Red October Botnet Hides Calls to Control Server

03 Mar 2013

MrRich

While working on the release of the latest version of the McAfee Network Security Platform, which offers advanced malware and botnet protection, we tested a sample of the malware Red October. With the help of our in-house advanced botnet analysis framework, we analyzed the network traffic generated by this sample and tracked its communications with the botnet control server.

Today, most malware uses cryptography in its communications to evade detection by network-monitoring appliances such as intrusion detection and prevention systems. The cryptography makes it very challenging to recover the messages' structure. This is the case with Red October, which collects infected-machine information such as the volume drive serial number, the Internet Explorer product key, the available MAC IDs, etc., encrypts those messages with an SHA1-like algorithm, and sends them to its control server. We find it useful to know the exact structure of the encrypted network communication because it also reveals what kind of data the malware steals and how that data is encrypted.

Red October uses various layers of packers and obfuscation techniques to execute its final code. One interesting bit of the code shows how it triggers a function that encrypts user data and sends it to the control server.

The code uses the SetTimer API to execute the TimeProc function after 15 minutes.

[Screenshot: the SetTimer call]

The encryption routine is shown here:

[Screenshot: Red October encryption code]

And finally it sends the encrypted data to the control server:

[Screenshot: Red October traffic to the control server]
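Because the sender is driven by a fixed 15-minute timer, the resulting traffic beacons at a near-constant interval, and that regularity is something a network monitor can look for even when the payload itself is encrypted. The following Python is an added example, not code from the McAfee post; it runs a simple periodicity check over constructed flow records (every host, address, port and timestamp below is made up) and flags source/destination pairs whose inter-arrival times have low variance.

```python
"""Added example (not from the McAfee post): flag source/destination
pairs whose outbound connections recur at a fixed interval, the pattern
a timer-driven sender such as a 15-minute SetTimer callback produces.
All flow records below are constructed sample data."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (epoch_seconds, src_ip, dst_ip, dst_port).
_T0 = 1_700_000_000
# Host 10.0.0.5 talks to 203.0.113.7:443 every ~900 s with a few seconds of jitter.
_BEACON = [(_T0 + i * 900 + j, "10.0.0.5", "203.0.113.7", 443)
           for i, j in enumerate([0, 3, -2, 4, 1, -3])]
# Host 10.0.0.9 browses 198.51.100.20:443 at irregular times (ordinary traffic).
_NOISE = [(_T0 + t, "10.0.0.9", "198.51.100.20", 443)
          for t in [10, 25, 200, 203, 900, 2500]]
# Host 10.0.0.5 also makes two one-off DNS queries (too few hits to judge).
_SHORT = [(_T0 + 5, "10.0.0.5", "10.0.0.53", 53), (_T0 + 905, "10.0.0.5", "10.0.0.53", 53)]
SAMPLE_FLOWS = _BEACON + _NOISE + _SHORT


def beacon_candidates(flows, min_hits=4, max_cv=0.10):
    """Return pairs that look like periodic beacons.

    flows    : iterable of (epoch_seconds, src_ip, dst_ip, dst_port)
    min_hits : minimum connections before a pair is evaluated
    max_cv   : maximum coefficient of variation (stdev / mean) of the
               inter-arrival gaps; smaller means more clock-like
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)

    results = []
    for (src, dst, port), times in by_pair.items():
        if len(times) < min_hits:
            continue  # not enough samples to estimate a period
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps; nothing periodic to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            results.append({
                "src": src, "dst": dst, "port": port,
                "interval_s": round(avg), "cv": round(cv, 3), "hits": len(times),
            })
    return results


if __name__ == "__main__":
    for hit in beacon_candidates(SAMPLE_FLOWS):
        print(f"{hit['src']} -> {hit['dst']}:{hit['port']} "
              f"every ~{hit['interval_s']}s (cv={hit['cv']}, n={hit['hits']})")
```

On the constructed data only the 10.0.0.5 to 203.0.113.7 pair survives the filter, with an estimated period of about 900 seconds. The thresholds are assumptions to be tuned per environment, and a low-variance interval is a triage signal rather than a verdict: update checkers, monitoring agents and NTP clients beacon just as regularly, so a flagged pair still needs the destination, the payload size and the host context checked before it is treated as a control-server session.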

In response, the control server sends encrypted commands to the infected machine. This command data is parsed accordingly:

[Screenshot: parsing of the control-server commands]

McAfee customers are well protected with our UDS-BOT signature, which is now integrated with the Network Security Platform.
