Operation “Aurora” Hit Google, Others
Thursday, January 14th, 2010 at 3:34 pm by George Kurtz
McAfee Labs has been working around the clock, diving deep into the attack we are now calling Aurora that hit multiple companies and was publicly disclosed by Google on Tuesday.
We are working with multiple organizations that were impacted by this attack as well as the government and law enforcement. As part of our investigation, we analyzed several pieces of malicious code that we have confirmed were used in attempts to penetrate several of the targeted organizations.
New Internet Explorer Zero Day
In our investigation we discovered that one of the malware samples involved in this broad attack exploits a new, not publicly known vulnerability in Microsoft Internet Explorer. We informed Microsoft about this vulnerability and Microsoft published an advisory and a blog post on the matter on Thursday afternoon.
As with most targeted attacks, the intruders gained access to an organization by sending a tailored attack to one or a few targeted individuals. We suspect these individuals were targeted because they likely had access to valuable intellectual property. These attacks look like they come from a trusted source, leading the target to fall for the trap and click a link or open a file. That is when the exploitation takes place, using the vulnerability in Microsoft’s Internet Explorer.
Once the malware is downloaded and installed, it opens a back door that allows the attacker to perform reconnaissance and gain complete control over the compromised system. The attacker can now identify high value targets and start to siphon off valuable data from the company.
Our investigation has shown that Internet Explorer is vulnerable on all of Microsoft’s most recent operating system releases, including Windows 7. Still, so far the attacks we’ve seen using this vector have been focused on Internet Explorer 6. Microsoft has been working with us on this matter and we thank them for their collaboration.
While we have identified the Internet Explorer vulnerability as one of the vectors of attack in this incident, many of these targeted attacks often involve a cocktail of zero-day vulnerabilities combined with sophisticated social engineering scenarios. So there very well may be other attack vectors that are not known to us at this time. That said, contrary to some reports our findings to date have not shown a vulnerability in Adobe Reader being a factor in these attacks.
Operation “Aurora”
I am sure you are wondering about the name “Aurora.” Based on our analysis, “Aurora” was part of the filepath on the attacker’s machine that was included in two of the malware binaries that we have confirmed are associated with the attack. That filepath is typically inserted by code compilers to indicate where debug symbols and source code are located on the machine of the developer. We believe the name was the internal name the attacker(s) gave to this operation.
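The debug path the post refers to is the CodeView record a Windows linker writes into a binary: the bytes `RSDS`, a 16-byte GUID, a 4-byte age, then the NUL-terminated PDB path from the build machine. The following is an added example, not McAfee’s code and not tied to any real Aurora sample: it carves such records out of raw bytes (so it also works on memory dumps and partial files) and groups samples by the directory in the path, which is how a defender clusters binaries built from the same source tree. The GUID, paths and sample blobs are constructed for the example.

```python
"""Carve CodeView (RSDS) debug records and cluster samples by PDB directory.

Added example; the sample values below are constructed, not taken from the post.
"""
import re
import struct
import uuid
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample values (placeholders, not from any real binary).
SAMPLE_GUID = uuid.UUID("12345678-1234-5678-1234-567812345678")
SAMPLE_PATH = r"c:\build\aurora_example\Release\dropper.pdb"

RSDS_RE = re.compile(rb"RSDS")


def make_rsds(path: str, guid: uuid.UUID, age: int) -> bytes:
    """Build a CodeView RSDS record laid out the way the linker writes it."""
    return b"RSDS" + guid.bytes_le + struct.pack("<I", age) + path.encode("ascii") + b"\x00"


# Constructed blob: a fake header, a decoy "RSDS" followed by binary junk, then a real record.
SAMPLE_BLOB = (
    b"MZ" + b"\x00" * 62
    + b"RSDS" + b"\xff\xfe\x01" * 8 + b"\x00"   # decoy: the "path" bytes are not printable
    + make_rsds(SAMPLE_PATH, SAMPLE_GUID, 3)
    + b"\x00" * 16
)


def carve_pdb_paths(data: bytes, max_path: int = 260) -> List[Tuple[str, int, str]]:
    """Return (guid, age, pdb_path) for every plausible RSDS record in `data`.

    Scans raw bytes instead of walking the PE debug directory, so it needs no
    intact headers. False hits on the 4-byte signature are filtered by requiring
    a printable ASCII path that ends in .pdb.
    """
    results = []
    for m in RSDS_RE.finditer(data):
        off = m.end()
        if off + 20 > len(data):          # not enough room for GUID + age
            continue
        end = data.find(b"\x00", off + 20, off + 20 + max_path)
        if end == -1:
            continue
        path_raw = data[off + 20:end]
        if not path_raw or not all(0x20 <= b < 0x7F for b in path_raw):
            continue
        path = path_raw.decode("ascii")
        if not path.lower().endswith(".pdb"):
            continue
        (age,) = struct.unpack_from("<I", data, off + 16)
        guid = str(uuid.UUID(bytes_le=data[off:off + 16]))
        results.append((guid, age, path))
    return results


def pdb_directory(path: str) -> str:
    """Directory part of a Windows PDB path, lower-cased so case differences cluster together."""
    return path.rsplit("\\", 1)[0].lower() if "\\" in path else ""


def cluster_by_directory(samples: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Group sample names by the directory of their embedded PDB path.

    Binaries built from the same source tree share a directory even when the
    file name, GUID and age differ, which is the attribution signal the post describes.
    """
    buckets: Dict[str, List[str]] = defaultdict(list)
    for name, blob in samples.items():
        for _guid, _age, path in carve_pdb_paths(blob):
            buckets[pdb_directory(path)].append(name)
    return dict(buckets)


# Constructed sample set: two builds from one tree plus an unrelated program.
SAMPLES = {
    "sample_a.bin": SAMPLE_BLOB,
    "sample_b.bin": make_rsds(r"c:\build\aurora_example\Release\loader.pdb", uuid.UUID(int=7), 1),
    "unrelated.bin": make_rsds(r"d:\projects\hello\Debug\hello.pdb", uuid.UUID(int=9), 1),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, carve_pdb_paths(blob))
    print(cluster_by_directory(SAMPLES))
```

On real samples, feed the file bytes to `carve_pdb_paths` and pivot on the directory bucket; the GUID and age identify the exact build and can be matched against any PDB that turns up later.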
Changing The Threat Landscape
Blaster, Code Red and other high profile worms are definitely a thing of the past. The current bumper crop of malware is very sophisticated, highly targeted, and designed to infect, conceal access, siphon data or, even worse, modify data without detection.
These highly customized attacks known as “advanced persistent threats” (APT) were primarily seen by governments, and the mere mention of them strikes fear in any cyberwarrior. They are in fact the equivalent of the modern drone on the battlefield. With pinpoint accuracy they deliver their deadly payload, and once discovered, it is too late.
Operation Aurora is changing the cyberthreat landscape once again. These attacks have demonstrated that companies of all sectors are very lucrative targets. Many are highly vulnerable to these targeted attacks that offer loot that is extremely valuable: intellectual property.
Similar to the ATM heist of 2009, Operation Aurora looks to be a coordinated attack on many high profile companies targeting their intellectual property. Like an army of mules withdrawing funds from an ATM, this malware enabled the attackers to quietly suck the crown jewels out of many companies while people were off enjoying their December holidays. Without question this attack was perpetrated during a period of time that would minimize detection.
All I can say is wow. The world has changed. Everyone’s threat model now needs to be adapted to the new reality of these advanced persistent threats. In addition to worrying about Eastern European cybercriminals trying to siphon off credit card databases, you have to focus on protecting all of your core intellectual property, private nonfinancial customer information and anything else of intangible value.
We will continue to provide updates on this event as it continues to unfold. As I said in my last post, this is only the tip of the iceberg.
(To get real time updates on this story follow George on Twitter at http://www.twitter.com/george_kurtzCTO)
(Update: Added detail on IE 6 being a primary attack vector at 1.55 PM PT on 01/14/10)
(Update 2: Added link to Microsoft advisory and blog at 6.47 PM PT on 01/14)
Tags: cybercrime, google, Operation Aurora
- Posted in CTO
And I am sure people running as local administrators and allowing all outbound traffic to the entire world had nothing to do with it.
If it wasn’t already abundantly clear, it is now: Internet Explorer and Windows are grave security threats — they have always been full of holes, and show no sign of improving despite years of hand-waving. Corporations concerned with their intellectual property ought to drop Windows like an infected plague-rat.
If it wasn’t already clear, ignorant users like “mykle” will continue to live in fantasy-land that Linux and Firefox are more secure.
Grow to 80% market share (won’t probably ever happen) and then let’s reconvene once the hackers start targeting your platform. Security by obscurity is not protection.
@Bill
Linux and Firefox are generally more secure, but it isn’t related to their market share. Sure the more widely used something is, the more it will be attacked, but there is something greater at play: the design of Unix and Unix-like systems is inherently more secure than earlier Windows client versions (I’m not sure about Win7). Why do I make such a bold claim? It’s simple… Unix is designed to be used by more than one person at the same time. Because of this, user permissions are more strictly applied, and this makes it more difficult for a user-level account to take over a machine. Sure malware can get access to what the user has access to, but they don’t compromise the machine.
(Now, I know that there are system-level exploits that can result in an escalation of privileges, but those are still more rare).
Now, the point that I disagree with the most was this statement:
Actually, I agree with this statement completely… but I disagree with the way you used it. When talking about security, market-share does not dictate obscurity. Rather, it’s access to source code and algorithm design that dictates obscurity. So, in this realm Windows is security through obscurity (the number of institutions that have access to Windows source code is very few). Linux is open… so anyone can find a flaw in the code and fix it. Because of this systems can be probed much more thoroughly, resulting in a stronger defense.
Oh, Bill. Don’t you know that open source is magic. *hand wave*
Though it is true that sunlight is a disinfectant.
Linux has already been hacked. Many webservers are Linux, and they get owned all the time. Most, if not all, Google is Linux and BSD’s.
I’m amazed at the ignorance of some Open Source advocates, and I’m saying this as a Linux user since kernel 0.99pl5.
Sources don’t magically help when you have millions of lines of code that nobody reads. The fundamental problem is usage of unsafe programming languages. Firefox and IE are written in C++, where buffer overruns and integer overflows are possible, and consequently, both have frequent security problems.
That’s something Microsoft has understood, btw., they are working on moving everything to managed code (.NET). This will take another 5 years or decade to pull through, but at least they are on the way.
Sometimes, I feel as if UNIX advocates didn’t notice that the world around them changed. Back in Windows 3.11 days, Linux was indeed technically superior and a lot more secure. But those days are over.
Since China has a Windows sourcecode license it would seem plausible that they would have an easy time to research zero day exploits. Not much obscurity there.
Does anyone want to bet on whether a second shoe will drop? An example might be a disclosure that Microsoft was advised about this issue and chose not to fix it in a timely manner.
JJ and Marcus: it’s a common misconception that running as non-administrator helps combat malware. It does not. People running as non-admins will still be infected by this and other malware.
One of the ONLY things that running as non-admin does for malware is, if the machine has more than one user, one user’s infection cannot spread to others.
Malware like this can do anything the user can do, which is everything it needs to: it can hook IE to sniff financial passwords, it can see and search all of the user’s data, it can send outbound traffic to access other systems on the network, it can persistently survive a reboot if it wants to.
Running as non-admin helps implement change control, to protect the OS from being damaged by its user.
OK, *nix does do at least one thing right that helps a little: it can apply ACLs to prevent a daemon from binding to a low server port to listen for inbound traffic. And Windows prevents non-admin users from installing services, creating new user accounts, may limit access to the hashes in the SAM file, etc. But none of this prevents malware from compromising this and other systems, stealing the data, sending outbound traffic, etc.
I would like to kindly ask everyone who has no clue about security to STFU. A rule of thumb: if you can’t remember a hard study to back your facts, or years of experience with patching and maintaining stuff, you’re just trolling.
If it wasn’t already abundantly clear, it is now: you’re an idiot. If Linux was the big kid on the block, it would have millions of users running as admins and have millions of infections just like Windows. You’re a tool to think otherwise.
@Ray, do the servers get hacked themselves or is it the *applications* that run on them, which are developed by developers less familiar with secure coding?
Quite a big difference between the two.
@Andreas,
Don’t be daft, Microsoft isn’t moving it’s code to .NET.
If it wasn’t already abundantly clear, it is now: you’re an idiot. If Linux was the big kid on the block, millions of people would have admin rights and millions of people would have infections just like Windows. Get the hell out of your fantasy world.
I see my post got truncated so I’ll try again.
You guys seem to be missing the point. Blame the platform, blame the application — it doesn’t matter. The bad guys are going to find a way in.
Instead of playing the “my os is better than yours” game, maybe I, we, you should be spending our efforts to identify strategies and tools to defeat THIS method of exploit?
Broken down, Aurora isn’t really doing anything new. Get a user to install badness on his or her system, find the host listening for a connection and enter through an unprotected perimeter.
Sounds a little old school to me.
How would it survive a reboot and run at startup if an administrator didn’t install it? (Forget about it using unpatched local privilege escalation exploits for this discussion, please.)
I know products like Google installs put themselves in the local profile where the end user does have write access. But it can’t get to the RUN registry keys and the default permissions on the user’s Startup folder require an admin to load anything there.
This, in conjunction with the resurgence of more complex Trojans, will change the face of AV Security; and should pave the way for governing these processes through greater awareness.
Damn, we get told to lock up our house, car, etc when we go on vacation…
Simplest security of all, Close down the systems, or at least go offline during the vacation periods.
Would someone tell me WHY the bejeezus everyone needs to leave (Unattended) systems online during such times?
No-ones gonna read the email, respond to customer service calls, etc.
They still haven’t found a way to hack/crack/compromise a system that’s not connected…
Try it yourself, leave your PCs offline, and try to access one from the other. Don’t work does it?
Unbelievable. I didn’t know some people were still using Internet Explorer in the 21st century.
The exploit has been released publicly, and upon testing works as described (see video in the post):
http://praetorianprefect.com/archives/2010/01/the-aurora-ie-exploit-in-action/
Karl – You are correct. Most of what this particular adversary wants is what the *user* has access to. In pursuit of intellectual property, the attacker could care less if they have administrative rights to the workstation they just installed code on. If they now have the same (non-administrative) login rights as the senior VP of product development who just clicked on the link, just imagine what access they now have to the mapped share drive? Got that. How about every technical document related to the new stealth widget for the Air Force? Got that. How about VPN client config and login for the senior VP of product development? Got that. How about every email address of every engineer in the company? Got that. How about persistent access to the company’s intranet? Got that. Gee, but if they only had admin rights, they might be able to install something that even runs when the user is *not* logged in, ahem…making it easier to detect.
Windows XP Pro, Vista Business/Enterprise, Windows 7 Pro/Enterprise
1. Least privilege (limited or standard user account)
2. Software restriction policy whitelisting with DLL protection (via gpedit.msc)
Executables can be run ONLY from folders C:\Windows and C:\Program Files. Limited and standard account users cannot write to either of these directories.
rundll32.exe can’t run a malicious DLL file downloaded by a limited or standard account user for the same reason. svchost.exe can’t run …
What will the political consequences be for the Chinese since their government appears to be responsible. Has the US done anything to foreign governments in the past when they did stuff like this?
Does it seem odd to anyone else the folks in the googleplex are apparently still running IE6 on WinXP for casual browsing?
…certainly for testing. But casual browsing?! In Google?!
@JJ
Don’t fool yourself. They can’t restrict all outbound access. What if someone wants to visit a web page on port 80? All the hackers need to do is make their receiving services listen on allowed ports. Extremely easy..
So hackers sent an email to these stupid fools that work for these companies and they clicked on it infecting themselves?
What lesson should they learn from this?
The fact is when trying to collect intellectual data from corporations, the hacker will definitely develop an attack that would compromise the systems the corporation is using. Unlucky, Microsoft has the biggest market share in this case and is always to be attacked. Who would want to develop a worm, virus or any other trojan or malicious codes that runs on machines used by 2 % of the worldwide corporation. And if you read well the article the user has to download some kind of malware in order for the hacker to take over your system. Does Microsoft have to educate people on their misusage of the system too? Just be LOGIC…
“…The world has changed…” A claim as untrue as one can be.
We see attacks against weak drivers, weak shareable run time libraries and servers and worst of all — shortcomings of architecture.
None of these were unknown in the eighties. It is not the quality but the number of attacks that is still rising.
Dave Cutler and his group built VMS at DEC and fought successfully against the above mentioned threats.
Why did Dave Cutler not succeed with Windows NT xxx at Microsoft? Why does the copy remain as does the re-implementation worse than the original?
Just wondering … Hans Adams
Can we have some common sense, please? Why in the world would a Chinese developer use the term “aurora” in any context on a file path?
It’s a term entirely unfamiliar to the Chinese public, and relatively difficult to spell even for native speakers. Aurora also has semantic meaning for speakers of Romantic-languages, as it means “dawn”.
I’m also extremely curious how you came to the conclusion that these initial attacks were “targeted”. If the extent of your forensic analysis shows an IE-based exploit, how do you verify the attack wasn’t broad-based/automated?
I hope this isn’t the extent of McAfee’s disclosure. You guys have stirred up a hornet’s nest. If nothing else, the academic community deserves a closer look at what exactly you’ve unveiled, so we can verify the more dubious aspects of your claims.
“Don’t fool yourself. They can’t restrict all outbound access. What if someone wants to visit a web page on port 80? All the hackers need to do is make their receiving services listen on allowed ports. Extremely easy..”
Maybe in our environment we can just put better tools and tighter procedures in place than other people. Our outbound proxies perform SSL termination so they can inspect outbound traffic. Five different anti-malware vendors inspect all inbound and outbound traffic. A unanimous “it’s OK” vote is needed for something to pass.
We disable user accounts outside of their normal working hours. People without a business need to access the Internet simply can’t. We rigorously enforce RFC standards on the proxies and firewalls so nothing other than standard HTTP can be tunneled through port 80 or 443. We block all outbound access to countries where we don’t do business, which includes all of APNIC, AFRNIC and LACNIC as well as Canada and parts of RIPE. And we run lots of IDS sensors on the internal networks.
Yes, we do have the luxury of not needing access inbound or outbound to most of the world. No, that doesn’t stop someone from using a US IP address to hit us. But it sure reduces our attack footprint.
And no one, not even IT or programmers, runs with more than Standard User rights for their normal daily work. All admin-level accounts are blocked from the Internet and if any of them tries to go to the Internet the alarm bells and sirens go off.
There are thousands of ways that malware can get into any network. Controlling whether they can exfiltrate the data, and actively monitoring for it, are key in my opinion.
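The controls described in the comment above (privileged accounts kept off the Internet, accounts disabled outside working hours, no egress to regions the business does not deal with, only real HTTP on 80/443, and active monitoring for exfiltration) are easy to express as rules over the proxy log. The block below is an added example, not the commenter’s tooling or McAfee’s code: it parses a constructed proxy log format, evaluates each line against those rules, and returns the rule hits so an analyst can see why a session was flagged. The log format, the `adm-` account prefix, the working-hours window, the blocked-country set and the 50 MiB volume threshold are all assumptions chosen for the example.

```python
"""Egress policy checks over proxy log lines.

Added example with constructed log lines; thresholds and naming conventions are assumptions.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Policy knobs (assumed values for this example, not the commenter's real configuration).
ADMIN_PREFIX = "adm-"                   # naming convention for privileged accounts
BUSINESS_HOURS = range(7, 19)           # 07:00-18:59 local time counts as working hours
BLOCKED_COUNTRIES = {"CN", "RU", "BR"}  # placeholder for "countries where we don't do business"
EXFIL_BYTES = 50 * 1024 * 1024          # one session sending 50 MiB out is worth a look

# Constructed log format: proto is what the proxy saw after TLS termination.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) dst=(?P<host>[^:]+):(?P<port>\d+) "
    r"cc=(?P<cc>[A-Z]{2}) proto=(?P<proto>\S+) bytes_out=(?P<bytes>\d+)$"
)


@dataclass
class Event:
    ts: datetime
    user: str
    host: str
    port: int
    cc: str
    proto: str
    bytes_out: int


def parse_line(line: str) -> Event:
    """Parse one proxy log line; refuse anything that does not match the expected shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised proxy log line: {line!r}")
    return Event(datetime.fromisoformat(m["ts"]), m["user"], m["host"],
                 int(m["port"]), m["cc"], m["proto"], int(m["bytes"]))


def check_event(ev: Event) -> List[str]:
    """Return the names of the policy rules this event trips (empty list = unremarkable)."""
    hits = []
    if ev.user.startswith(ADMIN_PREFIX):
        hits.append("admin-account-egress")        # admin accounts never get Internet access
    if ev.ts.hour not in BUSINESS_HOURS or ev.ts.weekday() >= 5:
        hits.append("off-hours")                   # account should have been disabled
    if ev.cc in BLOCKED_COUNTRIES:
        hits.append("blocked-region")              # destination region is not allowed
    if ev.port in (80, 443) and ev.proto != "HTTP":
        hits.append("non-http-on-web-port")        # something tunnelled through a web port
    if ev.bytes_out >= EXFIL_BYTES:
        hits.append("large-outbound-volume")       # candidate exfiltration
    return hits


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Map 'user->host:port' to rule hits for every offending line; clean lines are omitted."""
    flagged: Dict[str, List[str]] = {}
    for line in lines:
        ev = parse_line(line)
        hits = check_event(ev)
        if hits:
            flagged[f"{ev.user}->{ev.host}:{ev.port}"] = hits
    return flagged


# Constructed sample log (documentation IP ranges; dates in December 2009).
SAMPLE_LOG = [
    "2009-12-16T10:15:02 user=jdoe dst=198.51.100.7:443 cc=US proto=HTTP bytes_out=4096",
    "2009-12-16T10:20:11 user=adm-jdoe dst=198.51.100.7:443 cc=US proto=HTTP bytes_out=512",
    "2009-12-25T02:40:09 user=jdoe dst=203.0.113.10:443 cc=CN proto=TLS-TUNNEL bytes_out=73400320",
    "2009-12-19T14:00:00 user=asmith dst=192.0.2.44:8080 cc=BR proto=HTTP bytes_out=1024",
]

if __name__ == "__main__":
    for key, hits in triage(SAMPLE_LOG).items():
        print(key, ", ".join(hits))
```

The third sample line is the shape of the holiday-period exfiltration the post describes: off-hours, to a blocked region, over a non-HTTP tunnel on 443, with a large outbound byte count. Each rule is independent, so a single line can accumulate several hits and the combination is what makes it stand out from ordinary noise.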
@robotdog
The kernel, services, apps, if it’s software it has vulnerabilities. OS doesn’t matter neither. It’s a constant cat and mouse game and there is an abundance of mice.
Hey George: protecting democracy in China begins at home:
http://www.antiwindowscatalog.com/index.asp?mode=rant&id=66
While Windows 98 and Windows Millenium were designed for only one user, Windows XP is a protected-mode operating system, like the earlier Windows NT. If some Unix-derived operating systems are more secure than Windows, it would be for other reasons.
Personally, I’m fond of systems like the System/360, which normally indicated the length of records by a character count rather than a terminating character. On such systems, programmers literally did not have to worry about buffer overflows.
CCT – You apparently are not aware how these targeted attacks work. If you get a document or link on a subject of mutual interest, from your friend’s email address that you are actually *expecting*, why would you not open it? Do you look at the Internet headers of each email, and does your email domain have email authentication such as SPF and DKIM? Even if the latter, if you are the target, to get to you they just have to compromise one of your friend’s accounts. Are all your friends and family that you email computer security experts that would readily identify as suspicious, even a well-engineered email with phrases in perfect English and idiomatic context? The attacker sends you an email or link from your friend that you are expecting, and bingo.
I would be really pleased if you could tell me how to remove the extremely aggravating advert for a product that is no longer available. It is driving me crazy as it comes up at the oddest and most inconvenient times.
‘Why in the world would a Chinese developer use the term “aurora” in any context on a file path?’
Because he is well educated and sent us a hint.
lol @ ^^^
Everyone’s a techy, aren’t they, when it comes to things like this haha it makes me smile.
Everyone thinks they have the right answer when in fact no one does, not even me.
I just find it amusing that people try and convince others that they are speaking the truth and anyone else is wrong haha
Keep smiling people
BTW… why do people in Google still use IE? Should they not be using Chrome?
I hope McAfee brings us a conference paper with the forensics behind this attack. There are too many things that don’t quite make sense.
Just amazing. Here we are in 2010 and we are still quibbling over the virtues of which OS or browser technology is better. The problem here is not the technology but rather the people who develop and ultimately use it. There is a fundamental disconnect between the people who develop the coolest, latest new whiz-bang gizmo feature in software, those who use it and those who abuse it. Unfortunately most software development lifecycles either don’t include any security check points or leave security testing to the very end—well after all the flaws are baked in. Until developers start taking secure coding and testing seriously, and end-users remain complacent, we will continue down the path of serious security breaches perpetrated by those with the will, patience, and motivation to exploit software.
This zero-day is by no means the last. And there are plenty of zero-days baked into to all kinds of software other than Microsoft products, they just haven’t been found yet.
Secure your code people!!!
Does anyone know the content of the emails sent to corporate staff that caused that staff to click on the seemingly harmless links? Most people are not idiots, and will not click on obviously fraudulent links, so these emails must have been relatively sophisticated.
@Dave: Hindsight 20/20 eh’ Dave. I do chuckle at those who always point to not enough thinking. not enough development.
If it were so simple then I guess there would be perfect products all over the place. Perfect AV products, or Perfect OS’s and App thus not requiring AV in the first place. And as soon as the programming perfection becomes a reality then we either start down a road to a single product or multiple perfect products and you just have to select your favorite flavor.
I hear it all the time. If you test on 5 machines and a bug is found you should have tested 10. If you tested 10 you should have tested 20, if you tested 20 you should have tested 50, and if you tested it so thoroughly it was near perfect it would take forever (paralysis by analysis) and once it came out it would be outdated because someone a little less perfect put theirs out first and you get blasted for taking up too much time developing/testing.
If only the real world was so black and white.
Pssst… It wasn’t you guys that found the vulnerability.. This is not a new attack or family of malware. The world hasn’t changed – you guys finally got wind of it.
All Aurora did was leverage the insecurity of the internet. This is another way to say security is looked at on a network level and sometimes at a virus check level but rarely at a user level.
Personal security is usually limited to a PIN or password access by a user. This is how PayPal became the most hacked payment system in the world.
What is needed is to use authenticated digital identities as access points to the internet. Instead of PINs or passwords create authenticated digital profiles that access via dynamic gateways.
A virus then cannot automatically send email or information out as it cannot be programmed to mimic the dynamic access.
For full disclosure, GenMobi has created and patented access through authenticated digital identities.
You said it, mykle!
I wish I didn’t have to use Windows-dependent software at work.
@Dave
It is really frustrating that security exploits of this sort are going on today, and ill-informed quibbling over blaming an OS or browser is distracting attention from the real problem: software designers took a wrong turn well over a decade ago, making it their priority to add powerful features without enough consideration for the security implications. I do agree that Unix-family operating systems were designed to be secure from the ground up, and were much, much better than MS Windows in general up until roughly Windows 7, after which you cannot make sweeping claims that one is better than the other. But for a long time the problem has been the insecurity of software (and humanware) using the operating systems, and the mindset behind the rush to add bling and capabilities just waiting to be abused. The present discussion about Zero-day and other exploits, and IE vs Firefox security, is an echo of discussions mid-2007. Yet the most shocking thing (for the security community) is that steps to prevent many such problems were discussed (in virus-l and elsewhere) well over a decade ago. The only reasons I can think of for sensible security attitudes being ignored is a misguided commercial calculation and a
False security is all that is happening. I have been fighting the botnet longer than anyone. Not only was it being built in my machines (and other hardware and services), but I just learned that I am the command and control center of the botnet. I have info on the worm and hackers.
If you want to really make a secure full working detectory, you need the info I have. Example: the worm loves decoys. Confickers were made detectable on purpose. The main worm gets in by injecting radio packets into a stream that is picked up by chips on the motherboard and also a hardware exploit from your network connection.
The main worm hijacks what it refers to as global.
The worm works in layers. They keep monitoring each other. The hackers are not the main hackers. The original hackers attempted to remove the worm a week after April first after I succeeded in sending a message to a community site revealing the source. It backfired and used kid hackers (given info) to set authorities away from them. Parts of the main worm just started to get addressed in November. The hacker did something to the worm Nov 17 by altering display/lan/audio drivers and then the ports used changed to port 445 instead of the normal high ports (linked as commands using parsing injections).
I think we have to reengineer the way to look at operating systems now…
–
Rotundo Pierluigi
@Hindsight. Not sure anyone is expecting perfection. I run a dev org and at least we make an effort to run some reasonable security checks before we release. We also believe in continuous improvement, not cutting corners. I will have to say that the focus/importance placed on security is really driven by the culture of the org. I can say from experience that security is more important in orgs that focus on customer satisfaction vs. orgs that focus on the next big sale.
Surely Windows is a flawed system, but I found that AVG is a good antivirus. It also has lots of free products, and it’s easy to use. Worth a try!
We need security indeed, but unfortunately we still need Windows more. I try switching to other OS but it always make me come back to Windows. Sadly isn’t?
Hey folks,
Thanks a lot for sharing such a nice and informative article. I had gone through the article and also the comment posts, and I agree with the views of KARL; he has mentioned very good views.
By the way for more information on Security Courses check this link: http://www.eccouncil.org/certification.aspx
Ok we know the problem right? And we seem to know some of the fixes, correct? Now I want to know, as do most business-minded folks, how do we profit from this threat? Seems as though “decoys” can be valuable, as is unmined gold ore. But I wonder if they (decoys)can be used to reverse-infect the Chinese or any other origin? This may not be a cure. But it sure would be fun to know we scrambled their eggs for once, and we burned down their kitchens to do it! lol
[...] Recent reports from McAfee’s disclosure of an IE 0-day vulnerability this week clarifies the main reasons behind the hack and stealing of data from Google, Adobe and [...]
I love how all the “leading” security firms such as the one this site promotes have to scramble but my “firewall” has been able to block this exploit since 2006.
I’d like to hear more about antihacker101’s comments. Can he provide better facts to support his conclusions, of being part of a botnet? What tools are helping his fight? What technical advice can he pass along to detect worms that aren’t the decoys, botnets and more. While I have often suspected some compromise of hardware firmware or motherboard chips is occurring, what evidence does he have to support this? How can we recognize this kind of infection? What’s the fix, flashing the BIOS? What about deep hard disk sector infections that seemingly survive reformats? Seen any of that?
[...] many of the common IT security and protection strategies are now proving to be insufficient. The Aurora Operation, as it was named, targeted an unknown vulnerability in Microsoft’s Internet Explorer and siphoned [...]