Yet Another Government-Sponsored Malware

Both Kaspersky and Symantec have uncovered another piece of malware that seems to be a government design:

The malware -- known alternatively as "ProjectSauron" by researchers from Kaspersky Lab and "Remsec" by their counterparts from Symantec -- has been active since at least 2011 and has been discovered on 30 or so targets. Its ability to operate undetected for five years is a testament to its creators, who clearly studied other state-sponsored hacking groups in an attempt to replicate their advances and avoid their mistakes.

[...]

Part of what makes ProjectSauron so impressive is its ability to collect data from computers considered so sensitive by their operators that they have no Internet connection. To do this, the malware uses specially prepared USB storage drives that have a virtual file system that isn't viewable by the Windows operating system. To infected computers, the removable drives appear to be approved devices, but behind the scenes are several hundred megabytes reserved for storing data that is kept on the "air-gapped" machines. The arrangement works even against computers in which data-loss prevention software blocks the use of unknown USB drives.

Kaspersky researchers still aren't sure precisely how the USB-enabled exfiltration works. The presence of the invisible storage area doesn't in itself allow attackers to seize control of air-gapped computers. The researchers suspect the capability is used only in rare cases and requires use of a zero-day exploit that has yet to be discovered. In all, Project Sauron is made up of at least 50 modules that can be mixed and matched to suit the objectives of each individual infection.

"Once installed, the main Project Sauron modules start working as 'sleeper cells,' displaying no activity of their own and waiting for 'wake-up' commands in the incoming network traffic," Kaspersky researchers wrote in a separate blog post. "This method of operation ensures Project Sauron's extended persistence on the servers of targeted organizations."

We don't know who designed this, but it certainly seems likely to be a country with a serious cyberespionage budget.
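The simplest way to reserve space on a USB stick that the host's file system never shows is to leave it outside any partition (or to make the drive under-report its size). The following added example is not code from this post, from Ars Technica, or from the Kaspersky or Symantec reports; it parses a constructed MBR, compares the partitioned area against the device's reported sector count, and reports unallocated regions above a size threshold, the kind of check an administrator could run against approved drives. It assumes the hidden area is unpartitioned; a region hidden inside an allocated partition, or in vendor-reserved flash the controller never exposes, is out of reach of this check.

```python
import struct

SECTOR_BYTES = 512
MB = 1024 * 1024


def parse_mbr_partitions(mbr: bytes) -> list:
    """Return the non-empty primary partition entries of an MBR, sorted by start LBA.

    Each entry is a dict with keys 'type', 'start' and 'count' (in sectors).
    Raises ValueError if the 0x55AA boot signature is missing.
    """
    if len(mbr) < SECTOR_BYTES or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = 446 + 16 * i                     # partition table starts at byte 446
        ptype = mbr[off + 4]                   # partition type byte
        start_lba, count = struct.unpack_from("<II", mbr, off + 8)
        if ptype != 0 and count > 0:
            parts.append({"type": ptype, "start": start_lba, "count": count})
    return sorted(parts, key=lambda p: p["start"])


def unallocated_regions(parts: list, device_sectors: int) -> list:
    """Return (start_lba, sector_count) gaps not covered by any partition."""
    regions = []
    cursor = 1                                  # LBA 0 holds the MBR itself
    for p in parts:
        if p["start"] > cursor:
            regions.append((cursor, p["start"] - cursor))
        cursor = max(cursor, p["start"] + p["count"])
    if device_sectors > cursor:                 # space after the last partition
        regions.append((cursor, device_sectors - cursor))
    return regions


def suspicious_regions(mbr: bytes, device_sectors: int, threshold_mb: int = 64) -> list:
    """Flag unallocated regions at least threshold_mb large.

    Small gaps (the usual 1 MiB alignment gap before the first partition) are
    ignored; a few hundred megabytes of unpartitioned space on a removable
    drive is worth a look.
    """
    parts = parse_mbr_partitions(mbr)
    flagged = []
    for start, count in unallocated_regions(parts, device_sectors):
        size_mb = count * SECTOR_BYTES / MB
        if size_mb >= threshold_mb:
            flagged.append({"start_lba": start, "sectors": count, "size_mb": size_mb})
    return flagged


def build_sample_mbr(entries: list) -> bytes:
    """Construct a minimal MBR from (type, start_lba, count) tuples (test data only)."""
    mbr = bytearray(SECTOR_BYTES)
    for i, (ptype, start, count) in enumerate(entries):
        off = 446 + 16 * i
        mbr[off + 4] = ptype
        struct.pack_into("<II", mbr, off + 8, start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


# Constructed sample: a 4 GiB stick with one FAT32 (0x0C) partition that stops
# 300 MiB short of the end, leaving an unpartitioned tail.
DEVICE_SECTORS = 4 * 1024 * MB // SECTOR_BYTES          # 8388608 sectors
HIDDEN_SECTORS = 300 * MB // SECTOR_BYTES               # 614400 sectors
SAMPLE_MBR = build_sample_mbr([(0x0C, 2048, DEVICE_SECTORS - 2048 - HIDDEN_SECTORS)])

if __name__ == "__main__":
    for r in suspicious_regions(SAMPLE_MBR, DEVICE_SECTORS):
        print("unallocated region at LBA %d: %d sectors (%.1f MiB)"
              % (r["start_lba"], r["sectors"], r["size_mb"]))
```

Against a real drive on Linux, the first 512 bytes of the block device supply the MBR and `blockdev --getsz` the sector count; a GPT-partitioned drive needs a GPT parser instead, which this example does not include.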

EDITED TO ADD (8/15): Nicholas Weaver's comment on the malware and what it means.

Posted on August 15, 2016 at 1:43 PM • 24 Comments

Comments

k15 • August 15, 2016 1:57 PM

Off topic: Bruce, why do apps and websites not fix security flaws that have been reported to them? And why do others not even provide a channel for making reports?

r • August 15, 2016 2:33 PM

@k15,

https://yro.slashdot.org/story/16/08/14/1728250/can-we-avoid-government-surveillance-by-leaving-the-grid

Discuss! fast-flux penetration or slow cold infiltration?

Security flaws have been reported to end users for ages, do we apply fixes to ourselves?

Do we cut out our tongues for the sharing of secrets? Do we lop off fingers and hands for &trig? Do we stone and ridicule the public? (yes)

Ridicule is not radical, it's as old (if not older) as exile and justice.

Law was created to balance the public want vs the public need.

ianf thinks I am leaky, doesn't add O+P+M and DPI/inference. Doesn't recognize someone trying to be honest with a good foot forward in public, despite reticence.

Where I live, we had a rapist in the park - he got caught - but that stopped women from going down there alone and sometimes at all. Sometimes they over compensated with not leaving their homes, it's a nutty world out there.

What's the balance?

There are simple fixes, I could die from smoking cigarettes - I could die from driving my car. Changing the environment? You'd better start acting like green peace, but then again... They've made great strides against the parasite's para-sites haven't they?

To me, the whole hands-offish stuff is starting to look more and more like the FCC and various other CPAs (consumer protection agencies). Keep the market open, when people are fed up with FUDrakers they will gravitate towards responsible entities. If you mandate restrictions now you may cripple development and lose your edge in a non-mediated enternational (that's the carrot) market.

It would be nice wouldn't it? If we legislated all American companies secure their code, their clients, their computers... But what we do mandate is that for public decency they fasten their belts, they don't steal from us - and they do their (half-assed in some cases) best to maintain a stable environment. We're not asking for undue things, we're not mandating you pay some super coder $500 an hour to audit your 200kloc. If you want to you can, and then you can advertise THAT. You can make a half-assertion like OpenBSD: "Only two remote holes in the default install in a heck of a long time."

You can code better, you can buy better but what you're asking is: can we be better?

Can you sell better?

Certainly, but the market is open and it's waiting for you as either a buyer - or as a seller.

Daniel • August 15, 2016 4:21 PM

So who has the links for the downloads so that I can install this on the computer of
the neighbor I hate and frame him for child pornography? Yes, that's dark humor but you and I both know that it won't be long before this malware shows up at the public library or internet cafe of choice.

Clive Robinson • August 15, 2016 7:14 PM

The thing is that so far from what has been said there appears to be no original ideas in the code.

For instance,

    To do this, the malware uses specially prepared USB storage drives that have a virtual file system that isn't viewable by the Windows operating system.

This is not new, there are Russian sites you can search for that have software to repurpose and resize USB thumb drives. At the simplest you can change the size the thumb drive says it is. This trick has been used by "supply chain crooks" to make small thumb drives look bigger than they really are.

As for jumping "air gaps" I worked out ways to do this when thinking about how to sabotage voting machines quite a few years ago (I talked about it on this blog long prior to stuxnet).

Alien Jerky • August 15, 2016 7:16 PM

A little off-topic, sort of

http://www.bbc.com/news/technology-37084009

A French security researcher says he managed to turn the tables on a cyber-scammer by sending him malware.

Technical support scams try to convince people to buy expensive software to fix imaginary problems.

But Ivan Kwiatkowski played along with the scheme until he was asked to send credit card details. He instead sent an attachment containing ransomware.

He told the BBC he wanted to waste the man's time to make the scheme unprofitable.

Wael • August 15, 2016 7:29 PM

    Attribution is hard and reliable attribution is rarely possible in cyberspace. [...] Rather than speculate on the perpetrators behind such a sophisticated attack, we instead highlight a few relevant observations made during analysis.

Basically means, don't attribute anything to us (Russia,) implying the previous DNC thing. I am wondering if the timing is related to that incident. Another question I have is when did they really find out about this malware, and how can they assert it was active since 2011?

    ProjectSauron is able to ex-filtrate data from air-gapped networks by using specially-prepared USB storage drives where data is stored in an area invisible to the operating system.

Some possibilities: USB Drive aids person to take data out and pass inspection, because the payload is hidden. USB Drive goes from work to home, where the security controls are lax, then USB Drive starts the upload process after it infects the home computer (target is bad OpSec and people who don't conform to internal security guidelines.) Happened in a previous thread with USB drives that are "lost" in parking lots -- I wonder if the two stories are related. In a good security environment, USB ports must be locked down (user convenience must suffer.)

    displaying no activity of their own and waiting for 'wake-up' commands in the incoming network traffic.

How would an air-gapped computer receive a 'wakeup' command? Is it a sound? And after the malware is activated, how is the data going to jump the air-gap?

    This suggests that originally the ProjectSauron developers worked and tested their code on systems with a Latin character set and only after deploying it in a real-world scenario found Lua's features deficient. Instead of scraping their interpreter of choice, they decided to modify it to implement the missing features.

This is really hard to believe.

    The Italian keywords and filenames targeted by ProjectSauron data theft modules can be translated as...

The hacking group?

    Most ProjectSauron modules contain standard embedded usage output in proficient English, i.e. -r Resolve hosts that answer, -l Print only replying Ips. -m Do not display MAC addresses. That basically means, if I read between the lines, it's not a Chinese developer, because it's really hard to screw up these lines of text :)

    However, there is no common style of outputting module usage and it varies from module to module. Here is an example of a different usage output...

So it's a team of Unix old timers and younger types. Also modules were constructed by developers with different skill sets from an OS target perspective. It could also be indicative of multi-country collaboration efforts, or a single small group that integrated various modules obtained from several places.

    It seems that the same developer created several tools, as indicated by further identical-style usage formatting.

That's not the only possible suspicion! Code going through review and conformance to certain coding guidelines would produce similar styles. Another possibility is two or more developers who worked on certain opensource projects and are used to same style...

    The term cruft is rarely used by non-native speakers

A clever "attacker" would run the code through an obfuscation engine (not the one that makes it hard to understand) to massage the comments and print statements to have the desired profile, I would think.


Wael • August 15, 2016 7:43 PM

I missed a slash somewhere -- gotta fix this one!

    Most ProjectSauron modules contain standard embedded usage output in proficient English, i.e. -r Resolve hosts that answer, -l Print only replying Ips. -m Do not display MAC addresses.

That basically means, if I read between the lines, it's not a Chinese developer, because it's really hard to screw up these lines of text :)

I'll also link it to a possibly related thread.

Joe Stalin • August 15, 2016 7:43 PM

Kaspersky = Rooskies, da? So why does Bruce now believe the Rooskies instead of blaming them for hacking the NSA tools?

Rob B • August 15, 2016 10:26 PM

All our external USB devices are white listed...only after an extensive amount of paperwork and four management-level signatures. We are the purchasers of the devices, so unless they're infected at the factory or in-transit, we're safe after a complete format before use, right?

Nope. The users have been told not to take the things home or plug them into other clients, but frankly, I have no way of monitoring if they are.

Marcos Malo • August 15, 2016 11:07 PM

@Rob B
Obvs, you need Bluetooth interpreted in your external USB devices for tracking purposes. :D (What could possibly go wrong?)

Joe K • August 15, 2016 11:59 PM

From the Kaspersky blog post:

    Interestingly, while most of the words and extensions above are in the English language, several of them point to Italian, such as: 'codice', 'strCodUtente' and 'segreto'.

    Keywords / filenames targeted by ProjectSauron data theft modules:

    Italian keyword → Translation
    • Codice → code
    • CodUtente → Usercode
    • Segreto → Secret

    This suggests the attackers had prepared to attack Italian-speaking targets as well. However, we are not aware of any Italian victims of ProjectSauron at the moment.

@Wael Responding to a similar passage, you say, "The hacking group?"

You posit Hacking Team as a target?

As long as we're making conjectures, based on targeted Italian filenames, then how about Libya?

Wael • August 16, 2016 12:10 AM

@Joe K,

    You posit Hacking Team as a target?

No, I meant as a developer. And I also meant "Team", not "Group" -- thanks.

    then how about Libya?

A few fighting tribes doing this? Unlikely, they have much bigger problems occupying them.

Wael • August 16, 2016 12:20 AM

@Joe K,

But if you mean Libya was a target, and since they claim the malware was active since 2011, then that's very likely. Although they'd have better chances looking at Arabic encoding.

Perhaps that's how Qadhafi was found, since we're conjecturing about ;)

Herman • August 16, 2016 1:39 AM

A proper air gap system actually has a double air gap. There is a special machine, which is used to scan the incoming media and rewrite the data to new media. The media is used once only and shredded after use.

ianf • August 16, 2016 1:45 AM

Joe K: […] then how about Libya?

    Wael: A few fighting tribes doing this? Unlikely, they have much bigger problems occupying them.
CORRECTION: … much bigger problems to cause, more like it—but of course macho infighting trumps everything. Also, Qadhafi was captured by some militia inside an oversized irrigation(?) pipe – how do you encrypt that.

Wael • August 16, 2016 1:55 AM

@ianf,

    much bigger problems to cause, more like i

That too!

    Qadhafi was captured by some militia inside an oversized irrigation(?) pipe – how do you encrypt that.

That's not a cryptography-like tactic; it's steganography-like.

Clive Robinson • August 17, 2016 4:59 AM

@ SchneieronSecurityFan,

    Survey of exfiltration of data from air-gapped computer methods

Yup, sound or any other mechanical vibration signal that can radiate through air or conduct through solids will, just like an EM signal, cross an "air-gap". It's why I differentiate between "air-gaps" and "energy-gaps", with air-gaps being not just a subset but also a very very poor cousin of "energy-gaps".

EmSec in its various forms is about controlling energy, not just in its ability to travel outside a controlled environment, but its bandwidth, coherence and what form it gets transported to before it inevitably leaves the controlled environment. Whilst --almost-- easy to say, it is quite complex not just in practice but in theory as well.

SchneieronSecurityFan • August 17, 2016 11:59 AM

@ Clive Robinson

I wonder if there's a standard for computer cases, both tower and rack-mountable, that takes into account energy emissions, both acoustic and electro-magnetic, that is beyond the current FCC EM emissions standard in the U. S., for instance.
