Slashdot Mirror


"Red October" Espionage Malware Campaign Uncovered

L3sPau1 writes "For five years, it hid in the weeds of networks used by Eastern European diplomats, government employees and scientific research organizations, stealing data and infecting more machines in an espionage campaign rivaling Flame and others of its ilk. The campaign, called Rocra or Red October by researchers at Kaspersky Lab, focused not only on workstations, but mobile devices and networking gear to gain a foothold inside strategic organizations. Once inside, attackers pivoted internally and stole everything from files on desktops, smartphones and FTP servers, to email databases using exploits developed in Chinese and Russian malware, Kaspersky researchers said."

16 of 53 comments

  1. Not just that- by Anonymous Coward · · Score: 5, Funny

    It also stole first post! How devious!

    1. Re:Not just that- by Anonymous Coward · · Score: 4, Funny

      One ping only.

    2. Re:Not just that- by alphatel · · Score: 3, Informative

      Captain Ramius: Re-verify our range to target... one ping only.
      Capt. Vasili Borodin: Captain, I - I - I just...
      Captain Ramius: Give me a ping, Vasili. One ping only, please.
      The Hunt for Red October

      --
      When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.

  2. Least-interesting targets by Anonymous Coward · · Score: 2, Interesting

    Most of those IP addresses were in Switzerland, Kazakhstan, Greece and Belarus

    In other words, it's mostly collecting information from the least-interesting countries in Europe (geopolitically speaking). One has to assume that the real target(s) are just being drowned out by collateral traffic.

    If, and that's a big if, there actually is a defined target.

  3. Time to ask some hard questions by Papa+Legba · · Score: 5, Interesting

    It's time we started to grill our malware detectors and virus scan makers, because something is going very, very wrong. This makes the third or fourth MAJOR espionage virus/malware/trojan of a very large size that has apparently been rampaging for years. How can I now trust Symantec to find a zero day and protect my systems when they have been unable to find things like Red October and Flame for years, and they are huge programs!

    I am not a big conspiracy theorist, but something is going on here. Why aren't these things being spotted and reported?

    --
    Papa Legba come and open the gate

    1. Re:Time to ask some hard questions by Errol+backfiring · · Score: 2

      True. I want to know who this Russian is who has a backup of my files.

      --
      Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!

    2. Re:Time to ask some hard questions by Anonymous Coward · · Score: 3, Funny

      True. I want to know who this Russian is who has a backup of my files.

      His name is Kaspersky.

    3. Re:Time to ask some hard questions by Charliemopps · · Score: 5, Informative

      How can I now trust Symantec to find a zero day and protect my systems...

      You can't. You do not understand how malware/viruses work. If I wanted to write a virus to infect YOUR computer, it would never be detected. Antivirus software protects you against known threats. That's it. Someone, somewhere, figures out they are infected, figures out the file doing the infection and sends it in to Symantec or whomever. They find common code in the infected file that resembles other files that are infected, and now they have something to look for when scanning. If no one ever figures out that they are infected, and the people that wrote the virus didn't use bits of code from other viruses, then there's no way for the anti-virus companies to search for it.

      Some of the better antivirus packages scan for "suspect behavior" and such, but it really doesn't do much good. Antivirus protects you from getting the evil toolbar viruses... stuff written by the world's intelligence organizations that does not take over the computer and infest it with ads, so the user never has a clue anything is wrong? It's never going to find that.

    4. Re:Time to ask some hard questions by Runaway1956 · · Score: 5, Interesting

      You've had some good answers posted already to the question, "How can I now trust Symantec to find a zero day?"

      Let me make this painfully clear for you. Antivirus is a reactive defense. Malware writers are an active offense. In any kind of gamesmanship, be it real life combat, business, online gaming, or whatever, the offense always has the advantage. Hence, the old adage, "The best defense is a good offense."

      People who rely on antivirus programs to protect them are playing the game all wrong. It's a losing game, short term and long term.

      Want a better method? How about we catalog and fingerprint all programs and processes on our machines. A new or changed process can be identified and sandboxed or killed. Screw the whole antivirus strategy - all that does is to ineffectively use system resources that might be better used in another manner.

      Whether we fingerprint all processes or not, we can monitor communications. Each system establishes "trusted" protocols, ports, and addresses; everything else is blocked by default. That might throw a whammy into advertising networks, but so be it.

      Heuristics are far better than any semi-static list of "bad things", even if that list is updated every day, or every week.

      ALERT: An untrusted program is attempting to communicate with an unknown destination. Do you want to permit "PWNDMUTHAFUCKA.exe" to communicate with "bonedyomama.net" located at a proxy server in Singapore?

      That may be a waste of time though. Most users will just click "yes", even if the details of their recent banking transactions are printed below the warning.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br

    5. Re:Time to ask some hard questions by dgatwood · · Score: 2

      Some security software actually does just that (to varying degrees). For example: Little Snitch, Gatekeeper (classic Mac OS), Gatekeeper (OS X), and so on.

      The problem is that it's really hard to identify certain types of attacks in that way. For example, if there were a security hole in a web browser, unless the attacker modifies the browser to send data over a port other than port 80 or port 443, any side channel retransmission of your data is likely to be entirely transparent to any sort of external profiling that you could reasonably do. This is why it is so critically important to make sure that web browser code is, in fact, robust against attacks to begin with.

      This is also arguably a valid reason for moving away from general-purpose browsers for high-security transactions, and using separate apps instead. For example, a banking app would be whitelisted for the bank, period, and if it tried to communicate with any other server, that would be suspicious.

      Or we could just pass a law requiring that all financial transactions be signed using a non-Internet-connected PK crypto dongle and be done with it, but I digress.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.
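Runaway1956's proposal (catalog and fingerprint every program, then allow only trusted program/host/port egress by default) and dgatwood's objection (an exploited but unmodified browser phoning home over 443 is indistinguishable from ordinary browsing unless the app is pinned to a single destination) can be put side by side in code. This is an added Python example, not anything posted in the thread; the program paths, binary bytes, hostnames and policy entries are all constructed.

```python
import hashlib
from dataclasses import dataclass

def fingerprint(image: bytes) -> str:
    """Catalog entry for a program: SHA-256 of its on-disk bytes."""
    return hashlib.sha256(image).hexdigest()

# Constructed baseline, built while the machine was in a known-good state.
BASELINE = {
    "/usr/bin/browser": fingerprint(b"browser build 12 (constructed)"),
    "/usr/bin/bankapp": fingerprint(b"bankapp build 3 (constructed)"),
}

# Constructed default-deny egress policy: (program, host, port) tuples that
# are trusted; "*" means any host. Anything not listed is denied.
EGRESS_ALLOW = {
    ("/usr/bin/browser", "*", 443),             # general-purpose browser
    ("/usr/bin/bankapp", "bank.example", 443),  # single-purpose app, one host
}

@dataclass(frozen=True)
class ConnEvent:
    program: str   # path of the process opening the connection
    image: bytes   # bytes of that binary on disk at connect time
    host: str
    port: int

def check_program(ev: ConnEvent) -> str:
    """Flag binaries that are new or changed relative to the catalog."""
    expected = BASELINE.get(ev.program)
    if expected is None:
        return "UNKNOWN_PROGRAM"
    if fingerprint(ev.image) != expected:
        return "CHANGED_PROGRAM"
    return "OK"

def check_egress(ev: ConnEvent) -> str:
    """Default deny; allow only a listed (program, host, port) match."""
    for prog, host, port in EGRESS_ALLOW:
        if prog == ev.program and port == ev.port and host in ("*", ev.host):
            return "ALLOW"
    return "DENY"

def evaluate(ev: ConnEvent) -> tuple:
    """Combined verdict as (decision, reason)."""
    prog = check_program(ev)
    if prog != "OK":
        return ("DENY", prog)
    return (check_egress(ev), "policy")
```

A browser allowed to reach any host on 443 passes whether it is fetching news or being driven by an exploit, while the bank app pinned to one host is denied the moment it contacts anything else; that is the whole of dgatwood's point in two policy lines.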

    6. Re:Time to ask some hard questions by village+fool · · Score: 2

      You mean "Who is General Failure and why is he reading my hard drive"?

  4. This business will get out of hand by Alranor · · Score: 4, Funny

    It will get out of hand, and we'll be lucky to live through it.

  5. Question already answered by daveschroeder · · Score: 4, Informative

    "The antivirus industry has a dirty little secret: its products are often not very good at stopping viruses."

    (The linked New York Times story is a great read.)

    1. Re:Question already answered by jbmartin6 · · Score: 2

      Just for fun, here's F-Secure's rebuttal: http://www.f-secure.com/weblog/archives/00002482.html

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.

  6. Phishing by schneidafunk · · Score: 2

    And it starts with: "Like most of these APT-style targeted attacks, this one begins with a spear phishing message; one example provided was an announcement of a diplomatic car for sale. The email messages contain one of three attachments, each a different exploit of an existing vulnerability."

    --
    Some people die at 25 and aren't buried until 75. -Benjamin Franklin

  7. Red October? by guttentag · · Score: 4, Funny

    Middle school cafeterias are abuzz with the news:

    When I was twelve, I helped my daddy set up an email server in our basement because some fool in China compromised a few diplomats' Gmail accounts. Well, this thing could compromise a coupla hundred accounts in Washington and New York and no one would know anything about it till it was all over.