"Red October" Espionage Malware Campaign Uncovered

L3sPau1 writes "For five years, it hid in the weeds of networks used by Eastern European diplomats, government employees and scientific research organizations, stealing data and infecting more machines in an espionage campaign rivaling Flame and others of its ilk. The campaign, called Rocra or Red October by researchers at Kaspersky Lab, focused not only on workstations, but mobile devices and networking gear to gain a foothold inside strategic organizations. Once inside, attackers pivoted internally and stole everything from files on desktops, smartphones and FTP servers, to email databases using exploits developed in Chinese and Russian malware, Kaspersky researchers said."

Least-interesting targets

Most of those IP addresses were in Switzerland, Kazakstan, Greece and Belarus

In other words, it's mostly collecting information from the least-interesting countries in Europe (geopolitically speaking.) One has to assume that the real target(s) are just being drowned out by collateral traffic.

If, and that's a big if, there actually is a defined target.

Time to ask some hard questions

[Papa+Legba]

Its time we started to grill our malware detecors and virus scan makers because somethnig is going very very wrong. This makes the third or fourth MAJOR espionage virus/malware/trojan of a very large size that has been apparently rampaging for years. How can I now trust symantic to find a zero day and protect my systems when they have been unable to find things like red october and flame for years, and they are huge programs!

I am not a big conspiracy theorist, but something is going on here. Why aren't these things being spotted and reported?

Re:Time to ask some hard questions

[Runaway1956]

You've had some good answers posted already to the question, "How can I now trust symantic to find a zero day?"

Let me make this painfully clear for you. Antivirus is a reactive defense. Malware writers are an active offense. In any kind of gamesmanship, be it real life combat, business, online gaming, or whatever, the offense always has the advantage. Hence, the old adage, "The best defense is a good offense."

People who rely on antivirus programs to protect them are playing the game all wrong. It's a losing game, short term and long term.

Want a better method? How about we catalog and fingerprint all programs and processes on our machines. A new or changed process can be identified and sandboxed or killed. Screw the whole antivirus strategy - all that does is to ineffectively use system resources that might be better used in another manner.

Whether we fingerprint all processes or not, we can monitor communications. Each system establishes "trusted" protocols, ports, and addresses, everything else is blocked by default. That might throw a whammy into advertising networks, but so be it.

Heuristics are far better than any semi-static list of "bad things", even if that list is updated every day, or every week.

ALERT: An untrusted program is attempting to communicate with an unknown destination. Do you want to permit "PWNDMUTHAFUCKA.exe" to communicate with "bonedyomama.net" located at a proxy server in Singapore?

That may be a waste of time though. Most users will just click "yes", even if the details of their recent banking transactions are printed below the warning.