Potent malware that hid for six years spread through routers

Status
Not open for further replies.
100 of the right computers infected, brilliant and stays hidden longer. Or did Kaspersky write it and is trying to get good PR?

Well let’s remember that ‘at least’ and ‘approximately’ and ‘exactly’ all mean quite different things. At least 100 means >100 which doesn’t have an upper limit. If this espionage software is as nifty as claimed it probably has the ability to erase itself from a system without leaving any traces, for example.
 
Upvote
85 (88 / -3)

grawity

Seniorius Lurkius
15
Something's left out here. Winbox is a user interface to MikroTik routers. It has no scripting capabilities built in. So using that to infect a system would require user intervention with no ability to automate the infection. No wonder it's only 100 systems.

It might have many capabilities you don't know of. Every time you connect to a device, it downloads a set of modules for that firmware version from the device itself (you can see them cached in your AppData), in order to understand how to present different data to the user. And they appear to be Windows DLLs – not just declarative descriptions/schemas.
 
Upvote
45 (45 / 0)
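The post above makes a point a defender can act on: the management client pulls executable modules (DLLs) from the router it connects to, so the router is effectively a code source for the workstation. The following PowerShell script is an added example, not code from the thread or from MikroTik, that inventories the DLLs in a cache directory and reports each file's SHA256 hash and Authenticode status so they can be compared against a baseline recorded earlier. The cache location is an assumption: the post only says the modules land "in your AppData", so the path is a labelled placeholder the caller must replace.

```powershell
# Added example (not from the thread): inventory DLLs a management client cached
# under AppData and report hash + Authenticode status for each.
# ASSUMPTION: the cache location is supplied by the caller; the thread only says
# the modules are cached "in your AppData" and gives no path, so the default
# below is a placeholder.
param(
    [string]$CachePath = (Join-Path $env:APPDATA 'CLIENT-CACHE-PLACEHOLDER')
)

function Get-CachedModuleInventory {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Cache path not found: $Path"
        return @()
    }

    # One record per DLL: size, timestamp, SHA256 and signature status.
    Get-ChildItem -LiteralPath $Path -Recurse -Filter '*.dll' -File |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File      = $_.FullName
                Size      = $_.Length
                Modified  = $_.LastWriteTime
                SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                SigStatus = $sig.Status              # Valid, NotSigned, HashMismatch, ...
                Signer    = $sig.SignerCertificate.Subject
            }
        }
}

# Unsigned or HashMismatch entries deserve a second look; the SHA256 column is
# what you diff against the inventory you recorded on a known-good machine.
Get-CachedModuleInventory -Path $CachePath |
    Sort-Object SigStatus, File |
    Format-Table -AutoSize
```

Run it once on a clean workstation right after a first connection to the device, save the output, and re-run it after later connections; a module whose hash changed without a corresponding firmware update on the router is the thing to investigate.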

jdale

Ars Legatus Legionis
16,759
Subscriptor
The name Cahnadr clearly indicates it's Canadian. Durr.

Debug messages written in perfect English suggest that the developers spoke that language.

I guess this is something that happens with modern development environments, but it still seems odd to include debug messages (in any language) in malware.
 
Upvote
69 (71 / -2)

Raptor

Ars Legatus Legionis
18,433
100 of the right computers infected, brilliant and stays hidden longer. Or did Kaspersky write it and is trying to get good PR?

Well let’s remember that ‘at least’ and ‘approximately’ and ‘exactly’ all mean quite different things. At least 100 means >100 which doesn’t have an upper limit.

Technically, yes. But the implication, especially at such a low number, is "possibly more than 100, but probably fewer than 200 - almost certainly fewer than 1,000".

Out of a pool of, estimated worldwide, over 2 billion computers.

Again, I'm not surprised it took so long to notice, and that, coupled with the complexity of it, very much suggests a state-sponsored, targeted attack.
 
Upvote
36 (47 / -11)

Morley Dotes

Ars Scholae Palatinae
761
Not that something like this is good, but this is truly a fascinating piece of software. Obviously, the programmer(s) are very talented. It's a shame that they turned to the dark side.

"The Dark side" is always relative...

"Perfect English", "Nation State", "Middle East and Africa"...

Things that make you go "Hmmm"...
 
Upvote
105 (109 / -4)
"The malware is highly advanced, solving all sort of problems from a technical perspective and often in a very elegant way, combining older and newer components in a thoroughly thought-through, long-term operation, something to expect from a top-notch well-resourced actor."

I'm sure if the creator is reading this, s/he has a smile on his face :)
 
Upvote
53 (57 / -4)

Ralf The Dog

Ars Praefectus
4,325
Subscriptor++
The name Cahnadr clearly indicates it's Canadian. Durr.

Debug messages written in perfect English suggest that the developers spoke that language.

I guess this is something that happens with modern development environments, but it still seems odd to include debug messages (in any language) in malware.

I would guess the debug text is a way of tracing it back in the media. You put in a string like "Plaid space Monkeys", then you search for usage of that phrase in the news.
 
Upvote
56 (58 / -2)
Not that something like this is good, but this is truly a fascinating piece of software. Obviously, the programmer(s) are very talented. It's a shame that they turned to the dark side.

"The Dark side" is always relative...

"Perfect English", "Nation State", "Middle East and Africa"...

Things that make you go "Hmmm"...

Yeah, the "perfect English" bit suggests to me that it's less likely they are native speakers. People who grow up natively in a language rarely approach perfection in use.
If I were the CIA, and I wanted to implicate the Russians in the development of malware, I'd definitely have someone go through all the plain language and make sure it was fluent Ukrainian or whatever language I believed that the media would believe that the Russians would use to try to make it look like they didn't write the malware.
 
Upvote
61 (65 / -4)

Ralf The Dog

Ars Praefectus
4,325
Subscriptor++
I do not know if I am the only one, but with all the news about insecure/unmaintained and infected routers, I am now looking at that piece of kit differently.

Used to be you update it, you set it up, and then you can forget about it unless it breaks down...

Remember when people started doubting Antivirus Companies, thinking they could just use the one Windows came up with, and everything would be fine?


Now I see the need for a new kind of equipment. If you could sell me a box I could plug in, only for security, that could monitor everything to see if I was infected in any way, I would pay good money for it.

and then the box infects every device on your network.
 
Upvote
54 (55 / -1)
Not that something like this is good, but this is truly a fascinating piece of software. Obviously, the programmer(s) are very talented. It's a shame that they turned to the dark side.

"The Dark side" is always relative...

"Perfect English", "Nation State", "Middle East and Africa"...

Things that make you go "Hmmm"...
Exceptionally broad-ranging data collection capabilities paired with elegantly structured stealth architecture = "One-stop shopping for all your data collection needs!"

I suspect that resource-intensive attribution categories (e.g. "Nation State") should be expanded to encompass corporate entities as well.

I'd never presume to point fingers at any particular potential player, but would anyone who is paying attention be "truly shocked and surprised!!!" to learn that, say, an NBCUniversal or an AT&T grade-player were found to be the source of some similar functionality/execution methodology? (I mean Superfish is childishly rudimentary in comparison to this attack, but thanks for trying anyway Lenovo!)

Perhaps cynicism is pushing me ever closer to the tin-foil-hat club, but bits and pieces of what would once be considered dystopian sci-fi future scenarios seem to be cropping up with an ever more disturbing regularity.
 
Upvote
30 (37 / -7)

dave562

Ars Scholae Palatinae
1,391
This is the same Kaspersky that was exposed as an agent of the Russian government and hacked NSA computers, right? Awfully cute of them to be announcing a malware discovery as though they have any credibility anymore.

The malware speaks for itself. It's not like they made the stuff up just to try to get attention.

How is their report not credible?
 
Upvote
64 (64 / 0)
Now I see the need for a new kind of equipment. If you could sell me a box I could plug in, only for security, that could monitor everything to see if I was infected in any way, I would pay good money for it.

Do you know what an IDS is?


Yes, they are hardly on sale in your local supermarket, are they?

I think the first company who will package it in an easy to use appliance will sell millions.
 
Upvote
5 (12 / -7)

clackerd

Ars Tribunus Militum
2,353
Now I see the need for a new kind of equipment. If you could sell me a box I could plug in, only for security, that could monitor everything to see if I was infected in any way, I would pay good money for it.

Do you know what an IDS is?


Yes, they are hardly on sale in your local supermarket, are they?

I think the first company who will package it in an easy to use appliance will sell millions.

Dell sells a SOHO device that does IPS for about $350, called SonicWall. Looks kinda snazzy actually.
 
Upvote
14 (14 / 0)

williamyf

Ars Tribunus Militum
1,789
This is the same Kaspersky that was exposed as an agent of the Russian government and hacked NSA computers, right? Awfully cute of them to be announcing a malware discovery as though they have any credibility anymore.


No, this is the same Kaspersky that was 'accused' by the US Government of being a Russian govt agent, without presenting any formal proof, without due process, and without a presumption of innocence.

If you take the USoA's Govt word at face value 100% of the time, cool, all the power to you then.
 
Upvote
31 (51 / -20)

Retorrent

Smack-Fu Master, in training
60
I wouldn't be surprised if this was written by someone working at or for the NSA. It seems more like a sniper rifle to target specific machines than the usual bomb likeness of other malware where they go for infecting large amounts of machines. This might explain the low number of infected machines.
 
Upvote
29 (31 / -2)

wagnerrp

Ars Legatus Legionis
26,459
Subscriptor
Remember when people started doubting Antivirus Companies, thinking they could just use the one Windows came up with, and everything would be fine?
Remember when your computer used to be stable, before you installed a live monitoring antivirus and it put low level hooks into everything? Remember when you used to be able to copy a directory without the AV pegging your CPU for minutes on end?
 
Upvote
50 (55 / -5)

ytene

Ars Scholae Palatinae
861
The name Cahnadr clearly indicates it's Canadian. Durr.

Debug messages written in perfect English suggest that the developers spoke that language.

I guess this is something that happens with modern development environments, but it still seems odd to include debug messages (in any language) in malware.

Unless you're doing so quite intentionally, to provide misdirection in case your code is detected.
 
Upvote
12 (13 / -1)

Raptor

Ars Legatus Legionis
18,433
Remember when people started doubting Antivirus Companies, thinking they could just use the one Windows came up with, and everything would be fine?
Remember when your computer used to be stable, before you installed a live monitoring antivirus and it put low level hooks into everything? Remember when you used to be able to copy a directory without the AV pegging your CPU for minutes on end?

Pepperidge Farm remembers.

Oh, wait, I thought that's where we were going with that.
 
Upvote
29 (32 / -3)
Remember when people started doubting Antivirus Companies, thinking they could just use the one Windows came up with, and everything would be fine?
Remember when your computer used to be stable, before you installed a live monitoring antivirus and it put low level hooks into everything? Remember when you used to be able to copy a directory without the AV pegging your CPU for minutes on end?

It's completely unacceptable that the engine that renders web content on your computer can adversely affect the health of your operating system. No amount of shiny new Windows features will change the fact that the entire security system in Windows is rooted in bullshit.
 
Upvote
-19 (11 / -30)

.劉煒

Ars Legatus Legionis
54,024
Subscriptor
...fluent Ukrainian or whatever language I believed that the media would believe that the Russians would use to try to make it look like they didn't write the malware.

Ugh, you're all over the place with that (thus supporting my point) :p

Could you maybe rephrase a bit? I'm honestly having a little trouble parsing it correctly.
Okay. Say I'm the CIA. I want to manipulate the western media into blaming Russia for some malware. This isn't very hard, because the CIA basically owns the American media, but they can't be too obvious about it, so they can't just write malware that contains perfect Russian.

So, instead, they pretend that they're Russia pretending to be North Korean hackers. They leave such obvious NK traces that it seems obviously forced, and then drop a few subtle hints that would implicate Russia if you knew what you were looking at.

The media rapidly forms an "organic" consensus on the matter. Security researchers who doubt the official narrative know that if they try to speak up, they'll be branded as contrarians at best or conspiracy theorists at worst. Besides, they know all this nation-level stuff is kabuki anyway. It doesn't matter nearly as much as the media makes everyone think.

Et voilà, Russia hacked the Olympics.

A week later, everyone has completely forgotten about it (except sulking security researchers), but the general sense that "Russia is bad" has still been ratcheted up a notch, and another successful CIA psyop against America and the west has been successfully executed.

To be clear, I'm not taking Russia's side in any of this. Putin can be what he is, and Russia can be what it is, and that still doesn't change the nature of "American" intelligence agencies.
Truly you have a dizzying intellect.
 
Upvote
41 (48 / -7)