Hacker News new | comments | ask | show | jobs | submit login
Potent malware that hid for six years spread through routers (securelist.com)
203 points by jonbaer 11 months ago | hide | past | web | favorite | 63 comments

> When the target user runs Winbox Loader software (a utility used for Mikrotik router configuration), this connects to the router and downloads some DLLs (dynamic link libraries) from the router’s file system.

Wait, am I getting this right? The router isn't simply configured via web, telnet, ssh, or a simple proprietary tool that talks its own protocol with the router, but actually a proprietary tool that downloads and executes code from the router that you're trying to configure? If so, why on earth would you design anything like this? What were they thinking? I mean, apparently those DLLs aren't even signed or anything.

You can use any of those methods to configure a Mikrotik router, you don't have to use Winbox.

Winbox has a couple of nice features over the web interface:

- the ability to connect over raw ethernet (rather than IP) which is useful if you've misconfigured the firewall or routing tables

- the ability to broadcast packets to discover new, unconfigured Mikrotik devices

Winbox has previously downloaded components from the router to enable the UI to update the available options based on the firmware on the device. These components are part of the firmware update provided by Mikrotik, which is itself signed and verified before the firmware update is applied. But yes, they were missing a follow up check between Winbox and the router itself, to ensure the router itself was not tampered with.

This is one of the reasons it's frustrating to have so many routers with proprietary firmware that can't be replaced.

These routers essentially never get updated.

Mikrotik's good about this, though. I have several Mikrotiks at home (difficult WLAN due to walls etc), purchased by a company that later upgraded to 802.11n-capable APs. Some of what I have is >10 years old. Mikrotik still makes new OS images for them, and they answer support mail without asking me for a customer number, registration or anything.

To be fair, a whole heap of routers DO have third party firmware available.

Pretty much anything using Qualcomm 802.11a/b/g/n/ac chips usually has OpenWRT/LEDE/DDWRT builds available, and more recent fullmac Broadcom chips are seeing more support.

Quantenna and Mediatek can still be difficult to get working, but they have a far smaller market share.

If you want a good, open-source friendly, router manufacturer for the home stick to NetGear. They've got an entire community called MyOpenRouter where people provide customised builds of the official firmware, as well as versions of DD-WRT and NetGear themselves often have a version of OpenWRT available.

I've been running LEDE (OpenWRT) on a Netgear R7800 in my home for the past year and it's been rock steady, is nicer to administer than the stock firmware and I can strip out anything that I don't want running on there very easily with a custom build.

Seconded. LEDE/OpenWRT is now running my and lots of my friends' routers. Once they see my OpenVPN server running on it with a roadwarrior setup that lets me get onto my local network, security cams, and Home Assistant self-hosted home automation stuff they all want one too. Very slick stuff. You can even set up VLANs and lots of other fun advanced features.

Yep, I've got an OpenVPN server running on mine as well for similar reasons.

It's also useful to get fine-grained control of the firewall for parental controls - tag the mac addresses of the kids devices as having to use OpenDNS websafe DNS resolvers, then block any other DNS traffic on the firewall and enforce time limits on internet usage.

I've got a small NAS connected to it as well to serve as backup repository for all computers in the house (which is then synced off to a cloud backup storage provider) and media server.

Microtik gets frequent updates. You get what you pay for.

Crap router for $20, no updates. Microtik or other well supported router for >$100, I've done about 20 updates since I got it years ago.

Even if the firmware can be replaced, 99% of the time it won't be. And while it's nice that volunteer hackers are producing third-party firmware, we can't rely on that as the solution for Internet security.

> we can't rely on that as the solution for Internet security.

We could if updating router firmware were an easy and prolific practice.

The reason that it isn't is that it can't be done on most routers, especially the cheaper or ISP-provided ones that most people use.

What we really can't rely on is "security by obscurity". Let's drop the notion that software is more secure simply because you don't release the source.

People maintaining their own cars used to be a prolific practice, but I think we're better off now with cars that require dramatically less maintenance.

Unfortunately the IOT market is in a bad situation because products are advertised as not requiring any maintenance but they aren't reliable enough to live up to that.

We could have automatic updates. There is nothing technical preventing that from happening.

People defragmenting their NTFS filesystems used to be a prolific practice, but I think we're better off now with filesystems that require dramatically less maintenance.

My point is that the only thing holding us back is politics: manufacturers think that it is in their best interest to sell routers with proprietary firmware, even though it really isn't.

OpenWRT and the Turris Omnia are an interesting alternative, for home/SOHO use.

I'm not sure how I feel about a router with a built in simcard slot.

Does that mean that it has the 4g radio built in as well?

Can I trust that chip and hte software that runs on it?

Do you own a smartphone? You've got less access to the 4G chip there.

The 4G card is an option on the Turris. You could always use a Quectel card and then run Linux on that, too!

LTE is an mPCi expansion. The LTE chipset is not included by default.

Conversion instructions:


Especially now that the remaining OpenWRT devs have seen the light and LEDE is being merged back into the project, with governance modelled on the successful fork.

Interesting that the story references this malware's similarities to Project Sauron, and that the two main modules here are named GollumApp and Cahnadr, which looks not entirely dissimilar from how one might play with the Russian version of "Gandalf" if one were to convert the Cyrillic letters into approximate English look-a-likes.

There's a rich history of Russian appreciation of Lord of the Rings, see e.g. https://en.wikipedia.org/wiki/The_Last_Ringbearer.

That is quite an interesting premise for a book. Probably in the same spirit as the subreddit /r/EmpireDidNothingWrong (or how they call it) which claims Star Wars is also a series of movies written by the victors (with a heavy dosage of memes)

OTOH the article says explicitly "Text clues in the code suggest it is English-speaking.", so I'm gonna go with non-Russian as a first guess. They also note "accurate attribution is always hard, if not impossible to determine, and increasingly prone to manipulation and error".

Cahnadr Гандальф how is it similar :)?

I can see the visual similarity. Г=C, а=a, н=H, д=n...

Would Kaspersky Labs report on Russian malware?

The meta-game at this point is open to just about any type of psychological trick. We know/suspect Kaspersky helping FSB/GRU, but we also know that CIA/NSA store and use fingerprints from other nation states and can assume Russia does the same. So if something looks Russian but Kaspersky reports on it, does that mean it is NSA trying to false flag Russia? Or is it Kaspersky deflecting Russian suspicions and pointing to the US by bringing it to light...6 years later?

The abilities and willingness of certain nation states to wage cyber warfare and make it appear like someone else are so great at this point, that only solid forensic evidence, and usually not even that, can be indicative.

>So if something looks Russian but Kaspersky reports on it, does that mean it is NSA trying to false flag Russia?

It could be Russian, it could be not. What is really important that only the Kaspersky reported it.

The way to understand this sort of thing is to try to think like someone in their shoes.

First, you're innocent. What would you do over time to try to survive the accusations and suspicion?

Next, you're implicated in past bad acts. Maybe you were forced to stick malicious code in a past version, or maybe you had a rogue employee. What would you do to try to move on?

Finally, you're an active part of the state intelligence apparatus. What would you do to try to appear like one of the other hypotheticals?

There are other possibilities; people get themselves in all sorts of weird situations, but most of them are some shade of the above.

If you are an av company you can't just whitelist every other piece of malware.

which is exactly the kind of string symbol the US might use :)

At some point are we going to think signing each IP packet is a good idea? I struggle to see how we can ever clean the internet without something on the order of "I expect packets from this list of servers certificate" (ok I know some malware would alter that list but that's a much smaller target area to defend)

I am just wondering if this level of unstoppable infection is just going to be it, or are we at the pre-cellular structure of life point in the internet?

There's a project called SCION [1] that (among other things) does roughly this. In essence, participants announce their presence over a multicast-type protocol, and in order to send packets to anyone, you must have received a recent announcement from them.

It's a quite fascinating re-imagination of the Internet, solving many of its problems (and probably introducing a whole slew of new ones).

[1] https://www.scion-architecture.net/

> without something on the order of "I expect packets from this list of servers certificate"

Even now as it is it's worse than it should be: I can't control which pairs of (address,certificate) will be allowed to be accepted for specific sites. Instead, every browser vendor allows any "man in the middle" with the access to any CA (and CA's are known to be very bad(1)) to insert itself between my own server and my own client.

1) Read and weep: https://arstechnica.com/information-technology/2018/03/23000...

If you want secure browser access to some resource (for values of 'secure' where it matters more than your bank account but less than situations in which you wouldn't trust _any_ browser), you really need to remove certs from any commercial CA and install only the CA you need.

I know that it is possible to somehow achieve that, the thing is, it should be possible by default, so that I can simply say to e.g. my not-too-technical friend "this is my server, this is my cert, click there in your browser to compare the cert for my site before you connect and the browser will provably also not trust anybody else but your check."

This should be a basically available scenario for the secure connection, just like what we have in SSH. Don't believe "the users are too stupid" excuse. It's just an excuse:


We simply shouldn't have to have the "trust in every crooked CA" when we connect to the servers we directly know.

If we get DNSSEC (or a less complicated alternative) working in widespread use then we could simply parse CAA records in the browser.

That way a website owner can whitelist only a very specific CA for their certificates.

Ideally with DNSSEC we could also get DANE and issue our own certificates and CA's would only be necessary as cosigner for OV, EV and similar.

The problem I describe and its easy solution are completely independent of DNSSEC.

DNSSEC is required to secure DNS responses which can be crucial to prevent "every crooked CA" to issue a cert for you. If CAA was interpreted by the browser, you could determine exactly which CA is trusted to issue certs for your site and DNSSEC would ensure that the browser gets the correct list of trusted CAs.

We did at one point, IPsec was the future that never happened. Protocol RFCs used to justify lack of crypto because ipsec was going to cover it soon[1]. Then VPN gateway vendors gave IPsec a hug of death and drowned out the end-to-end IPsec vision, TLS became popular and didn't require OS support, etc. There were problems with IPsec too of course, it was too complicated, OS support was colourful, no standard APIs for apps to configure or query IPsec status etc.


I don't really see how that would help. The victim's computer expected to connect to the router, because the victim's computer was intentionally downloading and running dlls from the router.

I don't think it would help with the initial compromise of the router either. Buffer overflows (for example) can be exploited over https just as well as http, and that would be similar for other cryptographic strategies.

Does QUIC do this in a way?

It has been very interesting to see a lot of hardware/firmware based vulnerabilities coming out recently, although they have been around for a while.

Different vectors have different advantages but I wonder if there will be a push towards more hardware based anti-malware/vulnerability detection devices.

At this point is there a way for small organizations and individuals to protect themselves from data theft? IP and trade secrets are hard to develop in a closed network without internet access at all points.

you can never 100% eliminate the risk of data theft.

all you can do is implement controls that manage that risk based on how valuable the data is.

certain controls like mandatory 2FA give a very good bang-for-buck, highly recommend it for an organization of any size

How do you plan on keeping the employees from being able to access the data? Even the NSA has a slight problem on this front.

I believe L. Bob Rife had some thoughts on that.


Thanks, we changed to the first link from https://arstechnica.com/information-technology/2018/03/poten..., which cribs content from it.

>despite infecting at least 100 computers worldwide.

Really? Then why is it so surprising lol

At the same time many MikroTik models are for ISP/micro-ISP setups, that have hundreds of people behind a router. An administrator machine being compromised could potentially expose many other network devices and allow tens of thousands of people to be compromised.

Of all infections, this is the type an administrator should be most worried about. Its rare, but exceptionally damaging. Most A/V tools aren't going to catch it, so unless you are monitoring all IP activity from your computer and doing offline filesystem checks, a virus like this could compromise your systems for years.

Not being sarcastic but sometimes it's about quality, not quantity.

Usually something this sophisticated is used to target specific individuals/organizations as they aren't generic botnet/bitcoin mining operations.

They might be after specific info and after they get it, they might even wipe their tracks as it's better to have a tool that nobody knows to look for than one that can get on as many computers as possible.

Reminded me of this book I very much enjoyed about Stuxnet - "Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon". Stuxnet was a targeted attack directed at Iran's nuclear program. Quality, not quantity indeed. Super interesting to learn about these things!

Stuxnet was highly targeted malware and certainly extremely sogisticated. That said, it infected probably >200,000 computer systems. To the parents point, it makes it easy to get a sample due to the volume of breaches. 100 targets with a highly covert mission objective is a different type of threat model compared to stux

Wasnt this attack triggered by scattering payloaded USBs around the facility, and someone plugged it in? lol

Yeah, that bugs me a bit about this story. The (known) targets seem unimpressive for an attack tool this sophisticated. (Unless the targeted individuals were not just "individuals", but individuals who were prominent in certain organizations...)

> Unless the targeted individuals were not just "individuals", but individuals who were prominent in certain organizations...

I have to assume that's absolutely the case here. I didn't read this as "100 random individuals" being infected.

I didn't either. I read it as "activists", and on re-reading, I can't see where I got that. The actual targets could be a lot more important than that...

Yeah this kind of APT work seems like it would be targeted at high-value individuals, for either political or economic espionage..

So leaders of industry or government, etc..

If no known target thus far is high-profile, it could very well be that the current targets are guinea-pig-targets that test the malware for future applications.

There's a big difference between an indiscriminate worm and a targeted attack. Those 100 computers are high-value targets and would have been carefully guarded. Hiding in an environment like that is pretty impressive.

Come on, we're not talking about countries with any impressive capabilities here. https://s3-eu-west-1.amazonaws.com/khub-media/wp-content/upl...

There's nothing impressive about hiding on these governments networks for years.

Ars needs to generate ad revenue.

Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact