Getting Geeky: ProjectSauron

Code Fragment from ProjectSauron

WC is going to get geeky here: be warned.

It seems that for at least five years, there has been a very sophisticated malware tool out in the digital universe that is a kind of Swiss Army knife of hacking tools. It is so sophisticated that it was almost certainly developed by a government somewhere. Quite possibly the United States.

ProjectSauron was discovered when Kaspersky Lab, one of the leading software security companies, was asked to determine why an unnamed government computer network had high volumes of network traffic. What Kaspersky found was a previously unknown, extremely powerful malware platform. We’ll have a look at some of the very clever features of this hacker powerhouse.

On an infected computer, ProjectSauron generates a special program that tells the computer it is a password filter. Password filters establish and enforce the rules for your computer’s passwords: so many characters long, a mix of numbers and letters. As a password filter, the program necessarily sees every one of the passwords that the infected computer uses. And the malware relays all that information to the bad guys.
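One way a defender can check for the password-filter trick just described. This is an added example, not code from this post or from Kaspersky’s report; it assumes a Windows host, where password filters are registered by name in the LSA “Notification Packages” registry value and loaded from System32, and it assumes a baseline of the Windows-supplied names scecli and rassfm, which you should adjust to your own build.

```python
"""Audit LSA password-filter registrations (added example, not from the post)."""
import hashlib
import os
import sys

# Assumption: the filters Windows itself ships with. Anything else needs a look.
KNOWN_GOOD = {"scecli", "rassfm"}


def parse_notification_packages(raw):
    """REG_MULTI_SZ arrives as a list of names (winreg) or a NUL-joined string."""
    if isinstance(raw, str):
        raw = raw.split("\0")
    return [name.strip() for name in raw if name.strip()]


def find_unexpected_filters(packages, known_good=KNOWN_GOOD):
    """Return registered filter names that are not in the baseline, in order."""
    return [p for p in packages if p.lower() not in known_good]


def describe_dll(name, system32):
    """Resolve a filter name to the DLL LSA would load and hash it for allowlisting."""
    path = os.path.join(system32, name + ".dll")
    if not os.path.isfile(path):
        return {"name": name, "path": path, "present": False, "sha256": None}
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {"name": name, "path": path, "present": True, "sha256": digest}


def read_live_packages():
    """Read the live registry value; only meaningful on a Windows host."""
    import winreg
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SYSTEM\CurrentControlSet\Control\Lsa")
    value, _ = winreg.QueryValueEx(key, "Notification Packages")
    return parse_notification_packages(value)


if __name__ == "__main__":
    if sys.platform == "win32":
        packages = read_live_packages()
    else:
        # Constructed sample standing in for a registry read on other platforms.
        packages = parse_notification_packages("scecli\0rassfm\0filter42\0")
    system32 = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    for name in find_unexpected_filters(packages):
        print("unexpected password filter:", describe_dll(name, system32))
```

A name outside the baseline is not proof of compromise, but the DLL it points at is exactly the file to pull and examine.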

The classic way to protect your computer from internet-based attacks was to simply not connect the computer to the ‘net. In the computer security business, it’s called “air-gapping,” because there’s nothing but air between the secure computer and the internet. Of course, you still need to get data to and from the air-gapped computer. An air-gapped computer does that with USB thumb drives. Special software on the air-gapped computer scans the directory of the USB thumb drive each time it’s connected to make certain there is no malware. ProjectSauron defeats the air-gap by creating a special, hidden directory – marked as bad blocks – on the USB thumb drive. The code in the hidden directory executes when the drive is inserted into the air-gapped computer.

ProjectSauron has a large number of “sleeper modules,” programs that aren’t active until they receive a coded message from outside. That makes it very hard for malware detection programs to find ProjectSauron. The “sleeper modules” exist only in active memory; they can’t be detected by scanning the infected computer’s hard disk. When ProjectSauron does need to write a file, it disguises the name and then securely deletes the file afterwards.

At least some of the ProjectSauron modules are designed to perform specific functions like stealing documents, recording keystrokes, and hijacking encryption keys from both infected computers and attached USB sticks.

Worse still, ProjectSauron’s modular structure is extensible, meaning that still more modules can be downloaded through the internet. That allows the bad guys to tailor their attacks to a specific computer. So we don’t know and can’t know everything that ProjectSauron can do.

Even the way ProjectSauron talks to the bad guys is pretty sophisticated. Instead of sending data in one continuous stream that might be monitored and detected, ProjectSauron sends parts over several different communication protocols, hiding the stolen data in different streams of data. One of those data streams involves construction of an apparently benign email message with a binary attachment. The attachment is the stolen data from your computer, encrypted. ProjectSauron then sends the fake email directly, bypassing the protections in your mail server application.

It says a lot about just how well-disguised ProjectSauron is that it has been “in the wild,” spying on folks’ data, for five years without being detected. But now the malware cat is well and truly out of the bag. What was likely state-sponsored malware will be studied and replicated by the criminal bad guys, who will use it to attack us.

Doubtless, Kaspersky and Symantec and the other software security companies will devise detection tools for ProjectSauron, but the tricks and techniques in this new super-malware can be lifted, tweaked and made invisible. The escalating digital arms race will ratchet up another notch.