Security Experts Find Red October Virus Has Been Attacking US Computers For More Than 5 Years
January 14, 2013

Michael Harper for — Your Universe Online

Security researchers at Kaspersky Labs have discovered malware that has been targeting Eastern Europe and North America since 2007. Known as “Red October,” the malware has been active for more than five years, stealing confidential and encrypted documents from its victims.

According to the Russian security firm, this is a “high-level cyber-espionage campaign” whose malware has been installed on computers at “diplomatic, governmental and scientific research organizations.” It has also been found on mobile devices and network equipment. Over the past several months, Kaspersky has been studying Red October to learn how it works and which countries it targets.

"The primary focus of this campaign targets countries in Eastern Europe, former USSR Republics, and countries in Central Asia, although victims can be found everywhere, including Western Europe and North America," said Kaspersky Labs in a statement.

According to Kaspersky's research, Red October (also referred to as Rocra) is still active, exchanging data with “multiple command-and-control servers.”

"It appears to be trying to suck up all the usual things - word documents, PDFs, all the things you'd expect," explained Professor Alan Woodward with University of Surrey, speaking to the BBC's Dave Lee. "But a couple of the file extensions it's going after are very specific encrypted files."

Whoever runs Red October has a particular interest in diplomatic and government agencies, lifting documents and other information, including files encrypted with software used by the EU and NATO. Some of the stolen data, such as credentials and passwords, is reused in later attacks. The attackers have registered more than 60 domain names in different countries to host the malware's infrastructure; most are registered in Germany and Russia. Each of these domains serves as a front that hides the main command-and-control (C&C) server.

The C&C infrastructure is designed to survive a takedown: it runs on a multi-functional framework that lets the operators quickly recover access to infected machines even if individual servers are lost.

Kaspersky Labs has also found that the campaign targets mobile phones, including Apple and Nokia devices.

Red October has even been found to have what Kaspersky Labs are calling a “resurrection mode.”

The malware hides a small module inside Adobe Reader and Microsoft Office installations, where it is registered as a plugin. Should the main malware be discovered and removed, this leftover component can reinstall it and resume operation; the attackers only need to send the victim a specially crafted document to trigger it.

The malware specifically targets files encrypted with a system called “Cryptofiler.” Cryptofiler was once a standard among intelligence agencies and has since fallen out of favour, but Professor Woodward told the BBC that some extremely sensitive documents are still encrypted with it.

Kaspersky has recorded at least 55,000 connections to Red October infrastructure from 250 IP addresses. Since an organization usually routes many machines through a single public address, that many connections from so few addresses points to multiple infected computers within specific sites or buildings rather than 250 isolated victims. Kaspersky says it has been watching the malware since October and will publish a detailed paper on it in the coming days.
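The 55,000-connections-from-250-addresses figure only implies many machines if connections from one address can be attributed to different hosts; raw connection volume alone cannot separate one host beaconing on a timer from a dozen hosts behind one NAT egress. As an added example (not code from the article, from Kaspersky or from the Red October operators), the script below parses constructed beacon log lines, counts connections per source address, and flags addresses that front more than one distinct host. The log format is invented for illustration, and the `bot` field (a per-host beacon identifier) is an assumption: the article does not describe what the real beacons contain.

```python
"""Triage of C&C beacon logs: connections per source address versus
distinct hosts per address.

Added example for this article; not code from the article, Kaspersky or
the Red October operators. The log format is constructed for
illustration, and the `bot` field (a per-host beacon identifier) is an
assumption: the article does not describe what the real beacons contain.
"""
import re
from dataclasses import dataclass, field

# One beacon per line: timestamp, source IP, per-host id, request path.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"bot=(?P<bot>[0-9a-f]+) path=(?P<path>\S+)$"
)

# Constructed sample: 203.0.113.5 is one NAT egress fronting three hosts,
# 198.51.100.20 is a single host beaconing on a timer, 192.0.2.77 beacons
# once, and one line is deliberately malformed.
SAMPLE_LOG = """\
2013-01-10T08:01:02Z src=203.0.113.5 bot=7f3a1c path=/update
2013-01-10T08:01:09Z src=203.0.113.5 bot=19be04 path=/update
2013-01-10T08:01:15Z src=203.0.113.5 bot=c0ffee path=/update
2013-01-10T08:05:02Z src=203.0.113.5 bot=7f3a1c path=/update
2013-01-10T08:05:10Z src=203.0.113.5 bot=19be04 path=/update
2013-01-10T08:02:30Z src=198.51.100.20 bot=0badf0 path=/update
2013-01-10T08:06:31Z src=198.51.100.20 bot=0badf0 path=/update
2013-01-10T08:10:31Z src=198.51.100.20 bot=0badf0 path=/update
2013-01-10T08:03:00Z src=192.0.2.77 bot=deadbe path=/update
garbage line that the parser must skip rather than crash on
"""


@dataclass
class SourceStats:
    connections: int = 0
    hosts: set = field(default_factory=set)


def parse_beacons(text):
    """Return a list of (src, bot) pairs, skipping lines that do not match."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((m.group("src"), m.group("bot")))
    return records


def stats_by_source(records):
    """Aggregate connection count and distinct host ids per source IP."""
    stats = {}
    for src, bot in records:
        s = stats.setdefault(src, SourceStats())
        s.connections += 1
        s.hosts.add(bot)
    return stats


def classify(stats):
    """Label each source: several distinct hosts behind one address, or one
    host that simply beacons repeatedly. Connection volume alone cannot
    tell these apart; the per-host id can."""
    return {
        src: "multi-host egress" if len(s.hosts) > 1 else "single host"
        for src, s in stats.items()
    }


def totals(stats):
    """(connections, source addresses, distinct hosts) across the log."""
    conns = sum(s.connections for s in stats.values())
    hosts = set().union(*(s.hosts for s in stats.values()))
    return conns, len(stats), len(hosts)


if __name__ == "__main__":
    st = stats_by_source(parse_beacons(SAMPLE_LOG))
    for src, label in classify(st).items():
        print(f"{src:15} {st[src].connections:3d} conns "
              f"{len(st[src].hosts)} host(s)  {label}")
    print("totals (connections, sources, hosts):", totals(st))
```

On the sample, 203.0.113.5 shows five connections but three distinct host ids and is labelled a multi-host egress, while 198.51.100.20 has three connections from one id and is a single host. Without a per-host identifier in the beacon, the same conclusion would have to come from weaker evidence such as overlapping beacon timers or differing User-Agent strings from one address.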