
Fighting advanced threats

By Kirsten Doyle, ITWeb contributor.
Budapest, 23 Apr 2014

In October 2012, after a slew of attacks on the computer networks of international diplomatic service agencies, Kaspersky Lab started an investigation that uncovered a massive cyber-espionage network active in about 20 countries.

The operation, aimed at stealing sensitive data from several organisations, was dubbed Red October. The attackers used more than 60 different domain names and several proxy servers hosted in various territories to obfuscate the whereabouts of the main server.

Sergey Novikov, deputy director, Global Research & Analysis Team at Kaspersky Lab, said Red October used spear-phishing e-mails containing a customised Trojan dropper in its attacks, and made use of exploits that were rigged for security vulnerabilities inside Microsoft Office and Microsoft Excel to install the malware and infect the system.

He said that, as these attacks were highly targeted, they could have evaded detection for years, but Kaspersky Security Network's logs revealed that the executable files driving the Red October campaign were being blocked by its solutions long before Red October was discovered.

This is where Automatic Exploit Prevention (AEP) that is found in Kaspersky Lab's technologies comes in, Novikov said. The toolset targets malware that exploits software vulnerabilities.

The development of AEP began with an extensive analysis of the behaviour and features of the most common exploits. That analysis identified specific types of exploit behaviour that distinguish advanced threats both from other kinds of malicious program and from legitimate software.

AEP technology, he added, keeps a particularly close eye on the most frequently targeted programs, such as Adobe Reader, MS Office, Internet Explorer and suchlike, and an attempt to launch suspicious executable files or code from within these programs raises a red flag that starts the process of additional security checks.

Data on program activity prior to any attempt to launch suspicious code can also be used to identify malicious software. AEP technology tracks this activity and finds the source of the attempt to launch the code, which may originate from the software itself, or be the result of the actions of an exploit. This is effective even when a zero-day vulnerability is used, Novikov added.
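As an added illustration (this is not Kaspersky's code and does not describe how AEP is implemented internally), the following Python sketch applies the kind of behavioural rule described above to a handful of constructed process-creation events: it flags an executable launched by one of the commonly targeted programs when the child is a script interpreter or runs from a user-writable temporary directory, and it walks the parent chain to show where the launch originated. The lists of targeted programs, suspicious child images and suspicious directories, and the sample events, are assumptions made for the example.

```python
"""Behavioural check for exploit-spawned processes (added example, not Kaspersky's code)."""
import ntpath
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed lists for the example: document viewers / browsers that exploits
# commonly target, child images that such programs have no business launching,
# and directories a dropped payload typically runs from.
TARGETED_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe", "iexplore.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "rundll32.exe", "regsvr32.exe", "mshta.exe"}
SUSPICIOUS_DIRS = ("/appdata/local/temp/", "/temp/", "/downloads/")


@dataclass
class ProcessEvent:
    """One process-creation event (pid, parent pid, full image path)."""
    pid: int
    ppid: int
    image: str


def _name(path: str) -> str:
    # ntpath handles Windows separators even when this runs on Linux.
    return ntpath.basename(path).lower()


def build_tree(events: List[ProcessEvent]) -> Dict[int, ProcessEvent]:
    """Index events by pid so parents can be looked up."""
    return {ev.pid: ev for ev in events}


def ancestry(tree: Dict[int, ProcessEvent], pid: int) -> List[ProcessEvent]:
    """Walk from a process up to the root we know about; returns root-first order."""
    chain, seen = [], set()
    cur = tree.get(pid)
    while cur is not None and cur.pid not in seen:   # guard against pid reuse cycles
        seen.add(cur.pid)
        chain.append(cur)
        cur = tree.get(cur.ppid)
    chain.reverse()
    return chain


def classify(tree: Dict[int, ProcessEvent], ev: ProcessEvent) -> Optional[str]:
    """Return a reason string if `ev` looks like code launched by an exploited app."""
    parent = tree.get(ev.ppid)
    if parent is None:                   # unknown parent: cannot judge, do not flag
        return None
    pname, cname = _name(parent.image), _name(ev.image)
    if pname not in TARGETED_APPS:       # only watch the frequently targeted programs
        return None
    if cname in SUSPICIOUS_CHILDREN:
        return f"{pname} launched interpreter/LOLBin {cname}"
    norm = ev.image.lower().replace("\\", "/")
    if any(d in norm for d in SUSPICIOUS_DIRS):
        return f"{pname} launched {cname} from a user-writable temp location"
    return None


def find_exploit_chains(events: List[ProcessEvent]) -> List[dict]:
    """Flag suspicious launches and attach the ancestry that led to each one."""
    tree = build_tree(events)
    hits = []
    for ev in events:
        reason = classify(tree, ev)
        if reason:
            hits.append({"pid": ev.pid, "reason": reason,
                         "chain": [_name(e.image) for e in ancestry(tree, ev.pid)]})
    return hits


# Constructed sample: a mail client opens a Word attachment, which drops and runs a
# payload from %TEMP%; a second Word instance launches a benign Office helper.
SAMPLE_EVENTS = [
    ProcessEvent(100, 1,   r"C:\Windows\explorer.exe"),
    ProcessEvent(200, 100, r"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE"),
    ProcessEvent(300, 200, r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"),
    ProcessEvent(400, 300, r"C:\Users\alice\AppData\Local\Temp\svchost.exe"),
    ProcessEvent(500, 100, r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"),
    ProcessEvent(600, 500, r"C:\Windows\splwow64.exe"),
    ProcessEvent(700, 100, r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for hit in find_exploit_chains(SAMPLE_EVENTS):
        print(hit["pid"], hit["reason"], " -> ".join(hit["chain"]))
```

Only the payload launched from %TEMP% by the Word instance that Outlook opened is flagged; the printer helper spawned by the other Word instance and the shell started from Explorer are not, and the reported chain (explorer, outlook, winword, payload) is what an analyst would use to trace the launch back to the exploited document. A real product also has to handle missing parents, pid reuse and processes that inject into others, which this sketch only hints at.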

AEP technology is effective in fighting even the latest and most complex exploits, which are not yet blocked by other security measures, he concluded.
