By now, you've probably read the news about "Red October" and you're wondering how worried you should be? Red October is the latest AV industry case study of digital espionage. (Kaspersky Lab's post here.)
From a technical point of view Red October looks very much like any other targeted corporate espionage attack. The attackers use exploit documents with credible looking content so the victim will open the file, drop a malicious payload to the infected device, and start mining all information they can from the infected system.
It appears the exploits used were not advanced in any way. The attackers used old, well-known Word, Excel and Java exploits. So far, there is no sign of zero-day vulnerabilities being used.
Our back end systems automatically analyze document exploits. Here are screenshots of some used in the Red October attacks:
We see thousands of similar documents in our systems every month. The Red October attacks are interesting because of the large scale of the espionage done by a single entity, and the long timespan they cover. However, the sad truth is that companies and governments are constantly under similar attacks from many different sources. In that sense, this really is just everyday life on the Internet.
The currently known exploit documents used by the Red October attacks are detected by F-Secure antivirus with various detection names, including Exploit:Java/Majava.A, Exploit.CVE-2012-0158.Gen, Exploit.CVE-2010-3333.Gen, and Exploit.CVE-2009-3129.Gen.
P.S. If you are wondering what you should do as a system administrator to prevent such attacks against your environment, we'll soon have a follow-up post by Senior Researcher Jarno Niemela for you.