14:40 GMT +323 February 2017
Live
    Hacking

    Security Firm Uncovers 'Strange' Malware in Russian, Iranian Govt Computers

    © Flickr/ Ivan David Gomez Arce
    Tech
    Get short URL
    84232223

    According to researchers at Kaspersky Lab, a malware code known as "Project Sauron" has been operating undetected since 2011.

    "In September 2015, Kaspersky Lab’s Anti-Targeted Attack Platform discovered anomalous network traffic in a government organization network," reads a report published by the software company on Monday.

    "Analysis of this incident led to the discovery of a strange executable program library loaded into the memory of the domain controller server…Additional research revealed signs of a previously unknown threat actor, responsible for large-scale attacks against key governmental entities."

    The malware has been discovered on at least 30 targets and has been active for some five years. Given that it went this long without detection, the software firm suspects a state-sponsored group is behind the release.

    "The attackers clearly understand that we as researchers are always looking for patterns. Remove the patterns and the operations will be harder to discover," the report reads.

    "We are aware of more than 30 organizations attacked, but we are sure that this is just a tiny tip of the iceberg."

    Detailing the exact number of infected servers could prove difficult. While most malware reuses certain parts of code, Project Sauron appears to customize itself for each target. Uncovering it in one server does little to help track it down in others.

    Even stranger, Project Sauron can infect computers that are not connected to the internet.

    "To achieve this, removable USB devices are used. Once networked systems are compromised, the attackers wait for a USB drive to be attached to the infected machine," the report says.

    "These USBs are specially formatted to reduce the size of the partition on the USB disk, reserving an amount of hidden data (several hundred megabytes) at the end of the disk for malicious purposes."

    The malware’s primary goal appears to be to obtain passwords, IP addresses, cryptographic keys, and configuration files. While researchers have not revealed which government agencies were infected, Kaspersky Lab did confirm it infected servers in Russia, Iran, and Rwanda.

    Researchers also said they could not confirm which nation may have been behind the virus.

    "When dealing with the most advanced threat actors, as is the case with Project Sauron, attribution becomes an unsolvable problem."

    Related:

    Hacker Who Posts Porn on Daesh Twitter Accounts Promises Not to Stop
    Kosovo Hacker Assembled Daesh Kill List With Data on 1,351 US Officials
    'Is This a Joke?': US Media Not Getting Behind Clinton's Russian Hacker Story
    Tags:
    computer virus, malware, Project Sauron, Kaspersky Lab, Iran, Russia
    Community standardsDiscussion
    Comment via FacebookComment via Sputnik
    • Сomment

    All comments

    • avatar
      jas
      Researchers also said they could not confirm which nation may have been behind the virus.
      --
      Israel and the US, again. I solved that mystery in 3 seconds.
    • avatar
      jas
      Some readers may also have an interest in the Kaspersky blog. I think it's worth reading. It let me know I had an update on my phone even though one was made only last week.
      threatpost.com
    • avatar
      michaelin reply tojas(Show commentHide comment)
      jas, they do have a good rep. Thanks for the reminder. :)
    • avatar
      jasin reply tomichael(Show commentHide comment)
      michael, Thanks for the reply. One of favorite quotes came from Eric Raymond: "No problem should ever have to be solved twice." Share solutions to problems.
    • avatar
      Free man
      Information Technology is one of the keys to sovereignty. Maybe Russia should envision to develop its own software and hardware technologies.
    • avatar
      michaelin reply tojas(Show commentHide comment)
      jas, I do like the Raymond quote - excellent. Thanks! :)
    Show new comments (0)