Kaspersky Lab employees found an unkillable computer virus
Several new viruses turn up on the World Wide Web almost every day. Very rarely is one of them impossible to destroy, and rarer still is a virus that can hide from anti-virus software developers for years. But according to a recent report by Kaspersky Lab experts, they have managed to find just such a virus: it is almost impossible to destroy, and it was already "at work" in 2012.
The virus has been named Slingshot and is used for targeted spying on users. It can record keystrokes, send screenshots, and capture network traffic, passwords and any data before it is encrypted. Moreover, the virus's operation does not cause any errors in the system kernel. It has also been possible to find out how the virus gets into the system: through a vulnerability in MikroTik routers. The manufacturer has released new firmware, but Kaspersky Lab admits that the virus may use other ways of getting in. Having penetrated the router, the virus replaces one of the DLL libraries with a malicious one, which is loaded into the computer's memory when it is run. The malicious DLL thus runs on the computer and connects to a remote server to download the Slingshot program itself. As the experts noted, the malicious software includes two parts: Cahnadr (a kernel-mode module) and GollumApp (a user-mode module), designed to gather information, maintain a presence on the system and steal data. As stated by Kaspersky Lab employees,
"The Cahnadr module, also known as NDriver, has anti-debugging, rootkit and traffic-analysis functions, installs other modules, and more. Written in C, Cahnadr provides full access to the hard drive and memory despite the device's security restrictions, and performs integrity control of various system components to avoid detection by security systems."
The virus's high level of protection against detection also deserves special mention. For example, one of its modules is called Spork. It collects information about the operating system and which antivirus software is installed on it. Depending on this, the virus uses different methods of infection.
"For example, the virus uses an encrypted virtual file system that was created in an unused portion of the hard disk. This solution is very complex, and Slingshot is almost the only virus that is equipped with such technology. Moreover, every text string in the virus's modules is encrypted."
It has not yet been possible to find out who the author of the virus is, but, as Engadget writes, analysis of the code suggests that the malware was most likely created by English-speaking programmers. It is also reported that the hackers' main victims were a number of government agencies in Kenya, Yemen, Libya, Afghanistan, Iraq, Tanzania, Jordan, Mauritius, Somalia, the Democratic Republic of the Congo, Turkey, Sudan and the United Arab Emirates.