
I may have missed it in the article, but as a sysadmin, I’m trying to figure out what I should do. It appears the CIA has created malware. I assume, if they have exploited some hole, others will too.

While I appreciate the heads up, can anyone offer suggestions on how to mitigate this malware? What do I do? Do I have to rely on Kaspersky?



Almost all government created malware uses 0days that they've kept back or held back from public disclosure, so there's nothing really you can do (aside from waiting for disclosure). That's the point of a CIA hack isn't it?

If there's something you can do, then they've failed at their job, and it's time for hiring the next batch of developers (yes these are developers with a paid day job - to make malware for the CIA).

In university, most computer science or computer engineering students had to make a choice whether to work for the country's security agencies and/or the military industries (via internships, being recruited, or just plain applying to government/pentagon/fbi/cia/nsa/csis jobs, etc), and that's their choice to make.

From the government's point of view, it's no different than recruiting soldiers for the Army/Navy/Marines. If they couldn't train you to their standards for basic fitness and basic shooting skills, they've failed and you'd probably wash out from infantry school.

The other thing you could do is to contribute to initiatives that do specific research into looking for vulnerabilities. It's no guarantee that you'll find the same vulnerabilities that the CIA is exploiting though, or you might find entirely other ones that they've been using for other exploits.


The only thing you can truly do is look for anomalies in network traffic, processes, files, etc. This malware is not immune to that unless it has features specifically to hide from monitoring tools.

Even then there will almost always be evidence if you log network traffic. But obviously this is very difficult.


> Even then there will almost always be evidence if you log network traffic.

You'd need to know what to look for though. It was shown that the CIA can hide its communication in metadata of legitimate traffic which is then recovered at intermediate hops to the target. So, do you know precisely what an innocent DNS packet looks like to detect this anomaly?


> do you know precisely what an innocent DNS packet looks like to detect this anomaly

Wouldn't an abnormal amount of DNS data also stand out? I assume for this to work they'd still have to send a lot of data unless they're willing to wait for half an eternity.

Just curious, since I hadn't heard of this before.
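The volume question raised above can be checked mechanically. The following is an added example, not code from anyone in this thread: a small detector that aggregates a constructed DNS query log per client and flags clients whose outbound DNS byte volume is far above the median, or that query an unusually large number of unique subdomains under one parent domain. The log format, IP addresses, domain names and thresholds are all assumptions for illustration.

```python
import statistics
from collections import defaultdict

# Constructed log lines (not a real capture): "<epoch> <client_ip> <qname> <qtype> <bytes_out>"
NORMAL = [
    "1700000000 10.0.0.11 www.example.com A 58",
    "1700000001 10.0.0.11 mail.example.com MX 61",
    "1700000002 10.0.0.12 cdn.example.net A 60",
    "1700000003 10.0.0.12 api.example.net A 59",
    "1700000004 10.0.0.13 www.example.org AAAA 62",
    "1700000005 10.0.0.13 time.example.org A 60",
]
# One constructed client issuing many long, never-repeated subdomain lookups under one parent.
SUSPECT = [f"{1700000010 + i} 10.0.0.42 {i:032x}.tunnel.example.test TXT 110" for i in range(20)]
SAMPLE_LOG = "\n".join(NORMAL + SUSPECT)

def parse(log):
    """Parse the constructed log format into (ts, client, qname, qtype, bytes) tuples."""
    rows = []
    for line in log.splitlines():
        ts, client, qname, qtype, size = line.split()
        rows.append((int(ts), client, qname.lower().rstrip("."), qtype, int(size)))
    return rows

def parent_domain(qname):
    # Crude: last two labels. A public-suffix list would be used in practice (assumption).
    return ".".join(qname.split(".")[-2:])

def per_client_stats(rows):
    """Total outbound DNS bytes and max unique leftmost labels under any one parent, per client."""
    bytes_out = defaultdict(int)
    subs = defaultdict(lambda: defaultdict(set))  # client -> parent domain -> leftmost labels
    for _, client, qname, _, size in rows:
        bytes_out[client] += size
        subs[client][parent_domain(qname)].add(qname.split(".")[0])
    return {c: {"bytes": bytes_out[c], "max_unique_sub": max(len(s) for s in subs[c].values())}
            for c in bytes_out}

def flag_anomalies(rows, byte_factor=3.0, unique_sub_threshold=10):
    """Return {client: [reasons]} for clients that stand out from the rest of the population."""
    stats = per_client_stats(rows)
    median_bytes = statistics.median(s["bytes"] for s in stats.values())
    flagged = {}
    for client, s in stats.items():
        reasons = []
        if s["bytes"] > byte_factor * median_bytes:
            reasons.append(f"{s['bytes']} bytes > {byte_factor}x median ({median_bytes:.0f})")
        if s["max_unique_sub"] >= unique_sub_threshold:
            reasons.append(f"{s['max_unique_sub']} unique subdomains under one parent domain")
        if reasons:
            flagged[client] = reasons
    return flagged

if __name__ == "__main__":
    for client, reasons in flag_anomalies(parse(SAMPLE_LOG)).items():
        print(client, "->", "; ".join(reasons))
```

Against the constructed sample only 10.0.0.42 is flagged; on real logs the thresholds need tuning per environment, since CDNs and some telemetry legitimately produce many unique subdomains.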


I’d imagine it depends on what you’re trying to send out and the size of it.


If you want to be protected from US-made malware, you do not go to a US antimalware vendor. If you want to be protected against Russian malware, you do not get antimalware from Russia.

So pick your poison.


Solution: Install US and Russian antiviruses simultaneously.


Won't it lead to an instant annihilation?


While I have no information to share on this specific malware, here is the NSA's TAO Chief on what makes their jobs harder:

https://www.youtube.com/watch?v=bDJb8WOJYdA


> Kaspersky said that while it has not seen any of these samples in the wild, they believe Purple Lambert samples “were likely deployed in 2014 and possibly as late as 2015.”

You don’t do anything because you are not the target. It’s never been seen in the wild.


Rather than try to protect yourself from this, I personally would just live in a constant state of fear and paranoia. Maybe join a social group who can help you through it, like the Targeted Individuals club?


Why would you rely on a company that is banned? https://www.nextgov.com/cybersecurity/2019/09/us-finalizes-r...



