Sauron's Spies Are Everywhere — Even on Computers

Sauron's Spies Are Everywhere  Even on Computers New Line/Lushik/Turnervisual/Getty
Sauron's Spies Are Everywhere Even on Computers New Line/Lushik/Turnervisual/Getty

Security researchers recently identified an insidiously clever piece of malware that went unnoticed for at least five years. Half a decade! Experts at Symantec call it "Remsec," while others call it "Strider," but the folks at Kaspersky Lab gave it the name "ProjectSauron," after the main antagonist in "The Lord of the Rings."

We all know which name is best.


The malware is sophisticated and modular. An attacker can modify the malware to best fit the intended target machine. This poses a big challenge for security experts, who typically look for patterns to find evidence of malware (both Kaspersky and Symantec say they've uncovered evidence of ProjectSauron, according to the BBC). With a customizable approach, patterns are few and far between.

It also takes advantage of zero-day exploits, which are security vulnerabilities in software that not even the software's creator knows about. Attacking through a zero-day exploit gives you a huge advantage — no one knows what to look out for. Once someone identifies and patches a vulnerability that avenue can be shut off.

On top of that, the attackers used different methods of infecting computer systems. One was to infect computers through USB storage drives. This means attackers could aim for computers that have no connection to the Internet. Such devices are called "air gap" computers. Typically, these computers are part of critical systems, such as a country's nuclear weapons program.

To infect those computers, you need physical access to the machines. Whether attackers connected the USB storage devices themselves or convinced someone else to do it through social engineering is impossible to say right now. But the first step is plugging the USB cable into the port on a target machine.

The malware on the storage device hides its true purpose from simple detection methods. A virtual file system undetectable by Windows is on the storage drive. It can file away sensitive data such as cryptographic keys, passwords and IP addresses of computer servers for critical systems. You know, top secret stuff.

Exfiltration — that's computer security speak for retrieving the data — relied on a few methods. For systems that had either a direct or indirect connection to the Internet, the hackers used domain name server requests to mask data transmissions. ProjectSauron could send data when the network was busy with high-volume traffic, allowing the stolen info to get lost in the general shuffle. Air-gapped systems present more of a challenge — you need to get physical access to the USB storage drives (or have someone on the inside collect the data for you).

In fact, the whole operation is so complicated and sophisticated that security experts are pretty sure it must be the product of a state-sponsored program. Developing the technology would cost millions of dollars. And the programmers must have studied earlier examples of malware to develop a set of best practices. After all, it worked for five years.

The targets include facilities in Rwanda, China, Sweden, Belgium, Russia and Iran. And that just represents the identified systems — the malware is hard to detect and it may be present on thousands of other machines. Research experts aren't pointing fingers at any particular country as being responsible, but looking at the targets might lead some to create a short list of possible suspects.

Do you need to worry about ProjectSauron? If you're not in charge of a critical computer system in a highly classified department, you're probably OK. But just to be on the safe side, don't plug in any USB drives you received from a stranger into your computer for the next few years.