Dell SecureWorks researchers found the malware, which they have dubbed “Skeleton Key,” on a client's network, where it had been deployed from a DLL file named “ole64.dll.”
Skeleton Key does not exploit a software flaw: deploying it requires domain administrator credentials. With those in hand, the attacker loads the DLL on a domain controller, where it patches the Active Directory authentication process (LSASS) in memory. Dell researchers noted that in the intrusions they observed, this first step had been accomplished with credentials previously stolen from workstations on the attacked domains.
Once the patch is in place, the attackers can authenticate as any user on the domain with a master password of their choosing, while every user's real password keeps working, so nobody notices. The bypass only applies where the password is the sole authentication factor. Services protected by two-factor authentication, an external PIN or a code generated by a mobile app, for example, cannot be opened with the master password alone, although any internal logon that relies on the domain password by itself remains exposed.
The most interesting part of Skeleton Key is where it lives: only in the memory of the domain controller's authentication process. It writes nothing to disk and installs no persistence mechanism, and logons made with the master password are recorded as ordinary successful logons by the legitimate user, so they do not stand out in the logs. The malware generates no network traffic of its own either, so traditional network traffic monitoring will not catch it.
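Since network monitoring sees nothing, the place to look is the domain controller's own event log. The in-memory patch only handles Kerberos exchanges that use RC4-HMAC, so an account whose ticket requests are normally AES-encrypted suddenly getting an RC4 ticket is the telltale, and the remote-execution service used to push the DLL (PsExec's PSEXESVC) leaves a service-install event behind. The script below is an added example, not code from Dell SecureWorks or the article; it assumes the 4768 (TGT request) and 7045 (service installed) events have been exported from the DC as JSON lines with the field names shown, and the sample records are constructed for illustration.

```python
"""Triage exported domain-controller events for Skeleton Key indicators.

Added example, not from Dell SecureWorks or the article. Assumes events were
exported (e.g. via wevtutil or a SIEM) as one JSON object per line with the
fields used below; the SAMPLE_EVENTS records are constructed, not real logs.
"""
import json
from collections import defaultdict

RC4_HMAC = 0x17            # Kerberos etype 23: rc4-hmac
AES_ETYPES = {0x11, 0x12}  # etype 17/18: aes128/aes256-cts-hmac-sha1
REMOTE_EXEC_SERVICES = ("PSEXESVC",)  # service name PsExec installs on the target

# Constructed sample: two normal AES logons, a PsExec service install at night,
# an RC4 ticket for "alice" from an outside address, a normal logon the next
# morning, and a legacy account that has always used RC4 (must not be flagged).
SAMPLE_EVENTS = r"""
{"Id": 4768, "TimeCreated": "2015-01-12T08:01:10Z", "TargetUserName": "alice", "IpAddress": "10.0.0.21", "TicketEncryptionType": "0x12", "Status": "0x0"}
{"Id": 4768, "TimeCreated": "2015-01-12T08:05:42Z", "TargetUserName": "bob", "IpAddress": "10.0.0.34", "TicketEncryptionType": "0x12", "Status": "0x0"}
{"Id": 7045, "TimeCreated": "2015-01-12T22:14:03Z", "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe", "AccountName": "LocalSystem"}
{"Id": 4768, "TimeCreated": "2015-01-12T22:20:15Z", "TargetUserName": "alice", "IpAddress": "203.0.113.7", "TicketEncryptionType": "0x17", "Status": "0x0"}
{"Id": 4768, "TimeCreated": "2015-01-13T03:30:00Z", "TargetUserName": "legacyapp", "IpAddress": "10.0.0.90", "TicketEncryptionType": "0x17", "Status": "0x0"}
{"Id": 4768, "TimeCreated": "2015-01-13T08:02:00Z", "TargetUserName": "alice", "IpAddress": "10.0.0.21", "TicketEncryptionType": "0x12", "Status": "0x0"}
"""


def parse_events(text):
    """Parse a JSON-lines export into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def rc4_downgrades(events):
    """Return successful 4768 events where an account that is otherwise issued
    AES tickets received an RC4 ticket. Accounts that only ever use RC4 (old
    service accounts) are not a downgrade and are left alone."""
    etypes_seen = defaultdict(set)
    for ev in events:
        if ev.get("Id") == 4768 and ev.get("Status") == "0x0":
            etypes_seen[ev["TargetUserName"]].add(int(ev["TicketEncryptionType"], 16))
    return [
        ev for ev in events
        if ev.get("Id") == 4768
        and ev.get("Status") == "0x0"
        and int(ev["TicketEncryptionType"], 16) == RC4_HMAC
        and etypes_seen[ev["TargetUserName"]] & AES_ETYPES
    ]


def remote_service_installs(events, names=REMOTE_EXEC_SERVICES):
    """Return 7045 events for services used to run code remotely on the DC."""
    return [ev for ev in events if ev.get("Id") == 7045 and ev.get("ServiceName") in names]


def triage(text):
    """Summarise both indicators from a JSON-lines export."""
    events = parse_events(text)
    return {
        "rc4_downgrade_users": sorted({e["TargetUserName"] for e in rc4_downgrades(events)}),
        "service_installs": [e["ServiceName"] for e in remote_service_installs(events)],
    }


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for ev in remote_service_installs(events):
        print(f"[service] {ev['TimeCreated']} {ev['ServiceName']} installed from {ev['ImagePath']}")
    for ev in rc4_downgrades(events):
        print(f"[rc4]     {ev['TimeCreated']} {ev['TargetUserName']} from {ev['IpAddress']}")
```

On the sample data this flags the single RC4 ticket issued to "alice" from 203.0.113.7, six minutes after the PSEXESVC install, and stays quiet about "legacyapp". Neither indicator is proof on its own: the service install is any PsExec use, and an RC4 ticket can come from an old client, so the two are meant to be correlated in time and followed up on the DC itself.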
Fortunately, this seemingly perfect way of hiding also makes the patch easy to remove. RAM is the memory a computer uses while it is running, and it is volatile: its contents are lost when the power goes off or the system restarts.
Rebooting the infected domain controller therefore removes the patch. It does not, however, evict the attacker: whoever deployed Skeleton Key still holds domain administrator credentials and can load it again after the reboot, so the restart needs to be paired with resetting the stolen credentials and finding out how they were taken. The episode is still a wake-up call for system administrators who depend on password-based, single-factor authentication. Such setups are increasingly the weak link as more and more services switch to the far more robust two-factor authentication.