> When the target user runs Winbox Loader software (a utility used for Mikrotik router configuration), this connects to the router and downloads some DLLs (dynamic link libraries) from the router’s file system.
Wait, am I getting this right? The router isn't simply configured via web, telnet, ssh, or a simple proprietary tool that talks its own protocol with the router, but actually a proprietary tool that downloads and executes code from the router that you're trying to configure? If so, why on earth would you design anything like this? What were they thinking? I mean, apparently those DLLs aren't even signed or anything.
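As an added illustration of the missing check the comment above points at (this is example code written for this thread, not Winbox or MikroTik code, and the plugin names and blobs are constructed): a client that fetches loadable modules from the device it manages can at least refuse anything that does not match a digest pinned in the client build. Hash pinning is used here as a simpler stand-in for code signing; a real signature check would verify the manifest against a vendor public key so it can be updated without rebuilding the client.

```python
"""Hash-pinned plugin loading check (example code, not Winbox code).

A hypothetical client holds a manifest of SHA-256 digests for the modules it
is willing to load. Anything fetched from the device that is not in the
manifest, or whose digest differs, is rejected before it is loaded.
"""
import hashlib
import hmac
from typing import Dict

# Constructed sample blobs standing in for code fetched from a device.
GOOD_BLOB = b"MZ\x90\x00" + b"legit plugin code"
EVIL_BLOB = b"MZ\x90\x00" + b"legit plugin code" + b"\x00implant"

# Manifest shipped with the client, computed at build time, never fetched
# from the device being configured. "plugin_a.dll" is a made-up name.
PINNED_DIGESTS: Dict[str, str] = {
    "plugin_a.dll": hashlib.sha256(GOOD_BLOB).hexdigest(),
}


class UntrustedPluginError(Exception):
    """Raised when a fetched module must not be loaded."""


def verify_plugin(name: str, blob: bytes, manifest: Dict[str, str] = PINNED_DIGESTS) -> str:
    """Return the hex digest of blob if it matches the pinned entry for name.

    Raises UntrustedPluginError for unknown names or digest mismatches.
    """
    expected = manifest.get(name)
    if expected is None:
        raise UntrustedPluginError(f"{name}: no pinned digest, refusing to load")
    actual = hashlib.sha256(blob).hexdigest()
    # Constant-time comparison; not strictly needed for public digests but a
    # harmless habit when comparing anything security-relevant.
    if not hmac.compare_digest(actual, expected):
        raise UntrustedPluginError(f"{name}: digest mismatch, refusing to load")
    return actual


def load_plugins(fetched: Dict[str, bytes]) -> Dict[str, bool]:
    """Decide per module whether it would be loaded; True means accepted."""
    results: Dict[str, bool] = {}
    for name, blob in fetched.items():
        try:
            verify_plugin(name, blob)
            results[name] = True
        except UntrustedPluginError:
            results[name] = False
    return results


if __name__ == "__main__":
    print(load_plugins({"plugin_a.dll": GOOD_BLOB}))
    print(load_plugins({"plugin_a.dll": EVIL_BLOB, "unknown.dll": GOOD_BLOB}))
```

The point of the example is the direction of trust: the manifest lives on the client, so a compromised device can only hand back modules the client already vouched for, or nothing.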
This is one of the reasons it's frustrating to have so many routers with proprietary firmware that can't be replaced.
These routers essentially never get updated.
Interesting that the story references this malware's similarities to Project Sauron, and that the two main modules here are named GollumApp and Cahnadr, which looks not entirely dissimilar from how one might play with the Russian version of "Gandalf" if one were to convert the Cyrillic letters into approximate English look-a-likes.
At some point are we going to think signing each IP packet is a good idea? I struggle to see how we can ever clean the internet without something on the order of "I expect packets from this list of server certificates" (OK, I know some malware would alter that list, but that's a much smaller target area to defend).
I am just wondering if this level of unstoppable infection is just going to be it, or are we at the pre-cellular structure of life point in the internet?
It has been very interesting to see a lot of hardware/firmware based vulnerabilities coming out recently, although they have been around for a while.
Different vectors have different advantages but I wonder if there will be a push towards more hardware based anti-malware/vulnerability detection devices.
At this point is there a way for small organizations and individuals to protect themselves from data theft? IP and trade secrets are hard to develop in a closed network without internet access at all points.
Here's a much better link: https://securelist.com/apt-slingshot/84312/ and PDF: https://s3-eu-west-1.amazonaws.com/khub-media/wp-content/upl...
>despite infecting at least 100 computers worldwide.
Really? Then why is it so surprising lol