Image credit: Thomas Trutschel/Photothek via Getty Images

Sophisticated malware attacks through routers

It's likely the creation of a government surveillance agency.

Security researchers at Kaspersky Lab have discovered what's likely to be another state-sponsored malware strain, and this one is more advanced than most. Nicknamed Slingshot, the code spies on PCs through a multi-layer attack that targets MikroTik routers. It first replaces a library file with a malicious version that downloads other malicious components, and then launches a clever two-pronged attack on the computers themselves. One, Canhadr, runs low-level kernel code that effectively gives the intruder free rein, including deep access to storage and memory; the other, GollumApp, focuses on the user level and includes code to coordinate efforts, manage the file system and keep the malware alive.

Kaspersky describes these two elements as "masterpieces," and for good reason. For one, it's no mean feat to run hostile kernel code without crashes. Slingshot also stores its malware files in an encrypted virtual file system, encrypts every text string in its modules, calls services directly (to avoid tripping security software checks) and even shuts components down when forensic tools are active. If there's a common method of detecting malware or identifying its behavior, Slingshot likely has a defense against it. It's no wonder that the code has been active since at least 2012 -- no one knew it was there.

The malware can effectively steal whatever it wants, including keyboard strokes, network traffic, passwords and screenshots. It's not certain how Slingshot gets into a system besides taking advantage of the router management software, but Kaspersky pointed to "several" instances

The combination of this sophistication with the spying focus led Kaspersky to believe that it's likely the creation of a state agency -- it rivals the Regin malware GCHQ used to spy on Belgian carrier Belgacom. And while text clues hint that English speakers might be responsible, the culprit isn't clear. Just shy of 100 individuals, government outfits and institutions fell prey to Slingshot in countries including Afghanistan, Iraq, Jordan, Kenya, Libya and Turkey. It could be one of the Five Eyes countries (Australia, Canada, New Zealand, the UK and the US) keeping watch on nations with significant terrorism issues, but that's far from certain.

Slingshot should be fixed as of recent MikroTik router firmware updates. The concern, as you might guess, is that other router makers might be affected. If they are, there's a possibility that Slingshot has a far wider reach and is still taking sensitive data.
