
Red October – an operation concerning mobile spyware

March 19, 2013


Red October

By late 2012, if anyone had any lingering doubts about the relevance of mobile spyware, they were surely quashed after the publication of information about Red October operations: mobile devices are finding themselves on the receiving end of targeted and espionage attacks, just like conventional computers.

We have evidence that certain unknown individuals behind this operation are interested in harvesting data from mobile devices. They can access this information not only by using mobile malware, but also by using modules for Windows that operate when devices are connected to an infected computer. In this section, we will summarize the information we have about Red October’s mobile modules as well as other information that may be related in some way.

One of the Red October modules — RegConn — is responsible for collecting system data and information about the software installed and used on the infected computer. This data is harvested by reading certain registry keys (a list of keys is contained in the module itself). Among the keys, the following stand out:


[Figure: Registry keys in the RegConn module]

In one way or another, these registry keys are all associated with software that works with mobile devices (iTunes, Nokia PC Suite, etc.) that might be installed on an infected computer.

Another component of Red October was created for the iPhone. This module is designed to harvest information from a smartphone when it is connected to a computer infected with the module. It uses CoreFoundation.dll from the iTunes installation directory. Note that the module can launch one of two different services: one for phones that have been jailbroken, and one for phones that have not. In either case, the module will attempt to collect the following:

  • information about the device itself, starting with its IMEI and ending with its firmware version;
  • files with the following extension: .jpg, .jpeg, .txt, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .dot, .dotx, .odt, .djvu, .odts, .reg, .rtf, .zip, .rar, .pdf, .7z, .wab, .pab, .vcf, .ost, .wav, .mp4, .m4a, .amr, .log, .cer, .em, .msg, .arc, .key, .pgp, .gpg;
  • the contents of files with data on SMS text messages, contacts, call logs, notes, the calendar, voicemail, Safari browser history, and email.

The module for Nokia has a similar function and also harvests data about the device itself, text and media messages, the calendar, contacts, and installed apps. It also attempts to locate and harvest files with the following extensions: .txt, .cdb, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .dot, .dotx, .odt, .djvu, .odts, .reg, .rtf, .zip, .rar, .pdf, .7z, .wab, .pab, .vcf, .ost, .jpg, .waw, .mp4, .m4a, .amr, .exe, .log, .cer, .eml, .msg, .arc, .key, .pgp, .gpg. It uses ConnAPI.dll from PC Connectivity Solution to interact with mobile devices hooked up to the infected computer.

Equally worthy of mention are the components of Red October that run on Windows Mobile. These modules can be broken down into two groups:

  1. modules running on infected Windows computers (used to infect/update Windows Mobile devices connected to an infected computer);
  2. modules installed on connected Windows Mobile smartphones by a Windows component.

With the first group, the objective is not to harvest information from the connected Windows Mobile device. Instead, the main goal is to install a backdoor onto the smartphone (or update one that has already been installed). The backdoor component that a module from the first group installs onto the smartphone is referred to in some circles as a “zakladka” or “bookmark.”

In addition to backdoors, the Windows component also downloads other executable files onto devices. These .exe files are used to change the device’s configuration, and launch, update, and delete backdoors. They can also copy a special configuration file (winupdate.cfg) from a computer onto a smartphone.

This file is initially encrypted. The deciphered file looks like this:


[Figure: winupdate.cfg deciphered]

This file contains data on MCC/MNC codes (MCC = Mobile Country Code; MNC = Mobile Network Code — in other words, the country code and the cellular provider’s code). We have tallied up a total of 129 unique countries and over 350 cellular providers in those countries.

The zakladka backdoor component determines a smartphone’s MCC/MNC and then compares the data it has collected with the data from the winupdate.cfg file, and writes everything into a log file.
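The comparison described above, as an added example that is not code from Red October or from Kaspersky Lab: a model of how a phone-side component could derive MCC/MNC from the device's IMSI, look the pair up in a deciphered winupdate.cfg, and record the result. The page does not reproduce the real file layout, so the CSV form of SAMPLE_CFG, the sample entries and the IMSIs are constructed assumptions; the MNC-length rule is a simplification (two digits by default, three for MCCs beginning with 3).

```python
"""Added example: MCC/MNC matching against a winupdate.cfg-style list.
Not Red October code; the file layout and all sample values are constructed."""
import csv
import io

# Constructed stand-in for a deciphered winupdate.cfg: one MCC/MNC pair per line.
SAMPLE_CFG = """\
mcc,mnc,network
262,01,Example Net DE
250,99,Example Net RU
310,260,Example Net US
"""


def parse_cfg(text: str) -> dict:
    """Build a lookup table {(mcc, mnc): network} from the CSV text."""
    table = {}
    for row in csv.DictReader(io.StringIO(text)):
        key = (row["mcc"].strip(), row["mnc"].strip())
        table[key] = row["network"].strip()
    return table


def split_imsi(imsi: str) -> tuple:
    """Return (mcc, mnc) from a 15-digit IMSI.

    Simplified rule (assumption): the MCC is always the first three digits;
    the MNC is three digits for MCCs starting with 3 (North America) and two
    digits elsewhere. Production code would consult a full MNC-length table.
    """
    if len(imsi) != 15 or not imsi.isdigit():
        raise ValueError("IMSI must be exactly 15 digits")
    mcc = imsi[:3]
    mnc_len = 3 if mcc.startswith("3") else 2
    return mcc, imsi[3:3 + mnc_len]


def check_device(imsi: str, table: dict, log: list) -> bool:
    """Compare the device's MCC/MNC with the table and append a log line.

    Returns True when the pair is present in the table.
    """
    mcc, mnc = split_imsi(imsi)
    network = table.get((mcc, mnc))
    if network is not None:
        log.append(f"MATCH mcc={mcc} mnc={mnc} network={network}")
        return True
    log.append(f"NOMATCH mcc={mcc} mnc={mnc}")
    return False


if __name__ == "__main__":
    entries = parse_cfg(SAMPLE_CFG)
    events = []
    for sample_imsi in ("262019876543210", "310260123456789", "262021234567890"):
        check_device(sample_imsi, entries, events)
    print("\n".join(events))
```

For a defender the useful observation is the reverse of the module's logic: an implant that only activates on a fixed set of MCC/MNC pairs will sit dormant on test devices registered to other networks, so analysis in a sandbox should cover the operator codes the configuration names.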

To communicate with its C&C, the zakladka module attempts to send a POST request to the command-center addresses specified in the module (win-check-update.com or, if that domain is unavailable, mobile-update.com):

'POST %s HTTP/1.0 Accept: */* User-Agent: Mozilla/4.0 Content-Length: %d Host: %s'

In response, the module receives a file from the remote server which it then stores in \Windows\%u.exe and launches.

And speaking of C&C domains — in addition to win-check-update.com and mobile-update.com, Kaspersky Lab has detected the following names of suspected C&Cs:

  • cydiasoft.com
  • htc-mobile-update.com
  • mobile-update.com
  • playgoogle-market.com
  • security-mobile.com
  • world-mobile-congress.com
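The request format and the domain list above give a defender two things to look for in proxy logs: contact with any of the named hosts, and the beacon shape (an HTTP/1.0 POST with the bare User-Agent "Mozilla/4.0"). The following is an added example of that detection logic, not code from the original article or from Kaspersky Lab; the log line layout and the sample lines are constructed.

```python
"""Added example: flag proxy log lines that match the Red October mobile C&C
indicators quoted on the page. Not the article's code; the log format and
sample lines are constructed."""
import re
from urllib.parse import urlsplit

# Domains named on the page as known or suspected C&Cs.
SUSPECT_DOMAINS = {
    "win-check-update.com",
    "mobile-update.com",
    "cydiasoft.com",
    "htc-mobile-update.com",
    "playgoogle-market.com",
    "security-mobile.com",
    "world-mobile-congress.com",
}

# Constructed proxy log format: time client method url status "user-agent" version
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)" (?P<version>HTTP/\d\.\d)$'
)

SAMPLE_LOG = """\
2013-03-19T10:01:02Z 10.0.0.15 POST http://win-check-update.com/ 200 "Mozilla/4.0" HTTP/1.0
2013-03-19T10:01:05Z 10.0.0.15 GET http://example.com/index.html 200 "Mozilla/5.0 (Windows NT 6.1)" HTTP/1.1
2013-03-19T10:02:40Z 10.0.0.22 POST http://mobile-update.com/ 404 "Mozilla/4.0" HTTP/1.0
2013-03-19T10:03:11Z 10.0.0.9 GET http://security-mobile.com/update 200 "Mozilla/5.0" HTTP/1.1
"""


def host_is_suspect(url: str) -> bool:
    """True if the URL's host is a listed domain or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in SUSPECT_DOMAINS)


def beacon_shape(method: str, version: str, ua: str) -> bool:
    """True for the request shape quoted on the page: HTTP/1.0 POST, UA Mozilla/4.0."""
    return method == "POST" and version == "HTTP/1.0" and ua == "Mozilla/4.0"


def scan_log(text: str) -> list:
    """Return one alert dict per matching line with the reasons that fired."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # constructed format only; unparsable lines are skipped
        reasons = []
        if host_is_suspect(m["url"]):
            reasons.append("known-c2-domain")
        if beacon_shape(m["method"], m["version"], m["ua"]):
            reasons.append("beacon-shape")
        if reasons:
            alerts.append({"client": m["client"], "url": m["url"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The beacon-shape rule on its own is noisy (old software also sends HTTP/1.0 with a short User-Agent), so it is best treated as a low-severity signal that raises confidence when it coincides with the domain match or with a response that is then written to disk and executed, as the page describes for \Windows\%u.exe.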

In brief, one can draw the following conclusions.

First of all, we know about several Red October modules designed to steal information from different types of mobile devices.

Second, there are indirect signs (registry key lists, domain names) that there are other Red October modules designed to work with other mobile devices, including those running on Android and BlackBerry. However, at the time of this article’s publication, we have not detected modules for those platforms.

* This article is taken from an excerpt from http://securelist.com (Securelist is a Kaspersky website about security threats that infect mobile phones, Android phones, iPhones and smartphones, and also about viruses and spyware that are spreading around nowadays).
