Monday, January 28, 2013

Red October

Another story that could have been the plot of a James Bond movie ... except that it happened in real life.

I saw it on Slashdot: researchers at Kaspersky Lab have uncovered a very powerful piece of malware apparently designed and engineered to act as a virtual spy and collect sensitive, and very sensitive, data. Once it infects a host, besides trying to spread through the internal network, it slowly reports back all the office documents, plus a number of other formats, including files produced by the Acid Cryptofiler encryption software used by NATO and EU institutions.

Was it developed by a nation-state? Hard and too early to tell, but the researchers note that the exploits appear to have been created by Chinese hackers, while the malware modules themselves appear to have been written by Russian-speaking developers. Another possibility is that this is a product of the criminal underground, and that all the information collected is to be sold to the highest bidder.

While it seems to target government and diplomatic institutions in Eastern Europe, the former Soviet republics and Central Asia, it has also been found in agencies around the globe, as shown in the following map.

The malware uses at least three exploits: CVE-2009-3129 (memory corruption in Excel when opening a crafted spreadsheet), CVE-2010-3333 (stack-based buffer overflow in several Office components when processing RTF data) and CVE-2012-0158 (memory corruption in the ListView/TreeView ActiveX controls of MSCOMCTL.OCX, the Windows Common Controls, reachable from a crafted Office or RTF document). I said "at least" as the malware is highly modular, and there is a chance that additional payloads could have been delivered to exploit specific situations.

The initial entry is a classic spear-phishing technique in which the victim is tricked into opening a document attached to an e-mail. The document exploits one of the three vulnerabilities mentioned above to execute code on the victim's computer and drop the main backdoor. This first phase completes with a connection to a Command & Control ("C&C") server, which provides additional orders and modules.
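Since the lure documents are the only part of the attack a defender can inspect before the backdoor is dropped, the following is an added example (mine, not code from the original post or from Kaspersky) of the kind of triage one can do on incoming RTF attachments for the CVE-2010-3333 path. The vulnerable RTF construct is public knowledge: the pFragments shape property, written as {\sp{\sn pFragments}{\sv <count>;<size>;<hex data>}}, where exploit documents carry far more data than the fixed-size buffer Word copies it into. The threshold, the regular expression and the two sample files are my own assumptions and constructions; the samples are not Red October documents.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Heuristic threshold, an assumption for this example rather than a figure from
# any report: a legitimate pFragments property holds a short list of shape
# fragments, while a CVE-2010-3333 exploit needs a value long enough to overrun
# the fixed-size stack buffer that Word copies it into.
MAX_SANE_FRAGMENT_BYTES = 128

# RTF writes the shape property as {\sp{\sn pFragments}{\sv <count>;<size>;<hex>}}.
# Whitespace between tokens is tolerated because Word's parser tolerates it too,
# and exploit generators use that slack to dodge naive string matches.
PFRAG_RE = re.compile(
    rb"\{\\sn\s+pFragments\s*\}\s*\{\\sv\s*([^}]*)\}",
    re.IGNORECASE | re.DOTALL,
)


@dataclass
class Finding:
    offset: int                   # byte offset of the property in the file
    reason: str
    declared_size: Optional[int]  # the <size> field, if it parsed as a number
    actual_bytes: int             # bytes actually present in the hex data


def looks_like_rtf(data: bytes) -> bool:
    # Word opens files whose header is truncated to "{\rt", so do not insist on
    # the full "{\rtf1" that a well-formed writer emits.
    return data.lstrip().startswith(b"{\\rt")


def scan_rtf(data: bytes) -> List[Finding]:
    """Return one Finding per pFragments property that looks malformed."""
    findings: List[Finding] = []
    if not looks_like_rtf(data):
        return findings
    for m in PFRAG_RE.finditer(data):
        value = re.sub(rb"\s+", b"", m.group(1))   # strip whitespace injected into the value
        parts = value.split(b";", 2)
        declared: Optional[int] = None
        if len(parts) == 3:
            hexdata = parts[2]
            if parts[0].isdigit() and parts[1].isdigit():
                declared = int(parts[1])
        else:
            hexdata = value
        actual = len(hexdata) // 2
        if declared is None:
            findings.append(Finding(m.start(), "malformed count;size;data header", None, actual))
        if len(hexdata) % 2 or not re.fullmatch(rb"[0-9A-Fa-f]*", hexdata):
            findings.append(Finding(m.start(), "fragment data is not clean hex", declared, actual))
        if actual > MAX_SANE_FRAGMENT_BYTES:
            findings.append(Finding(m.start(), "oversized pFragments payload", declared, actual))
        # Exploit generators typically leave a small fixed size in front of
        # kilobytes of data, so a size field that disagrees with the data is a
        # strong signal on its own.
        if declared is not None and declared != actual:
            findings.append(Finding(m.start(), "declared fragment size does not match data", declared, actual))
    return findings


def is_suspicious(data: bytes) -> bool:
    return bool(scan_rtf(data))


# Constructed samples for this example (not real documents).
BENIGN_RTF = (
    b"{\\rtf1\\ansi{\\shp{\\*\\shpinst{\\sp{\\sn pFragments}"
    b"{\\sv 1;8;0102030405060708}}}}Hello}"
)
# Truncated header, a newline inside the value and 2 KiB of fragment data
# behind a declared size of 4: the shape a weaponised document tends to take.
SUSPICIOUS_RTF = (
    b"{\\rt\\ansi{\\shp{\\*\\shpinst{\\sp{\\sn pFragments}{\\sv 1;4;\n"
    + b"41" * 2048
    + b"}}}}}"
)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_RTF), ("suspicious", SUSPICIOUS_RTF)):
        for f in scan_rtf(blob) or [None]:
            print(name, "->", "clean" if f is None else f)
```

Run it on an attachment with `scan_rtf(open(path, "rb").read())`; anything returning findings deserves a detonation in a sandbox rather than a click from the recipient. The same approach (parse the one structure the exploit has to contain, then check it for internal consistency) is how one would also gate the Excel and MSCOMCTL.OCX lures, though those need an OLE2 parser rather than a regular expression.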

Phase 2 is when the spy work is done: removable media are searched, the contact lists of connected phones (iPhone, Nokia) are downloaded, Windows Mobile phones are infected, survival mechanisms are put in place (including a "resurrection" module planted as an Adobe Reader or Office plugin so the host can be re-infected after cleanup), and so forth. A lot of information is captured in one go, some of which can be used to further infect the local network, for instance cached Windows credentials or database credentials. The malware also tries to exploit hosts directly using MS08-067, the Server service vulnerability. If admin credentials are found, it will also use them to propagate.

Kaspersky's researchers have classified the modules into 10 groups: recon, password, email, USB drive, keyboard, persistence, spreading, mobile, exfiltration and USB infection. A second paper from Kaspersky's researchers describes each module they found. The description of each module is very interesting, and a lot of the information scattered across the document can be used to generate IDS/IPS signatures.