
Researchers crack open malware that hid for 5 years - rando444
http://arstechnica.com/security/2016/08/researchers-crack-open-unusually-advanced-malware-that-hid-for-5-years/
======
rdtsc
Interesting regarding USB devices. When US DoD systems were infected with a
virus someone brought from home on a USB stick, I remember hearing they were
going around filling USB ports with epoxy. There was some method behind the
madness I guess.

There is also a market for routers and other devices which are produced as
much as possible in the US (are they rolling their own capacitors, I am
wondering...). I saw some of those devices come with a 100x markup: $400
device from China vs $40k from the US. Those who sell the $40k one know how hard it
is to get on the list, so they are milking it for all it's worth (the sales person
was quite frank about it).

It was also funny to see "Windows" as an approved, security-blessed OS and then
Debian, Ubuntu, OpenBSD rejected (with only ancient versions of RHEL approved
for Linux).

~~~
Endy
Too many people without security clearance can access and modify Linux. In any
real security environment, open-source is poison. Period, end of story.

~~~
jjbiotech
^ As if any amount of security clearance can erase human fallibility.

In any real security environment, humans are poison. Period, end of story.
This is not an issue exclusive to open-source.

~~~
794CD01
Of course not, but it's exacerbated by open source. Humans are indeed poison,
which is why it's normal to involve as few humans as possible. Unfortunately
AI is not sufficiently advanced so you still need some of them in order to get
the job done.

------
mr_overalls
What is the role of an InfoSec professional in an environment where advanced
threats like this are being deployed? I mean, a beat cop knows when it's time
to call the FBI or the military. But the open nature of the Net means that
firewall probes by script kiddies are interspersed with intrusions by nation-
state actors. It's a weird state of affairs.

~~~
Spooky23
Work with stakeholders to minimize lateral movement after a breach, get
monitoring in place to detect breaches, and have a response plan.

If you have company critical secrets or life-safety systems, you need to air
gap where possible.

That's your job. You cannot stop or prevent attacks, and if you don't have
the metrics and logs, the FBI won't be able to do anything, assuming you
can get them to give a shit.

------
Kadin
> The researchers went on to speculate that the project was funded by a
> nation-state, but they stopped short of saying which one.

So ... does anyone, perhaps who doesn't have Kaspersky's business interests to
protect, care to actually speculate? In other cases it's been seemingly well-
known in the security community which APT attacks trace back to which
countries, it's just apparently impolite to say it in public.

~~~
groby_b
Russia, Iran, Rwanda... Let's assume the latter is a vector, not the target.
(The attacker is sophisticated enough that we can assume Rwanda itself is of
little interest). Rwanda also has fairly close ties to Russia, which
strengthens the vector hypothesis.

Russia+Iran suggests a western actor. Their biggest shared interest is Syria,
I'd think. And look, the Syrian conflict is on since March '11, and the
activity according to Kaspersky reaches back to June '11. I'd say that's
quite close.

Neither the US nor Europe were _that_ deeply invested in Syria. There is,
however, one small middle-east country that has quite an interest in the
entire region, and also isn't friends with Iran or Russia. And it just so
happens that Israel is somewhat of a close affiliation of Rwanda.

None of that is in any way conclusive, but it certainly is probable.

~~~
ars
> and also isn't friends with Iran or Russia

Actually Israel is on very friendly terms with Russia. There are a ton of
Russian immigrants in Israel to the point that Putin called them "Russian
ambassadors".

It didn't start that way - part of the history of the creation of the modern
state of Israel is Russia vs US proxy conflict (of sorts) via Egypt. But it's
not like that anymore, not for a long time.

(The US and Russia have moved on to other proxies :)

~~~
kobayashi
While I'm not a proponent of the idea that Israel is behind this malware, I
disagree with you. Israel is not on particularly good terms with Russia. Yes,
the two governments have established a hotline to ensure that Russian military
maneuvers in Syria are not misinterpreted, but the two countries are closer to
foes with a mutually accepted cold peace. It's in the strategic interests of
each country not to be outwardly hostile to one another, but they're
definitely adversaries in many respects.

------
mr_overalls
Apple's walled garden has been subjected to criticism from open source
advocates. And Windows 10's telemetry triggers a lot of privacy concerns, too.

But in our current security environment, what if these walls become necessary
for secure computing? By analogy, there's a reason that many ancient cities
were circled by a wall.

~~~
kbenson
> By analogy, there's a reason that many ancient cities were circled by a
> wall.

Walls around cities were likely very poor at stopping small, stealthy groups
of infiltrators. They were designed for much more brute force attacks. Apple's
walled garden helps quite a bit with the deluge of crap that would be
available without it. Without it there would be an order of magnitude more
crap (in quantity and quality). That said, there's a vibrant black market for
people that can't stand the oppressive policies of Apple.

Additionally, once you have a wall in place, it's easy to make a decision to
tax certain types of traffic through it because the capability is now there,
whether or not it's in the best economic interest of the people inside. Apple
didn't skimp on this area. The wall was erected with tithes and taxation in
mind, and collection booths at all the gates.

So, does it help? Well, it prevents roving bands of bandits from riding in,
terrorizing and robbing the people unlucky enough to be in their path, and
making a hasty exit, so yes, but if you're a tasty enough target, getting past
the wall isn't really a problem. There are myriad ways to do that as long as
you're careful. For example, the numerous secret tunnels through the wall.
They aren't large, and they are constantly being filled in by the city
engineers, but there's always some they haven't found if you are willing to
ask the right people (or dig your own).

Okay, I believe I've tortured this analogy enough...

~~~
ethbro
Devil's advocate, walls and the enablement of taxation also centralized
capital and enabled cities to spend it on public works that might not have
been built otherwise (and before I get the "then they shouldn't!" retort, I
think we can all agree there are shared infrastructure resources that
w/couldn't be built by private actors).

In a world where all phones are loosely controlled Android derivatives competing
on slim profit margins, is anyone going to make the drive for hard hardware-enabled
crypto? And even if they wanted to, could they afford it?

~~~
kbenson
> Devil's advocate, walls and the enablement of taxation

Sure. I wasn't making a case that taxation at the wall _is_ bad, but that it
has the _capability_ to be bad. We use regulation in (mostly) free markets to
greater or lesser success to steer the markets in some manner. If you accept
that _pure_ capitalism doesn't necessarily yield an optimally performing
system when people are involved, then that ability to influence the market is
a useful capability, especially when applied judiciously. A blanket rate isn't
necessarily the most efficient form of that, but it is a way to raise revenue.

> In a world where all phones are loosely controlled Android derivatives

I think you've already stacked the starting conditions to the point where it's
not really worthwhile to consider. That situation would be ripe for disruption
in some manner, because I think it's inherently unstable. All it takes is a
small niche market for alternatives that _do_ make choices based on privacy,
or security, and events that spur interest in those topics, and the larger
population of providers will need to respond appropriately or risk ceding an
increasingly large portion of the market to those that do.

~~~
ethbro
I think the outcome of the first generation of smartphone OS's has
(surprisingly for me at least) shown that there's really only room for a
handful of players (Android/AChina, iOS) with sufficient numbers of users to
be self-sustaining.

As you note, not sure a unipolar outcome would ever be stable enough to have
persisted, but I wouldn't have expected a bipolar arrangement either. And I
can imagine a market structure that would have depressed manufacturer profits
far enough so as to preclude serious R&D / innovation on their parts.

~~~
kbenson
You know, it's common enough to have one dominant player in a market, a small
few chasing players, and then a bunch of very niche players that I'm sure there's
a lot of economic theory behind it that I'm unaware of. It probably relies quite
a bit on how invested in the product you are once you've decided on it, but
there are plenty of examples throughout history[1].

1: [http://images.dailytech.com/nimage/Smartphone_Market_Share_2007_Through_2011.png](http://images.dailytech.com/nimage/Smartphone_Market_Share_2007_Through_2011.png)

~~~
AnonymousPlanet
Let's keep this in mind the next time we get the idea to let market forces
regulate, say, school systems or infrastructure.

------
jt2190
I'm curious: How realistic is building malware like this? Is this something
that has been done out in the open by researchers? Is there an example we can
see, or is this all still rumors?

The reason I ask is because there's actually value in spreading the rumor that
a capability like this exists. Imagine if your adversary believed that you
could gain access to their computers even when they're not connected to the
internet. They'd run themselves in circles trying to secure everything!

In general, I believe this article to be true, but would love to learn more of
the details.

~~~
r721
From Kaspersky Lab's analysis:

>What would ProjectSauron have cost to set up and run?

>Kaspersky Lab has no exact data on this, but estimates that the development
and operation of ProjectSauron is likely to have required several specialist
teams and a budget probably running into millions of dollars.

[https://securelist.com/analysis/publications/75533/faq-the-projectsauron-apt/](https://securelist.com/analysis/publications/75533/faq-the-projectsauron-apt/)

------
frank_jaeger
That is a really impressive piece of software. USB exfiltration of data on air
gapped machines is next level. I'm in awe of their skill.

~~~
pjc50
If your machine has a USB port, it's no longer properly isolated.

Obviously that's a _tremendous_ pain to work with, because you're limited to
PS/2 keyboards and mice (etc etc), but given that there's no way of
authenticating USB devices and they've already been used in various attacks, a
serious airgap protocol has to ban USB ports.

You could quite easily hide a USB mass storage device inside a mouse, or with
a bit more work have an unmodified mouse with a spare Flash area used for data
exfiltration.

(Firewire is even worse, and Thunderbolt lets you onto the PCI bus)

~~~
chrisper
If you just leave out the USB mass storage kernel module when compiling the
kernel, the mass storage device won't work anymore while the mouse still
works. I wonder if this is a solution to this problem or not, since it seems
quite naive.

~~~
superuser2
Any USB device gets to be a keyboard and mouse. If it comes down to it, the
device could just "type" its payload.
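chrisper's idea (drop the mass-storage driver, keep the mouse working) and superuser2's objection (any device may present itself as a keyboard) are both visible in a class-based USB policy. The following is an added example, not code from this thread or from any project mentioned in it: a Python policy check over constructed interface descriptors. The class, subclass and protocol codes are the real USB-IF values; the devices, their names and the allowlist are assumptions for the demonstration. It shows that a mouse with a storage interface hidden inside it is caught as a composite device, while a device that only presents a HID keyboard passes the class policy and therefore needs a separate attach-time audit.

```python
from dataclasses import dataclass
from typing import List, Tuple

# USB interface class codes from the USB-IF class code table (real values).
USB_CLASS_HID = 0x03
USB_CLASS_MASS_STORAGE = 0x08
USB_CLASS_HUB = 0x09
USB_CLASS_VENDOR_SPECIFIC = 0xFF

# HID boot-interface subclass and protocol codes (real values).
HID_SUBCLASS_BOOT = 0x01
HID_PROTOCOL_KEYBOARD = 0x01
HID_PROTOCOL_MOUSE = 0x02

# Mass-storage subclass/protocol used by ordinary flash drives (real values).
MSC_SUBCLASS_SCSI = 0x06
MSC_PROTOCOL_BULK_ONLY = 0x50


@dataclass(frozen=True)
class Interface:
    cls: int
    subclass: int = 0
    protocol: int = 0


@dataclass(frozen=True)
class Device:
    name: str  # constructed label for this example, not a real product name
    interfaces: Tuple[Interface, ...]

    def is_hid_keyboard(self) -> bool:
        return any(i.cls == USB_CLASS_HID and i.protocol == HID_PROTOCOL_KEYBOARD
                   for i in self.interfaces)


# Assumed air-gap policy: HID is the only interface class allowed to enumerate.
ALLOWED_CLASSES = {USB_CLASS_HID}


def evaluate(dev: Device) -> Tuple[str, List[str]]:
    """Return ("ALLOW" | "BLOCK", reasons). Any disallowed interface blocks the whole device."""
    reasons: List[str] = []
    if not dev.interfaces:
        return "BLOCK", ["device exposes no interfaces"]
    for i in dev.interfaces:
        if i.cls == USB_CLASS_MASS_STORAGE:
            reasons.append("mass-storage interface present")
        elif i.cls == USB_CLASS_VENDOR_SPECIFIC:
            reasons.append("vendor-specific interface (unknown driver surface)")
        elif i.cls not in ALLOWED_CLASSES:
            reasons.append(f"interface class 0x{i.cls:02x} not in allowlist")
    has_hid = any(i.cls == USB_CLASS_HID for i in dev.interfaces)
    if has_hid and reasons:
        # An input device bundled with a blocked class is the "storage inside a mouse" shape.
        reasons.append("composite device: input device bundled with a blocked class")
    return ("BLOCK", reasons) if reasons else ("ALLOW", [])


def keyboard_audit(devices) -> List[str]:
    """Names of devices the class policy allows that can nevertheless type: these are
    the ones an operator must acknowledge on attach, since USB cannot authenticate them."""
    return [d.name for d in devices if evaluate(d)[0] == "ALLOW" and d.is_hid_keyboard()]


# Constructed devices (not descriptors captured from real hardware).
SAMPLE_DEVICES = [
    Device("plain mouse", (Interface(USB_CLASS_HID, HID_SUBCLASS_BOOT, HID_PROTOCOL_MOUSE),)),
    Device("mouse with hidden storage", (
        Interface(USB_CLASS_HID, HID_SUBCLASS_BOOT, HID_PROTOCOL_MOUSE),
        Interface(USB_CLASS_MASS_STORAGE, MSC_SUBCLASS_SCSI, MSC_PROTOCOL_BULK_ONLY))),
    Device("flash drive", (Interface(USB_CLASS_MASS_STORAGE, MSC_SUBCLASS_SCSI, MSC_PROTOCOL_BULK_ONLY),)),
    Device("unfamiliar keyboard", (Interface(USB_CLASS_HID, HID_SUBCLASS_BOOT, HID_PROTOCOL_KEYBOARD),)),
    Device("four-port hub", (Interface(USB_CLASS_HUB),)),
]

if __name__ == "__main__":
    for d in SAMPLE_DEVICES:
        verdict, why = evaluate(d)
        print(f"{d.name:28} {verdict:5} {'; '.join(why)}")
    print("keyboards to audit on attach:", keyboard_audit(SAMPLE_DEVICES))
```

On Linux the verdict would be applied by writing 0 or 1 to the device's `authorized` attribute under `/sys/bus/usb/devices/`, which is what tools such as USBGuard automate; the point of `keyboard_audit` is that a class policy alone cannot tell a real keyboard from a device that merely claims to be one, so keyboard attach events on an isolated host need logging and a human in the loop.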

~~~
cxseven
And if that malware can't liberate USB access, and still needs to read data
(rather than just writing it), it could exploit the capacity for various
devices to emit detectable EM radiation. The fake keyboard/mouse, being inside
the Faraday cage, would be able to sense that radiation and extract data that
the malware in its payload sends back to it.

In fact, all of this would work equally well with a PS/2 port.

------
devnull42
Heh I gave a talk at DefCon Skytalks last week on this exact exfil method and
C&C structure with a live demo using code we wrote....interesting.

~~~
eugenekolo2
> Heh I gave a talk at DefCon Skytalks last week on this exact exfil method
> and C&C structure with a live demo using code we wrote....interesting.

> Kaspersky researchers still aren't sure precisely how the USB-enabled
> exfiltration works. The presence of the invisible storage area doesn't in
> itself allow attackers to seize control of air-gapped computers. The
> researchers suspect the capability is used only in rare cases and requires
> use of a zero-day exploit that has yet to be discovered. In all, Project
> Sauron is made up of at least 50 modules that can be mixed and matched to
> suit the objectives of each individual infection.

You remarkably have the exact exfil method when that's not disclosed
information?

~~~
devnull42
>The attackers used multiple interesting and unusual techniques, including:

> Data exfiltration and real-time status reporting using DNS requests.

Sorry, to be more specific: we spoke on DNS-based exfil using base64-encoded
strings in DNS lookups, and also how to use DNS records to control botnets.

So not exact, and only part of their method.
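The technique devnull42 describes, base64-encoded strings carried in DNS lookups, has a matching check on the defender's side: resolver query logs show the encoded labels. The block below is an added example, not code from this thread, from the talk mentioned, or from Kaspersky. It is a Python detector over constructed query-log lines; the log format (`timestamp client qtype qname`), the client addresses and the `updates.example-cdn.net` zone are all hypothetical, and the encoded lines are generated in the block itself so it runs offline.

```python
import base64
import math
import re
from collections import defaultdict

# --- Constructed sample data (not real traffic) ---------------------------------
# Hypothetical query-log format, one line per lookup: "<timestamp> <client> <qtype> <qname>".


def b64url_label(text: str) -> str:
    """URL-safe base64 with padding stripped ('=' is not a legal hostname character)."""
    return base64.urlsafe_b64encode(text.encode("utf-8")).decode("ascii").rstrip("=")


PIECES = ["hello world this is a test", "secret document contents", "part three of the file"]
EXFIL_DOMAIN = "updates.example-cdn.net"  # hypothetical zone used for the demonstration

SAMPLE_LOG = "\n".join([
    "2016-08-09T10:00:01Z 10.0.0.5 A www.example.com",
    "2016-08-09T10:00:02Z 10.0.0.5 A cdn.example.net",
    f"2016-08-09T10:00:03Z 10.0.0.7 A {b64url_label(PIECES[0])}.{EXFIL_DOMAIN}",
    f"2016-08-09T10:00:04Z 10.0.0.7 A {b64url_label(PIECES[1])}.{EXFIL_DOMAIN}",
    f"2016-08-09T10:00:05Z 10.0.0.7 TXT {b64url_label(PIECES[2])}.{EXFIL_DOMAIN}",
    "2016-08-09T10:00:06Z 10.0.0.9 A mail.example.org",
])

# --- Detection logic --------------------------------------------------------------
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>\S+)\s+(?P<qname>\S+)$")
B64URL_LABEL_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def registered_domain(qname: str) -> str:
    """Naive 'last two labels' approximation; production code should use a public-suffix list."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_suspicious_label(label: str, min_len: int = 20, min_entropy: float = 3.5) -> bool:
    """A long, high-entropy label drawn from the base64url alphabet has the shape of an encoded payload."""
    return (len(label) >= min_len
            and bool(B64URL_LABEL_RE.match(label))
            and shannon_entropy(label) >= min_entropy)


def try_decode(label: str):
    """Restore padding and decode; returns None when the label is not printable UTF-8."""
    padded = label + "=" * (-len(label) % 4)
    try:
        return base64.urlsafe_b64decode(padded).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(log_text: str, min_hits: int = 2) -> dict:
    """Group suspicious labels by (client, registered domain); report groups with >= min_hits lookups."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        labels = rec["qname"].rstrip(".").split(".")
        for label in labels[:-2]:  # only the part under the registered domain carries data
            if is_suspicious_label(label):
                hits[(rec["client"], registered_domain(rec["qname"]))].append(label)
    return {key: labels for key, labels in hits.items() if len(labels) >= min_hits}


def reassemble(labels) -> list:
    """Decode each flagged label in log order; undecodable ones are reported as None."""
    return [try_decode(label) for label in labels]


if __name__ == "__main__":
    for (client, domain), labels in analyze(SAMPLE_LOG).items():
        print(f"{client} -> {domain}: {len(labels)} encoded labels")
        for piece in reassemble(labels):
            print("   ", piece)
```

The `min_hits` threshold and the per-(client, domain) grouping matter more than the entropy cut-off: legitimate services (CDN cache keys, some anti-virus lookups, DKIM selectors) also produce long random-looking labels, so a single hit is noise while a stream of them from one host to one zone is the pattern worth paging on. In practice the flagged zones are compared against an allowlist before alerting, and real exfil may use base32 or encryption rather than base64, which is why the label check keys on length and entropy first and only then attempts a decode.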

------
DavidWanjiru
What criteria are used to determine that malware could only possibly have been
made by a nation state? If all it takes is specialist teams and a budget in
the millions of dollars (presumably, had it been 10s or 100s of millions,
that's what they'd call it), lots of private entities can pull that together,
can't they?

~~~
bradford
They probably could, but would they?

At least in the US, publicly traded tech companies are accountable to
shareholders: There's some transparency in the accounting, and it's hard for
them to throw millions of dollars at a problem before shareholders start
asking tough questions.

~~~
DavidWanjiru
But a military contractor type of company has lots of obfuscation leeway with
"top secret" type of things, doesn't it? And I'd imagine a defence contractor
is the type of company that would be interested in the kind of info this kind
of malware can gather.

~~~
SCHiM
There is some evidence that CITIC Group, a Chinese company, is heavily
involved in corporate espionage and the manipulation of foreign nations.
There's no particular reason that other large companies, no matter their home
countries, could not also be engaged in these types of activities.

~~~
emmelaich
link: [http://www.securityweek.com/chinese-attackers-conduct-cyberespionage-economic-gain](http://www.securityweek.com/chinese-attackers-conduct-cyberespionage-economic-gain)

------
skybrian
Is the implication that there must be someone who connects the special USB
drives to these air-gapped computers? So the attacker must have local people
on the ground.

~~~
drzaiusapelord
Supposedly, the "drop USB drives in the parking lot" trick works pretty well to get
around air-gapped systems. As well as mailing USB drives to the receptionist,
mail room, etc.

Also, this thing was running as a local admin on a domain controller. So
either the DCs weren't patched or some zero-days were used. Or perhaps an
inside job.

~~~
superuser2
> the DCs weren't patched

As I understand it, airgapped systems are not in the habit of bringing
software updates across the airgap, so unpatched everything is likely.

~~~
drzaiusapelord
It's trivial to do with WSUS and offline updates. But yeah, if it's a shit-run
environment, it will get owned by someone eventually.

~~~
paulfurtado
An air-gapped set of servers performing updates from a non-air-gapped WSUS
server is not a set of air-gapped servers at all.

If the WSUS server were also air-gapped, then you're in the business of
manually downloading each update, verifying it, and copying it over to the
air-gapped WSUS server offline.

Microsoft's Windows Update servers have also been compromised in the past.
Depending on the level of security you're operating at, taking new Windows
updates on your air-gapped systems may require having someone decompile and
review each update.

In general, being air-gapped prevents infinitely more exploits than Windows
updates could ever possibly cure; that is, until one of your admins uses his
admin privileges to disable the USB port restrictions for 5 minutes that one
time to copy that one file quickly so he can go home for the day. For this,
there are epoxied USB ports.

------
cynoclast
The thing I find interesting is that I bet the authors are reading this.

------
coldcode
Someone at the NSA is having a bad day reading this.

~~~
pjc50
Bizarrely, the NSA and other US security agencies seem to have very little
interest in defence, preferring surveillance and attack capabilities.

~~~
Spooky23
That's a false statement. They work with NIST to develop the standards that
are the basis of the infosec industry.

~~~
lawnchair_larry
For the most part, NIST really has no relevance in infosec. With a few
exceptions, they're always way behind, and only focus on a few narrow domains.

~~~
Spooky23
Literally every compliance standard in the US references NIST 800-53.

In terms of the "narrow scope" assertion:
[http://csrc.nist.gov/publications/PubsSPs.html](http://csrc.nist.gov/publications/PubsSPs.html)

------
hrayr
>> so advanced in its design and execution that it could probably have been
developed only with the active support of a nation-state

Why is advanced technology automatically assumed to have the backing of
nation-states? Can't several highly motivated and smart individuals create the
technology without a nation-state behind them?

~~~
WatchDog
That's why they said "probably".

You need to look at things like the complexity of the malware, how many staff
it would take to develop and maintain it operationally, the targets selected
and what sort of payloads are executed. Criminals tend to have simpler malware
that uses known exploits or a small number of zero days. They generally cast a
wide net for their targets and their payloads typically aim to directly raise
funds (ransom, mining, card theft, etc).

In contrast, nation-states tend to have complex malware with multiple zero
days, greater care is taken to avoid detection, their targets are chosen
carefully and their payloads focus on gathering information and specialized
operations.

------
Zigurd
Some security professionals have expressed the view that insecure endpoints
represent a good compromise. That is, without the US government being able to
snoop on endpoint devices, encryption would have to be tightly controlled, so
that the government could retain intelligence and investigatory capability.

A more cynical view would be that many security firms sell both security and
forensics/surveillance. One of those two product lines has to be fundamentally
defective.

Is the position that hackable endpoints are a good compromise supportable any
longer? Or has it bitten US entities in the ass enough that making truly
secure computing a reality for computer users, even if it blinds the
surveillance state, becomes the new goal?

~~~
EthanHeilman
I've often heard not that "insecure endpoints represent a good compromise" but
instead that since:

1. endpoints are vulnerable because they are exceptionally hard to secure,

2. and attacking endpoints can be targeted and specific,

the government's case that weakening encryption is necessary for warranted
search is weak. Even with strong encryption the government can exploit the
targeted communicant's endpoint to learn either the plaintext or the
encryption keys. This isn't a compromise so much as a statement of reality and
what is likely to remain reality for some time to come. Weakening encryption,
for the most part, provides benefits to the government in the form of mass
surveillance, but for a variety of reasons doesn't offer much benefit in the
form of limited, specific searches.

>making truly secure computing a reality for computer users,

We can make endpoints more secure, but I see no path to endpoint security that
will keep out a determined well resourced adversary.

~~~
Zigurd
You get what you pay for. Right now, endpoint systems are undefended, even
intentionally compromised. The design of endpoint systems assumes all
components can be trusted. But those components don't usually undergo testing
for vulnerabilities and hidden capabilities.

------
anonbanker
Anyone know of an instance of airgapped USB-based exploits for Linux-based
systems?

------
milesf
What's with all this nonsense about could have "been developed only with the
active support of a nation-state"? Do nations suddenly have access to some
sort of advanced, alien software development teams?

Feels more like political sabre-rattling to get the public to eventually
condone a future attack from our homeland shores of Oceania against the evil
Eastasia or Eurasia.

~~~
breadtk
I believe it's less about fear mongering and more about understanding the
level of sophistication of the software. Talk to an anti-malware analyst and
they'll tell you how commoditized the malware game is nowadays. There's an
endless stream of malware and ransomware which can be linked back to just a
handful of frameworks. These types of malware families also fall under the
spray-n-pray mentality for distribution. Spam, drive-by downloads, infected
torrents, etc.

Compare the mass of malware that is out there with the level of technical
sophistication, OPSEC to prevent detection, and precise targeting of its
victims. Along with other big-name malware (i.e. Stuxnet, Flame, etc.), this
class of malware is very precise in its objective. It isn't trying to make
money for its owners. It isn't trying to replicate itself across the internet
endlessly. Rather it has a key objective of infecting a specific set of
networks. So when researchers call out the fact that it is likely to be "state
sponsored", they are saying the purpose of the malware is very different than
your average piece of malware.

~~~
celticninja
Essentially depending on what malware does we can easily identify government
software because criminal software has a different set of objectives. Is it
possible though that corporate software could have similar objectives? I'm
thinking corporate espionage type behaviour.

~~~
breadtk
> Is it possible though that corporate software could have similar objectives?
> I'm thinking corporate espionage type behaviour.

Yes, it is possible.

------
ayyn0n0n0
Anyone know what IPs the C&C servers used?

Interested to see what hosting company in the US they used.

------
nyan4
> It was also funny to see "Windows" as an approved security blessed OS and
> then Debian, Ubuntu, OpenBSD rejected

Bribes always help.

~~~
jpollock
Paying for certification is what's required. Governments require various
certifications to sell to them, and that certification costs money in
consultancies. RHEL paid for the testing, they get a certification and access
to the customer.

It looks like this is probably referring to EAL [1][2].

In a market with a large number of vendors interacting with a large number of
relatively unknowledgeable buyers, an oversight team is going to try to find a
certification to give guidance (and ass covering).

Yes, this is a barrier to entry, but it's also a learned behaviour as buyers
get repeatedly burned.

I would argue that this is equivalent to requiring your plumbers and
electricians to be licensed.

[1] [https://en.wikipedia.org/wiki/Evaluation_Assurance_Level](https://en.wikipedia.org/wiki/Evaluation_Assurance_Level)
[2] [https://www.redhat.com/en/about/press-releases/red-hat-achieves-top-security-certification-for-red-hat-enterprise-linux-6](https://www.redhat.com/en/about/press-releases/red-hat-achieves-top-security-certification-for-red-hat-enterprise-linux-6)

~~~
rdtsc
EAL (Common Criteria) and also FIPS-140-2 for crypto.

