Tag Archives: virus

Operation “Red October”

Cyber espionage against Governments of many countries. Kaspersky research lab was the first to found the threat. During the past five years, a high-level cyber-espionage campaign has been running successfully.And stealing classified and sensitive information. It’s suspected that the attack is either from Russian or Chinese hackers.

 

Operation Red October

 

The Red October targeted number of

  • Government
  • Diplomatic / embassies
  • Research institutions
  • Trade and commerce
  • Nuclear / energy research
  • Oil and gas companies
  • Aerospace
  • Military

 

The attack spread from a rtf file (word file) that had the infection.

 

red oct

The exploits used for the attack were:

  • CVE-2009-3129 (MS Excel) [attacks dated 2010 and 21011]
  • CVE-2010-3333 (MS Word) [attacks conducted in the summer of 2012]
  • CVE-2012-0158 (MS Word) [attacks conducted in the summer of 2012]

 

Interestingly the name Red October was inspired from the novel “The Hunt For The Red October” and it was named so probably because it started on the month of October.

pie chart Red Oct

 

Interesting text from the malware, misspelt words and typos.

 

network_scanner: “SUCCESSED”, “Error_massage”, “natrive_os”, “natrive_lan”

imapispool: “UNLNOWN_PC_NAME”, “WinMain: error CreateThred stop”

mapi_client: “Default Messanger”, “BUFEER IS FULL”

msoffice_plugin: “my_encode my_dencode”

winmobile: “Zakladka injected”, “Cannot inject zakladka, Error: %u”

PswSuperMailRu: “——-PROGA START—–“, “——-PROGA END—–”

 

The C++ class that holds the C&C configuration parameters is called “MPTraitor” and the corresponding configuration section in the resources is called “conn_a”. Some examples include:

 

  • conn_a.D_CONN
  • conn_a.J_CONN
  • conn_a.D_CONN
  • conn_a.J_CONN

 

Information stolen from infected systems includes documents with extensions:
txt, csv, eml, doc, vsd, sxw, odt, docx, rtf, pdf, mdb, xls, wab, rst, xps, iau,
cif, key, crt, cer, hse, pgp, gpg, xia, xiu, xis, xio, xig, acidcsa, acidsca,
aciddsk, acidpvr, acidppr, acidssa.

 

red oct infect chart

 

A list of MD5s of known documents used in the Red October attacks:

114ed0e5298149fc69f6e41566e3717a
1f86299628bed519718478739b0e4b0c
2672fbba23bf4f5e139b10cacc837e9f
350c170870e42dce1715a188ca20d73b
396d9e339c1fd2e787d885a688d5c646
3ded9a0dd566215f04e05340ccf20e0c
44e70bce66cdac5dc06d5c0d6780ba45
4bfa449f1a351210d3c5b03ac2bd18b1
4ce5fd18b1d3f551a098bb26d8347ffb
4daa2e7d3ac1a5c6b81a92f4a9ac21f1
50bd553568422cf547539dd1f49dd80d
51edea56c1e83bcbc9f873168e2370af
5d1121eac9021b5b01570fb58e7d4622
5ecec03853616e13475ac20a0ef987b6
5f9b7a70ca665a54f8879a6a16f6adde
639760784b3e26c1fe619e5df7d0f674
65d277af039004146061ff01bb757a8f
6b23732895daaad4bd6eae1d0b0fef08
731c68d2335e60107df2f5af18b9f4c9
7e5d9b496306b558ba04e5a4c5638f9f
82e518fb3a6749903c8dc17287cebbf8
85baebed3d22fa63ce91ffafcd7cc991
91ebc2b587a14ec914dd74f4cfb8dd0f
93d0222c8c7b57d38931cfd712523c67
9950a027191c4930909ca23608d464cc
9b55887b3e0c7f1e41d1abdc32667a93
9f470a4b0f9827d0d3ae463f44b227db
a7330ce1b0f89ac157e335da825b22c7
b9238737d22a059ff8da903fbc69c352
c78253aefcb35f94acc63585d7bfb176
fc3c874bdaedf731439bbe28fc2e6bbe
bb2f6240402f765a9d0d650b79cd2560
bd05475a538c996cd6cafe72f3a98fae
c42627a677e0a6244b84aa977fbea15d
cb51ef3e541e060f0c56ac10adef37c3
ceac9d75b8920323477e8a4acdae2803
cee7bd726bc57e601c85203c5767293c
d71a9d26d4bb3b0ed189c79cd24d179a
d98378db4016404ac558f9733e906b2b
dc4a977eaa2b62ad7785b46b40c61281
dc8f0d4ecda437c3f870cd17d010a3f6
de56229f497bf51274280ef84277ea54
ec98640c401e296a76ab7f213164ef8c
f0357f969fbaf798095b43c9e7a0cfa7
f16785fc3650490604ab635303e61de2

 

Source: Kaspersky

Abuse of Dropbox and spreading viruses through shared folders and public links.

Recently there is a new group of cybercriminals in Brazil that are spreading some virus using Dropbox. As I am a big fan of Dropbox , I thought that it would be nice to draw the attention and warn other fellow users.

Infected Dropbox link

The cybercriminals claiming that they got some leaked nude photos of the actress Carolina Dieckmann, in a Youtube video they showed a link shortened by Google URL shortner, that is actually a Dropbox referral link(free space). The victim has to signup to Dropbox and install it. Then the cybercriminal shares a shared folder where they claim to have the pictures, but actually here where they have stored the viruses. And in some cases they are also giving a public download link, from a file in their pubic folder.

We have seen earlier that this kind of files being shared on popular file sharing sites, but the abuse of such a nice service like Dropbox! I haven’t imagined. It’s my request to the dear Dropbox please make a check, at least to the link of public folders, if you want the infected files link which are stored in the attackers Dropbox I can provide it to you.

Note: According to my antivirus the virus was a variant of Win32/Spy.Banker.WXM trojan there may be other variants or different viruses too.

Wikipedia don’t have ads it’s your computer that has virus.

Advertisements on web are a most common thing now a day, but many don’t know the fact that some ads are a form of virus! Recently there were reports that people are seeing ads on the one of the largest website, Wikipedia. The site is known to share many valuable information at free of cost and the site is also known for not showing any ads. The site runs on donations and some time to time campaigns.

Wikipedia Infected with ads

 

Wikipedia also mentioned in their official blog that

We never run ads on Wikipedia. Wikipedia is funded by more than a million donors, who give an average donation of less than 30 dollars. We run fundraising appeals, usually at the end of the year. If you’re seeing advertisements for a for-profit industry (see screenshot for an example) or anything but our fundraiser, then your web browser has likely been infected with malware.

The ads which you see on Wikipedia are because your computer is virus infected. Its highly recommended that you get the latest update of antivirus and scan your computer.

Source