Symantec and Kaspersky Lab last week separately announced the discovery of a highly sophisticated advanced persistent threat that had eluded security researchers for at least five years.
A previously unknown group called “Strider” has been using Remsec, an advanced tool that seems to be designed primarily for spying. Its code contains a reference to Sauron, the main villain in The Lord of the Rings, according to Symantec.
The APT spyware is called “ProjectSauron” or “Strider” in Kaspersky’s report.
The malware has been active since at least October 2011, Symantec said. It obtained a sample after its behavioral engine detected it on a customer’s systems.
Kaspersky found out about ProjectSauron when its software caught an executable library registered as a Windows password filter loaded in the memory of a Windows domain controller. The library had access to sensitive data in cleartext.
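The way Kaspersky first caught it, a DLL registered as an LSA password filter and loaded into a domain controller's LSASS, points at a check defenders can run themselves. The PowerShell below is an added example, not code from the article, Symantec or Kaspersky; the allow-list of default filter names is an assumption to be adjusted for the Windows build in question.

```powershell
# Added example (not from the article or the vendors): list the password-filter
# DLLs registered for LSASS and flag any that are off-baseline or unsigned.
# Run as Administrator on the domain controller you want to inspect.
# Assumption: the baseline below is a constructed default; adjust per build.
$KnownFilters = @('scecli', 'rassfm')

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
# 'Notification Packages' is REG_MULTI_SZ: one DLL base name per entry, loaded by
# LSASS from %SystemRoot%\System32 at boot. A filter registered here sees every
# password change in cleartext, which is why this value deserves a baseline.
$packages = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages'

$findings = foreach ($name in $packages) {
    $dllPath = Join-Path $env:SystemRoot "System32\$name.dll"
    $exists  = Test-Path -LiteralPath $dllPath
    # Status is 'Valid' for a trusted Authenticode signature; anything else is worth a look.
    $sig     = if ($exists) { (Get-AuthenticodeSignature -FilePath $dllPath).Status } else { 'FileMissing' }
    $onList  = $KnownFilters -contains $name   # -contains is case-insensitive
    [pscustomobject]@{
        Entry      = $name
        Path       = $dllPath
        OnBaseline = $onList
        Signature  = $sig
        Suspicious = (-not $onList) -or ($sig -ne 'Valid')
    }
}

$findings | Format-Table -AutoSize

# Second signal: is the module actually resident in lsass.exe right now? This catches
# a filter that was loaded at boot and later wiped from disk to hide its footprint.
$loaded = @()
try {
    $lsass  = Get-Process -Name lsass -ErrorAction Stop
    $loaded = $lsass.Modules | ForEach-Object { $_.ModuleName }
} catch {
    # Enumerating LSASS modules needs admin rights and may be blocked when LSASS runs as PPL.
    Write-Warning "Could not enumerate LSASS modules: $_"
}

foreach ($f in ($findings | Where-Object { $_.Suspicious })) {
    $resident = $loaded -contains "$($f.Entry).dll"
    Write-Warning ("Unexpected password filter '{0}' (signature: {1}); resident in LSASS: {2}" -f $f.Entry, $f.Signature, $resident)
}
```

Any entry flagged here should be compared against the same value on a known-good controller before acting; a legitimate third-party filter (for example a password-policy product) will also show up as off-baseline until it is added to the list.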
“Learning that some sophisticated malware has been running in your infrastructure for half a decade without detection is certainly painful,” said Sándor Bálint, security lead for applied data science at Balabit.
“Installing antivirus software and running a personal firewall provide only a bare minimum of protection,” he told TechNewsWorld.
The spyware is modular, and it includes a network monitor. It can deploy custom modules as required. It opens backdoors on infected computers, and it can log keystrokes and steal files.
Its modules create a framework that provides complete control over an infected computer, Symantec said, moving across a network and stealing data.
Encryption is heavily used to prevent detection, as are stealth features. Several components are in the form of executable Binary Large OBjects, or blobs, which are difficult for traditional antivirus software to detect, according to Symantec.
Further, much of the spyware’s functionality is deployed over the network, so it resides only in a computer’s memory and not on disk — again, making detection difficult.