Kaspersky Labs Uncover Java Exploit in the Red October Malware

by Abhay Bakshi on Feb 08, 2013

Security researchers at Kaspersky Labs uncovered in mid-January that the Red October attackers used the Rhino exploit in Java as an additional delivery vector.

Red October ("Rocra"), a five-year malware campaign named after the novel "The Hunt for Red October", is still active. It has successfully infiltrated the computer networks and mobile devices of diplomatic, governmental and scientific research organizations in 39 countries, stealing highly sensitive information such as geopolitical data and intelligence from the infected systems.

Kaspersky Labs has published a detailed analysis of the Java delivery vector. Their researchers found that the attackers exploit a Java vulnerability known as the Rhino exploit: a flaw in the Java runtime that allows untrusted Java Web Start applications and untrusted applets to execute malicious scripts. The attackers' modus operandi is to send e-mails with an embedded link directing potential victims to a specially crafted PHP page. Kaspersky Labs' report explains that the attack involves three stages. In the first stage, the PHP script on Rocra's server encrypts a URL and passes it to a Java applet. The applet itself contains the decryption key and reconstructs the URL, from which a downloader executable is written to the victim's disk and run there.

Figure: Red October web page exploiting Java vulnerability (Courtesy: Kaspersky Labs)

In the second and third stages of the attack, the downloaded module manipulates Windows registry values and, through another downloaded module, establishes a connection for posting HTTP requests to the attackers' Command-and-Control (C&C) servers at frequent, regular intervals.
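Because the implant checks in with its C&C servers on a fixed cadence, one defensive angle is to look for low-jitter request timing in web proxy logs. The script below is an added example, not code from Kaspersky's report or from the malware; the log lines, addresses and paths are constructed for illustration.

```python
"""Flag source/destination pairs whose request timing looks like a beacon."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines (not real Rocra traffic): "timestamp src dst method path".
# The first host posts every ~5 minutes; the second browses at irregular times.
SAMPLE_LOG = """\
2013-01-15T10:00:00 10.0.0.5 198.51.100.7 POST /cgi-bin/ms/check.php
2013-01-15T10:05:01 10.0.0.5 198.51.100.7 POST /cgi-bin/ms/check.php
2013-01-15T10:09:59 10.0.0.5 198.51.100.7 POST /cgi-bin/ms/check.php
2013-01-15T10:15:00 10.0.0.5 198.51.100.7 POST /cgi-bin/ms/check.php
2013-01-15T10:20:02 10.0.0.5 198.51.100.7 POST /cgi-bin/ms/check.php
2013-01-15T10:00:10 10.0.0.9 203.0.113.4 GET /news/index.html
2013-01-15T10:01:40 10.0.0.9 203.0.113.4 GET /news/story.html
2013-01-15T10:23:05 10.0.0.9 203.0.113.4 GET /news/other.html
2013-01-15T10:24:00 10.0.0.9 203.0.113.4 GET /img/logo.png
2013-01-15T11:10:00 10.0.0.9 203.0.113.4 GET /news/index.html
"""


def parse(log):
    """Group request timestamps by (source, destination, method)."""
    flows = defaultdict(list)
    for line in log.splitlines():
        ts, src, dst, method, _path = line.split()
        flows[(src, dst, method)].append(datetime.fromisoformat(ts))
    return flows


def beacon_score(times):
    """Coefficient of variation of the inter-request gaps; near 0 means clockwork timing."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 3:
        return None  # too few gaps to judge regularity
    avg = mean(gaps)
    return pstdev(gaps) / avg if avg else None


def find_beacons(log, min_requests=4, max_cv=0.1):
    """Return flows with at least min_requests and gap variation at or below max_cv."""
    hits = {}
    for key, times in parse(log).items():
        if len(times) < min_requests:
            continue
        cv = beacon_score(times)
        if cv is not None and cv <= max_cv:
            gaps = [(b - a).total_seconds() for a, b in zip(sorted(times), sorted(times)[1:])]
            hits[key] = {"mean_gap": round(mean(gaps), 1), "cv": round(cv, 3)}
    return hits
```

Thresholds need tuning per environment: legitimate software updaters and monitoring agents also poll on a schedule, so a hit is a lead to triage against the destination's reputation, not a verdict.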

The Seculert blog says that "The JAR file of the Java exploit was compiled in February 2012, even though the patch for the vulnerability was available as of October 2011, yet another example of attackers making use of known vulnerabilities."

In October 2012, one of Kaspersky Labs' partners (Kaspersky Labs did not disclose their name) pointed them to spear phishing (phishing attempts directed at specific individuals or companies) and malware modules. Through their analysis, Kaspersky Labs observed that the sample malware modules exploited vulnerabilities in Microsoft Word, Microsoft Excel, PDF and Java (through its Rhino exploit), allowing the attackers to infect PCs, smartphones, and computer networking equipment. The file types targeted by the malware were extended to include .cer, .crt, .txt and several more.

Figure: The Red October Command-and-Control Network Infrastructure (Courtesy: Kaspersky Labs)

What distinguishes the Rocra malware from earlier malware such as Aurora and Night Dragon is that Rocra is finely tuned to the victim system's configuration, making it a lot more "personal" and thus more penetrating when retrieving information.

Kaspersky Labs' vector analysis report mentions:

However, it seems that this vector was not heavily used by the group. When we downloaded the php responsible for serving the '.jar' malcode archive, the line of code delivering the java exploit was commented out. ... the victim systems were running an outdated version of Java.

With Java increasingly targeted by malware similar to Rocra, Oracle's recent announcement, covered by InfoQ in "Oracle Will Stop Providing Security Updates for Java 6 Next Month", becomes increasingly significant. The general advice, though, to keep your local Java install up-to-date and to disable Java in the browser until you need it, still holds.

Kaspersky Labs continues to monitor the Red October malware. The company has also released a white paper explaining the detection and mitigation of the Red October threat.

InfoQ.com and all content copyright © 2006-2014 C4Media Inc.