> When the target user runs Winbox Loader software (a utility used for Mikrotik router configuration), this connects to the router and downloads some DLLs (dynamic link libraries) from the router’s file system.
Wait, am I getting this right? The router isn't simply configured via web, telnet, ssh, or a simple proprietary tool that talks its own protocol with the router, but actually a proprietary tool that downloads and executes code from the router that you're trying to configure? If so, why on earth would you design anything like this? What were they thinking? I mean, apparently those DLLs aren't even signed or anything.
You can use any of those methods to configure a Mikrotik router, you don't have to use Winbox.
Winbox has a couple of nice features over the web interface:
- the ability to connect over raw ethernet (rather than IP) which is useful if you've misconfigured the firewall or routing tables
- the ability to broadcast packets to discover new, unconfigured Mikrotik devices
Winbox has previously downloaded components from the router to enable the UI to update the available options based on the firmware on the device. These components are part of the firmware update provided by Mikrotik, which is itself signed and verified before the firmware update is applied. But yes, they were missing a follow-up check between Winbox and the router itself, to ensure the router itself was not tampered with.
Mikrotik's good about this, though. I have several Mikrotiks at home (difficult WLAN due to walls etc), purchased by a company that later upgraded to 802.11n-capable APs. Some of what I have is >10 years old. Mikrotik still makes new OS images for them, and they answer support mail without asking me for a customer number, registration or anything.
To be fair, a whole heap of routers DO have third party firmware available.
Pretty much anything using Qualcomm 802.11a/b/g/n/ac chips usually has OpenWRT/LEDE/DDWRT builds available, and more recent fullmac Broadcom chips are seeing more support.
Quantenna and Mediatek can still be difficult to get working, but they have a far smaller market share.
If you want a good, open-source-friendly router manufacturer for the home, stick to NetGear. They've got an entire community called MyOpenRouter where people provide customised builds of the official firmware, as well as versions of DD-WRT, and NetGear themselves often have a version of OpenWRT available.
I've been running LEDE (OpenWRT) on a Netgear R7800 in my home for the past year and it's been rock steady, is nicer to administer than the stock firmware and I can strip out anything that I don't want running on there very easily with a custom build.
Seconded. LEDE/OpenWRT is now running my and lots of my friends' routers. Once they see my OpenVPN server running on it with a roadwarrior setup that lets me get onto my local network, security cams, and Home Assistant self-hosted home automation stuff they all want one too. Very slick stuff. You can even set up VLANs and lots of other fun advanced features.
Yep, I've got an OpenVPN server running on mine as well for similar reasons.
It's also useful to get fine-grained control of the firewall for parental controls - tag the MAC addresses of the kids' devices as having to use OpenDNS websafe DNS resolvers, then block any other DNS traffic on the firewall and enforce time limits on internet usage.
I've got a small NAS connected to it as well to serve as backup repository for all computers in the house (which is then synced off to a cloud backup storage provider) and media server.
Even if the firmware can be replaced, 99% of the time it won't be. And while it's nice that volunteer hackers are producing third-party firmware, we can't rely on that as the solution for Internet security.
> we can't rely on that as the solution for Internet security.
We could if updating router firmware were an easy and prolific practice.
The reason that it isn't is that it can't be done on most routers, especially the cheaper or ISP-provided ones that most people use.
What we really can't rely on is "security by obscurity". Let's drop the notion that software is more secure simply because you don't release the source.
People maintaining their own cars used to be a prolific practice, but I think we're better off now with cars that require dramatically less maintenance.
Unfortunately the IOT market is in a bad situation because products are advertised as not requiring any maintenance but they aren't reliable enough to live up to that.
We could have automatic updates. There is nothing technical preventing that from happening.
People defragmenting their NTFS filesystems used to be a prolific practice, but I think we're better off now with filesystems that require dramatically less maintenance.
My point is that the only thing holding us back is politics: manufacturers think that it is in their best interest to sell routers with proprietary firmware, even though it really isn't.
Especially now that the remaining OpenWRT devs have seen the light and LEDE is being merged back into the project, with governance modelled on the successful fork.
Interesting that the story references this malware's similarities to Project Sauron, and that the two main modules here are named GollumApp and Cahnadr, which looks not entirely dissimilar from how one might play with the Russian version of "Gandalf" if one were to convert the Cyrillic letters into approximate English look-a-likes.
That is quite an interesting premise for a book. Probably in the same spirit as the subreddit /r/EmpireDidNothingWrong (or whatever it's called), which claims Star Wars is also a series of movies written by the victors (with a heavy dosage of memes).
OTOH the article says explicitly "Text clues in the code suggest it is English-speaking.", so I'm gonna go with non-Russian as a first guess. They also note "accurate attribution is always hard, if not impossible to determine, and increasingly prone to manipulation and error".
The meta-game at this point is open to just about any type of psychological trick. We know/suspect Kaspersky is helping FSB/GRU, but we also know that CIA/NSA store and use fingerprints from other nation states and can assume Russia does the same. So if something looks Russian but Kaspersky reports on it, does that mean it is NSA trying to false flag Russia? Or is it Kaspersky deflecting Russian suspicions and pointing to the US by bringing it to light...6 years later?
The abilities and willingness of certain nation states to wage cyber warfare and make it appear like someone else are so great at this point, that only solid forensic evidence, and usually not even that, can be indicative.
The way to understand this sort of thing is to try to think like someone in their shoes.
First, you're innocent. What would you do over time to try to survive the accusations and suspicion?
Next, you're implicated in past bad acts. Maybe you were forced to stick malicious code in a past version, or maybe you had a rogue employee. What would you do to try to move on?
Finally, you're an active part of the state intelligence apparatus. What would you do to try to appear like one of the other hypotheticals?
There are other possibilities; people get themselves in all sorts of weird situations, but most of them are some shade of the above.
At some point are we going to think signing each IP packet is a good idea? I struggle to see how we can ever clean the internet without something on the order of "I expect packets from this list of servers' certificates" (ok, I know some malware would alter that list, but that's a much smaller target area to defend).
I am just wondering if this level of unstoppable infection is just going to be it, or are we at the pre-cellular structure of life point in the internet?
There's a project called SCION [1] that (among other things) does roughly this. In essence, participants announce their presence over a multicast-type protocol, and in order to send packets to anyone, you must have received a recent announcement from them.
It's a quite fascinating re-imagination of the Internet, solving many of its problems (and probably introducing a whole slew of new ones).
> without something on the order of "I expect packets from this list of servers certificate"
Even now as it is, it's worse than it should be: I can't control which pairs of (address, certificate) will be allowed to be accepted for specific sites. Instead, every browser vendor allows any "man in the middle" with access to any CA (and CAs are known to be very bad(1)) to insert itself between my own server and my own client.
If you want secure browser access to some resource (for values of 'secure' where it matters more than your bank account but less than situations in which you wouldn't trust _any_ browser), you really need to remove certs from any commercial CA and install only the CA you need.
I know that it is possible to somehow achieve that, the thing is, it should be possible by default, so that I can simply say to e.g. my not-too-technical friend "this is my server, this is my cert, click there in your browser to compare the cert for my site before you connect and the browser will provably also not trust anybody else but your check."
This should be a basically available scenario for the secure connection, just like what we have in SSH. Don't believe the "the users are too stupid" excuse. It's just an excuse:
DNSSEC is required to secure DNS responses which can be crucial to prevent "every crooked CA" to issue a cert for you. If CAA was interpreted by the browser, you could determine exactly which CA is trusted to issue certs for your site and DNSSEC would ensure that the browser gets the correct list of trusted CAs.
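To make the CAA point concrete, here is an added example (not from the thread or from any browser) of the issuance decision a CAA-aware client would make, following the RFC 8659 rules: climb from the name to the first ancestor with CAA records, apply issue (or issuewild for wildcard names), and refuse on an unknown critical tag. The zone data is constructed, and the wildcard lookup is simplified to start at the label below the `*`; a real client would resolve these records and require DNSSEC-validated answers, which is exactly why the two mechanisms are paired above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit 7 (0x80) marks the property as issuer-critical
    tag: str     # "issue", "issuewild", "iodef", or a future tag
    value: str   # issuer-domain-name, optionally followed by ";params"


# Constructed zone for illustration only; not real DNS data.
ZONE = {
    "example.com.": [
        CAARecord(0, "issue", "ca-one.example ; validationmethods=dns-01"),
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    "wild.example.com.": [CAARecord(0, "issuewild", ";")],   # no wildcard issuer
    "strict.example.net.": [CAARecord(0x80, "futuretag", "x")],  # unknown critical tag
}


def relevant_rrset(name: str) -> list:
    """Return the first non-empty CAA RRset found walking from name up to the root."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = ZONE.get(".".join(labels[i:]) + ".", [])
        if rrset:
            return rrset
    return []


def issuer_domain(value: str) -> str:
    """Issuer-domain-name part of an issue value; "" (or ";") means 'nobody'."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(fqdn: str, issuer: str) -> bool:
    """Decide whether `issuer` is permitted to issue a certificate for fqdn."""
    wildcard = fqdn.startswith("*.")
    rrset = relevant_rrset(fqdn[2:] if wildcard else fqdn)
    known = ("issue", "issuewild", "iodef")
    # A critical property the client does not understand forbids issuance.
    if any(r.flags & 0x80 and r.tag.lower() not in known for r in rrset):
        return False
    issue = [r for r in rrset if r.tag.lower() == "issue"]
    wild = [r for r in rrset if r.tag.lower() == "issuewild"]
    applicable = wild if (wildcard and wild) else issue
    if not applicable:
        return True   # no restricting property in the relevant RRset
    return issuer.lower() in {issuer_domain(r.value) for r in applicable}
```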
We did at one point, IPsec was the future that never happened. Protocol RFCs used to justify lack of crypto because ipsec was going to cover it soon[1]. Then VPN gateway vendors gave IPsec a hug of death and drowned out the end-to-end IPsec vision, TLS became popular and didn't require OS support, etc. There were problems with IPsec too of course, it was too complicated, OS support was colourful, no standard APIs for apps to configure or query IPsec status etc.
I don't really see how that would help. The victim's computer expected to connect to the router, because the victim's computer was intentionally downloading and running dlls from the router.
I don't think it would help with the initial compromise of the router either. Buffer overflows (for example) can be exploited over https just as well as http, and that would be similar for other cryptographic strategies.
It has been very interesting to see a lot of hardware/firmware based vulnerabilities coming out recently, although they have been around for a while.
Different vectors have different advantages but I wonder if there will be a push towards more hardware based anti-malware/vulnerability detection devices.
At this point is there a way for small organizations and individuals to protect themselves from data theft? IP and trade secrets are hard to develop in a closed network without internet access at all points.
At the same time many MikroTik models are for ISP/micro-ISP setups, that have hundreds of people behind a router. An administrator machine being compromised could potentially expose many other network devices and allow tens of thousands of people to be compromised.
Of all infections, this is the type an administrator should be most worried about. It's rare, but exceptionally damaging. Most A/V tools aren't going to catch it, so unless you are monitoring all IP activity from your computer and doing offline filesystem checks, a virus like this could compromise your systems for years.
Not being sarcastic but sometimes it's about quality, not quantity.
Usually something this sophisticated is used to target specific individuals/organizations as they aren't generic botnet/bitcoin mining operations.
They might be after specific info and after they get it, they might even wipe their tracks as it's better to have a tool that nobody knows to look for than one that can get on as many computers as possible.
Reminded me of this book I very much enjoyed about Stuxnet - "Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon". Stuxnet was a targeted attack directed at Iran's nuclear program. Quality, not quantity indeed. Super interesting to learn about these things!
Stuxnet was highly targeted malware and certainly extremely sophisticated. That said, it infected probably >200,000 computer systems. To the parent's point, it makes it easy to get a sample due to the volume of breaches. 100 targets with a highly covert mission objective is a different type of threat model compared to Stuxnet.
Yeah, that bugs me a bit about this story. The (known) targets seem unimpressive for an attack tool this sophisticated. (Unless the targeted individuals were not just "individuals", but individuals who were prominent in certain organizations...)
I didn't either. I read it as "activists", and on re-reading, I can't see where I got that. The actual targets could be a lot more important than that...
If no known target thus far is high-profile, it could very well be that the current targets are guinea-pig-targets that test the malware for future applications.
There's a big difference between an indiscriminate worm and a targeted attack. Those 100 computers are high-value targets and would have been carefully guarded. Hiding in an environment like that is pretty impressive.