Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Security Communications Government Privacy Software Technology

'Slingshot' Malware That Hid For Six Years Spread Through Routers 72

An anonymous reader quotes a report from Engadget: Security researchers at Kaspersky Lab have discovered what's likely to be another state-sponsored malware strain, and this one is more advanced than most. Nicknamed Slingshot, the code spies on PCs through a multi-layer attack that targets MikroTik routers. It first replaces a library file with a malicious version that downloads other malicious components, and then launches a clever two-pronged attack on the computers themselves. One, Canhadr, runs low-level kernel code that effectively gives the intruder free rein, including deep access to storage and memory; the other, GollumApp, focuses on the user level and includes code to coordinate efforts, manage the file system and keep the malware alive. Kaspersky describes these two elements as "masterpieces," and for good reason. For one, it's no mean feat to run hostile kernel code without crashes. Slingshot also stores its malware files in an encrypted virtual file system, encrypts every text string in its modules, calls services directly (to avoid tripping security software checks) and even shuts components down when forensic tools are active. If there's a common method of detecting malware or identifying its behavior, Slingshot likely has a defense against it. It's no wonder that the code has been active since at least 2012 -- no one knew it was there. Recent MikroTik router firmware updates should fix the issue. However, there's concern that other router makers might be affected.

'Slingshot' Malware That Hid For Six Years Spread Through Routers

Comments Filter:
  • by bug1 ( 96678 ) on Monday March 12, 2018 @08:31PM (#56249959)

    Over that time you or someone using your wireless network has installed dozens of apps that has been legally spying on and selling your data to anyone will pay a few cents.

    • by 605dave ( 722736 ) on Tuesday March 13, 2018 @07:50AM (#56251461) Homepage

      This is the biggest scandal no one cares about. I am involved in politics and the upcoming election, and was just demoed a service that was beyond creepy. Basically they provide a library that is widely used by developers, and by the saleswoman's account their stack was in an app on 80% of phones in the world. Android or iOS.

      During the pitch she spoke of micro targeting people, and suggested we could see who was at a certain large political rally in DC for both of the last two years. While immediately creepy in its on right, I asked how her company could take supposedly anonymized info from location sharing and match it with an actual person. She replied that they simply geofenced the phones while people were probably asleep which after awhile gave away their home address. They could then match that location with voter files and people's names.

      The implications of this one example were staggering to me. Would you suspect a popular game or restaurant app could be used to completely profile you by a third party? We do around here, but most people don't. They don't get the connections. But I asked is she thought people would be unhappy knowing that apps were being secretly being used to share such personal information. To her credit she said yes they would. And she admitted the service would be illegal in Europe.

      In the end I told her that as a privacy advocate I wanted to throw up in the back of my throat (actual quote), but as an advisor to campaigns I would have to tell them to use the tech. You don't bring a knife to a data fight, and it's clear it's a data fight now.

      • by MobyDisk ( 75490 )

        I told her that as a privacy advocate I wanted to throw up in the back of my throat (actual quote), but as an advisor to campaigns I

        You can't claim to be a privacy advocate while working a career that requires you to do the exact opposite. [merriam-webster.com]

        • by 605dave ( 722736 )

          I can see where you might see a contradiction. However I do know that my many conversations with elected officials have had an effect on net neutrality support and encryption rights. I do have to wear two hats, and I don't like it. But right now those who oppose net freedoms are using these tools to defeat those efforts. Trump is in office because of data tools like these. I cannot tell those opposing him not to use the legal tools at their disposal.

          • by q4Fry ( 1322209 )

            I cannot tell those opposing him not to use the legal tools at their disposal.


            You can absolutely tell them not to use those tools. Just like you can (for instance) tell them not to sponsor misleading but legal attack ads. Furthermore, they can then proclaim that they don't use them, and then have serious conversations about whether such a practice ought to be legal without looking the hypocrite.

            I appreciate your work under the one hat. I would like to appreciate your work under the other, and I understand how the situation is difficult for you. But it is doublespeak

            • by 605dave ( 722736 )

              So I should tell people not to use the legal tools their competition is using? It's better to be a noble loser that can not affect change than an elected official who can? What is being offered is perfectly legal at this point. And for the record I brought up this very topic of micro targeting and shared data with a Senator last weekend urging them to make this sort of thing illegal. So while trying to get elections won I am seeding the idea of addressing the abuse legally. Until you have to navigate these

          • by pnutjam ( 523990 )
            I agree, but if your a true privacy advocate you should be willing to publicize this more. At the very least email me the name of the company so I can do some personal research and work on highlighting this and making illegal in the US as well as Europe.
            • by 605dave ( 722736 )

              I posted the company elsewhere in this thread, but here ya go. www.phunware.com. Contact me if you would like more info

  • Why can we not find these assholes, and publically hang them? And leave them dangling for a while for all to see. They are poisoning the well - this is not cute hacker fun. This is, and has been, very serious. And nothing seems to be done about it.

    • by fisted ( 2295862 )

      You're an idiot.

  • by lordlod ( 458156 ) on Monday March 12, 2018 @08:40PM (#56250011)

    This is just the latest of a number of state sponsored attacks that Kaspersky has published details on. They are doing fantastic work.

    Whatever your view on the level of the cooperation with the Russian state, exposing these sophisticated attacks and attack vectors makes us all safer.

    • by AHuxley ( 892839 )
      Yes Kaspersky has helped security research all over the net, in devices.
      Stuxnet, Flame, Equation Group https://en.wikipedia.org/wiki/... [wikipedia.org] and many others.
      • by Anonymous Coward

        Maybe they are uncovering their own old malware just to look clean.

    • by Anonymous Coward

      I've yet to find an article that tells you how to detect and remove Slingshot. Gotta pay up for some Kaspersky protection to get that info?

      • "Recent MikroTik router firmware updates should fix the issue."

        So update your firmware and you're good. Even if you don't have an infection you should update to prevent it.
  • by Anonymous Coward

    Which forensic tools should I keep active in order to have those viruses conveniently shut down components while they think I am a researcher looking for them? :D

    • by AHuxley ( 892839 )
      All of the AV that can be found and tested.
      Recall the CIA and who could find what code over years? Lots of different AV software missed detection. Some brands of AV had some better ideas about what system was infected.
      "Found in the wild: Vault7 hacking tools WikiLeaks says come from CIA" (4/10/2017)
      https://arstechnica.com/inform... [arstechnica.com]
  • by AlanObject ( 3603453 ) on Monday March 12, 2018 @09:11PM (#56250119)

    The article doesn't call out what versions are affected. My router has 6.40.3 and an upgrade command says that's the latest.

    But the bigger problem I have is: (from the TFA)

    Routers download and run various DLL files in the normal course of business.

    WTF? No they don't. My router doesn't download and run anything during normal operation and it doesn't need to and shouldn't need to. During an upgrade sure.

    Anyone who installs a router that downloads stuff and runs it without their express command to do so is simply asking for it.

    On top of that I don't understand why they call out DLLs. Mikrotiks run RouterOS based on Linux, most of which don't use DLLs for anything.

    • by AHuxley ( 892839 )
      Recall how a modem, router can be upgraded with a file from the home computer network side.
      Some nation is pushing malware upgrades into devices and they are been accepted as a normal upgrade by the device.
      Some methods used is a random walk in person from "tech" support and their usb device. A chat with the boss and the device is upgraded.
      A person is a way from home at work and their network is on. The device gets a nation state malware upgrade pushed down the network.
      Lots of ways in with a person, via
      • by l0n3s0m3phr34k ( 2613107 ) on Tuesday March 13, 2018 @01:34AM (#56250865)
        We recently had to admonish our telecom contractor over his re-use of a USB stick. He was using it to update firmware on our IPECS phone system; when asked "Is that write-protected and in read-only mode?" he didn't really know what we where talking about. When asked "How many other companies have you used that USB stick in since the last low level format?" the light bulb came on. After that we started making him download the firmware on our network, and use a USB stick we provided. We have to be 800-171 compliant for DoD contracts, so this stuff matters.
        • by AHuxley ( 892839 )
          Yes its fun to think about how much of this state create malware got pushed up from the trusted side of a network.
          Tech support talking fast and seen by staff talking to the boss then moving to any computer with their USB files?
          A charming NGO worker (spy) with a video to play on a computer on the trusted side of a network to show the boss how a "charity" event went...
          How many get the malware update via the internet pushed down in the wild?
        • Hope you take away the USB key when done and not let it leave the premises at evening. Also remember that security is a technical solution solving a social problem. It is also an attitude.

        • My listing for this is years out of date, but is it still the case that the only modern flash drives with hardware write protection are from Kanguru, a few models of PQI, and maybe 1-2 Imation devices?

          Do you allow devices like the secured IODD/Zalman drive enclosures that can be set up for read-only access as well?
          • Holy smokes, I really was out-of-date. Imation is dead and in a holding company with (possibly) PNY able to make things using the name, PQI appears to no longer have any write-protected drives, Ritek appears to no longer have any write-protected drives and I missed Netac.

            Guess it's Kanguru ($$$), Netac, touchpad-enabled secure drive enclosures and maybe some forensic devices for write-protected drives.
    • by complete loony ( 663508 ) <Jeremy@Lakeman.gmail@com> on Monday March 12, 2018 @10:53PM (#56250455)

      Winbox was insecure by design. It downloaded dll's from the router and ran them.

      How were the routers infected? Some already known exploit, or intercepting the devices during shipping? Who knows.

    • Re: (Score:3, Informative)

      by Anonymous Coward

      The full technical paper can be found here:

      https://s3-eu-west-1.amazonaws... [amazonaws.com]

    • Re: (Score:2, Informative)

      by Anonymous Coward

      Mikrotik is quite special. The routers are administered via a special tool 'WinBox'. When you connect to a certain type of router a DLL is downloaded to your pc and loaded that tells WinBox how to talk to this model. Of course, if you replace this DLL with a backdoored one then the administrator PC will get hacked.

      I have always found this setup quite risky. There is public code available that runs a fake Mikrotik router, serving a DLL of your choice: https://0day.today/exploit/18143 You only need to replace

    • WTF? No they don't. My router doesn't download and run anything during normal operation and it doesn't need to and shouldn't need to.

      Maybe your own doesn't.

      But lots of equipment provided to client by telco (the router that you received for free when you signed up for DSL/cable/fibre internet) do.

      In the name of user-friendliness, defined as "my grand-ma is unable to upgrade the firmware nor even configure the settings, so everybody is imposed auto-updates", nearly all of these device download and run a ton of shit.
      It might be just scripts (to set or update configuration) or it might be complete firmware upgrade (including telco's own "opt

  • "If there's a common method of detecting malware or identifying its behavior, Slingshot likely has a defense against it."

    Unplug all computers from the router and see if the router is still trying to broadcast out by watching the blinking lights (assuming they are even present.)

    Can almost guarantee they didn't bother thinking about old-fashioned forensics.

    • by AHuxley ( 892839 )
      Some sort of induction ring around the router and shielded computer to log events?
      A reverse TEMPEST to see whats been broadcast out at strange times?
  • How can we trust a firmware update to reliably clean up an infected device? After all, the firmware update would need to be installed by the currently running infected firmware. Couldn't the current firmware infect the new firmware as its being installed? Sounds like we might need to JTAG a new image straight to the hardware.

Ask five economists and you'll get five different explanations (six if one went to Harvard). -- Edgar R. Fiedler