Forgot your password?
typodupeerror
Security IT

"Red October" Espionage Malware Campaign Uncovered 53

Posted by samzenpus
from the protect-ya-neck dept.
L3sPau1 writes "For five years, it hid in the weeds of networks used by Eastern European diplomats, government employees and scientific research organizations, stealing data and infecting more machines in an espionage campaign rivaling Flame and others of its ilk. The campaign, called Rocra or Red October by researchers at Kaspersky Lab, focused not only on workstations, but mobile devices and networking gear to gain a foothold inside strategic organizations. Once inside, attackers pivoted internally and stole everything from files on desktops, smartphones and FTP servers, to email databases using exploits developed in Chinese and Russian malware, Kaspersky researchers said."
This discussion has been archived. No new comments can be posted.

"Red October" Espionage Malware Campaign Uncovered

Comments Filter:
  • by Anonymous Coward on Monday January 14, 2013 @11:17AM (#42581787)

    It also stole first post! How devious!

  • by Anonymous Coward

    Most of those IP addresses were in Switzerland, Kazakstan, Greece and Belarus

    In other words, it's mostly collecting information from the least-interesting countries in Europe (geopolitically speaking.) One has to assume that the real target(s) are just being drowned out by collateral traffic.

    If, and that's a big if, there actually is a defined target.

  • And have a reliable phone in your toolkit - http://en.wikipedia.org/wiki/Nokia_5110 [wikipedia.org].
    It has Snake, you know ...
  • by Papa Legba (192550) on Monday January 14, 2013 @11:57AM (#42582125)

    Its time we started to grill our malware detecors and virus scan makers because somethnig is going very very wrong. This makes the third or fourth MAJOR espionage virus/malware/trojan of a very large size that has been apparently rampaging for years. How can I now trust symantic to find a zero day and protect my systems when they have been unable to find things like red october and flame for years, and they are huge programs!

    I am not a big conspiracy theorist, but something is going on here. Why aren't these things being spotted and reported?

    • True. I want to know who this Russian is who has a backup of my files.
      • Re: (Score:3, Funny)

        by Anonymous Coward

        True. I want to know who this Russian is who has a backup of my files.

        his name is Kaspersky

        • True. I want to know who this Russian is who has a backup of my files.

          his name is Kaspersky

          Me too My hard drive crashed and I want to know if they can restore some of the files I lost...

    • by daveschroeder (516195) * on Monday January 14, 2013 @12:19PM (#42582323)

      "The antivirus industry has a dirty little secret: its products are often not very good at stopping viruses." [nytimes.com]

      (The linked New York Times story is a great read.)

    • by Charliemopps (1157495) on Monday January 14, 2013 @12:20PM (#42582349)

      How can I now trust symantic to find a zero day and protect my systems...

      You can't. You do not understand how malware/viruses work. If I wanted to write a virus to infect YOUR computer, it would never be detected. Antvirus software protects you against known threats. That's it. Someone, somewhere, figures out they are infected, figures out the file doing the infection and sends it in to Symantec or whomever. They find common code in the infected file that resembles other files that are infected and now they have something to look for when scanning. If no-one ever figures out that they are infected, and the people that wrote the virus didn't use bits of code from other viruses, then there's no way for the anti-virus companies to search for it.

      Some of the better antivirus packages scan for "suspect behavior" and such, but it really doesn't do much good. Antivirus protects you from getting the eveil toolbar viruses... stuff written by the worlds intelligence organizations that do not take over the computer and infest it with ads so the users never has a clue anything is wrong? It's never going to find that.

    • by Runaway1956 (1322357) on Monday January 14, 2013 @12:47PM (#42582607) Homepage Journal

      You've had some good answers posted already to the question, "How can I now trust symantic to find a zero day?"

      Let me make this painfully clear for you. Antivirus is a reactive defense. Malware writers are an active offense. In any kind of gamesmanship, be it real life combat, business, online gaming, or whatever, the offense always has the advantage. Hence, the old adage, "The best defense is a good offense."

      People who rely on antivirus programs to protect them are playing the game all wrong. It's a losing game, short term and long term.

      Want a better method? How about we catalog and fingerprint all programs and processes on our machines. A new or changed process can be identified and sandboxed or killed. Screw the whole antivirus strategy - all that does is to ineffectively use system resources that might be better used in another manner.

      Whether we fingerprint all processes or not, we can monitor communications. Each system establishes "trusted" protocols, ports, and addresses, everything else is blocked by default. That might throw a whammy into advertising networks, but so be it.

      Heuristics are far better than any semi-static list of "bad things", even if that list is updated every day, or every week.

      ALERT: An untrusted program is attempting to communicate with an unknown destination. Do you want to permit "PWNDMUTHAFUCKA.exe" to communicate with "bonedyomama.net" located at a proxy server in Singapore?

      That may be a waste of time though. Most users will just click "yes", even if the details of their recent banking transactions are printed below the warning.

      • by dgatwood (11270)

        Some security software actually does just that (to varying degrees). For example: Little Snitch [obdev.at], Gatekeeper (classic Mac OS) [cmu.edu], Gatekeeper (OS X) [apple.com], and so on.

        The problem is that it's really hard to identify certain types of attacks in that way. For example, if there were a security hole in a web browser, unless the attacker modifies the browser to send data over a port other than port 80 or port 443, any side channel retransmission of your data is likely to be entirely transparent to any sort of external pr

      • This would require the user to know what is required for the system to do what they want, which isn't going to happen. Malware doesn't come named "PWNDMUTHAFUCKA.exe" anymore, it comes named msexplorer.exe or something like that. How many users recognize that THAT file shouldn't be allowed? The only way to implement this approach for an ignorant user (just a fact, not a put down) would be the walled garden approach.
      • Want a better method? How about we catalog and fingerprint all programs and processes on our machines.

        Some of us do. On Linux, it's called tripwire. It's been in repositories at least as far back as Debian 4.0, so it's undoubtedly available on all modern Debian derivatives, and probably all RedHats and its derivatives. It fingerprints all the system directories, crytographically, and stores the results. Then it checks the system against the hashes, usually every day. If you're paranoid and have a lot of system resources to spare, move its file from /etc/cron.daily to /etc/cron.hourly. If you're less p

        • by drinkypoo (153816)

          No, there's an even better method. It's called selinux and the NSA of all groups developed it. But we still have no convenient tool for creating policies, so it remains drastically underutilized. The user should not have to be a security expert to develop a capabilities policy.

      • by a_hanso (1891616)

        This may be a dumb question, but why aren't everyone doing this? I know nothing about desktop apps, but if I were to do this on a server environment, I would catalogue all the executables with their checksums and verify it every time before launching. Then (if I had that sort of influence), I'll create a system where all respectable software vendors (and OSS writers) separately distribute checksums as well. That'll take care of infections of legit software.

        Why even use AV software? This safeguard could be d

        • Simplistic? Certainly it's a simplistic view. But, from an engineering point of view, simple is good! KISS: Keep It Simple Stupid!

          Overly simplistic? Depends on who you're talking to. Here we delve into business and politics, mingled together. Add in a dash of everyday opinion, from whomever you might be talking to.

          Let's start with Microsoft, who believes that they have some kind of inherent "right" to control who uses their operating system, and how. They want a degree of control over the operating

    • by sl4shd0rk (755837)

      Its time we started to grill our malware detecors and virus scan makers because somethnig is going very very wrong.

      Dude, get serious. AV isn't going to stop 0-day (which these attacks were *NOT*) anyway so it's pointless to expect 100% efficacy. AV is a last-ditch defense. If it worked like everyone thinks it does it would be magic. This is another run-of-the-mill application exploit caused by yet another exploit in some really popular software that I don't need to point out. Said software had 5 YEARS to fix the problems and did not. This is simply negligence on the part of the software vendor. Just saying.. put the b

    • its called a 0day for a reason. Exploiters dont run around screaming about the new buffer overflow they found.

      Look at the browser competitions, you really think they cracked it in about 20 seconds? They had that exploit for MONTHS, all they did was streamline how fast they could do it.

      For that matter, it is Not hard to turn off an antivirus or to slightly change the code of an already widely available virus to avoid detection.

    • by TheLink (130905)

      How can I now trust symantic to find a zero day and protect my systems when they have been unable to find things like red october and flame for years

      You can't. The "Detect Malware Problem" is harder than the Halting Problem (which is unsolvable in the general case). You can use heuristics for specific cases and typical cases but you are not going to defeat a competent determined attacker.

      I don't bother running AV on my machine because the AV makers are more likely to screw up my machine than a virus is (they seem to screw up every 2 years or so). Slashdotters have flamed me and accused me of being stupid, but it works for me. I configure my browsers (an

    • I'm not sure if I'm reading things right, or not, but when they refer to 35 infected systems in Russia, is that 35 networks? 35 companies? 35 government offices? 35 computers?

      The way I read it, it's 35 computers, and if so, this is NOT a large, or even a medium sized attack, this is a couple of pissants who figured out an exploit, and it just happened to show up in a few random computers. But I could be wrong. It's happened before.

  • by Alranor (472986) on Monday January 14, 2013 @11:58AM (#42582129)

    It will get out of hand, and we'll be lucky to live through it.

    • by timeOday (582209)
      Hmm, what surprises me is how transparent we're finding things have been all along, and with what little apparent consequence. Not unlike Manning's wikileaks.
    • Funny? Try insightful.

  • ... or just one? Or three? At no point does the article reveal what the target is. IMO, even if this was some universal malware affecting all operating systems known to mankind, it should be indicated. Therefore it is a very crappy article. It would be like saying, "the French are bombing a country". And then going on at length about how the attacks proceed, but never mentioning which damn country. You'd want that information, wouldn't you?
  • by Anonymous Coward

    That China is not on the map of infected countries? I mean, this is right up their alley, and It is pretty damn suspicious that there are no (known) infections there.

  • by schneidafunk (795759) on Monday January 14, 2013 @01:40PM (#42583261)
    And it starts with: "Like most of these APT-style targeted attacks, this one begins with a spear phishing message; one example provided was an announcement of a diplomatic car for sale.The email messages contain one of three attachments, each a different exploit of an existing vulnerability. "
  • by guttentag (313541) on Monday January 14, 2013 @01:40PM (#42583269) Journal
    Middle school cafeterias are abuzz with the news:

    When I was twelve, I helped my daddy set up an email server in our basement [imdb.com] because some fool in China compromised a few diplomats' Gmail accounts. Well, this thing could compromise a coupla hundred accounts in Washington and New York and no one would know anything about it till it was all over.

FORTRAN is a good example of a language which is easier to parse using ad hoc techniques. -- D. Gries [What's good about it? Ed.]

Working...