The operators of the Red October espionage campaign have begun shutting down the infrastructure behind it.
According to Kaspersky Lab's Costin Raiu, the attackers have begun shutting down their infrastructure and the hosting providers and registrars involved with some of the command-and-control (C&C) domains are shutting those down too. Speaking to Threatpost, Raiu said that since the discovery last Monday, hosting providers and domain owners have been shutting down servers used to help run the campaign.
He said: “It's clear that the infrastructure is being shut down. This time it's being shut down for good. Not only [are] the registrars killing the domains and the hosting providers killing the C&C servers, but perhaps the attackers [are] shutting down the whole operation.”
Speaking to SC Magazine, Raiu said that the shutdown began on the evening of the 14th January, nine hours after the report was released. He said: “I think this was down to three factors: some of the domains were suspended; some of the hosting providers for the C&Cs began to shut them down; while some other hosting providers shut down the servers themselves.
“We provided lots of the access points in the report to help law enforcement and hosting providers who observed the Red October report and proceeded with the shutdown.
“What is interesting is that Flame had a shutdown process for its C&Cs but it could set up a new one to self-destruct; in Red October there is nothing of the sort, as a few infected users are coming to our sinkholed servers. We find that of the 350 detected infected users, there are 35 still infected.”
Kaspersky Lab's report on the campaign, which was announced last week, said that the attackers used up to 60 C&C servers and at least three different exploits for previously known vulnerabilities to infect users and harvest data from desktops and mobile devices.
Luis Corrons, technical director of PandaLabs, told SC Magazine that this was not something he had seen before, but it would make sense for the controllers to have a ‘panic button'. “I have seen that kind of option in botnet operations, but not for the C&C server itself, but for the bots,” he said.
“It is like a suicide option, or uninstall is another way of seeing it. First time I saw that was in a botnet we were tracking back in 2007. I made a presentation at Virus Bulletin about this botnet. Why does such an option not exist in C&C servers? Well, there is an easy answer to that: when we talk about botnets and C&C servers we always think on complicated stuff, and up to a certain point it is.
“However, to remove it, the only thing that has to be done is to delete the folder containing all files, as simple as that. Once they have a backup of the stolen information, deleting the stuff in the C&C server is as trivial as that in most cases.”