'Red October' Virus Revives via Malicious Email

Dennis Faas's picture

Security researchers have uncovered a complex virus capable of reappearing even after it is thought to have been removed from a computer system. This so-called 'Red October' virus reportedly attaches itself to Adobe Reader and Microsoft Office software.

The virus is named after the Tom Clancy novel about a Soviet submarine crew trying to defect. It's an appropriate moniker because the majority of computers infected by the virus are located in Russia and Eastern Europe (though there are victims in at least 37 other countries).

The infections mostly affect computers used by government organizations and scientific research centers. This pattern suggests the virus' creators may be trying to disrupt government activity or steal important experimental data.

The virus is also known to contain code with information about NATO's and the European Union's encryption systems.

'Resurrection' Module Makes Virus Removal Tricky

According to security firm Kaspersky, the most notable aspect of the 'Red October' virus is its "resurrection" module. When the virus infects a computer, it hides a secret section of malicious code inside a plug-in tool for Adobe Reader or Microsoft Office. (Source: gadget.co.za)

If the computer's user then discovers and removes the 'Red October' virus, this hidden code can remain in place. The virus creators can send emails with attached PDFs or Office documents which, when opened, activate the hidden code and reinstall the original virus.

The 'Red October' virus has been written to do more than simply target desktop computers. It can also infect mobile devices, network equipment, and even external hard drives.

Virus Active Since 2007

Kaspersky says it has found evidence of at least 60 domain names that have been used to issue commands to the 'Red October' virus.

Many of these domain names have now been seized by international authorities, and the infected computers have been disconnected from the Internet. Kaspersky believes this virus operation is so widespread its creators may have voluntarily shut down their network. (Source: arstechnica.com)

That's not necessarily a good sign, however. The people behind the 'Red October' virus may be planning to lay low for a while before coming back with another attack using a different strategy.

Rate this article: 
No votes yet