Analysis of Red October malware

Imperva : 01 February, 2013  (Technical Article)
Imperva provides some background to the long-standing Red October malware and its approach to spear phishing attacks

Coverage of the recently discovered Red October malware has focused largely on its effects, but too little attention has been given to the purpose of a campaign that successfully evaded anti-virus and network intrusion detection systems for at least five years.

The malware contained many of the traditional functions associated with malware, such as key logging. But focusing on these traditional capabilities misses a key point: hijacking local data, such as files and credentials, was the means, not the end.

Red October contained two interesting aspects:

* Attackers recycled stolen data from victims of the same sector to make their spear phishing emails less suspicious by incorporating some context that would be familiar to the victim.
* The ability to identify and access the important data centres.

The victims of this cyber-espionage operation belonged to the most protected and threat-aware sectors: government, energy, aerospace and military. The potential bounty that can be extracted from such victims is varied both in content and in type: documents and presentations of meeting summaries and strategic plans, financial records in databases, CRM records, technical blueprints of weapons and infrastructure, sensitive email conversations and more.

Rocra, the name of the malware used in the Red October campaign, is APT by the book. It has specific modules for each of the elements needed for an APT attack: reconnaissance, spreading, maintaining persistence, data extraction and data exfiltration.

Specifically, it can access both unstructured data (files) and structured data (database records), or, as the Kaspersky Labs report noted, it would “Collect information about installed software, most notably Oracle DB…”

What do these modules do? Let’s break down some of them:

* The purpose of the “Recon” modules is to help the attacker find the right data.
* The purpose of the “Exfiltration” modules is to deliver the data to the attacker.

Overall, Rocra’s modules are capable of reaching FTP servers, remote network shares and local disk drives, and of copying files from these resources. Unlike the “Recon” data collection modules, which are invoked by the attacker “on demand”, the “Exfiltration” modules are designed to run repeatedly and bring back only new valuable data.

The infiltration of the victims’ networks and endpoints was conducted using Excel and Word documents that exploited vulnerabilities, attached to carefully crafted email messages. The attached files recycled stolen data (and therefore context) from other victims of the same sector, making what would otherwise be a suspicious email appear legitimate. It is reasonable to assume that the identity of an earlier victim was also used to send the email, lending it that person’s positive reputation and appearance.

These targeted social engineering messages (“Spear Phishing”) bypassed “perimeter” security measures.

New software exploits will always be around to help circumvent “perimeter” security measures. DLP solutions were also probably defeated in this attack, since Rocra implements a proprietary data transmission protocol with the C&C that changes both file content and file size. However, data access patterns are difficult to change. Automation, among other attributes of data access, provides the attacker with speed and volume and cannot be dispensed with.

Was it possible to detect and prevent the data theft? Yes, had the victims monitored their data more closely rather than only the network perimeter and endpoints.
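The kind of data-access monitoring the article argues for, as an added illustration that is not Imperva's code nor part of the original article: it parses constructed file-share audit lines and flags a user who pulls many distinct files in a short window at a machine-regular cadence, the speed and volume signature that automated collection cannot easily hide. The log format, thresholds and sample lines are assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed file-share audit lines ("<iso-time> <user> <path> <op>"), not real Red October
# telemetry: alice browses at human pace; bob's host sweeps the share at a fixed one-second cadence.
SAMPLE_LOG = """\
2013-01-14T09:00:00 alice /shares/finance/q4_budget.xlsx READ
2013-01-14T09:07:12 alice /shares/finance/board_deck.pptx READ
2013-01-14T02:10:00 bob /shares/finance/q4_budget.xlsx READ
2013-01-14T02:10:01 bob /shares/finance/q4_forecast.xlsx READ
2013-01-14T02:10:02 bob /shares/finance/board_deck.pptx READ
2013-01-14T02:10:03 bob /shares/finance/vendors.csv READ
2013-01-14T02:10:04 bob /shares/finance/payroll_2012.xlsx READ
"""


def parse_log(text):
    """Parse audit lines into sorted (timestamp, user, path) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2]))
    return sorted(events)


def detect_bulk_access(events, window=timedelta(minutes=5), min_files=5, max_jitter=0.25):
    """Flag a user who reads min_files distinct files inside `window`; a low stdev/mean of the
    inter-access gaps (below max_jitter) marks the cadence as scripted rather than human."""
    by_user = defaultdict(list)
    for ts, user, path in events:
        by_user[user].append((ts, path))
    alerts = []
    for user, accesses in by_user.items():
        for i, (start, _) in enumerate(accesses):
            burst = [a for a in accesses[i:] if a[0] - start <= window]
            files = {path for _, path in burst}
            if len(files) < min_files:
                continue
            gaps = [(burst[j + 1][0] - burst[j][0]).total_seconds() for j in range(len(burst) - 1)]
            mean_gap = statistics.mean(gaps) if gaps else 0.0
            jitter = statistics.pstdev(gaps) / mean_gap if mean_gap else 0.0
            alerts.append({"user": user, "files": len(files), "start": start.isoformat(),
                           "scripted": jitter < max_jitter})
            break  # one alert per user; later overlapping windows would only repeat it
    return alerts
```

Run against real audit data, the thresholds need tuning per share and role; a backup or indexing service account will also look "scripted" and should be allow-listed rather than alerted on.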
