Operation Aurora: the attack on Google and others

Original author: George Kurtz
  • Translation
McAfee Labs has been working around the clock on the attack we now call "Aurora", which struck many organizations and reached the media on Tuesday thanks to Google's disclosure. We are working with the affected organizations as well as with government and legal authorities. One stage of our investigation was the analysis of a number of malicious code samples that, as we saw, were used in attempts to penetrate the networks of the targeted organizations.


Fresh Internet Explorer Vulnerability


In the course of the investigation we found that one of the malicious code samples used in the attack exploits a previously undisclosed vulnerability in Microsoft Internet Explorer. We reported this vulnerability to Microsoft, which published clarifications and discussed it on its blog on Tuesday.
As with most targeted attacks, the attackers gained access to an organization's network by attacking one or more selected users. We assume the users were chosen for their access to particular intellectual property of the organization. These attacks appeared to come from a trusted source, which lowered the victim's guard and led them to follow a link or open a file that launched the malicious code. This is the point at which the Internet Explorer vulnerability is exploited.
Once the malicious code has been downloaded and installed, it opens a backdoor that gives the attacker full control over the compromised system. The attacker is now inside the company's network and can begin to exfiltrate the data that matters to the company.
Our investigation showed that the vulnerability is present in all versions of Internet Explorer, including version 8 on Windows 7, although the attackers targeted mainly version 6 of the browser. We want to thank Microsoft for cooperating with us during the investigation.
Although we identified Internet Explorer as the main attack vector in this incident, a fairly large share of such attacks rely on a mixture of zero-day vulnerabilities and sophisticated social engineering scenarios, so other attack vectors may still come to light. That said, contrary to other reports, we found no evidence that Adobe Reader was used in the attack.

Operation Aurora


I'm sure you want to know where the name "Aurora" comes from. According to our analysis, the word "Aurora" was part of a file path on the attacker's computer and was embedded in two malicious binaries that we saw associated with the attack. Compilers typically embed such a path into a binary as a pointer to where the source code and debugging symbols are stored on the developer's machine. It seems to us that the attacker(s) used this word among themselves as the name of the operation.
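The path the author describes is the CodeView debug record that Visual Studio's linker writes into a PE file to point at its PDB symbol file. The following Python is an added example (not McAfee's code and not the actual Aurora binaries) showing how an analyst recovers such paths from a sample or memory dump: it signature-scans for the RSDS (PDB 7.0) and older NB10 (PDB 2.0) CodeView records and returns the GUID, age and path, which can then be used to cluster samples by build environment. The sample blob, GUID and PDB path are constructed placeholders; the real Aurora path is not reproduced here.

```python
import struct
import uuid

# Constructed sample: a fake PE-like blob containing one RSDS CodeView record.
# The GUID and PDB path are placeholders, not the actual Aurora artifacts.
_SAMPLE_GUID = uuid.UUID("12345678-1234-5678-1234-567812345678")
_SAMPLE_PATH = b"c:\\build\\example_project\\Release\\example.pdb"
SAMPLE_BINARY = (
    b"MZ" + b"\x00" * 62                       # fake DOS header padding (not a valid PE)
    + b"RSDS" + _SAMPLE_GUID.bytes_le          # RSDS signature + GUID (little-endian layout)
    + struct.pack("<I", 3)                     # PDB age
    + _SAMPLE_PATH + b"\x00"                   # NUL-terminated PDB path
    + b"\x00" * 32
)


def _looks_like_path(raw: bytes) -> bool:
    """Reject empty or non-printable candidates to cut false positives in random data."""
    return 0 < len(raw) < 1024 and all(0x20 <= b < 0x7F for b in raw)


def extract_codeview_pdb_paths(data: bytes) -> list:
    """Scan a binary blob for CodeView debug records and return the embedded PDB paths.

    RSDS layout: 'RSDS' + 16-byte GUID + 4-byte age + NUL-terminated path.
    NB10 layout: 'NB10' + 4-byte offset + 4-byte timestamp + 4-byte age + NUL-terminated path.
    Scanning by signature instead of walking the PE debug directory keeps this usable on
    memory dumps and truncated or packed files whose headers are missing or damaged.
    """
    results = []
    for sig, header_len in ((b"RSDS", 24), (b"NB10", 16)):
        pos = data.find(sig)
        while pos != -1 and pos + header_len <= len(data):
            end = data.find(b"\x00", pos + header_len)
            if end == -1:
                end = len(data)
            raw_path = data[pos + header_len:end]
            if _looks_like_path(raw_path):
                record = {"format": sig.decode(), "offset": pos,
                          "path": raw_path.decode("ascii")}
                if sig == b"RSDS":
                    record["guid"] = str(uuid.UUID(bytes_le=data[pos + 4:pos + 20]))
                    record["age"] = struct.unpack_from("<I", data, pos + 20)[0]
                else:
                    _, timestamp, age = struct.unpack_from("<III", data, pos + 4)
                    record["timestamp"] = timestamp
                    record["age"] = age
                results.append(record)
            pos = data.find(sig, pos + 1)
    return results


def find_paths_containing(records: list, keywords: list) -> list:
    """Return the PDB paths whose text contains any keyword (case-insensitive).

    This is the clustering step the post alludes to: a project or directory name
    shared across otherwise unrelated samples links them to one build environment.
    """
    wanted = [k.lower() for k in keywords]
    return [r["path"] for r in records
            if any(k in r["path"].lower() for k in wanted)]


if __name__ == "__main__":
    for rec in extract_codeview_pdb_paths(SAMPLE_BINARY):
        print(rec)
```

In practice you would run `extract_codeview_pdb_paths` over every sample in a case and feed the results to `find_paths_containing` with the directory or project names you are tracking; a shared, unusual path fragment is weak evidence on its own, but combined with code overlap and timing it is exactly the kind of clue that gave this operation its name.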

Landscape change


Blaster, Code Red and the other broad-based worms are a thing of the past. The current crop of malicious code is highly specialized, has a specific purpose, and is designed to infect, gain covert access, exfiltrate data or, worse, silently alter it.
These highly customized attacks, known as "advanced persistent threats" (APTs), were originally associated only with governments, and merely mentioning them is enough to send a chill through any cyber warrior. They are, in effect, the battlefield equivalent of a drone: they deliver their dangerous payload with surgical precision, and by the time they show up it is always too late.
Operation Aurora has changed the cyber-threat landscape. These attacks showed that companies in every sector are lucrative targets. Most are highly vulnerable to such targeted attacks, which yield a very valuable prize: intellectual property.
Like the 2009 ATM heist, Operation Aurora looks like a coordinated attack on prominent companies aimed at their intellectual property. Just as an army of zombies pulled cash from ATMs, this malicious code let the attackers carry off company treasures while people were relaxing over the Christmas holidays. The attack was clearly timed that way to go unnoticed.
All I can say is "Wow!" The world has changed. The universal threat model now has to adapt to the new reality of these APTs. Besides Eastern European cybercriminals trying to steal credit-card databases, you now have to worry about core intellectual property, non-financial private customer information and other intangible assets.
We will keep you informed as events unfold. As I wrote in a previous post, this is just the tip of the iceberg.

George Kurtz, Information Security Specialist, McAfee.

UPD: Video showing the exploit in action:

The "Aurora" IE Exploit in Action, from The Crew of Praetorian Prefect on Vimeo.

UPD2: The exploit itself has been published. Link to the Praetorian Project.
Exploit links from Matrosov's site: www.metasploit.com/redmine/projects/framework/repository/revisions/8136/entry/modules/exploits/windows/browser/ie_aurora.rb - Ruby module for Metasploit
ahmed.obied.net/software/code/exploits/ie_aurora.py - in Python.
