Red October Malware Discovered After Years of Stealing Data in the Wild
A shadowy group of hackers has siphoned intelligence data worldwide from diplomatic, government, and scientific research computer networks for more than five years, including targets in the United States, according to a report from Kaspersky Lab.
Tue, January 15, 2013
PC World —
Kaspersky Lab began researching the malware attacks in October and dubbed them "Rocra," short for "Red October." Rocra uses a number of security vulnerabilities in Microsoft Excel, Word, and PDF document types to infect PCs, smartphones, and computer networking equipment. On Tuesday researchers discovered the malware platform also uses Web-based Java exploits.
It's not clear who is behind the attacks, but Rocra uses at least three publicly known exploits originally created by Chinese hackers. Rocra's programming, however, appears to be from a separate group of Russian-speaking operatives, according to the report from Kaspersky Lab.
The attacks are ongoing and targeted at high-level institutions in what are known as spear-phishing attacks. Kaspersky estimates that the Red October attacks have likely obtained hundreds of terabytes of data in the time it has been operational, which could be as early as May 2007.
Rocra infections were discovered in more than 300 countries between 2011 and 2012, based on information from Kaspersky's antivirus products. Affected countries were primarily former members of the U.S.S.R., including Russia (35 infections), Kazakhstan (21), and Azerbaijan (15).
Other countries with a high number of infections include Belgium (15), India (14), Afghanistan (10), and Armenia (10). Six infections were uncovered at embassies located in the United States. Because these numbers came only from machines using Kaspersky software, the real number of infections could be much higher.
Take it all
Kaspersky said the malware used in Rocra can steal data from PC workstations and smartphones connected to PCs including the iPhone, Nokia, and Windows Mobile handsets. Rocra can acquire network configuration information from Cisco-branded equipment, and grab files from removable disk drives including deleted data.
The malware platform can also steal e-mail messages and attachments, record all keystrokes of an infected machine, take screenshots, and grab browsing history from Chrome, Firefox, Internet Explorer, and Opera Web browsers. As if that wasn't enough, Rocra also grabs files stored on local network FTP servers and can replicate itself across a local network.
Par for the course
Even though Rocra's capabilities appear extensive, not everyone in the security field was impressed by Rocra's methods of attack. "It appears the exploits used were not advanced in any way," the security firm F-Secure said on its company blog. "The attackers used old, well-known Word, Excel and Java exploits. So far, there is no sign of zero-day vulnerabilities being used." A zero-day vulnerability is a previously unknown flaw that is discovered being exploited in the wild before a fix is available.