I’m going to watch this to see if it is really something to be concerned about or not. However, the e-mail re-infection component has me a bit concerned. If that’s the case, anyone who thinks ANY machine with malware can be cleaned is foolish. I may have to re-evaluate my malware handling procedures.
Researchers have uncovered an ongoing, large-scale computer espionage network that’s targeting hundreds of diplomatic, governmental, and scientific organizations in at least 39 countries, including the Russian Federation, Iran, and the United States.
Operation Red October, as researchers from antivirus provider Kaspersky Lab have dubbed the highly coordinated campaign, has been active since 2007, raising the possibility it has already siphoned up hundreds of terabytes of sensitive information. It uses more than 1,000 distinct modules that have never been seen before to customize attack profiles for each victim. Among other things, components target individual PCs, networking equipment from Cisco Systems, and smartphones from Apple, Microsoft, and Nokia. The attack also features a network of command-and-control servers with a complexity that rivals that used by the Flame espionage malware that targeted Iran.
“This is a pretty glaring example of a multiyear cyber espionage campaign,” Kaspersky Lab expert Kurt Baumgartner told Ars. “We haven’t seen these sorts of modules being distributed, so the customized approach to attacking individual victims is something we haven’t seen before at this level.”
The main purpose of the campaign is to gather classified information and geopolitical intelligence. Among the data collected are files from cryptographic systems such as the Acid Cryptofiler, with the collected information used in later attacks. Stolen credentials, for instance, were compiled and used later when the attackers needed to guess secret phrases in other locations.
Little is known about the people or organizations responsible for the project, and conflicting data makes it hard to attribute the nationality of the attackers. While the malware developers spoke Russian, many of the exploits used to hijack victim computers were initially developed by Chinese hackers. Also clouding the identity of the attackers is the long roster of victims. The Russian Federation was the most targeted country, followed by Kazakhstan, Azerbaijan, Belgium, India, Afghanistan, Armenia, Iran, and Turkmenistan. In all, computers belonging to 39 countries on a variety of continents are infected.
The command-and-control infrastructure that receives the stolen data uses more than 60 domain names as proxy servers to obscure the final destination. These domains are believed to funnel data to a second tier of proxy servers, which in turn are believed to send the information to a “mother ship” that Kaspersky researchers still know little about. The ability of the infrastructure to shield the identity of the attackers and to resist takedown efforts rivals the command-and-control system used by Flame, the espionage malware reportedly developed by the US and Israel to spy on Iran. The Red October malware itself has remained undetected on more than 300 PCs and networks for more than five years.
“It’s been a very well-maintained and set-up infrastructure that’s supported with multiple levels of proxies in order to hide away the mothership,” Baumgartner said. “They’ve been very effective at cycling through these domains and staying under the radar for the past five years.”
One novel feature contained in Red October is a module that creates an extension for Adobe Reader and Microsoft Word on compromised machines. Once installed, the module provides attackers with a “foolproof” way to regain control of a compromised machine, should the main malware payload ever be removed.
“The document may be sent to the victim via e-mail,” the researchers explained. “It will not have an exploit code and will safely pass all security checks. However, like with exploit case, the document will be instantly processed by the module and the module will start a malicious application attached to the document.”
Red October is also notable for the broad array of devices it targets. Besides PCs and computer workstations, it’s capable of stealing data from iPhones and Nokia and Windows Mobile smartphones, along with Cisco enterprise network equipment. It can also retrieve data from removable disk drives, including files that have already been deleted, thanks to a custom file recovery procedure.