

Project Sauron, Super Malware & Spyware



posted on Sep, 5 2016 @ 08:41 AM
I have heard about this off and on over the last two or three years.
This is the first publicly written report I've seen on it.
This is some very nasty code.
I have heard about in-depth intrusion software in the past, but something of this nature and sophistication in the wild is a major game changer.

Project Sauron: that's the name of the sinister malware that has been spying on government computers and computers at major organizations for over five years. Researchers who have detected this malware have given it the name Project Sauron because of the reference to Sauron, the main antagonist in J. R. R. Tolkien's 'Lord of the Rings', in its source code. Project Sauron was reportedly first detected on an unspecified government network last September in the course of investigating some malicious activity that was detected on one of the machines in the network. Subsequent probes revealed that the malware was present in many other networks too. Project Sauron has been found in the networks of at least 30 organizations. This includes government networks and strategic ones like the networks of military, financial and telecommunications organizations. Reports say that the malware has been detected in an airline in China, an embassy in Belgium, and an unidentified organization in Sweden. Researchers who probed the issue found the presence of a strange executable file that claimed to be a Windows password filter. Whenever a user would log on or enter a password, this executable would start up. This malware could be used to steal passwords, encryption keys, configuration files and log stores, which would then be passed on directly to the hackers. Next, the malware logs keystrokes and thereby opens a backdoor for a hacker to take control of a system or network. Project Sauron is a malware that's almost impossible to detect and, unlike usual malware, appears differently on different systems/networks. The malware doesn't leave behind tell-tale signs like other malware would, and thus it becomes rather difficult to identify other infections. The creators of Project Sauron make sure that no two infections are similar and that no two infected systems create the same software "artifacts".
The malware is also able to disguise itself in many ways, for example as files with names similar to those published by Microsoft. The method of sending data back to the hacker is also not always the same. This would baffle researchers who are constantly looking for patterns. Project Sauron is, in fact, a very sophisticated malware and can get through some of the most extensive firewalls too. The malware could also infect systems which are air-gapped, which are not connected to the internet and thus not accessible to usual malware. Here the entry is made possible through specially prepared USB drives, which would appear to be like the usual mass storage devices, but would also contain a hidden partition of several hundred MB. A virtual file system is stored here which makes possible the transfer of data from air-gapped systems. Researchers think that this rather complex attack is done making use of some unknown and undiscovered zero-day vulnerability. Well, this zero-day vulnerability angle is just speculation and is yet to be confirmed. Project Sauron, which is a very sophisticated malware, is still the subject of analysis, and researchers even think of the possibility of some government-sponsored group being behind the whole thing.
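The article's "strange executable that claimed to be a Windows password filter" refers to the LSA password-filter mechanism: LSASS loads every DLL named in the `Notification Packages` value under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa` and hands it each password change, which is why such a component sees credentials in the clear. The following audit script is an added example for defenders (not code from the thread or from any of the cited reports); it lists the registered packages and flags any that are off the host's expected baseline or not validly signed. The allow-list is an assumption about a default Windows install and should be adjusted per environment.

```powershell
# Added example: audit LSA password-filter registrations on this host.
# LSASS loads each name in the REG_MULTI_SZ value "Notification Packages"
# as <name>.dll from System32 (a full path may also be given).
# Assumption: $allowList is this host's known-good baseline; Windows ships
# 'scecli' by default and 'rassfm' on hosts with RRAS components.
$lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$allowList = @('scecli', 'rassfm')

$packages = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages'

foreach ($pkg in $packages) {
    if ([string]::IsNullOrWhiteSpace($pkg)) { continue }

    # Resolve the DLL the way LSASS would: bare name -> System32\<name>.dll
    $dll = if ($pkg -match '\\') { $pkg } else { Join-Path $env:SystemRoot "System32\$pkg.dll" }

    $status = [ordered]@{
        Package  = $pkg
        Path     = $dll
        Baseline = ($allowList -contains $pkg)
    }

    if (Test-Path -LiteralPath $dll) {
        $sig = Get-AuthenticodeSignature -FilePath $dll
        $status.SignatureStatus = $sig.Status
        $status.Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        $status.SHA256 = (Get-FileHash -LiteralPath $dll -Algorithm SHA256).Hash
    } else {
        # A registered name with no file on disk is itself worth explaining.
        $status.SignatureStatus = 'FileMissing'
        $status.Signer = $null
        $status.SHA256 = $null
    }

    # Off-baseline or not validly signed: review, hash, and correlate with
    # logon/password-change activity before deciding it is benign.
    $status.Suspicious = (-not $status.Baseline) -or ($status.SignatureStatus -ne 'Valid')
    [pscustomobject]$status
}
```

Run from an elevated prompt; rows with `Suspicious = True` identify the DLLs that receive plaintext passwords and are not part of the expected set.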


posted on Sep, 5 2016 @ 09:00 AM
a reply to: flatbush71
It's just a copy-cat. It's also far from being the first public article.

“Here the entry is made possible through specially prepared USB drives, which would appear to be like the usual mass storage devices, but would also contain a hidden partition with a virtual file system, which makes possible the transfer of data from air-gapped systems,” Comodo said, adding that this rather complex attack may be done by making use of some unknown and undiscovered zero-day vulnerability. “[The] zero-day vulnerability angle is just speculation and is yet to be confirmed,” they added.

Uh, never heard about that bad USB behavior, must be an undiscovered zero-day... (sarcasm). Who are these "researchers"? If you do a search, you will get more detailed information from more knowledgeable people.

This, however, is just a translated article from the German online magazine "Heise"/PC-Welt.
Here is an article from 09.08.2016 (German)

edit on 5-9-2016 by verschickter because: (no reason given)

posted on Sep, 5 2016 @ 09:14 AM
Thanks for the links, verschickter!!!

Here's the Wired English translation per Google

Security experts have discovered a malware that has apparently been present on certain computer systems for at least five years. The perfect disguise of the malware suggests a state-sanctioned development at the highest level. Even after its discovery, virus scanners remain virtually powerless. Both Kaspersky Lab and Symantec have published reports on the malware, writes t3n. In Kaspersky's software it is currently called Project Sauron, while the competition at Symantec has named it Remsec; elsewhere Strider is used. The super Trojan spreads via USB sticks, even bypassing protections, and remains undetected on the target system thanks to an ingenious modular structure. According to Kaspersky, Project Sauron was first discovered last year, when a government organization commissioned the company to analyze irregularities in its own traffic. Project Sauron has now been discovered on the systems of at least 30 organizations, according to Kaspersky, including governments, research institutions, military networks, telecommunications companies and banks, in countries including Russia, China, Sweden and Belgium. Project Sauron / Remsec consists of about 50 modules, which can be adapted to the target as required. So there are no identical patterns on different computers, which makes it extremely difficult to find. Changing IP addresses are also used for control from outside. The victims discovered so far are therefore likely to represent only a fraction of the actually infected systems. Kaspersky Lab believes that the development of the spy program, which spies out passwords, encryption and configuration files, must have cost several million dollars; a state sponsor for such an intelligence tool is therefore plausible. Like Equation, Regin, Duqu, Careto and other similar Trojans, Kaspersky has classified Project Sauron as an advanced persistent threat.
This makes it one of the top tools in cyber espionage, one which can also sound out offline systems, and against which there is currently no effective protection.

And the heise article in English here

ProjectSauron is a large-scale and ongoing espionage campaign that is targeting government and economic institutions. Security researchers from Kaspersky first encountered the sniffing Trojan in September 2015, analyzed its complex operation and have now published a report. The results suggest that a "nation-state threat actor" has been operating from July 2011 to the present. The espionage campaigns are modular and the masterminds have ready-made solutions for different targets, Kaspersky explained. Affected are computers with different versions of Windows.

Targeting encrypted information
ProjectSauron is said to have specifically targeted encrypted communication and thereby selectively filtered out data. In order to evaluate the copied information, the pest tries to obtain passwords and keys wherever possible. So far, infections of, among others, governmental organizations and the military in Italian countries, Iran, Rwanda and Russia are known. Other organizations and regions are, according to Kaspersky, probably also affected. In its procedure ProjectSauron is oriented toward professional spy software such as Duqu, Equation, Flame and Regin. The backers of ProjectSauron are said to have adopted many techniques of Lost Dreams. In addition, other tactics have been implemented so that ProjectSauron can operate undetected, the security researchers explain. The original route of infection is unknown to this day.

Avoiding patterns
So that the spying Trojan causes as little stir as possible in its work, it is said to consciously avoid patterns and hide effectively. According to Kaspersky, ProjectSauron always tailors individual campaigns for its targets, which are used only once in a particular form. Accordingly, some core elements of an operation always have different file names and sizes in order to hamper discovery. In addition, the threat encrypts its modules and network protocols.
When a computer is infected, ProjectSauron is said to abuse the scripts of legitimate software updates and work as a backdoor. In this way the attacker can download new modules and commands, which the threat runs in memory. Moreover, according to the security researchers, ProjectSauron relies on Lua scripts for reasons of flexibility, which is rarely the case with malware. In this way the developers can implement more than 50 plug-ins. The pest is also said to be able to sneak onto air-gapped systems that are not connected to a network or the Internet. That is done via a prepared USB stick, on which the copied information is stored in a hidden area, Kaspersky explained. (of)

edit on 5-9-2016 by flatbush71 because: (no reason given)

posted on Sep, 5 2016 @ 05:02 PM
Hmm... It was all fine and dandy until that bit about remote USB connection! Really? I'll have to look into that.

Thanks for sharing.

posted on Sep, 5 2016 @ 06:38 PM
a reply to: surfer_soul
Because you misunderstood that part. It jumped the air gap via infected and prepared USB drives, not wireless/remote in the sense of USB ports being able to emit and receive via radio waves.

Although, the NSA has made it possible with manipulated USB jacks and cables:

Look for "cottonmouth".

posted on Sep, 6 2016 @ 04:00 PM
a reply to: verschickter

Thanks for the info, I'll check it out.
