Yesterday Russian security company Kaspersky has released an analysis of what it claims is previously undiscovered malware, which has come to be known as Salron. Kaspersky’s analysis is incomplete, but contains more detail than was generally available in public beforehand. They admit it’s “probably” been around for five years, and this is true; but it’s not exactly unknown. The unknown group behind the attacks has become known as Strider, and they’re using a backdoor program called Remsec. Details of this were published by Symantec a week ago.
Kaspersky’s conclusion is that this is a “Nation State” level piece of malware. It’s possible, but other than being very competently produced, I have seen no conclusive evidence to back the claim at this stage, but there’s quite a bit that’s circumstantial. According to Symantic, it’s been used to target relatively few organisations – mostly in Russia, with a Chinese airline and an unspecified embassy located in Europe. In other words, that naughty Mr Putin is at it again. Or is it the Chinese attacking their neighbour?
Based on the public analysis, it was written by some very smart people and avoids the mistakes made in previous systems such as Stuxnet. Kaspersky points to it being a rung up the technology ladder as an indication it was another government-sponsored effort, although in practice, anyone could learn the same lessons and produce a new generation.
AV companies have been detecting this for over a week, and it hasn’t thrown up a large number of infections. This is intriguing. Also, the way it works to circumvent very specific and uncommon high-end security software indicates its in the APT category.
Microsoft, who’s operating systems it attacks, has yet to comment.
Kaspersky Labs has announced that someone had been conducting a hitherto unknown campaign wide-scale international espionage, dubbed Red October, for many years. Except it that I don’t think it has.
The story broke quietly on Friday in the Washington Post and has been repeated over some Internet news sites and blogs, almost verbatim, yesterday and today. Although keen for breaking news (especially where international intrigue is concerned), one should really take a step back and match the claims with the substance.
You can find the report here, although not the the Kaspersky site. It’s not the subject of any press release I’ve seen. No one could be contacted at Kaspersky for comment. Hmm. Specialist IT security sites, like Steve Gold’s IT Security Pro, aren’t treating this as a top story either. The only reason I’m hitting the keyboard is that people keep drawing it to my attention.
The report (assuming it isn’t a hoax) does contain a good analysis of what appears to be a new-ish botnet, although one that’s not very widespread (we’re not talking about Flame V2 here). Kaspersky has a lot of smart cookies working for them, and they do some very valuable research, but reading the posts on the subject you’d think they’d uncovered the next Watergate or similar. Perhaps they have, but all I’m seeing details so far is of another botnet.
If their analysis is correct, the perpetrators do seem to be targeting government and diplomatic sites in particular, but this isn’t actually novel. They’ve identified targets in most of the developed world, with the interesting exception of England and China. As the code appears to be of Russian origin, and not particularly well obfuscated, it’s also noteworthy that the majority of the attacks have been launched against Russian targets.
So, as it stands, this looks like a competent investigations of a botnet. Well done Kaspersky. Now lets get some sleep.