The Red October malware that infected hundreds of computer networks in diplomatic, governmental, and scientific research organizations around the world was one of the most advanced espionage platforms ever discovered, researchers with antivirus provider Kaspersky Lab have concluded.
Its operators had more than 1,000 modules at their disposal, allowing them to craft highly advanced infections that were tailored to the unique configurations of infected machines and the profiles of those who used them. Most of the tasks the components carried out—including extracting e-mail passwords and cryptographically hashed account credentials, downloading files from available FTP servers, and collecting browsing history from Chrome, Firefox, Internet Explorer, and Opera—were one-time events. They relied on dynamic link library code that was received from an attacker server, executed in memory, and then immediately discarded. That plan of attack helps explain why the malware remained undetected by antivirus programs for more than five years.
The malware was also capable of using more traditional Windows EXE files to carry out persistent tasks when necessary. One example was modules that waited for an iPhone, Nokia smartphone, or USB drive to be connected to an infected computer. There were also extensions for the Microsoft Word and Adobe Reader programs that watched for specially crafted documents. When they arrived in e-mail, the modules immediately reinstalled the main malware component, ensuring attackers could regain control of a machine in the event that it had been partially disinfected.