Security software vendor Symantec has announced its discovery of a highly sophisticated and persistent threat that operated unnoticed by security researchers for roughly five years.
Kaspersky Lab independently caught on to the malware's existence and published its own findings.
A previously unknown group, which Symantec calls "Strider", has been using an advanced spyware tool that Symantec names Remsec. Both vendors note that the malware's code contains references to Sauron, the main villain in The Lord of the Rings. Kaspersky's report accordingly names the actor and its toolkit "ProjectSauron", while Symantec's uses "Strider" for the group and "Remsec" for the malware.
According to Symantec, ProjectSauron has been active in its customers' systems since at least October 2011. Kaspersky traced ProjectSauron after its software found an executable library, registered as a Windows password filter, loaded in the memory of a Windows domain controller. A password filter runs inside the LSASS process and receives every new password in cleartext, which is what makes that position so valuable to an attacker who wants to harvest credentials for an entire domain.
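The registration Kaspersky stumbled on is easy to audit. The script below is an added example and is not code from either vendor's report: it enumerates the password filters registered on the local domain controller, checks that each one resolves to a signed DLL in System32, and flags anything outside a baseline. The baseline list and the 30-day "recently written" threshold are assumptions to adjust for your environment; run it elevated on each DC.

```powershell
# Added example: audit LSA password-filter registrations on a domain controller.
# A password filter is any DLL named in the REG_MULTI_SZ value "Notification Packages"
# under the Lsa key. LSASS loads each one from %SystemRoot%\System32 at boot and calls
# its PasswordChangeNotify export with every cleartext password that is set or changed.

# Assumption: scecli and rassfm are the filters Windows itself ships on a DC. Add any
# filter your organization deploys deliberately; everything else is worth a look.
$Baseline = @('scecli', 'rassfm')
$LsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$RecentDays = 30   # assumption: how far back a DLL write time counts as "recent"

$Packages = (Get-ItemProperty -Path $LsaKey -Name 'Notification Packages').'Notification Packages'

$Findings = foreach ($Name in $Packages) {
    # Entries are stored without the .dll extension; LSASS appends it at load time.
    $File   = Join-Path $env:SystemRoot ("System32\{0}.dll" -f $Name)
    $Exists = Test-Path -LiteralPath $File
    $Sig    = if ($Exists) { Get-AuthenticodeSignature -LiteralPath $File } else { $null }

    [pscustomobject]@{
        Package    = $Name
        Path       = $File
        InBaseline = ($Baseline -contains $Name)
        Exists     = $Exists
        Signature  = if ($Sig) { $Sig.Status } else { 'n/a' }
        Signer     = if ($Sig -and $Sig.SignerCertificate) { $Sig.SignerCertificate.Subject } else { 'n/a' }
        LastWrite  = if ($Exists) { (Get-Item -LiteralPath $File).LastWriteTimeUtc } else { $null }
    }
}

$Findings | Format-Table -AutoSize

# Flag anything not in the baseline, not validly signed, or written recently.
$Cutoff  = (Get-Date).ToUniversalTime().AddDays(-$RecentDays)
$Suspect = $Findings | Where-Object {
    (-not $_.InBaseline) -or
    ($_.Signature -ne 'Valid') -or
    ($_.LastWrite -and $_.LastWrite -gt $Cutoff)
}

if ($Suspect) {
    Write-Warning ("Review these password filter registrations: {0}" -f ($Suspect.Package -join ', '))
} else {
    Write-Host 'No unexpected password filters registered.'
}
```

The registry value is only half the picture: a filter that is already loaded stays resident until LSASS restarts, so pair this check with the Security log, where event ID 4614 ("A notification package has been loaded by the Security Account Manager") records every filter LSASS actually loaded at boot, and with image-load telemetry from your EDR or Sysmon for lsass.exe. A valid Authenticode signature is a useful filter for noise, not proof of legitimacy.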
“Learning that some sophisticated malware has been running in your infrastructure for half a decade without detection is certainly painful,” admitted Sandor Balint, security lead for applied data science at Balabit. “Installing antivirus software and running a personal firewall provide only a bare minimum of protection,” he warned.
Symantec found that the spyware is built on a modular framework that gives its operators complete control over infected computers and lets them move across networks stealing data. It also uses strong encryption and stealth techniques to avoid detection. Some components are delivered as binary large objects (BLOBs), which current antivirus software has difficulty inspecting, and much of the toolkit is deployed over the network and runs in memory, so it never has to be written to a computer's disk.
The targets span the globe. Symantec detected infections on 36 computers belonging to seven organizations in Russia, China, Sweden and Belgium, while Kaspersky separately reported victims in Russia, Iran and Rwanda, with indications of activity in Italy.
While the targeted organizations could be considered minor players compared with, for example, large government bodies, “the fact that they’re not the typical targets of APT campaigns makes this more interesting,” said Jon DiMaggio, senior threat intelligence analyst at Symantec.
Both Symantec and Kaspersky have suggested that a nation-state may be behind the new APT. According to Kaspersky, ProjectSauron shares notable similarities with Flame, Duqu and Regin; Flame and Duqu have been linked in earlier reporting to US intelligence agencies, including the NSA.
Although the spyware has gone quiet, DiMaggio said that Symantec “cannot comment on whether or not the operations have ceased.” He added that if the spyware was created by a nation-state, “it is likely only a matter of time before new Strider attacks begin against new victims and targets.”
Red Canary CEO Brian Beyer said that mitigating a breach is a lot like treating cancer:
“Even after extensive and successful treatment, the patient is in remission, not cured, and needs more intensive health checks for life to identify any troubling activity early,” he explained.
Balabit CEO Zoltan Gyorko said that the Strider APT’s ability to mimic password filter modules was “yet another clear sign that passwords are dead and behavior is the new authentication. The only way to catch these attacks is to spot changes in the behavior of users at the endpoints.”