This article deals with the Red October malware. This part examines the malware itself. It is a really classic trojan that uses a web-based C&C.
A complete commented .idb file for IDA Pro Free is available here
The library starts in DllMain(), which then calls the function dispatcher() (sub_10001100):
In this function, SetTimer() is used to periodically execute the function TimerFunc() (sub_10001040):
TimerFunc() creates a thread and executes the function CC_handler_switch_0() (sub_10001020) in this thread:
The function CC_handler_switch_0() simply calls the function CC_handler_switch() (sub_100013A0). This function is the main function of this trojan. Here is the global graph of this function:
Here is the execution step by step (to follow along, we strongly recommend downloading the .idb file mentioned at the beginning of the article):
This sample is a really classic trojan. It periodically connects to the C&C by forging its requests and receives an order. The order can be: download a file, download and execute a file, execute a file, or install another version of the malware. To conclude on this APT, it does not include advanced techniques; the only complexity lies in the targets of this malware.
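As an added example (not code from the original article or from the malware), the following detection logic runs over constructed proxy log lines and flags a client/host pair whose request interval is nearly constant, the traffic shape a SetTimer()-driven C&C poll like the one above produces. The timestamps, addresses and hostnames are placeholders made up for this example.

```python
"""Flag client/host pairs whose requests recur at a near-fixed interval,
the pattern produced by a timer-driven C&C poll. All log data below is
constructed for this example; the hosts and addresses are not real IOCs."""
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed proxy log: "<timestamp> <client IP> <destination host>".
SAMPLE_LOG = """\
2013-01-14T10:00:00 10.0.0.5 cc.example.invalid
2013-01-14T10:00:11 10.0.0.5 www.example.invalid
2013-01-14T10:05:00 10.0.0.5 cc.example.invalid
2013-01-14T10:10:00 10.0.0.5 cc.example.invalid
2013-01-14T10:14:59 10.0.0.5 cc.example.invalid
2013-01-14T10:20:00 10.0.0.5 cc.example.invalid
2013-01-14T10:02:30 10.0.0.7 www.example.invalid
2013-01-14T10:09:12 10.0.0.7 www.example.invalid
2013-01-14T10:40:05 10.0.0.7 www.example.invalid
2013-01-14T11:03:44 10.0.0.7 www.example.invalid
"""


def parse_log(text):
    """Return {(client, host): [datetime, ...]} with timestamps sorted."""
    series = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host = line.split()
        series[(client, host)].append(datetime.fromisoformat(ts))
    for key in series:
        series[key].sort()
    return dict(series)


def beacon_candidates(series, min_requests=4, max_jitter=0.1):
    """Return [(client, host, median_gap_seconds)] for pairs whose gaps
    between consecutive requests all stay within max_jitter (relative)
    of the median gap. A periodic SetTimer() poll produces this shape;
    ordinary browsing does not."""
    hits = []
    for (client, host), times in series.items():
        if len(times) < min_requests:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median = statistics.median(gaps)
        if median <= 0:
            continue
        jitter = max(abs(g - median) / median for g in gaps)
        if jitter <= max_jitter:
            hits.append((client, host, median))
    return hits
```

Only the 10.0.0.5 to cc.example.invalid series (five requests about 300 s apart) is flagged; the irregular browsing of 10.0.0.7 is not.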