has a defense against it. It's no wonder that the code has been active since at least 2012 -- no one knew it was there. Recent MikroTik router firmware updates should fix the issue. However, there's concern that other router makers might be affected.
Meanwhile on your mobile devices.... (Score:3, Interesting)
Over that time you or someone using your wireless network has installed dozens of apps that have been legally spying on you and selling your data to anyone who will pay a few cents.
Re:Meanwhile on your mobile devices.... (Score:5, Informative)
This is the biggest scandal no one cares about. I am involved in politics and the upcoming election, and was just demoed a service that was beyond creepy. Basically they provide a library that is widely used by developers, and by the saleswoman's account their stack was in an app on 80% of phones in the world. Android or iOS.
During the pitch she spoke of micro targeting people, and suggested we could see who was at a certain large political rally in DC for both of the last two years. While immediately creepy in its own right, I asked how her company could take supposedly anonymized info from location sharing and match it with an actual person. She replied that they simply geofenced the phones while people were probably asleep, which after a while gave away their home address. They could then match that location with voter files and people's names.
The implications of this one example were staggering to me. Would you suspect a popular game or restaurant app could be used to completely profile you by a third party? We do around here, but most people don't. They don't get the connections. But I asked if she thought people would be unhappy knowing that apps were secretly being used to share such personal information. To her credit she said yes they would. And she admitted the service would be illegal in Europe.
In the end I told her that as a privacy advocate I wanted to throw up in the back of my throat (actual quote), but as an advisor to campaigns I would have to tell them to use the tech. You don't bring a knife to a data fight, and it's clear it's a data fight now.
Re: (Score:2)
I told her that as a privacy advocate I wanted to throw up in the back of my throat (actual quote), but as an advisor to campaigns I
You can't claim to be a privacy advocate while working a career that requires you to do the exact opposite. [merriam-webster.com]
Re: (Score:2)
I can see where you might see a contradiction. However I do know that my many conversations with elected officials have had an effect on net neutrality support and encryption rights. I do have to wear two hats, and I don't like it. But right now those who oppose net freedoms are using these tools to defeat those efforts. Trump is in office because of data tools like these. I cannot tell those opposing him not to use the legal tools at their disposal.
Re: (Score:2)
I cannot tell those opposing him not to use the legal tools at their disposal.
Assert.Bullshit();
You can absolutely tell them not to use those tools. Just like you can (for instance) tell them not to sponsor misleading but legal attack ads. Furthermore, they can then proclaim that they don't use them, and then have serious conversations about whether such a practice ought to be legal without looking the hypocrite.
I appreciate your work under the one hat. I would like to appreciate your work under the other, and I understand how the situation is difficult for you. But it is doublespeak
Re: (Score:2)
So I should tell people not to use the legal tools their competition is using? It's better to be a noble loser that cannot effect change than an elected official who can? What is being offered is perfectly legal at this point. And for the record I brought up this very topic of micro targeting and shared data with a Senator last weekend urging them to make this sort of thing illegal. So while trying to get elections won I am seeding the idea of addressing the abuse legally. Until you have to navigate these
Re: (Score:2)
I posted the company elsewhere in this thread, but here ya go. www.phunware.com. Contact me if you would like more info
Re: (Score:2)
www.phunware.com
Hang them. (Score:2)
Why can we not find these assholes, and publicly hang them? And leave them dangling for a while for all to see. They are poisoning the well - this is not cute hacker fun. This is, and has been, very serious. And nothing seems to be done about it.
Re: (Score:1)
Interesting example since post analysis revealed that the American intelligence agencies knew about the terrorist's activities in advance, and did not intervene.
So, they failed exactly where it mattered most. And as punishment we gave them even more power.
Re: (Score:2)
Who said anything about announcing? How about not letting it happen? Had they done their jobs, the terrorists would have had perfectly ordinary seeming accidents or been found with large amounts of heroin and locked away. Instead, they caused 9/11.
Re: (Score:2)
If t
Re: (Score:3)
Maybe I'm wrong, but I thought that part of the NSA's obligations is only to protect US infrastructure vital to national security and DoD IT systems, not private infrastructure, individual citizens' home networks or companies in general. They probably are allowed to inform and advise larger corporations of threats but that's about it. Their main role is SIGINT.
So yes, of course they will hoard and weaponize exploits. In case of these routers, the above AC is right, that could easily be an NSA exploit. It de
Re: (Score:2)
Maybe I'm wrong, but I thought that part of the NSA's obligations is only to protect US infrastructure vital to national security and DoD It systems, not private infrastructure, individual citizens' home networks or companies in general.
This is mostly true, though it's all US government infrastructure and not just the DoD; however, there's a lot of private infrastructure that is critical for national security and so they don't make such a hard distinction. It doesn't matter if your air force is still working fine if none of your personnel can make it to the airbase because civilian infrastructure has collapsed. If a vulnerability is discovered in a home router, you'd better be very sure that no one in the chain of command (and no elected
Re: (Score:2)
WTF? I don't think you are making sense.
Re: (Score:2)
I've never worried about that actually, and not because I feel the government is preventing it.
Many other things the government does to "protect" me from that, however, I worry about constantly.
Re: (Score:2)
You're an idiot.
Doing fantastic work (Score:5, Insightful)
This is just the latest of a number of state sponsored attacks that Kaspersky has published details on. They are doing fantastic work.
Whatever your view on the level of the cooperation with the Russian state, exposing these sophisticated attacks and attack vectors makes us all safer.
Re: (Score:3)
Stuxnet, Flame, Equation Group https://en.wikipedia.org/wiki/... [wikipedia.org] and many others.
Re: (Score:1)
Maybe they are uncovering their own old malware just to look clean.
Re: (Score:1)
I've yet to find an article that tells you how to detect and remove Slingshot. Gotta pay up for some Kaspersky protection to get that info?
Re: (Score:2)
So update your firmware and you're good. Even if you don't have an infection you should update to prevent it.
Forensic tools as a counter measure (Score:1)
Which forensic tools should I keep active in order to have those viruses conveniently shut down components while they think I am a researcher looking for them? :D
Re: (Score:2)
Recall the CIA and who could find what code over years? Lots of different AV software missed detection. Some brands of AV had some better ideas about what system was infected.
"Found in the wild: Vault7 hacking tools WikiLeaks says come from CIA" (4/10/2017)
https://arstechnica.com/inform... [arstechnica.com]
More questions than answers (Score:5, Interesting)
The article doesn't call out what versions are affected. My router has 6.40.3 and an upgrade command says that's the latest.
But the bigger problem I have is: (from the TFA)
Routers download and run various DLL files in the normal course of business.
WTF? No they don't. My router doesn't download and run anything during normal operation and it doesn't need to and shouldn't need to. During an upgrade sure.
Anyone who installs a router that downloads stuff and runs it without their express command to do so is simply asking for it.
On top of that I don't understand why they call out DLLs. Mikrotiks run RouterOS based on Linux, most of which don't use DLLs for anything.
Re: (Score:2)
Some nation is pushing malware upgrades into devices and they are being accepted as a normal upgrade by the device.
Some methods used are a random walk-in in person from "tech" support with their USB device. A chat with the boss and the device is upgraded.
A person is away from home at work and their network is on. The device gets a nation state malware upgrade pushed down the network.
Lots of ways in with a person, via
Re: (Score:2)
Tech support talking fast and seen by staff talking to the boss then moving to any computer with their USB files?
A charming NGO worker (spy) with a video to play on a computer on the trusted side of a network to show the boss how a "charity" event went...
How many get the malware update via the internet pushed down in the wild?
Write-protected flash drives (Score:2)
Do you allow devices like the secured IODD/Zalman drive enclosures that can be set up for read-only access as well?
Re: (Score:2)
Guess it's Kanguru ($$$), Netac, touchpad-enabled secure drive enclosures and maybe some forensic devices for write-protected drives.
Re:More questions than answers (Score:4, Interesting)
Winbox was insecure by design. It downloaded DLLs from the router and ran them.
How were the routers infected? Some already known exploit, or intercepting the devices during shipping? Who knows.
Re: (Score:3, Informative)
The full technical paper can be found here:
https://s3-eu-west-1.amazonaws... [amazonaws.com]
Re: (Score:2, Informative)
Mikrotik is quite special. The routers are administered via a special tool, 'WinBox'. When you connect to a certain type of router a DLL is downloaded to your PC and loaded that tells WinBox how to talk to this model. Of course, if you replace this DLL with a backdoored one then the administrator PC will get hacked.
I have always found this setup quite risky. There is public code available that runs a fake Mikrotik router, serving a DLL of your choice: https://0day.today/exploit/18143 You only need to replace
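The two comments above describe the same design weakness: a management client that fetches per-model plug-in code from the device it administers and loads whatever it receives. The usual mitigation is to make the client refuse code it cannot match against something it already trusts. The following is an added example, not code from the thread, from MikroTik or from WinBox: a client-side gate that pins a manifest of SHA-256 digests shipped with the client (never fetched from the device) and rejects any plug-in that is unknown or whose digest differs. The plug-in names, payloads and digests are constructed for the demo.

```python
"""Verify-before-load for plug-ins fetched from a managed device.

Added example: the manifest, plug-in names and payloads are constructed;
none of this is MikroTik's or WinBox's code. The point is that the trust
anchor (the manifest) lives on the client, so a device serving a swapped
plug-in cannot also serve a matching digest.
"""
import hashlib
import hmac

def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()

# Constructed stand-ins for per-model plug-in binaries. The tampered copy is
# the good one with extra bytes appended, the way a swapped DLL would differ.
GOOD_PLUGIN = b"demo plugin v1: protocol handler for model X"
TAMPERED_PLUGIN = GOOD_PLUGIN + b"\x00extra-code"

# Hypothetical pinned manifest. In a real client this ships with the
# installer (or is signed by the vendor); it is NOT requested from the router.
PINNED_MANIFEST = {
    "model_x_plugin.dll": sha256_hex(GOOD_PLUGIN),
}

class UntrustedPluginError(Exception):
    """Raised when a fetched plug-in fails the pinned-digest check."""

def verify_plugin(name: str, blob: bytes, manifest=PINNED_MANIFEST) -> str:
    """Return the digest if `blob` matches the pinned entry for `name`.

    Unknown names are rejected outright: a device cannot introduce new
    plug-ins just by naming them. Digest comparison is constant-time.
    """
    expected = manifest.get(name)
    if expected is None:
        raise UntrustedPluginError(f"{name}: not in pinned manifest")
    actual = sha256_hex(blob)
    if not hmac.compare_digest(actual, expected):
        raise UntrustedPluginError(f"{name}: digest mismatch")
    return actual

def load_plugin_from_device(name: str, fetched_blob: bytes) -> str:
    """Simulated load path: verification gates the (simulated) load step."""
    verify_plugin(name, fetched_blob)
    # A real client would only now hand the bytes to the loader.
    return f"loaded {name} ({len(fetched_blob)} bytes)"

def classify(name: str, blob: bytes) -> str:
    """Outcome of attempting to load what a device served: accepted/rejected."""
    try:
        load_plugin_from_device(name, blob)
        return "accepted"
    except UntrustedPluginError as err:
        return f"rejected: {err}"

if __name__ == "__main__":
    # Honest device, tampered device, and a device offering an unknown plug-in.
    print(classify("model_x_plugin.dll", GOOD_PLUGIN))
    print(classify("model_x_plugin.dll", TAMPERED_PLUGIN))
    print(classify("helpful_extra.dll", GOOD_PLUGIN))
```

The pinned manifest is the whole design choice: whichever side serves the code must not also be the side that decides whether it is acceptable. A vendor-signed manifest would serve the same purpose with less operational pain than hard-coded digests, but the check at load time is the same.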
Downloading executing shit (Score:2)
WTF? No they don't. My router doesn't download and run anything during normal operation and it doesn't need to and shouldn't need to.
Maybe your own doesn't.
But lots of equipment provided to clients by telcos (the router that you received for free when you signed up for DSL/cable/fibre internet) do.
In the name of user-friendliness, defined as "my grandma is unable to upgrade the firmware nor even configure the settings, so auto-updates are imposed on everybody", nearly all of these devices download and run a ton of shit.
It might be just scripts (to set or update configuration) or it might be a complete firmware upgrade (including telco's own "opt
Blinking Lights (Score:2)
"If there's a common method of detecting malware or identifying its behavior, Slingshot likely has a defense against it."
Unplug all computers from the router and see if the router is still trying to broadcast out by watching the blinking lights (assuming they are even present).
Can almost guarantee they didn't bother thinking about old-fashioned forensics.
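The "unplug everything and watch the lights" idea is really a check for traffic that the router originates itself rather than forwards for a client. Where a router (or a tap in front of it) produces connection logs, the same check can be run over those instead of over LEDs. The following is an added example, not from the thread: it parses constructed firewall-style connection records, keeps only flows whose source is the router's own address, drops destinations inside the LAN and a small allowlist of expected router egress (NTP and a vendor update host, both hypothetical), and reports what is left. Addresses, hosts and log lines are all constructed for the demo.

```python
"""Router-originated egress check over constructed connection records.

Added example, not from the thread. Log format, addresses and the
allowlist are constructed; adapt the parser to whatever the real device
emits. Traffic forwarded for LAN clients shows the client's address as
source in a pre-NAT log, so anything sourced from the router's own address
is the router itself talking.
"""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "ts src dst dport proto")

ROUTER_ADDR = ipaddress.ip_address("192.0.2.1")   # router's own address (constructed)
LAN_NET = ipaddress.ip_network("10.0.0.0/24")     # clients behind it (constructed)

# Hypothetical destinations the router is expected to reach on its own:
# an NTP server and a vendor update host. Keep this list short and explicit.
EXPECTED_EGRESS = {("198.51.100.10", 123), ("198.51.100.20", 443)}

# Constructed sample log: two client flows, one NTP sync, one update check,
# and two repeated connections from the router itself to an unexpected host.
SAMPLE_LOG = """\
2018-03-10T02:00:05 src=10.0.0.7 dst=203.0.113.5 dport=443 proto=tcp
2018-03-10T02:01:10 src=192.0.2.1 dst=198.51.100.10 dport=123 proto=udp
2018-03-10T02:03:44 src=192.0.2.1 dst=203.0.113.77 dport=443 proto=tcp
2018-03-10T02:04:01 src=192.0.2.1 dst=203.0.113.77 dport=443 proto=tcp
2018-03-10T02:09:30 src=10.0.0.12 dst=203.0.113.9 dport=80 proto=tcp
2018-03-10T03:15:00 src=192.0.2.1 dst=198.51.100.20 dport=443 proto=tcp
"""

def parse_flow(line: str) -> Flow:
    """Parse one 'ts key=value ...' record into a Flow."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return Flow(ts, fields["src"], fields["dst"], int(fields["dport"]), fields["proto"])

def router_originated(flows):
    """Flows whose source is the router itself, not a forwarded client."""
    return [f for f in flows if ipaddress.ip_address(f.src) == ROUTER_ADDR]

def suspicious_egress(log_text: str):
    """Router-originated flows leaving the LAN that are not on the allowlist."""
    flows = [parse_flow(l) for l in log_text.splitlines() if l.strip()]
    hits = []
    for f in router_originated(flows):
        if ipaddress.ip_address(f.dst) in LAN_NET:
            continue                     # router talking to its own clients (DHCP etc.)
        if (f.dst, f.dport) in EXPECTED_EGRESS:
            continue                     # known, expected router egress
        hits.append(f)
    return hits

def summarize(hits):
    """Count unexpected flows per (destination, port) so repeats stand out."""
    counts = {}
    for f in hits:
        key = (f.dst, f.dport)
        counts[key] = counts.get(key, 0) + 1
    return counts

if __name__ == "__main__":
    for (dst, port), n in summarize(suspicious_egress(SAMPLE_LOG)).items():
        print(f"router -> {dst}:{port}  {n} flow(s) not on the allowlist")
```

The allowlist is the part that needs care: it should be built from what the router is documented to do (time sync, update checks) and then frozen, so that a later change in the router's own egress shows up as a hit rather than being silently accepted.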
Re: (Score:2)
A reverse TEMPEST to see what's been broadcast out at strange times?
Can firmware update reliably clean up infection? (Score:1)