'Slingshot' Malware That Hid For Six Years Spread Through Routers
2018-03-12
An anonymous reader quotes a report from Engadget: Security researchers at Kaspersky Lab have discovered what's likely to be another state-sponsored malware strain, and this one is more advanced than most. Nicknamed Slingshot, the code spies on PCs through a multi-layer attack that targets MikroTik routers. It first replaces a library file with a malicious version that downloads other malicious components, and then launches a clever two-pronged attack on the computers themselves. One, Canhadr, runs low-level kernel code that effectively gives the intruder free rein, including deep access to storage and memory; the other, GollumApp, focuses on the user level and includes code to coordinate efforts, manage the file system and keep the malware alive. Kaspersky describes these two elements as "masterpieces," and for good reason. For one, it's no mean feat to run hostile kernel code without crashes. Slingshot also stores its malware files in an encrypted virtual file system, encrypts every text string in its modules, calls services directly (to avoid tripping security software checks) and even shuts components down when forensic tools are active. If there's a common method of detecting malware or identifying its behavior, Slingshot likely has a defense against it. It's no wonder that the code has been active since at least 2012 -- no one knew it was there. Recent MikroTik router firmware updates should fix the issue. However, there's concern that other router makers might be affected.
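The summary says Slingshot encrypts every text string in its modules and keeps its files in an encrypted virtual file system. A practical defender-side consequence is that such components stand out during triage: they have high byte entropy and almost no readable strings. The following added example (not code from the Engadget article, Kaspersky, or MikroTik) implements that triage heuristic in Python over two constructed blobs: one with ordinary readable import names and messages, and one filled with seeded pseudo-random bytes standing in for ciphertext. The thresholds, the sample contents and the `triage` function name are assumptions chosen for the example; it is a generic heuristic for spotting obfuscated data areas, not a Slingshot signature.

```python
import math
import random
import re
from typing import Dict, List

# Constructed sample: what a module's data area usually looks like, readable
# import names and messages separated by NUL bytes, zero-padded to 4 KiB.
# The API names are ordinary Win32 names used purely as illustrative text.
PLAIN_MODULE = (
    b"KERNEL32.dll\0LoadLibraryA\0GetProcAddress\0CreateFileW\0"
    b"WriteFile\0ReadFile\0CloseHandle\0"
    b"C:\\Program Files\\Example\\config.ini\0"
    b"Service started successfully\0Unable to open log file\0"
) * 16
PLAIN_MODULE = PLAIN_MODULE.ljust(4096, b"\0")

# Constructed sample: a blob whose strings are all encrypted. A seeded PRNG
# stands in for ciphertext so the example is deterministic and runs offline.
_rng = random.Random(20180312)
ENCRYPTED_MODULE = bytes(_rng.getrandbits(8) for _ in range(4096))


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant blob, 8.0 for uniform random."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def printable_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Runs of printable ASCII at least min_len long, like the `strings` tool."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def string_coverage(data: bytes, min_len: int = 4) -> float:
    """Fraction of the blob's bytes that belong to a printable string."""
    if not data:
        return 0.0
    covered = sum(len(s) for s in printable_strings(data, min_len))
    return covered / len(data)


def triage(data: bytes, entropy_threshold: float = 7.0,
           coverage_threshold: float = 0.10) -> Dict[str, object]:
    """Flag blobs that look encrypted (high entropy) or that carry almost no
    readable text. Both thresholds are assumptions for this example; apply the
    check to data/string areas, since plain machine code also has few strings."""
    ent = shannon_entropy(data)
    cov = string_coverage(data)
    reasons = []
    if ent >= entropy_threshold:
        reasons.append("high entropy")
    if cov < coverage_threshold:
        reasons.append("few readable strings")
    return {"entropy": round(ent, 2), "string_coverage": round(cov, 3),
            "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for name, blob in (("plain", PLAIN_MODULE), ("encrypted", ENCRYPTED_MODULE)):
        print(name, triage(blob))
```

Random bytes still produce a few accidental "strings" (about one printable byte in three, so short runs occur by chance), which is why the entropy measure is the stronger of the two signals and the coverage threshold is kept low.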
Meanwhile on your mobile devices.... (Score:3)
Over that time you or someone using your wireless network has installed dozens of apps that have been legally spying on you and selling your data to anyone who will pay a few cents.
Hang them. (Score:2)
Why can we not find these assholes, and publicly hang them? And leave them dangling for a while for all to see. They are poisoning the well - this is not cute hacker fun. This is, and has been, very serious. And nothing seems to be done about it.
Re: (Score:2)
WTF? I don't think you are making sense.
Re: (Score:2)
I've never worried about that actually, and not because I feel the government is preventing it.
Many other things the government does to "protect" me from that, however, I worry about constantly.
Doing fantastic work (Score:3)
This is just the latest of a number of state sponsored attacks that Kaspersky has published details on. They are doing fantastic work.
Whatever your view on the level of the cooperation with the Russian state, exposing these sophisticated attacks and attack vectors makes us all safer.
Re: (Score:2)
Stuxnet, Flame, Equation Group https://en.wikipedia.org/wiki/... [wikipedia.org] and many others.
Forensic tools as a counter measure (Score:1)
Which forensic tools should I keep active in order to have those viruses conveniently shut down components while they think I am a researcher looking for them?
Re: (Score:2)
Recall the CIA and who could find what code over years? Lots of different AV software missed detection. Some brands of AV had some better ideas about what system was infected.
"Found in the wild: Vault7 hacking tools WikiLeaks says come from CIA" (4/10/2017)
https://arstechnica.com/inform... [arstechnica.com]
More questions than answers (Score:2)
The article doesn't call out what versions are affected. My router has 6.40.3 and an upgrade command says that's the latest.
But the bigger problem I have is: (from the TFA)
Routers download and run various DLL files in the normal course of business.
WTF? No they don't. My router doesn't download and run anything during normal operation and it doesn't need to and shouldn't need to. During an upgrade sure.
Anyone who installs a router that downloads stuff and runs it without their express command to do so is simply asking for it.
On top of that I don't understand why they call out
Re: (Score:2)
Some nation is pushing malware upgrades into devices and they are being accepted as a normal upgrade by the device.
Some methods used are a random walk-in in person from "tech" support and their USB device. A chat with the boss and the device is upgraded.
A person is away from home at work and their network is on. The device gets a nation-state malware upgrade pushed down the network.
