Why Red October malware is the Swiss Army knife of espionage
The Red October malware that infected hundreds of computer networks in diplomatic, governmental, and scientific research organizations around the world was one of the most advanced espionage platforms ever discovered, researchers with antivirus provider Kaspersky Lab have concluded.
Its operators had more than 1,000 modules at their disposal, allowing them to craft highly advanced infections that were tailored to the unique configurations of infected machines and the profiles of those who used them. Most of the tasks the components carried out—including extracting e-mail passwords and cryptographically hashed account credentials, downloading files from available FTP servers, and collecting browsing history from Chrome, Firefox, Internet Explorer, and Opera—were one-time events. They relied on dynamic link library code that was received from an attacker server, executed in memory, and then immediately discarded. That plan of attack helps explain why the malware remained undetected by antivirus programs for more than five years.
The malware was also capable of using more traditional Windows EXE files to carry out persistent tasks when necessary. One example was modules that waited for an iPhone, Nokia smartphone, or USB drive to be connected to an infected computer. There were also extensions for the Microsoft Word and Adobe Reader programs that watched for specially crafted documents. When they arrived in e-mail, the modules immediately reinstalled the main malware component, ensuring attackers could regain control of a machine in the event that it had been partially disinfected.
The details are contained in 140 pages of technical analysis that concludes Red October dwarfs most other advanced espionage operations, including the Aurora campaign that targeted Google and three dozen other companies three years ago, or the Night Dragon attacks that penetrated energy companies in 2011. The breathtaking breadth of the malware comes into sharp focus, thanks to the unprecedented level of technical detail.
"According to our knowledge, never before in the history of ITSec has a cyber-espionage operation been analyzed in such deep detail, with a focus on the modules used for attack and data exfiltration." Kaspersky researchers wrote.
Many malware analyses suffer from the researchers' lack of access to the victim data or to a large base on the attack code.
"To get around these hiccups, we set up several fake victims around the world and monitored how the attackers handled them over the course of several months," the report continued. "This allowed us to collect hundreds of attack modules and tools. In addition to these, we identified many other modules used in other attacks, which allowed us to gain a unique insight into the attacks."
Malware in the Red October campaign belongs to a code family Kaspersky has dubbed Sputnik. It infects computers using booby-trapped Microsoft Word and Excel documents, which appear to have exploited vulnerabilities Microsoft had already patched at the time they compromised the computers. With more than 1,000 separate modules to catalog, Kaspersky researchers have broken them into 10 categories. They include:
- Recon: Short for reconnaissance, these modules are used during the first stage of an attack, immediately after a computer has been infected. They collect general information about the target system so operators can understand how valuable it is and decide what other modules they want to install. These modules also collect browsing history, stored passwords, and FTP client settings using the one-time task method described earlier.
- Password: Modules in this category extract credentials from an array of programs, including from the secure temporary folder of Microsoft Outlook, and Mail.ru Agent, a popular free application available from Mail.ru. Modules also collect Windows account hashes, apparently for offline cracking.
- E-mail: Specific modules extract messages and data stored locally by clients such as Outlook and Thunderbird, as well as from remote POP3 or IMAP mail servers. They're capable of dumping message headers and bodies, in addition to attachments with pre-defined file-name extensions.
- USB Drive: Steals files from drives attached over USB connections. Modules have the ability to collect files with pre-defined extensions, sizes, or dates. They can also use a file-system parser to recognize, restore, and copy deleted Microsoft Office files.
- Keyboard: Records keystrokes, grabs text entered into password fields, and makes screen captures.
- Persistence: Contains installers and payload code for Word and Reader plugins used to regain control of previously compromised computers that may have been partially disinfected.
- Spreading: Scans for hosts on a local network, and then infects them using previously extracted credentials or attacks that exploit unpatched vulnerabilities. One module in this group can use SNMP commands to dump Cisco network router configuration data.
- Mobile: Dumps valuable information from attached smartphones, including contacts, calendars, SMS and e-mail messages. Some modules can check to see if a device is jailbroken.
- Exfiltration: Transfers data stored on local hard drives and available FTP servers and remote network shares to command servers controlled by the attackers. Unlike the Recon modules above, these modules run repeatedly.
- USB Infection: Copy execution logs and other data files related to the current malware family from USB drives. This is the only one of the categories that Kaspersky has not been able to retrieve modules for.
It's interesting to contrast the sophistication of the Sputnik malware, and the work that went into its engineering, with the rudiments of the exploits used to spread it. The exploits discovered so far in the campaign came in e-mails that contained Word and Excel documents that exploited vulnerabilities which in some cases had been patched years earlier. Some of the attack code appears to have been developed by hackers in China and was also used against Tibetan activists and others. It may be possible that attackers used additional exploits that have yet to be unearthed.
Holding a candle to Flame
As advanced as the Red October's Sputnik family of malware is, it still doesn't outshine Flame, the surveillance and espionage malware that Kaspersky discovered targeting Iran. Among the features that make Flame stand out was its ability to hijack Microsoft's Windows Update mechanism so it could spread from machine to machine over an infected network. To pull off the feat, Flame achieved what's believed to be the only in-the-wild cryptographic collision attack using a technique that required the expertise of world-class cryptographers.
"In my opinion, Flame is the queen mother of advanced attack methodology," Kaspersky Lab Senior Security Researcher Kurt Baumgartner told Ars. "For example, the complexity and uniqueness of the 'God-mode cheat' used for the Windows Update MiTM replication methods were not challenged by the Red October exploit code re-use."
Still, he said, Red October's "deep level of detail when interacting with and penetrating an environment is new." Further, command and control infrastructure used to coordinate the Red October operation was more developed than the one used by Flame, despite comprising fewer registered domains.
Red October Espionage Platform Unplugged Hours After Its Discovery
Command servers and domains that targeted governments around the world go dark.
by Dan Goodin
Update: January 18, 2013
The so-called Red October campaign came to light on Monday in a report from researchers from antivirus provider Kaspersky Lab. It reported that the then-ongoing operation was targeting embassies as well as governmental and scientific research organizations in a wide variety of countries. The research uncovered more than 60 Internet domain names used to run the sprawling command and control network that funneled malware and received stolen data to and from infected machines. In the hours following the report, many of those domains and servers began shutting down, according to an article posted Friday by Kaspersky news service Threatpost.
"It's clear that the infrastructure is being shut down," Kaspersky Lab researcher Costin Raiu told the service. "Not only the registers killing the domains and the hosting providers killing the command-and-control servers but perhaps the attackers shutting down the whole operation."
One of Red October's innovations is a command infrastructure that uses multiple layers of servers and domains that act as proxies to camouflage the core functions in the operation. Mashable reporter Lorenzo Franceschi-Bicchierai quoted Raiu as describing the design as an "onion with multiple skins" with a mothership at its center that collects all the stolen data. Raiu said most of the unplugged domains and disconnected servers seen so far represent first-level proxies. He speculated the operation may go dormant for a while and then come back using different servers or domains, or even different malware altogether.
Raiu said the full extent of the infrastructure likely hasn't been uncovered yet. He estimated the campaign may use several dozen more servers. If correct, the total number would rival the command infrastructure used by Flame, the state-sponsored malware campaign that targeted sensitive networks in Iran.
As Ars reported on Thursday, the Red October malware platform was another innovation of the campaign. It contained 1,000 separate modules in 30 module categories, allowing operators to serve unique combinations of components to targets based on their specific system configurations and end-user profiles. They were created as early as 2007 and as recently as January 8.