Encryption Keeps Strider Malware Hidden for 5 Years

Security researchers have discovered a nasty piece of spyware that’s being called “super-sophisticated” due to its use of encryption, which helped it stay hidden for five years.

Symantec and Kasperksy Lab earlier this month uncovered a piece of spyware known as Ramsec, which was launched by a hacking group dubbed “ProjectSauron,” a nod to The Lord of the Rings villain referenced in the code, which is also known as “Strider.”

According to reports, the spyware is modular and includes a network monitor. It can also deploy custom modules as required. Once it infects a computer, it can open backdoors, log keystrokes and steal files, researchers said. From there, it can create a framework that gives attackers complete control over an infected machine, then traverses a network stealing data.

What makes this spyware particularly powerful is its heavy use of encryption and other stealth features that help it avoid detection and fly under the radar of traditional anti-virus and cyber security software. Because the spyware’s functionality is deployed over the network, it resides in a computer’s memory, not on the disk, which makes it that much harder to detect.

“Symantec has found evidence of infections in 36 computers across seven separate organizations. It has detected it in individuals' PCs in Russia, in an airline in China, in an organization in Sweden, and in an embassy in Belgium …” TechNewsWorld reported. “Kaspersky has found more than 30 infected organizations in Russia, Iran and Rwanda, and it suspects that Italy also have might been targeted.”

While the spyware appears to have gone dark, both firms suggested that a nation-state may be behind the attack. Symantec’s Jon DiMaggio told TechNewsWorld that if it is a nation-state attacker “it is likely only a matter of time before Strider attacks begin against new victims and targets.”

Hiding in (not so) plain sight
This recent discovery is just one of myriad threats that can hide in encrypted traffic. The amount of encrypted traffic is expected to more than double this year — it’s estimated that 67 percent of traffic will be encrypted this year, up from just over 29 percent last year. By 2017, more than half of the network attacks targeting enterprises will use encrypted traffic to bypass controls.

The increasing number of threats attempting to go undetected by hiding in encrypted traffic reaffirms the importance of an SSL inspection platform that empowers businesses to decrypt and analyze traffic to better protect their systems and their data.

In a study commissioned by A10 Networks, the Ponemon Institute surveyed 1,023 IT and IT security practitioners and found that of the 81 percent of respondents who were victims of a cyberattack or malicious insider activity over the last 12 months, 41 percent suffered an attack where actors evaded detection by obfuscating their activities and/or payload within SSL encryption. However, nearly two-thirds of respondents said their organizations cannot detect malicious SSL traffic.

A10’s SSL Insight decryption technology, available in the A10 Thunder Convergent Firewall and Thunder SSLi platforms, helps organizations defend against malicious encrypted traffic. Additionally, A10 is working with partner Cylance to integrate CylancePROTECT with SSLi customers to better analyze encrypted traffic to protect against these covert threats.

With SSLi, you can:

  • Eliminate blind spots in corporate defenses by decrypting SSL traffic at high speeds
  • Maximize uptime by load-balancing multiple third-party security appliances
  • Scale performance and throughput to successfully counter cyber attacks
  • Prevent costly data breaches and loss of intellectual property by detecting advanced threats, fast

Learn more about SSLi in this short video.

Add new comment