Red October Botnet Hides Calls to Control Server

MrRich

While working on the release of the latest version of the McAfee Network Security Platform, which offers advanced malware and botnet protection, we tested a sample of the malware Red October. With the help of our in-house advanced botnet analysis framework, we analyzed the network traffic generated by this sample and tracked its communications with the botnet control server.

Today, most malware uses cryptography in its communications to evade detection by network-monitoring appliances such as intrusion detection and prevention systems. The cryptography makes it very challenging to find the messages’ structure. This is the case with Red October, which collects information about the infected machine, such as the volume drive serial number, Internet Explorer product key, available MAC IDs, etc., encrypts those messages with an SHA1-like algorithm, and sends them to its control server. We find it useful to know the exact structure of the encrypted network communication because it also reveals what kind of data the malware steals and how it is encrypted.

Red October uses various layers of packers and obfuscation techniques to execute its final code. One interesting bit of the code tells us how it triggers a function that sends user data to the control server after encryption.

The code uses the SetTimer API to execute the TimeProc function after 15 minutes.

[Image: SetTimer]
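
A defender's view of the 15-minute timer, as an added example that is not code from the original post or from McAfee: a SetTimer timer keeps firing at its interval until it is killed, so assuming the sample sends on every tick, its callbacks appear as evenly spaced connections in proxy or flow logs. The log format, addresses, tolerance and thresholds below are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample proxy log (not captured traffic): time, client, server.
SAMPLE_LOG = """\
2013-01-15T09:00:02 10.0.0.5 203.0.113.10
2013-01-15T09:03:40 10.0.0.8 198.51.100.7
2013-01-15T09:15:03 10.0.0.5 203.0.113.10
2013-01-15T09:16:11 10.0.0.8 198.51.100.7
2013-01-15T09:30:01 10.0.0.5 203.0.113.10
2013-01-15T09:31:00 10.0.0.8 198.51.100.7
2013-01-15T09:45:04 10.0.0.5 203.0.113.10
2013-01-15T10:00:02 10.0.0.5 203.0.113.10
2013-01-15T10:40:25 10.0.0.8 198.51.100.7
"""

def parse(log_text):
    """Yield (epoch_seconds, client, server) from whitespace-separated lines."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed or blank lines
        ts = datetime.fromisoformat(fields[0] + "+00:00").timestamp()
        yield ts, fields[1], fields[2]

def find_timer_beacons(records, period=900, tolerance=15, min_gaps=3):
    """Return (client, server, median_gap, hits) for pairs beaconing at period."""
    # period=900 s is the 15-minute timer; tolerance/min_gaps are assumed tuning.
    times = defaultdict(list)
    for ts, client, server in records:
        times[(client, server)].append(ts)
    findings = []
    for (client, server), stamps in sorted(times.items()):
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if len(gaps) < min_gaps:
            continue  # too few connections to judge regularity
        near = sum(1 for g in gaps if abs(g - period) <= tolerance)
        # Require most gaps to sit on the period, not just one coincidence.
        if near / len(gaps) >= 0.8:
            findings.append((client, server, median(gaps), len(stamps)))
    return findings

if __name__ == "__main__":
    for hit in find_timer_beacons(parse(SAMPLE_LOG)):
        print(hit)
```

Because the payload is encrypted, timing is one of the few properties still visible on the wire; widen `tolerance` if the logs have coarse timestamps.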

We find the code for its cryptic stuff here:

[Image: red_october_traffic]

And finally it sends to the control server:

[Image: red_october traffic2]

In response, the control server sends encrypted commands to the infected machine. This command data is parsed accordingly:

[Image: parsing C&C commands]

McAfee customers are well protected with our UDS-BOT signature, which is now integrated with the Network Security Platform.