Information Security News
mailing list archives
Why Red October malware is the Swiss Army knife of espionage
From: InfoSec News <alerts () infosecnews org>
Date: Fri, 18 Jan 2013 08:52:08 -0600 (CST)
By Dan Goodin
Jan 17 2013
The Red October malware that infected hundreds of computer networks in
diplomatic, governmental, and scientific research organizations around the
world was one of the most advanced espionage platforms ever discovered,
researchers with antivirus provider Kaspersky Lab have concluded.
Its operators had more than 1,000 modules at their disposal, allowing them to
craft highly advanced infections that were tailored to the unique
configurations of infected machines and the profiles of those who used them.
Most of the tasks the components carried out—including extracting e-mail
passwords and cryptographically hashed account credentials, downloading files
from available FTP servers, and collecting browsing history from Chrome,
Firefox, Internet Explorer, and Opera—were one-time events. They relied on
dynamic link library code that was received from an attacker server, executed
in memory, and then immediately discarded. That plan of attack helps explain
why the malware remained undetected by antivirus programs for more than five
The malware was also capable of using more traditional Windows EXE files to
carry out persistent tasks when necessary. One example was a set of modules that
waited for an iPhone, Nokia smartphone, or USB drive to be connected to an infected
computer. There were also extensions for the Microsoft Word and Adobe Reader
programs that watched for specially crafted documents. When they arrived in
e-mail, the modules immediately reinstalled the main malware component,
ensuring attackers could regain control of a machine in the event that it had
been partially disinfected.
The details are contained in 140 pages of technical analysis that concludes Red
October dwarfs most other advanced espionage operations, including the Aurora
campaign that targeted Google and three dozen other companies three years ago,
or the Night Dragon attacks that penetrated energy companies in 2011. The
breathtaking breadth of the malware comes into sharp focus, thanks to the
unprecedented level of technical detail.