Encryption keeps Strider malware hidden for 5 years

Security researchers have discovered a nasty piece of spyware that’s being called “super-sophisticated” due to its use of encryption, which helped it stay hidden for five years.

Symantec and Kasperksy Lab earlier this month uncovered a piece of spyware known as Ramsec, which was launched by a hacking group dubbed “ProjectSauron,” a nod to The Lord of the Rings villain referenced in the code, which is also known as “Strider.”

According to reports, the spyware is modular and includes a network monitor. It can also deploy custom modules as required. Once it infects a computer, it can open backdoors, log keystrokes and steal files, researchers said. From there, it can create a framework that gives attackers complete control over an infected machine, then traverses a network stealing data.

What makes this spyware particularly powerful is its heavy use of encryption and other stealth features that help it avoid detection and fly under the radar of traditional anti-virus and cyber security software. Because the spyware’s functionality is deployed over the network, it resides in a computer’s memory, not on the disk, which makes it that much harder to detect.

“Symantec has found evidence of infections in 36 computers across seven separate organisations. It has detected it in individuals’ PCs in Russia, in an airline in China, in an organisation in Sweden, and in an embassy in Belgium …” TechNewsWorld reported. “Kaspersky has found more than 30 infected organisations in Russia, Iran and Rwanda, and it suspects that Italy might also have been targeted.”

While the spyware appears to have gone dark, both firms suggested that a nation-state may be behind the attack. Symantec’s Jon DiMaggio told TechNewsWorld that if it is a nation-state attacker “it is likely only a matter of time before Strider attacks begin against new victims and targets.”Hiding in (not so) plain sight This recent discovery is just one of myriad threats that can hide in encrypted traffic. The amount of encrypted traffic is expected to more than double this year — it’s estimated that 67 per cent of traffic will be encrypted this year, up from just over 29 per cent last year. By 2017, more than half of the network attacks targeting enterprises will use encrypted traffic to bypass controls.

The increasing number of threats attempting to go undetected by hiding in encrypted traffic reaffirms the importance of an SSL inspection platform that empowers businesses to decrypt and analyse traffic to better protect their systems and their data.

In a study commissioned by A10 Networks, the Ponemon Institute surveyed 1,023 IT and IT security practitioners and found that of the 81 per cent of respondents who were victims of a cyberattack or malicious insider activity over the last 12 months, 41 per cent suffered an attack where actors evaded detection by obfuscating their activities and/or payload within SSL encryption. However, nearly two-thirds of respondents said their organisations cannot detect malicious SSL traffic.

An SSL inspection platform can help companies eliminate blind spots in defences, scale performance and throughput to successfully counter cyber attacks and prevent costly data breaches and loss of intellectual property by detecting advanced threats, fast.

Duncan Hughes, Systems Engineering Director EMEA for A10 Networks

Photo Credit: andriano.cz/Shutterstock