Red October malware discovered after years of stealing data in the wild
By Ian Paul
PCWorldJan 15, 2013 10:20 am PST
A shadowy group of hackers has siphoned intelligence data worldwide from diplomatic, government, and scientific research computer networks for more than five years, including targets in the United States, according to a report from Kaspersky Lab.
Kaspersky Lab began researching the malware attacks in October and dubbed them “Rocra,” short for “Red October.” Rocra uses a number of security vulnerabilities in Microsoft Excel, Word, and PDF documents types to infect PCs, smartphones, and computer networking equipment. On Tuesday researchers discovered the malware platform also uses Web-based Java exploits.
It’s not clear who is behind the attacks, but Rocra uses at least three publicly known exploits originally created by Chinese hackers. Rocra’s programming, however, appears to be from a separate group of Russian-speaking operatives, according to the report from Kaspersky Lab.
The attacks are ongoing and targeted at high-level institutions in what are known as spear-fishing attacks. Kaspersky estimates that the Red October attacks have likely obtained hundreds of terabytes of data in the time it has been operational, which could be as early as May 2007.
Rocra infections were discovered in more than 300 countries between 2011 and 2012, based on information from Kaspersky’s antivirus products. Affected countries were primarily former members of the U.S.S.R., including Russia (35 infections), Kazakhstan (21), and Azerbaijan (15).
Other countries with a high number of infections include Belgium (15), India (14), Afghanistan (10), and Armenia (10). Six infections were uncovered at embassies located in the United States. Because these numbers came only from machines using Kaspersky software, the real number of infections could be much higher.
Take it all
Kaspersky said the malware used in Rocra can steal data from PC workstations and smartphones connected to PCs including the iPhone, Nokia, and Windows Mobile handsets. Rocra can acquire network configuration information from Cisco-branded equipment, and grab files from removable disk drives including deleted data.
The malware platform can also steal e-mail messages and attachments, record all keystrokes of an infected machine, take screenshots, and grab browsing history from Chrome, Firefox, Internet Explorer, and Opera Web browsers. As if that wasn’t enough, Rocra also grabs files stored on local network FTP servers and can replicate itself across a local network.
Par for the course
Even though Rocra’s capabilities appear extensive, not everyone in the security field was impressed by Rocra’s methods of attack. “It appears the exploits used were not advanced in any way,” the security firm F-Secure said on its company blog. “The attackers used old, well-known Word, Excel and Java exploits. So far, there is no sign of zero-day vulnerabilities being used.” A zero-day vulnerability refers to previously unknown exploits discovered in the wild.
Despite being unimpressed by its technical capacity, F-Secure says the Red October attacks are interesting because of the length of time Rocra has been active and the scale of the espionage undertaken by a single group. “However,” F-Secure added. “The sad truth is that companies and governments are constantly under similar attacks from many different sources.”
Rocra starts when a victim downloads and opens a malicious productivity file (Excel, Word, PDF) that can then retrieve more malware from Rocra’s command-and-control servers, a method known as a Trojan dropper. This second round of malware includes programs that collect data and send that information back to hackers.
Stolen data can include everyday file types such as plain text, rich text, Word, and Excel, but the Red October attacks also go after cryptographic data such as pgp and gpg encrypted files.
In addition, Rocra looks for files that use “Acid Cryptofile” extensions, which is cryptographic software used by governments and organizations including the European Union and the North Atlantic Treaty Organization. It’s not clear whether the people behind Rocra are capable of deciphering any encrypted data they obtain.
Rocra is also particularly resistant to interference from law enforcement, according to Kaspersky. If the campaign’s command-and-control servers were shut down, the hackers have designed the system so they can regain control over their malware platform with a simple e-mail.
One of Rocra’s components searches for any incoming PDF or Office document that contains executable code and is flagged with special metadata tags. The document will pass all security checks, Kaspersky says, but once it’s downloaded and opened, Rocra can start a malicious application attached to the document and continue feeding data to the bad guys. Using this trick, all the hackers have to do is set up some new servers and e-mail malicious documents to previous victims to get back in business.
Rocra’s servers are set up as a series of proxies (servers hiding behind other servers), which makes it much harder to discover the source of the attacks. Kasperksy says the complexity of Rocra’s infrastructure rivals that of the Flame malware, which was also used to infect PCs and steal sensitive data. There is no known connection between Rocra, Flame, or malware such as Duqu, which was built on code similar to Stuxnet.
As noted by F-Secure, the Red October attacks don’t appear to be doing anything particularly new, but the amount of time this malware campaign has been in the wild is impressive. Similar to other cyber espionage campaigns such as Flame, Red October relies on duping users into downloading and opening malicious files or visiting malicious websites where code can be injected into their devices. This suggests that while computer espionage may be on the rise, the basics of computer security can go a long way to prevent these attacks.
Useful precautions such as being wary of files from unknown senders or watching out for files that are out of character from their purported sender is a good start. It’s also useful to be wary of visiting websites you don’t know or trust, especially when using corporate equipment. Finally, make sure you have all the latest security updates for your version of Windows, and seriously consider turning off Java unless you absolutely need it. You may not be able to prevent all manner of attacks, but adhering to basic security practices can protect you from many bad actors online.
Kaspersky says it’s not clear if the Red October attacks are the work of a nation state or criminals looking to sell sensitive data on the black market. The security company plans to release more information about Rocra in the coming days.
If you’re concerned about whether any of your systems are affected by Rocra, F-Secure says its antivirus software can detect the currently known exploits used in the Red October attacks. Kaspersky’s antivirus software can also detect threats from Rocra.