
A rogue malware program is targeting government data stored on European and U.S. networks.  (Source: Rex Features)
Cyberespionage code has been stealing secrets for at least five years

Russia's Kaspersky Lab, a top international security firm, has uncovered a strikingly sophisticated piece of malware that has spent the last half decade infiltrating computers at NATO-affiliated and other Western military and government organizations.

I. Red October Runs Wild, Evades Deletion

Kaspersky researchers write, "During the past five years, a high-level cyber-espionage campaign has successfully infiltrated computer networks at diplomatic, governmental and scientific research organizations, gathering data and intelligence from mobile devices, computer systems and network equipment."

Much attention has been devoted of late to cyber-espionage efforts allegedly perpetrated by the U.S. and Israel.  The Flame and Stuxnet campaigns against Iran captivated readers and infuriated supporters of the Islamic Republic of Iran.

But with this new malware, which researchers have dubbed "Red October", the tables are turned: the U.S. and its allies are the targets.

To give one example of the sophistication of the multi-module attack package: if the user detects Red October and removes it, a second, hidden component can bring it back.  The so-called "Resurrection Module" is installed as a plug-in to Adobe Systems Inc.'s (ADBE) Reader or Microsoft Corp.'s (MSFT) Office suite and stays dormant, so it survives the clean-up; the attackers then send the victim a specially crafted PDF or Office document that the plug-in recognizes, and it reinstalls the malware.
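A practical check for the hiding place described above, added here as an example and not code from the Kaspersky report or from Red October: take a SHA-256 snapshot of every plug-in or add-in file under the Reader and Office directories on a known-good machine, then diff a later snapshot against it. The paths in PLUGIN_DIRS_EXAMPLE are assumptions for illustration (they depend on the installed versions), and plugin_demo() builds a constructed stand-in directory tree so the block runs offline.

```python
"""Baseline-and-diff check for Reader plug-in and Office add-in directories."""
import hashlib
import tempfile
from pathlib import Path

# Hypothetical locations, for illustration only; real paths depend on the installed versions.
PLUGIN_DIRS_EXAMPLE = [
    r"C:\Program Files (x86)\Adobe\Reader 11.0\Reader\plug_ins",
    r"C:\Program Files\Microsoft Office\Office15\STARTUP",
]
# File types that load into Reader (.api) or Office (add-in DLLs, startup templates)
WATCHED = {".api", ".dll", ".wll", ".xll", ".dot", ".dotm", ".xla", ".xlam"}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(dirs):
    """Map absolute path -> SHA-256 for every watched file under the given directories."""
    out = {}
    for d in dirs:
        root = Path(d)
        if not root.is_dir():
            continue
        for p in root.rglob("*"):
            if p.is_file() and p.suffix.lower() in WATCHED:
                out[str(p)] = sha256_file(p)
    return out


def diff_snapshots(baseline, current):
    """Report plug-ins that appeared, vanished, or changed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def plugin_demo():
    """Constructed stand-in directory tree, so the check runs offline; returns file names."""
    with tempfile.TemporaryDirectory() as tmp:
        reader = Path(tmp, "Reader", "plug_ins")
        office = Path(tmp, "Office15", "STARTUP")
        reader.mkdir(parents=True)
        office.mkdir(parents=True)
        (reader / "Annots.api").write_bytes(b"vendor plug-in (stand-in)")
        (office / "Normal.dotm").write_bytes(b"clean template (stand-in)")
        baseline = snapshot([reader, office])  # taken on a known-good machine

        # Later: an unknown plug-in appears and the startup template has been modified.
        (reader / "Updater.api").write_bytes(b"unknown code")
        (office / "Normal.dotm").write_bytes(b"template with added macro")
        report = diff_snapshots(baseline, snapshot([reader, office]))
        return {k: [Path(p).name for p in v] for k, v in report.items()}


if __name__ == "__main__":
    for kind, files in plugin_demo().items():
        print(f"{kind}: {files}")
```

Anything in "added" or "changed" that vendor packaging does not account for deserves a look; a baseline like this catches the dormant plug-in even though it does nothing observable until the attackers' crafted document arrives.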

Red October can resurrect itself via a malicious Office plug-in.

One module recovers files that have been deleted from USB drives and sends them to the command-and-control servers.  Other modules pull data from mobile devices, including Apple, Inc.'s (AAPL) iPhone, Nokia Oyj.'s (HEX:NOK1V) Symbian phones, and Microsoft's Windows Mobile (Android was not mentioned).  The malware can even collect configuration information from network equipment such as Cisco routers and switches.

The collection modules harvest files of many types, among them documents encrypted with Acid Cryptofiler, a package used within European Union and NATO institutions.  The malware does not break the cryptography; it steals the encrypted files themselves.

II. Who's Piloting Red October?

The malware is a grab bag of borrowed components, mostly of Eastern European, Russian, and Chinese origin.  The spear-phishing emails used to infect high-profile targets reuse the Office exploits and methodology of campaigns that China allegedly ran against Tibetan activists.  Other attack modules borrow heavily from malware allegedly traced to freelance hackers in the employ of the Chinese government.  And the lateral-movement module that scans the local network for hosts to attack probes for the same Windows Server service flaw (MS08-067) that Conficker spread through, a piece of malware believed to have been developed by hackers in Ukraine.

But there's also a strong Russian influence in the malware (hence the name Kaspersky gave it). The researchers comment:

Based on the registration data of C2 servers and the numerous artifacts left in executables of the malware, there is strong technical evidence to indicate the attackers have Russian-speaking origins.

In other words, there are Russian words nestled in the code (Kaspersky points to slang terms such as "zakladka" in the executables).  And before running commands on a compromised system, the malware switches the console code page to 1251, the Windows Cyrillic code page, so that file and directory names written in Cyrillic are handled correctly.  Cyrillic is the alphabet used by the Russian language and various other related languages from the Balkans and Northern Eurasia.

But are those true clues or just red herrings?  It's hard to say.  It's widely held that China and Iran -- who happen to be close trade partners and allies -- are the two most aggressive and sophisticated cyber-aggressors when it comes to attacking the U.S. and its allies.  But often China is believed to rely on third parties -- e.g. hackers in Eastern Europe or Russia -- to do its "dirty work".

Red October is the first known malware to salvage deleted files on USB sticks.
[Image Source: Akihabara]

H.D. Moore, chief security officer of security firm Rapid7 and creator of the popular security testing software Metasploit, said in an interview with NBC News that he was "surprised it got as far as it did" given its proclivity for stealing not just a handful of files, but all sorts of settings and documents from the target machine.

He adds that the ability to recover and steal deleted files from USB drives is also a new twist and shows substantial creativity and sophistication.  He comments, "We hadn't seen that before in malware.  The threat is that USB drives are often shared between people, especially at conferences. Even if you take precautions to delete files and you trust the person you are sharing this with, this malware would be able to automatically recover deleted files and siphon them off without either party being aware."
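Why recovering deleted files from a USB stick takes so little work, as an added example that is not code from Red October or from the Kaspersky analysis: on a FAT-formatted drive (the usual format for USB sticks), deleting a file only overwrites the first byte of its directory entry with 0xE5 and zeroes its FAT chain; the data clusters are untouched until something else is written over them. The block builds a constructed, simplified FAT16-style image in memory, deletes a file the way a FAT driver does, and undeletes it by reading from the entry's start cluster under the contiguity assumption that real undelete tools make. The layout (one sector per cluster, a one-sector FAT and a one-sector root directory) is a simplification chosen for the demo, not a full filesystem.

```python
import struct

SECTOR = 512            # bytes per sector, and per cluster in this toy layout
ROOT_ENTRIES = 16       # 16 x 32-byte entries fill the one root-directory sector
DATA_CLUSTERS = 8
EOC = 0xFFFF            # FAT16 end-of-chain marker
DELETED = 0xE5          # first name byte of a deleted directory entry

FAT_OFF = 0             # sector 0: the FAT (2 bytes per cluster)
ROOT_OFF = SECTOR       # sector 1: root directory
DATA_OFF = 2 * SECTOR   # sector 2 onward: cluster 2 (clusters 0 and 1 are reserved, as on real FAT)


def new_volume():
    vol = bytearray((2 + DATA_CLUSTERS) * SECTOR)
    struct.pack_into("<HH", vol, FAT_OFF, 0xFFF8, 0xFFFF)  # reserved FAT[0] and FAT[1]
    return vol

def cluster_off(n):
    return DATA_OFF + (n - 2) * SECTOR

def fat_get(vol, n):
    return struct.unpack_from("<H", vol, FAT_OFF + 2 * n)[0]

def fat_set(vol, n, value):
    struct.pack_into("<H", vol, FAT_OFF + 2 * n, value)

def entry_off(slot):
    return ROOT_OFF + 32 * slot

def fmt_name(raw11):
    """Turn an 11-byte 8.3 name field into NAME.EXT."""
    base = bytes(raw11[:8]).decode("ascii", "replace").rstrip()
    ext = bytes(raw11[8:11]).decode("ascii", "replace").rstrip()
    return f"{base}.{ext}" if ext else base

def write_file(vol, slot, name83, data, first_cluster):
    """Store data in consecutive clusters, chain them in the FAT, add the directory entry."""
    chunks = [data[i:i + SECTOR] for i in range(0, len(data), SECTOR)]
    for i, chunk in enumerate(chunks):
        c = first_cluster + i
        vol[cluster_off(c):cluster_off(c) + len(chunk)] = chunk
        fat_set(vol, c, EOC if i == len(chunks) - 1 else c + 1)
    # name(11) attr(1) timestamps/cluster-high(14, zeroed) first-cluster-low(2) size(4)
    struct.pack_into("<11sB14xHI", vol, entry_off(slot),
                     name83.encode("ascii"), 0x20, first_cluster, len(data))

def delete_file(vol, slot):
    """What a FAT driver does on delete: flag the entry, free the chain, leave the data."""
    off = entry_off(slot)
    c = struct.unpack_from("<H", vol, off + 26)[0]
    while c != 0 and c < 0xFFF8:
        nxt = fat_get(vol, c)
        fat_set(vol, c, 0)
        c = nxt
    vol[off] = DELETED

def active_names(vol):
    """What the owner sees in a directory listing."""
    names = []
    for slot in range(ROOT_ENTRIES):
        off = entry_off(slot)
        if vol[off] in (0x00, DELETED):
            continue
        names.append(fmt_name(vol[off:off + 11]))
    return names

def recover_deleted(vol):
    """Undelete: for each 0xE5 entry read `size` bytes starting at its first cluster.

    The FAT chain is gone, so contiguity is assumed; the first name character is lost
    and shown as '?', as undelete tools do. Returns {name: content}.
    """
    found = {}
    for slot in range(ROOT_ENTRIES):
        off = entry_off(slot)
        if vol[off] != DELETED:
            continue
        first, size = struct.unpack_from("<HI", vol, off + 26)
        if first < 2 or first >= 2 + DATA_CLUSTERS:
            continue  # garbage entry, skip it
        raw = bytearray(vol[off:off + 11])
        raw[0] = ord("?")
        start = cluster_off(first)
        found[fmt_name(raw)] = bytes(vol[start:start + size])
    return found

def undelete_demo():
    """Write a 735-byte document (two clusters), delete it, then carve it back."""
    vol = new_volume()
    secret = b"CONFIDENTIAL: draft cable, not for distribution.\n" * 15  # constructed content
    write_file(vol, 0, "CABLE   DOC", secret, 2)
    delete_file(vol, 0)  # the owner "cleans" the stick before lending it out
    return active_names(vol), recover_deleted(vol), secret


if __name__ == "__main__":
    names, recovered, secret = undelete_demo()
    print("listing after delete:", names)
    for name, content in recovered.items():
        print(f"recovered {name}: {len(content)} bytes, intact={content == secret}")
```

The listing comes back empty while the full document is still carved out of the data area, which is exactly the gap the module exploits. The only real defence for a shared stick is overwriting (or full-disk encryption), not deletion.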

He argues that Flame is more advanced, but that the sophisticated Red October can still do plenty of "scary things".

The U.S. Computer Emergency Readiness Team (US-CERT), a subagency of the U.S. Department of Homeland Security (DHS) tasked with cyberdefense, is currently investigating the newly discovered malware and assessing whether it gained access to any important files during its silent rampage.

Sources: Kaspersky Labs, NBC News

Comments

By Captain Orgazmo on 1/15/2013 6:28:29 PM, Rating: 2
The current state of Western vulnerability to e-warfare is very concerning, and destabilizing to world peace. Military, infrastructural, and financial computer systems are all at extreme risk of crippling cyber attacks by the better prepared government agencies of adversarial foreign powers, and malicious non-state actors.

Israel's most recent military action against Hamas could be seen as a test of its defensive capabilities, not just versus rockets and other methods of direct warfare, but against a massive, coordinated cyber attack aimed at its government and military systems. Although the media coverage focused on the success of its anti-missile systems (a clear message to Iran and other foes), less discussed was Israel's effective defense of its computer systems in a very real cyber war with attacks originating from numerous other countries and non-state groups (like "Anonymous").

If the US and allies actually found themselves at war with a more sophisticated enemy than medieval jihadis, I think the potential damage that could be inflicted on the Western economies and populace through purely computer based attacks would be more serious than any event since the second world war.

RE: Forget the cruiser gap, or the missile gap...
By roykahn on 1/15/2013 7:02:57 PM, Rating: 2
I don't think the US officials are as concerned as you are.

"Needless to say, if any cyber-attack is directed at the U.S. –rather than by the U.S.–it will be instantly depicted as an act of unparalleled aggression and evil: Terrorism."

Basically, the US is granting itself permission to attack another country with military force on the basis of a cyber attack. Just like many US foreign policies, it is highly hypocritical. The most aggressive nation in recent history gets to dictate who else is acting aggressively. Brilliant.

So don't worry, pal. The US has bombs to take care of its enemies.

By MechanicalTechie on 1/15/2013 7:48:33 PM, Rating: 2
Just like many US foreign policies, it is highly hypocritical

God no... what are you talking about?!?

The US is such a well-respected and peace loving country... honourable in every way which would never behave like a mentally challenged ogre

I mean seriously how could you make such a ridiculous statement.. hypocritical as if!!!

RE: Forget the cruiser gap, or the missile gap...
By tng on 1/16/2013 8:09:21 AM, Rating: 2
The US is such a well-respected and peace loving country...
While I will agree that US foreign policy is sometimes really off, how do you respond to such an attack?

So a third world country cripples the US economy with a cyber attack, when there is no real way to respond in kind, you go back to old methods (good old fashioned high explosives). You can't just let it happen without a response.

By blueaurora on 1/16/2013 9:54:05 AM, Rating: 2
You can't encourage aggression either, ahead of time, by manipulation of the world stage. We have stolen so much from the 3rd world (resource wise) I don't see how we can't be hated.

Best thing we can do is keep to ourselves for a generation or two and bring our military forces home. Remove our threats and let those with a chip on their shoulders die out, then begin anew.

Damn you Ron Paul. If you were only a better orator lol.

By tng on 1/16/2013 11:25:59 AM, Rating: 2
Damn you Ron Paul. If you were only a better orator lol.
Well, to put it bluntly, he makes too much sense. How can you take him seriously?


Copyright 2016 DailyTech LLC.