Rocra malware spies on governments

Kaspersky Labs has released a report into its discovery of a complex, active malware kit that appears to have beem used over the past five years to spy on diplomatic missions and government agencies around the world.

Named Rocra - which is short for Red October - the malware steals user and network credentials, files, Outlook email storage files as well as messages from POP/IMAP mail servers and data from FTP file servers. The malware also contains modules designed to steal data from Windows Mobile, iPhone and Nokia devices.

Kaspersky used time-stamps on the malware executables to trace its use back to 2007. The researchers said Red October was discovered in October last year and rivals the Flame malware in complexity and ability.

Kaspersky engineers believe the malware targets Eastern European, former USSR countries and Central Asian nations. Western European and and North American countries have also been in the firing line.

At this time, there is no evidence linking Red October to any particular country, but Kaspersky Labs notes the exploits in Red October that target Microsoft Word and Excel seem to have been created by Chinese Hackers and malware modules by Russian-speaking coders.

Red October has been active in attacking trade, research, nuclear power and energy institutions, oil and gas companies as well as aerospace enterprises and the military.

Over sixty domain names were used by the attackers  to control the malware and to collect the data it steals, with Internet Protocol addresses geolocated mostly in Russia and Germany, the report noted. By monitoring some of the attackers' domains, Kaspersky was able to record around 55,000 connections from 250 different IP addresses.