'Fog of War' Led To Operation Aurora Malware Mistake

McAfee says some malware disclosed as part of Google attacks was actually a separate infection and unrelated to targeted attacks out of China

Turns out some pieces of malware included in McAfee's initial analysis of the code used in the wave of targeted attacks that hit Google, Adobe, Intel, and other U.S. companies had nothing to do with the now-infamous Operation Aurora attacks after all.

McAfee now says four pieces of malware that it originally identified in its research were present on Aurora-infected machines by coincidence, and are instead part of another attack currently underway that builds a botnet for hacktivist attacks in Vietnam.

Just how the malware -- identified as the four files jucheck.exe, zf32.dll, AdobeUpdateManager.exe, and msconfig32.sys -- went from being attributed to Chinese attackers to attackers in Vietnam has much to do with the frantic and high-profile race to uncover the attack code and perpetrators behind the Aurora attacks, and the chaos that often ensues in the wake of this type of forensics investigation.

"At the time, we were in the fog of war investigating this operation," says Dmitri Alperovitch, vice president of threat research at McAfee, which worked on investigating and cleaning up machines in over a dozen companies hit in the Aurora attacks.

"Initially we were dealing with a number of machines and our goal then was to identify infections in those companies, and we thought it was beneficial to publish as much information out there as possible on those machines," he says. "But after the fact, when we had more time to do the research, we realized [this malware] was part of a completely different attack."

While Aurora was all about stealing intellectual property from its victims, the other malware was "less sophisticated" and more about building a botnet that could then be used to wage distributed denial of service (DDoS) attacks, he says.

But not everyone is sold on McAfee's new conclusion: Gunter Ollmann, vice president of research for Damballa, says that, based on his firm's analysis of the command-and-control infrastructure used in the attacks, Damballa can't confirm that the Vietnamese attacks were from different attackers. "Based upon our analysis of the C&C's McAfee are now associating with this Vietnamese malware, I don't think that such a conclusion can be confirmed by Damballa. In our report earlier, one of the botnet operators runs multiple campaigns that make extensive use of those same C&C domains and server infrastructure," Ollmann says.

Some C&C domains associated with Operation Aurora are currently being used in new campaigns, including one of the new Fake Adobe Updater botnet-building campaigns, Ollmann says.

Meanwhile, McAfee wasn't the only firm to publish information on the attacks and later correct its research. A few days after Google revealed that it had been attacked, along with Adobe and at least 20 other companies, iDefense retracted its initial report that infected PDFs sent via emails to the victims were used in the attacks.

Neel Mehta, a member of Google's security team, blogged last night that this malware had infected tens of thousands of computers that had downloaded Vietnamese keyboard language software "and possibly other software that was altered." The infected bots were used for spying on the victims as well as for executing DDoS attacks against blogs opposing bauxite mining efforts in Vietnam, an issue that has been in hot debate there.

McAfee's malware mix-up had a trickle-down effect, however, as other researchers, under the assumption that the Vietnamese bot malware was part and parcel of Operation Aurora, also did their own analysis of it. Damballa Research, for example, published a report earlier this month that explores the botnet that was then considered part of Aurora, concluding it was "amateurish."

McAfee's Alperovitch says his company's confusion over the separate malware attacks it found in the Aurora victim machines didn't derail its forensics investigation and that McAfee didn't go public with its mistake until now because it "didn't have all of the facts on it."

"We regret that we [didn't] make it clear to other researchers that were working on it," however, he says.

Any advanced persistent threat (APT) attack investigation like Aurora is complicated, especially since the attacker is trying to remain under the radar: "And Aurora was unique in that there were a number of machines involved and there was so much activity" around it, he says.

In some cases, the Aurora malware had been in place before the Vietnamese-targeted malware had hit the machines. But there "was a small subset of Aurora machines that had this [other] malware," Alperovitch says.

And because the Aurora infections occurred over several months, it was difficult to determine how the malware had gotten into the machines, he says. "Our goal was to put as much information out. We had everyone calling us, telling us that they had been hit by Aurora," he says.

Those Aurora-infected machines that also contained the Vietnamese bot malware had been targeted either because they had Vietnamese language ties or ethnic origins, he says. McAfee's blog post here provides more detail on the malware.


Kelly Jackson Higgins is Executive Editor at Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
