
Thread: Project Sauron: state-sponsored malware which has been hiding for 5 years

#1 Aragorn (Administrator)

    Project Sauron: state-sponsored malware which has been hiding for 5 years



    I don't think we have to wager too many guesses as to who's behind this again...


    Source: Ars Technica


    "Security experts have discovered a malware platform that's so advanced in its design and execution that it could probably have been developed only with the active support of a nation-state.

    The malware — known alternatively as "ProjectSauron" by researchers from Kaspersky Lab and "Remsec" by their counterparts from Symantec — has been active since at least 2011 and has been discovered on 30 or so targets. Its ability to operate undetected for five years is a testament to its creators, who clearly studied other state-sponsored hacking groups in an attempt to replicate their advances and avoid their mistakes. State-sponsored groups have been responsible for malware like the Stuxnet- or National Security Agency-linked Flame, Duqu, and Regin. Much of ProjectSauron resides solely in computer memory and was written in the form of Binary Large Objects, making it hard to detect using antivirus.

    Because of the way the software was written, clues left behind by ProjectSauron in so-called software artifacts are unique to each of its targets. That means that clues collected from one infection don't help researchers uncover new infections. Unlike many malware operations that reuse servers, domain names, or IP addresses for command and control channels, the people behind ProjectSauron chose a different one for almost every target.

    "The attackers clearly understand that we as researchers are always looking for patterns," Kaspersky researchers wrote in a report published Monday. "Remove the patterns and the operation will be harder to discover. We are aware of more than 30 organizations attacked, but we are sure that this is just a tiny tip of the iceberg." Symantec researchers, in a report of their own, said they were aware of seven organizations infected.


    Jumping air gaps

    Part of what makes ProjectSauron so impressive is its ability to collect data from computers considered so sensitive by their operators that they have no Internet connection. To do this, the malware uses specially prepared USB storage drives that have a virtual file system that isn't viewable by the Windows operating system. To infected computers, the removable drives appear to be approved devices, but behind the scenes are several hundred megabytes reserved for storing data that is kept on the "air-gapped" machines. The arrangement works even against computers in which data-loss prevention software blocks the use of unknown USB drives.

    Kaspersky researchers still aren't sure precisely how the USB-enabled exfiltration works. The presence of the invisible storage area doesn't in itself allow attackers to seize control of air-gapped computers. The researchers suspect the capability is used only in rare cases and requires use of a zero-day exploit that has yet to be discovered. In all, Project Sauron is made up of at least 50 modules that can be mixed and matched to suit the objectives of each individual infection.

    "Once installed, the main Project Sauron modules start working as 'sleeper cells,' displaying no activity of their own and waiting for 'wake-up' commands in the incoming network traffic," Kaspersky researchers wrote in a separate blog post. "This method of operation ensures Project Sauron’s extended persistence on the servers of targeted organizations."

    Kaspersky researchers said they discovered the malware last September after a customer at an unidentified government organization hired them to investigate anomalous network traffic. They eventually unearthed a "strange" executable program library that was loaded into the memory of one of the customer's domain controller servers. The library was masquerading as a Windows password filter, which is something administrators typically use to ensure passwords match specific requirements for length and complexity. The module started every time a network or local user logged in or changed a password, and it was able to view passcodes in plaintext.

    The main purpose of the malware platform was to obtain passwords, cryptographic keys, configuration files, and IP addresses of the key servers related to any encryption software that was in use. Infected groups include government agencies, scientific research centers, military organizations, telecommunication providers, and financial institutions in Russia, Iran, Rwanda, China, Sweden, Belgium, and possibly in Italian-speaking countries.

    Kaspersky researchers estimate that development and operation of the Sauron malware is likely to have required several specialist teams and a budget in the millions of dollars. The researchers went on to speculate that the project was funded by a nation-state, but they stopped short of saying which one.

    "The actor behind ProjectSauron is very advanced, comparable only to the top-of-the top in terms of sophistication: alongside Duqu, Flame, Equation, and Regin," the Kaspersky researchers wrote. "Whether related or unrelated to these advanced actors, the ProjectSauron attackers have definitely learned from them.""


    = DEATH BEFORE DISHONOR =
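The part of the article most useful to a defender is the password-filter detail: the component Kaspersky found on the domain controller was a DLL registered as a Windows password filter, which LSASS loads and calls on every password change. The script below is an added example written for this page, not code from Ars Technica, Kaspersky or Symantec, and it contains no indicators from the actual campaign. It assumes an elevated Windows PowerShell 5.1 session on the host being audited (for example a domain controller) and only uses built-in cmdlets: it reads the LSA "Notification Packages" value, checks that each registered DLL exists in System32, carries a valid Microsoft Authenticode signature, records its SHA-256, and notes whether it is currently mapped into lsass.exe.

```powershell
# Added example (not from the article or from Kaspersky/Symantec): audit the
# LSA password-filter registration, since the ProjectSauron component described
# above masqueraded as a Windows password filter.
# Assumptions: elevated Windows PowerShell 5.1 on the machine being checked;
# no third-party modules needed. Stock entries are typically 'scecli' (all
# Windows hosts) and 'rassfm' (domain controllers).

function Get-LsaPasswordFilterReport {
    [CmdletBinding()]
    param()

    $lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $system32 = Join-Path $env:SystemRoot 'System32'

    # 'Notification Packages' is a REG_MULTI_SZ of DLL base names; LSASS loads
    # each one from System32 at boot and calls it on every password change.
    $packages = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages' -ErrorAction Stop).'Notification Packages'

    # Modules currently mapped into lsass.exe, so each registered DLL can be
    # correlated with what is actually resident in the process.
    $lsassModules = @{}
    try {
        foreach ($m in (Get-Process -Name lsass -ErrorAction Stop).Modules) {
            $lsassModules[$m.ModuleName.ToLowerInvariant()] = $m.FileName
        }
    } catch {
        Write-Warning "Could not enumerate lsass.exe modules (elevation required): $_"
    }

    foreach ($name in $packages) {
        $dllName = if ($name -like '*.dll') { $name } else { "$name.dll" }
        $path    = Join-Path $system32 $dllName
        $exists  = Test-Path -LiteralPath $path

        $sig  = $null
        $hash = $null
        if ($exists) {
            $sig  = Get-AuthenticodeSignature -FilePath $path
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }

        $signer      = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $isMicrosoft = [bool]($sig -and $sig.Status -eq 'Valid' -and $signer -match 'O=Microsoft Corporation')

        # A registered filter that is missing, unsigned, or signed by anyone
        # other than Microsoft deserves a closer look.
        [PSCustomObject]@{
            Package       = $name
            Path          = $path
            Exists        = $exists
            SigStatus     = if ($sig) { $sig.Status.ToString() } else { 'n/a' }
            Signer        = $signer
            Sha256        = $hash
            LoadedInLsass = $lsassModules.ContainsKey($dllName.ToLowerInvariant())
            Suspicious    = (-not $exists) -or (-not $isMicrosoft)
        }
    }
}

Get-LsaPasswordFilterReport | Format-Table -AutoSize
```

Run it on each domain controller and compare the Sha256 column across hosts and over time; a legitimately deployed third-party filter will show the same signer and hash everywhere, while a one-off DLL on a single DC is the pattern worth investigating. The lsass.exe module listing is only complete when the shell matches the OS bitness and runs elevated, which is why the script warns rather than fails when that enumeration is unavailable.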


#2 modwiz (Senior Member)
    Symantec has named the group behind the Sauron malware by the name of Strider. That ain't right.



    https://www.rt.com/news/355165-sauro...ber-espionage/
    "To learn who rules over you simply find out who you are not allowed to criticize" -- Voltaire

    "Great minds discuss ideas; average minds discuss events; small minds discuss people."-- Eleanor Roosevelt

    "Misery loves company. Wisdom has to look for it." -- Anonymous


#3 Aragorn (Administrator)
    Originally posted by modwiz:
        Symantec has named the group behind the Sauron malware by the name of Strider. That ain't right.
    I was shocked and upset about that as well, Brother. My namesake being equated to Sauron is an insult to all that's honorable.


#4 modwiz (Senior Member)
    Originally posted by Aragorn:
        I was shocked and upset about that as well, Brother. My namesake being equated to Sauron is an insult to all that's honorable.
    Yes, an obvious attempt by orcs to besmirch a good name. In their twisted minds, they are keeping a watch on "the bad guys". As Worf, the Klingon, would say, "They are without honor".
