One Malware to Rule Them All

A newly discovered malware strain, dubbed Project Sauron after Tolkien’s villain in The Lord of the Rings, has been secretly infecting and spying on the world’s top computers for five years.  It’s a fitting moniker, as the dark lord of Middle-Earth was always in his own right associated with espionage.  From the beginning he was a spy of Morgoth, feeding him information about the Valar on the paradisal Isle of Almaren so that Morgoth could eventually cast down the Lamps Illuin and Ormal.  Later, his instruction led the Elf smith Celebrimbor to forge the great rings and distribute them to the various races of Middle-Earth.  All were unaware, however, that Celebrimbor had just delivered malware to their fingers, since Sauron retained remote access to the rings and through them hoped to corrupt their users to his own designs.  These are not the only examples, but if I don’t stop here I’ll never shut up.

Anyway, researchers from Kaspersky Labs discovered the virus this week, software so sophisticated that its development is suspected to have had state assistance.  Either that, or deft mimicry of previous state-sponsored viruses.  Similar to Sauron’s rings, this threat can manifest itself as innocuous, seemingly legitimate files, only to then spy on the compromised computer.  Project Sauron can also steal files, log all keystrokes, and also open a back door to allow the hacker access to the system—much as the real Sauron used the nine rings to bend the Nazgul to his will.

Kaspersky’s experts, meanwhile, claim that they have currently found evidence of the malware at a minimum of 30 organizations in Russia, Iran, Rwanda, China, Sweden and Belgium, specifically in the fields of science, government, military, communications, and finance.  These were seemingly targeted in order to obtain passwords, encryption keys, configuration files and IP addresses related to any encryption software in use.  Another element of the software’s unusual capability, and that of its creators, can be seen in how it was written: that is, in such a way to leave distinct software artifacts in its targets, which complicates discovery of the virus, since security specialists tend to rely on patterns when searching for an infection.

Perhaps the most astonishing thing about Project Sauron, however, is its ability to “jump the air gap.”  What this means is that it can steal data from computers that aren’t even connected to the Internet.  All it takes is a specially prepared USB drive being inserted into the computer, whether through human error or a rogue employee, which is then vulnerable to malware delivered from the drive’s invisible storage space.  How this exfiltration assumes control of a computer, exactly, is not known, but it’s suspected that zero-day exploits are involved.  “Once installed, the main Project Sauron modules start working as ‘sleeper cells,’ displaying no activity of their own and waiting for ‘wake-up’ commands in the incoming network traffic,” Kaspersky researchers wrote, saying that “this method of operation ensures Project Sauron’s extended persistence on the servers of targeted organizations.”

Project Sauron exhibits a level of advancement comparable to infamous strains like Stuxnet, Duqu and Flame, which has led the researchers who found it to their theory of its origins.  At any rate, malware like this highlights how some threats can lurk hidden in the background for years, gathering information, with no one the wiser.