Powered By InformationWeek Business Technology Network
 
Welcome Guest. | Log In| Register | Membership Benefits
  • Email this page E-mail this page
  • |  Print Print this page
  • |   Bookmark and Share

'Aurora' Attacks Still Under Way, Investigators Closing In On Malware Creators

Researchers find 'markers' associated with authors of Aurora malware used in attacks against Google, others

Feb 10, 2010 | 02:27 PM

By Kelly Jackson Higgins
DarkReading

The targeted attacks that hit Google, Adobe, and other U.S. organizations are still ongoing and have affected many more companies than the original 20 to 30 or so reported by Google and others.

Security experts who have worked on forensics investigations and cleanup of the victim organizations from the attacks that originated out of China say they are also getting closer to identifying the author or authors of the malware used to breach Google and others.

"The attack called Operation Aurora is larger than just [the attacks acknowledged at the] 30 companies. That attack is still in operation and is much larger," says Greg Hoglund, founder and CEO of HBGary, which today published a report on Operation Aurora that recaps where things stand with the investigation.

He and other forensics firms say they have no direct evidence implicating the Chinese government in the Aurora attacks, but that doesn't mean other investigators or officials have it and just aren't sharing it publicly, Hoglund says. HBGary has found trails left behind in the Aurora code by its creators that are "very specific to the developer who compiled the malware," Hoglund says, and it has Chinese language ties.

HBGary has identified registry keys, IP addresses, suspicious runtime behavior, and other data about the Aurora malware and its origins using the firm's latest analysis tool, he says.

Hoglund says HBGary was able to identify "markers" specific to the way the Aurora developer wrote the malware. But he says his firm did not include this in its new report. "This is not in the report because we don't want him to know what we know about his coding," he says. "[It] is algorithmic in nature."

The Aurora "knock-off" malware based on the publicly released Aurora IE exploit and Metasploit's Aurora exploit wouldn't carry these markers, he says, so investigators would be able to identify whether it was from the same attacker or attackers that hit Google, Adobe, and others.

"We're really just getting started in tracing him," Hoglund says.

Kevin Mandia, CEO of forensics firm Mandiant, also says his firm's investigators are getting close to exposing the creators of the Operation Aurora malware. "We feel like we know a couple of them in their coding -- we recognize their trademarks ... down to the person."

Mandiant, which has been in the business of investigating these targeted, persistent attacks -- also known as advanced persistent threats (APTs) -- has seen the handiwork of these groups of attackers before. "The groups behind these [Aurora] attacks have hacked hundreds of companies" in previous targeted attacks, Mandia says. "At one time we saw over 200 victim [organizations hit by targeted attacks]," he says.

He says attacks that steal intellectual property typically funnel the goods via IP addresses based in China. But Mandia says he doesn't know if the Chinese government is involved in the recent attacks or other APT attacks, though some trends with these attacks raise questions. "We see patterns that just make us curious. If you're doing merger and acquisition work in China, you're targeted," Mandia says. "We've seen when we respond to client sites [that were attacked] a lot of legal counsel, external counsel, and C-level executives [targeted] in M&A with China."

Meanwhile, HBGary today released a free tool for downloading that scans and removes the Aurora malware from Windows machines. Hoglund calls it an "inoculation shot."

Still, Hoglund and other security experts note that the attackers didn't use only the Internet Explorer 6 exploit. One source with knowledge of the attacks says the attackers aren't using just phishing emails to deliver their exploits, either. "I know they are not" relying on just the IE exploit via email, the source says.

About 80 percent of APT attacks use custom malware, Mandia says. "We recently took over 1,800 programs we've collected since 2008 that are all part of APT ... and ran it through AV, and only 24 percent of the malware triggered antivirus," he says. "Over a year ago, none of it was triggering AV."

Mandia says that while some Aurora and other APT victims continue to be hammered by attackers sending new malware variants to the already-infected machines, these types of targeted attacks aren't letting up. "There's just another patch of victims somewhere else now," Mandia says.

"Aurora is a wake-up call," says Peter Schlampp, vice president of marketing and product management for forensics firm Solera Networks. "Companies are waking up to the fact that they've under-invested in the area of security around surveillance and monitoring and forensics to get to the bottom of what happened."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.


Comments Quick View Full View 1 Comments

-- Most recent comment --

Could NAC have stopped Operation Aurora?

Comment by SecurityPR Aug 17, 2010, 11:07 AM EDT

Could NAC have stopped Operation Aurora attacks on Google? Traditional network security solutions, which are designed to protect against external attack, have become insufficient. Perhaps an integrated security appliance which includes network access control, network threat protection and endpoint security enforcement? - More here - http://cot.ag/7TmIjE

Reply To Comment Permalink


logon-to-comment
Subscribe to RSS



Vulnerability Management Reports

report 3 Strategies to Protect Endpoints from Risky Applications
Most organizations have invested considerable time and effort in improving their endpoint risk management processes, but many are ill-equipped to handle myriad third-party applications that increasingly introduce the most risk into today’s IT environment. As IT has reduced the risk profile of PC and server operating systems, cyber-criminals have started to look for greener pastures. Learn three strategies to effectively take control of organizational endpoints and mitigate the rising risk from third-party applications.

report Applications Security: Eliminating Vulnerabilities in Enterprise Software
Most of the hacks that compromise enterprise security today are those that exploit flaws in applications. How can organizations find and fix these vulnerabilities—before they lead to a breach? Better yet, how can software developers identify flaws in their applications before the new software is ever deployed? In this special retrospective of recent news coverage, Dark Reading offers a look at some tips and tricks for software development and vulnerability assessment, as well as some advice on how to eliminate security flaws in the enterprise.

report In a Fix? Try a Vulnerability Remediation Life Cycle
There are plenty of ways to detect vulnerabilities. But assigning priorities and determining the best way to fix them is another matter. Which vulnerabilities need to be dealt with immediately, and which can wait? What should you do when a simple patch won’t suffice? How do you ensure that the problems won’t recur? In this Dark Reading Tech Center report, we explain how to implement a vulnerability remediation process that improves security for the long haul.

Other reports from the Vulnerability Management Tech Center:

Related Content

Four Steps to Cure Your Patch Management Headache
The need to speed up patch deployment across today’s highly complex and distributed IT environment has never been more important. The heat is on to proactively safeguard your systems and endpoints from the newest exploits as the time it takes hackers to exploit a known vulnerability shrinks.

Laying the IT Security Foundation: Key Steps to Preventing Cyber Attacks
Government systems are getting hit on a daily basis by new and ingenious external attacks. Federal, state and municipal agencies must find a way to adjust to this evolving threat landscape to prevent these threats from wreaking havoc. Government organizations must get back to the basics of security and lay a strong security foundation to weather these attacks by proactively addressing their root causes.

Why Free Patch Management Tools Could Cost You More
Although point patching products may look more attractive on the surface, closer inspection often reveals hidden costs and missing capabilities. The result: fragmented patch management and weaker security posture while also being a more costly and cumbersome option to maintain.

Integrate Desktop Power Savings with Patch Management
Organizations can save significant money by managing the power consumption of their IT systems, but if they aren't careful, they could save their way right into a security and operational nightmare. Conscientiously consider your tools, strategies and policies around power management if you’re seeking to go green without compromising operational efficiency or security.