Super-Sophisticated Spyware Spotted After 5-Year Run

2016.08.18

Symantec and Kaspersky Lab last week separately announced the discovery of a highly sophisticated advanced persistent threat that had eluded security researchers for at least five years.

A previously unknown group called “Strider” has been using Remsec, an advanced tool that seems to be designed primarily for spying. Its code contains a reference to Sauron, the main villain in The Lord of the Rings, according to Symantec.

The APT spyware is called “ProjectSauron” or “Strider” in Kaspersky’s report.

The malware has been active since at least October 2011, Symantec said. It obtained a sample after its behavioral engine detected it on a customer’s systems.

Kaspersky found out about ProjectSauron when its software caught an executable library registered as a Windows password filter loaded in the memory of a Windows domain controller. The library had access to sensitive data in cleartext.
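As an added defender-side example (not code from the article or from either vendor's report), the following Python script audits the LSA "Notification Packages" registry list, where Windows password filter DLLs are registered, against an expected baseline; the baseline names and the constructed sample value are assumptions to adjust for your own domain controllers.

```python
"""Audit the LSA 'Notification Packages' list, where password filter DLLs
are registered, against a baseline of expected entries.

Assumptions (not from the article): the baseline names below are what the
auditor expects on their own domain controllers; adjust them for your
environment. The sample value is constructed for the demonstration.
"""
import sys

# Registry location of the password-filter registration (REG_MULTI_SZ).
LSA_KEY = r"SYSTEM\CurrentControlSet\Control\Lsa"
VALUE_NAME = "Notification Packages"

# Baseline assumed for this example: packages an admin expects on a DC.
EXPECTED_PACKAGES = {"scecli", "rassfm"}


def audit_notification_packages(packages, expected=EXPECTED_PACKAGES):
    """Return entries that are not in the baseline (case-insensitive).

    Each entry is a DLL base name as stored in the registry. Empty strings
    are ignored; comparison ignores case and a trailing '.dll'.
    """
    expected_norm = {p.lower() for p in expected}
    unexpected = []
    for entry in packages:
        name = entry.strip()
        if not name:
            continue
        norm = name.lower()
        if norm.endswith(".dll"):
            norm = norm[:-4]
        if norm not in expected_norm:
            unexpected.append(name)
    return unexpected


def read_live_packages():
    """Read the live value on a Windows host; returns a list of strings."""
    import winreg  # only available on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, LSA_KEY) as key:
        value, value_type = winreg.QueryValueEx(key, VALUE_NAME)
    if value_type != winreg.REG_MULTI_SZ:
        raise ValueError(f"unexpected registry type {value_type}")
    return list(value)


if __name__ == "__main__":
    if sys.platform == "win32":
        packages = read_live_packages()
    else:
        # Constructed sample standing in for a domain controller's value.
        packages = ["rassfm", "scecli", "unknownfilter"]
    for entry in audit_notification_packages(packages):
        print(f"unexpected password filter registered: {entry}")
```

Any name the script flags should be checked on disk (the DLL lives in System32) and its load confirmed on the domain controller before it is removed.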

“Learning that some sophisticated malware has been running in your infrastructure for half a decade without detection is certainly painful,” said Sándor Bálint, security lead for applied data science at Balabit.

“Installing antivirus software and running a personal firewall provide only a bare minimum of protection,” he told TechNewsWorld.

Antimalware systems “stop 99.999 percent of known attacks,” claimed Balabit CEO Zoltán Györkő.

However, the Strider APT mimicked a password filter module, which “is yet another clear sign that passwords are dead and behavior is the new authentication,” he told TechNewsWorld. “The only way to catch these attacks is to spot changes in the behavior of users at the end points.”