Researchers now say there's no evidence infected PDFs were used in the targeted attacks originating from China on Google and other companies, but investigations continue

Internet Explorer exploit code used in the so-called Aurora attacks out of China against Google and other companies has been posted online -- and now the popular Metasploit hacking tool has released a working exploit of the attack, as well.

The malware, which exploited a zero-day vulnerability in Internet Explorer in targeted attacks against Google and other companies' networks, was used to go after IE 6 browsers in the massive attacks, which ultimately resulted in the theft of intellectual property from Google and other as-yet unnamed organizations. Adobe and Rackspace are among the companies so far that say they were hit by the attacks, which first came to light this past week and were allegedly conducted by hackers in China.

With the IE exploit in the wild now, it could be used by other cybercriminals to go after other organizations or users. And while Metasploit's new exploit is meant for researchers and penetration testers to gauge their vulnerability to the attack, Metasploit is still an open-source tool that can be deployed for nefarious purposes.

"The public release of the exploit code increases the possibility of widespread attacks using the Internet Explorer vulnerability," George Kurtz, McAfee's CTO, blogged late yesterday. "This attack is especially deadly on older systems that are running XP and Internet Explorer 6."

The IE flaw discovery has prompted the German government to recommend that its citizens no longer use IE and instead run alternative browser until Microsoft comes up with a patch, according to a post on Heise Security.

Researchers working on investigating the attacks say the IE malware was just one weapon used in the attacks.

In a related development, iDefense has retracted its claims that infected PDF files were used in the attacks on Google and others. Earlier last week iDefense had said that malicious PDF file attachments sent via email to the victims were likely the attack vector.

"In iDefense's press announcement regarding the recently discovered Silicon Valley compromises, we stated that the attack vector was likely 'malicious PDF file attachments delivered via email' and suggested that vulnerability in Adobe Reader appeared to have been exploited in these attacks. Upon further review, we are retracting our initial assessment regarding the likely use of Adobe vulnerabilities. There are currently no confirmed instances of vulnerability in Adobe technologies being used in these attacks. We continue to investigate this issue," iDefense said in a statement late yesterday.

iDefense's statement and revelations by McAfee about its findings led other researchers to back down from their claims of infected PDFs, as well.

Meanwhile, Microsoft provided more details on the actual vulnerability. It's basically a memory-corruption problem that is triggered when an attacker using JavaScript places attack code in the memory.

Users of IE 6 on Windows XP should upgrade to a newer version of IE or enable Data Execution Prevention (DEP), according to Microsoft. All versions of IE crash when the attack code is opened, but you can limit the attack to just crashing the browser by disabling JavaScript and disabling the code from executing in "freed memory," Microsoft suggests. DEP stops code from executing from pages of memory that aren't designated as executable, thus stopping the malware.

Daniel Kennedy, a partner with the Praetorian Security Group, says the attack opens a backdoor into the victim's PC, which gives the attacker carte blanche to do whatever the user can do. "Once the backdoor is open to the user's PC the attacker can use it as a pivot point for other attacks against the internal network, escalate his or her privileges, take information off the PC, basically do anything the user can do," Kennedy said in blog post late yesterday.

He also posted a video simulating the attack, using the new Metasploit exploit module. You can view it here.

Meanwhile, the U.S. State Department reportedly may take more formal measures against China over the alleged attacks. State Department officials want answers from China, but thus far have been unsuccessful in doing so in their initial meetings with Chinese officials.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights