Attacks/Breaches
2/10/2010
02:27 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

'Aurora' Attacks Still Under Way, Investigators Closing In On Malware Creators

Researchers find 'markers' associated with authors of Aurora malware used in attacks against Google, others

The targeted attacks that hit Google, Adobe, and other U.S. organizations are still ongoing and have affected many more companies than the original 20 to 30 or so reported by Google and others.

Security experts who have worked on forensics investigations and cleanup of the victim organizations from the attacks that originated out of China say they are also getting closer to identifying the author or authors of the malware used to breach Google and others.

"The attack called Operation Aurora is larger than just [the attacks acknowledged at the] 30 companies. That attack is still in operation and is much larger," says Greg Hoglund, founder and CEO of HBGary, which today published a report on Operation Aurora that recaps where things stand with the investigation.

He and other forensics firms say they have no direct evidence implicating the Chinese government in the Aurora attacks, but that doesn't mean other investigators or officials have it and just aren't sharing it publicly, Hoglund says. HBGary has found trails left behind in the Aurora code by its creators that are "very specific to the developer who compiled the malware," Hoglund says, and it has Chinese language ties.

HBGary has identified registry keys, IP addresses, suspicious runtime behavior, and other data about the Aurora malware and its origins using the firm's latest analysis tool, he says.

Hoglund says HBGary was able to identify "markers" specific to the way the Aurora developer wrote the malware. But he says his firm did not include this in its new report. "This is not in the report because we don't want him to know what we know about his coding," he says. "[It] is algorithmic in nature."

The Aurora "knock-off" malware based on the publicly released Aurora IE exploit and Metasploit's Aurora exploit wouldn't carry these markers, he says, so investigators would be able to identify whether it was from the same attacker or attackers that hit Google, Adobe, and others.

"We're really just getting started in tracing him," Hoglund says.

Kevin Mandia, CEO of forensics firm Mandiant, also says his firm's investigators are getting close to exposing the creators of the Operation Aurora malware. "We feel like we know a couple of them in their coding -- we recognize their trademarks ... down to the person."

Mandiant, which has been in the business of investigating these targeted, persistent attacks -- also known as advanced persistent threats (APTs) -- has seen the handiwork of these groups of attackers before. "The groups behind these [Aurora] attacks have hacked hundreds of companies" in previous targeted attacks, Mandia says. "At one time we saw over 200 victim [organizations hit by targeted attacks]," he says.

He says attacks that steal intellectual property typically funnel the goods via IP addresses based in China. But Mandia says he doesn't know if the Chinese government is involved in the recent attacks or other APT attacks, though some trends with these attacks raise questions. "We see patterns that just make us curious. If you're doing merger and acquisition work in China, you're targeted," Mandia says. "We've seen when we respond to client sites [that were attacked] a lot of legal counsel, external counsel, and C-level executives [targeted] in M&A with China."

Meanwhile, HBGary today released a free tool for downloading that scans and removes the Aurora malware from Windows machines. Hoglund calls it an "inoculation shot."

Still, Hoglund and other security experts note that the attackers didn't use only the Internet Explorer 6 exploit. One source with knowledge of the attacks says the attackers aren't using just phishing emails to deliver their exploits, either. "I know they are not" relying on just the IE exploit via email, the source says.

About 80 percent of APT attacks use custom malware, Mandia says. "We recently took over 1,800 programs we've collected since 2008 that are all part of APT ... and ran it through AV, and only 24 percent of the malware triggered antivirus," he says. "Over a year ago, none of it was triggering AV."

Mandia says that while some Aurora and other APT victims continue to be hammered by attackers sending new malware variants to the already-infected machines, these types of targeted attacks aren't letting up. "There's just another patch of victims somewhere else now," Mandia says.

"Aurora is a wake-up call," says Peter Schlampp, vice president of marketing and product management for forensics firm Solera Networks. "Companies are waking up to the fact that they've under-invested in the area of security around surveillance and monitoring and forensics to get to the bottom of what happened."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Security Technologies to Watch in 2017
Emerging tools and services promise to make a difference this year. Are they on your company's list?
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.