Almost every day, several new computer viruses are discovered on the World Wide Web, and it is very rare for one of them to be impossible to remove. Rarer still is a virus that hides from antivirus developers for years. Yet according to a recent report from Kaspersky Lab specialists, they have detected just such a virus: it is almost impossible to destroy, and it has been "working" since 2012.
The malware is called Slingshot and is used for targeted attacks on users. The virus can record keystrokes, send screenshots, and intercept traffic, passwords and all other data before they are encrypted. Moreover, its operation does not cause any errors in the system kernel. It was also established how the virus was injected into the system: through a vulnerability in MikroTik routers. The manufacturer has already released new firmware, but Kaspersky Lab admits that the virus may use other infection paths as well. Having penetrated the router, the virus replaces one of the DLL libraries with a malicious one, which is loaded into the computer's memory at startup. The malicious DLL thus runs on the computer and connects to a remote server to download the Slingshot program itself. As the experts noted, the malware consists of two parts: Cahnadr (a kernel-mode module) and GollumApp (a user-mode module), designed to collect information, maintain persistence on the system and steal data. As the Kaspersky Lab staff stated,
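The infection chain described above hinges on a legitimate library being silently swapped for a malicious one. A standard defensive control against that is a file-integrity baseline: hash the libraries while the system is known-good and compare later. The following is an added example, not code from the original article or from Kaspersky Lab; the directory layout and the file names (libA.dll, libB.dll, extra.dll) are constructed placeholders, and the "DLL" contents are arbitrary bytes used only to exercise the check.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large libraries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(directory: Path, suffix: str = ".dll") -> dict:
    """Record the hash of every file with `suffix` under `directory` (the known-good state)."""
    return {
        str(path.relative_to(directory)): sha256_file(path)
        for path in sorted(directory.rglob("*" + suffix))
        if path.is_file()
    }


def check_integrity(directory: Path, baseline: dict, suffix: str = ".dll") -> dict:
    """Compare the current state against the baseline.

    Returns three sorted lists: libraries whose content changed, libraries that
    disappeared, and libraries that were not present when the baseline was taken.
    A replaced system DLL shows up under "modified"; a dropped loader under "unexpected".
    """
    current = build_baseline(directory, suffix)
    return {
        "modified": sorted(name for name in baseline if name in current and current[name] != baseline[name]),
        "missing": sorted(name for name in baseline if name not in current),
        "unexpected": sorted(name for name in current if name not in baseline),
    }


def demo() -> dict:
    """Constructed scenario: two clean libraries, one of which is later swapped out."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # constructed placeholder "libraries"; real DLLs would be the OS's own files
        (root / "libA.dll").write_bytes(b"MZ clean library A")
        (root / "libB.dll").write_bytes(b"MZ clean library B")
        baseline = build_baseline(root)

        # simulate the replacement of one library and the arrival of a new file
        (root / "libB.dll").write_bytes(b"MZ different content, same name")
        (root / "extra.dll").write_bytes(b"MZ newcomer")
        return check_integrity(root, baseline)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be stored off-host (or signed), since a component with kernel-level access can rewrite a baseline kept on the same disk; the comparison logic itself stays the same.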
"The Cahnadr module, also known as NDriver, has the functions of anti-debugging, rootkit and traffic analysis, installation of other modules and much more. Written in the C programming language, Cahnadr provides full access to the hard disk and RAM, despite the security limitations of the device, and monitors the integrity of various system components to avoid detection by security systems."
The virus's own high level of protection against detection also deserves a separate mention. For example, another of its modules is called Spork. It collects information about the OS and which antivirus products are installed on it, and depending on the result the virus uses different methods of infection.
"For example, the virus used an encrypted virtual file system that was created in an unused part of the hard drive. This solution is very complex, and Slingshot is almost the only virus that is equipped with this technology. Moreover, every text line in the modules of the virus is encrypted."
It has not yet been possible to find out who authored the virus, but, according to Engadget, code analysis suggests that the malware was most likely created by English-speaking programmers. A number of governmental organizations of Kenya, Yemen, Libya, Afghanistan, Iraq, Tanzania, Jordan, Mauritius, Somalia, the Democratic Republic of the Congo, Turkey, the Sudan and the United Arab Emirates were also reported as the main victims of the hackers.