Tue Aug 9, 2016, 03:16 AM

NWCorona (8,541 posts)

Researchers crack open unusually advanced malware that hid for 5 years

Source: Arstechnica

Security experts have discovered a malware platform that's so advanced in its design and execution that it could probably have been developed only with the active support of a nation state.

The malware—known alternatively as "ProjectSauron" by researchers from Kaspersky Lab and "Remsec" by their counterparts from Symantec—has been active since at least 2011 and has been discovered on 30 or so targets. Its ability to operate undetected for five years is a testament to its creators, who clearly studied other state-sponsored hacking groups in an attempt to replicate their advances and avoid their mistakes. State-sponsored groups have been responsible for malware like the Stuxnet- or National Security Agency-linked Flame, Duqu, and Regin. Much of ProjectSauron resides solely in computer memory and was written in the form of Binary Large Objects, making it hard to detect using antivirus.

Part of what makes ProjectSauron's so impressive is its ability to collect data from air-gapped computers. To do this, it uses specially prepared USB storage drives that have a virtual file system that isn't viewable by the Windows operating system. To infected computers, the removable drives appear to be approved devices, but behind the scenes are several hundred megabytes reserved for storing data that is kept on the air-gapped machines. The arrangement works even against computers in which data-loss prevention software blocks the use of unknown USB drives.

Kaspersky researchers still aren't sure precisely how the USB-enabled exfiltration works. The presence of the invisible storage area doesn't in itself allow attackers to seize control of air-gapped computers. The researchers suspect the capability is used only in rare cases and requires use of a zero-day exploit that has yet to be discovered. In all, Project Sauron is made up of at least 50 modules that can be mixed and matched to suit the objectives of each individual infection.

Read more: http://arstechnica.com/security/2016/08/researchers-crack-open-unusually-advanced-malware-that-hid-for-5-years/

The ability to jump the gap is crazy stuff.

12 replies, 3904 views

Thread info Bookmark this thread Trash this thread

Reply to this thread

Always highlight: 10 newest replies | Replies posted after I mark a forum

Replies to this discussion thread

12 replies	Author	Time	Post
Researchers crack open unusually advanced malware that hid for 5 years (Original post)	NWCorona	Aug 2016	OP
There was a BIOS hack that allowed air-gap control via infrasonic signals	Recursion	Aug 2016	#1
Agreed! The technology that's coming on line is both scary and amazing	NWCorona	Aug 2016	#9
Aliens, obviously.	truthisfreedom	Aug 2016	#2
5 years is an eternity in Tech	Moliere	Aug 2016	#3
It didn't "jump the gap"	spinbaby	Aug 2016	#4
Yeah you are right. that term can be viewed a few ways. That's why I left off the word "air"	NWCorona	Aug 2016	#10
Lazy or careless	cannabis_flower	Aug 2016	#11
Epoxy, and...	reACTIONary	Aug 2016	#12
So was it depending on a physical USB drive or was it creating a	cstanleytech	Aug 2016	#5
Sounds like it was coopting part of a separate USB drive's memory.	Igel	Aug 2016	#6
Windows operating system	FigTree	Aug 2016	#7
You can find examples	Plucketeer	Aug 2016	#8

Response to NWCorona (Original post)

Tue Aug 9, 2016, 03:30 AM

Recursion (56,545 posts)

1. There was a BIOS hack that allowed air-gap control via infrasonic signals

At least that was the assumption since physically disconnecting the mic stopped it.

A computer's IR receiver would also work, and for that matter a monitor can function as an AM tuner...

Reply to this post

Response to Recursion (Reply #1)

Tue Aug 9, 2016, 01:43 PM

NWCorona (8,541 posts)

9. Agreed! The technology that's coming on line is both scary and amazing

I'm just thinking about the fact that it was latent for over five years and how it was able to avoid patten mapping.

Also the bridging method is the most troubling part of the whole article.

"The arrangement works even against computers in which data-loss prevention software blocks the use of unknown USB drives."

Reply to this post

Response to NWCorona (Original post)

Tue Aug 9, 2016, 03:33 AM

truthisfreedom (22,810 posts)

2. Aliens, obviously.

Reply to this post

Response to NWCorona (Original post)

Tue Aug 9, 2016, 06:05 AM

Moliere (285 posts)

3. 5 years is an eternity in Tech

Unreal hack to have been active for so long

Reply to this post

Response to NWCorona (Original post)

Tue Aug 9, 2016, 07:26 AM

spinbaby (14,755 posts)

4. It didn't "jump the gap"

It depended on someone plugging in an infected USB drive, probably counting on someone using the same USB drive on both an unsecured and a secure computer. There are very secure air-gap manual switches that enable someone to have both computers on their desk and switch between them as needed. All it would take is for that person to get lazy and use the same USB drive on both machines. A REALLY secure computer has its USB ports filled with epoxy.

Reply to this post

Response to spinbaby (Reply #4)

Tue Aug 9, 2016, 01:48 PM

NWCorona (8,541 posts)

10. Yeah you are right. that term can be viewed a few ways. That's why I left off the word "air"

In my view the way it fools secure systems is the most interesting and troubling part.

And definitely agree with you on the epoxy.

Reply to this post

Response to spinbaby (Reply #4)

Tue Aug 9, 2016, 02:28 PM

cannabis_flower (3,676 posts)

11. Lazy or careless

Not necessarily the same thing.

Reply to this post

Response to spinbaby (Reply #4)

Tue Aug 9, 2016, 08:19 PM

reACTIONary (5,373 posts)

12. Epoxy, and...

.... located within a Faraday cage.

Reply to this post

Response to NWCorona (Original post)

Tue Aug 9, 2016, 08:06 AM

cstanleytech (24,565 posts)

5. So was it depending on a physical USB drive or was it creating a

hidden virtual USB drive to survive on infected systems?

Reply to this post

Response to cstanleytech (Reply #5)

Tue Aug 9, 2016, 09:10 AM

Igel (33,314 posts)

6. Sounds like it was coopting part of a separate USB drive's memory.

You plug it in, the anti-malware software doesn't see this sequestered memory. The malware runs, infects the machine, and saves data to that reserved memory, undetected.

As soon as you plug the USB thumbdrive into a networked computer, the information can be transmitted. An uninfected drive plugged into an infected machine can be infected.

The air-gapped computer is now "networked" like the computers where I worked a long time ago was "networked": Engineers ran experiments, the data was recorded on magnetic tape, and somebody would have to schlep the tapes from the experiment site to the processing section. (Okay, this was '81.)

Reply to this post

Response to NWCorona (Original post)

Tue Aug 9, 2016, 01:14 PM

FigTree (346 posts)

7. Windows operating system

The gift that keeps on giving.

Reply to this post

Response to FigTree (Reply #7)

Tue Aug 9, 2016, 01:36 PM

Plucketeer (12,882 posts)

8. You can find examples

of some of the most vaunted automobiles in junkyards - ones that show no evidence of a collision being the cause of their demise. Nothing man-made is perfectly impervious.

Reply to this post

Latest Breaking News (Forum)