2 posts categorized "Tom Goren Bar"
January 30, 2013
 Red October: The Hunt For the Data

Discussion of the recently discovered Red October malware has focused largely on its effects; its purpose has received far less attention. The real goal of this campaign, which evaded anti-virus and network intrusion detection systems for at least five years, deserves a closer look.

The malware contained many of the functions traditionally associated with malware, such as key logging. But focusing on these capabilities misses a key point: hijacking local data, such as files and credentials, was the means, not the end.

Red October had two interesting aspects:

  1. The attackers recycled data stolen from earlier victims in the same sector to make their spear phishing emails less suspicious, lending them context that the next victim would find familiar.
  2. The malware was able to identify and reach the important data centers.

The victims of this cyber-espionage operation belonged to the most protected and threat-aware sectors: government, energy, aerospace and military. The potential bounty to be extracted from such victims is varied in both content and type: documents and presentations with meeting summaries and strategic plans, financial records in databases, CRM records, technical blueprints of weapons and infrastructure, sensitive email conversations and more.

Rocra, the name of the malware used in the Red October campaign, is APT by the book. It has specific modules for each element of an APT attack: reconnaissance, spreading through the network, maintaining persistence, data extraction and data exfiltration.

Specifically, it can reach both unstructured data (files) and structured data (database records); as the Kaspersky Lab report noted, it would “Collect information about installed software, most notably Oracle DB…”

What do these modules do?  Let’s break down some of them:

  • The purpose of the “Recon” modules is to help the attacker find the right data.
  • The purpose of the “Exfiltration” modules is to deliver the data to the attacker.

Overall, Rocra’s modules can reach FTP servers, remote network shares and local disk drives, and copy files from all of these. Unlike the “Recon” data collection modules, which the attacker invokes on demand, the “Exfiltration” modules are designed to run repeatedly and bring back only new, valuable data.

The victims’ networks and endpoints were infiltrated using Excel and Word documents carrying exploits, attached to carefully crafted email messages. The attachments recycled stolen data (and therefore context) from other victims in the same sector, turning what would otherwise be a suspicious email into an apparently legitimate one. It is reasonable to assume that the identity of a previous victim was also used to send the email, lending it that person’s reputation and appearance.

These targeted social engineering messages (“spear phishing”) bypassed perimeter security measures.

New software exploits will always be available to circumvent perimeter security measures. DLP solutions were probably defeated in this attack as well, since Rocra implements a proprietary data transmission protocol to the C&C that changes both file content and file size. Data access patterns, however, are difficult to change. Automation, among other attributes of data access, gives the attacker speed and volume, and the attacker cannot give it up without losing both.

Was it possible to detect and prevent the data theft? Yes, had the victims monitored access to their data as closely as they monitored the network perimeter and their endpoints.
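What “monitoring the data” can look like in practice, as an added example for this post (it is not Rocra code, not the Kaspersky analysis, and not any vendor product): a small detector that reads a file-server access log and flags an account whose READ pattern has the speed, volume and breadth of a scripted sweep rather than a person at a desk. The log line format, the share names and every sample line are constructed for the example; the thresholds are assumptions to be tuned per environment.

```python
"""Flag automated, bulk file access in a file-server audit log.

Added example for this post, not Rocra code and not any vendor's product.
The idea from the text: an exfiltration module that sweeps network shares
cannot hide its speed and volume, so per-account access patterns are the
signal. The log format and every line below are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re
import statistics

# Constructed line format (assumed, not a real product's format):
#   2013-01-15T09:12:03Z user=jsmith host=ws42 op=READ path=\\fs01\finance\x.xlsx
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) op=(?P<op>\S+) path=(?P<path>\S+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def share_of(path):
    # \\server\share\dir\file -> \\server\share (the UNC share root)
    parts = path.lstrip("\\").split("\\")
    return "\\\\" + "\\".join(parts[:2]) if len(parts) >= 2 else path


def find_bulk_readers(lines, window=timedelta(seconds=60),
                      max_files=20, max_shares=2, max_cv=0.25):
    """Return one alert per (user, host) whose READ pattern looks scripted.

    volume  : more than max_files distinct files read inside one window
    breadth : more than max_shares distinct shares touched inside one window
    cadence : at least 5 inter-read gaps with a coefficient of variation
              below max_cv, i.e. metronomic timing a human does not produce
    """
    reads = [ev for ev in map(parse_line, lines) if ev and ev["op"] == "READ"]
    by_actor = defaultdict(list)
    for ev in sorted(reads, key=lambda ev: ev["ts"]):
        by_actor[(ev["user"], ev["host"])].append(ev)

    alerts = []
    for (user, host), evs in by_actor.items():
        reasons = set()
        start = 0
        for end in range(len(evs)):          # sliding window over time
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            if len({ev["path"] for ev in win}) > max_files:
                reasons.add("volume")
            if len({share_of(ev["path"]) for ev in win}) > max_shares:
                reasons.add("breadth")
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        if len(gaps) >= 5:
            mean = statistics.mean(gaps)
            if mean > 0 and statistics.pstdev(gaps) / mean < max_cv:
                reasons.add("cadence")
        if reasons:
            alerts.append({"user": user, "host": host, "reads": len(evs),
                           "reasons": sorted(reasons)})
    return alerts


# Constructed share names for the sample log.
SHARES = [r"\\fs01\finance", r"\\fs01\hr", r"\\fs02\engineering", r"\\fs02\legal"]


def constructed_log():
    """Constructed sample: one analyst working normally, one scripted sweep."""
    lines = [
        r"2013-01-15T09:12:03Z user=jsmith host=ws42 op=READ path=\\fs01\finance\q4_forecast.xlsx",
        r"2013-01-15T09:15:40Z user=jsmith host=ws42 op=WRITE path=\\fs01\finance\q4_forecast.xlsx",
        r"2013-01-15T09:21:11Z user=jsmith host=ws42 op=READ path=\\fs01\finance\budget_2013.docx",
        r"2013-01-15T09:33:27Z user=jsmith host=ws42 op=READ path=\\fs02\legal\nda_template.docx",
        "not an audit line at all",
    ]
    # 24 reads spread over four shares, exactly two seconds apart
    t0 = datetime(2013, 1, 15, 9, 30, 0)
    for i in range(24):
        ts = (t0 + timedelta(seconds=2 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} user=rkumar host=ws17 op=READ path={SHARES[i % 4]}\\doc_{i:02d}.pdf")
    return lines


if __name__ == "__main__":
    for alert in find_bulk_readers(constructed_log()):
        print(alert)
```

On the constructed sample the analyst’s three reads never trip a rule, while the scripted account is flagged on all three counts. None of the rules looks at what was transferred or how, which is the point: a custom C&C protocol hides the bytes, not the fact that one account read two dozen files across four shares in under a minute at a fixed cadence. Scheduled jobs (backups, indexers) will also match the cadence rule and need an allow list; treat cadence on its own as corroboration rather than an alert.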

December 18, 2012
 Data Wiping: A New Trend in Cyber Sabotage?

Yesterday the Iranian CERT announced a new piece of malware designed to corrupt data. It joins the list of data corruption malware discovered in April, November and December 2012: Wiper, Narilam and now GrooveMonitor, respectively. They wrote:

The latest investigation done by the Maher center in cyber space has identified a new targeted data wiping malware. Primitive analysis revealed that this malware wipes files on different drives at various predefined times. Despite its simplicity in design, the malware is efficient and can wipe disk partitions and user profile directories without being recognized by anti-virus software. However, it is not considered to be widely distributed. This targeted attack is simple in design and does not bear any similarity to the other sophisticated targeted attacks.

GrooveMonitor does not pose a real threat to companies, since it attacks local files only and not the datacenter (databases or file shares) or the datacenter backups. The Narilam malware discovered last month, however, is database sabotage malware: its purpose is to corrupt the databases of three financial applications from TarrahSystem used for banking, loans, retail and industrial applications. But this is not a technical beauty pageant. When all of your data gets wiped and your antivirus proves worthless, do you take comfort in the fact that the malware was simplistic?

Indeed, this new malware raises the question: are these isolated incidents, or are we witnessing a trend of malware designed to corrupt data rather than steal it? While all three were reported from Iran, a country of great interest to several espionage agencies around the world, only Wiper is believed to be state-sponsored. The authors of the other two were probably inspired by Wiper to some extent. As Microsoft’s director of Trustworthy Computing, Tim Rains, put it nicely this week: “Unintended consequence of operating a sophisticated cyber espionage activity is that criminal groups are essentially given free research on how to infect systems and little-known vulnerabilities are brought to the forefront.”

The same is true of the method of operation. It is easier to hurt a competitor’s business by sabotaging its production systems through data corruption than by running a complicated, long-term espionage campaign to steal data. Roel of the Kaspersky security blog sums it up: “If it wasn't clear already - the era of cyber-sabotage has arrived. Be prepared.”
