'Fog of War' Led To Operation Aurora Malware Mistake

Turns out some pieces of malware included in McAfee's initial analysis of the code used in the wave of targeted attacks that hit Google, Adobe, Intel, and other U.S. companies had nothing to do with the now-infamous Operation Aurora attacks after all.

McAfee now says four pieces of malware that it originally identified in its research were present in Aurora-infected machines by coincidence, and instead are part of another attack currently underway that builds a botnet for hactivist attacks in Vietnam.

Just how the malware -- identified as the four files jucheck.exe, zf32.dll, AdobeUpdateManager.exe, and msconfig32.sys. -- went from being labeled as from Chinese attackers to ones in Vietnam has much to do with the frantic and high-profile race to uncover the attack code and perpetrators behind the Aurora attacks, and the chaos that often ensues in the wake of this type of forensics investigation.

"At the time, we were in the fog of war investigating this operation," says Dmitrie Alperovitch, vice president of threat research at McAfee, which worked on the aftermath of investigating and cleaning up machines in over a dozen companies hit in the Aurora attacks.

"Initially we were dealing with a number of machines and our goal then was to identify infections in those companies, and we thought it was beneficial to publish as much information out there as possible on those machines," he says. "But after the fact, when we had more time to do the research, we realized [this malware] was part of a completely different attack."

While Aurora was all about stealing intellectual property from its victims, the other malware was "less sophisticated" and more about building a botnet that could then be used to wage distributed denial of service (DDoS) attacks, he says.

But not everyone is sold on McAfee's new conclusion: Gunter Ollmann, vice president of research for Damballa, says based on his firm's analysis of the command-and-control infrastructure used in the attacks, Damballa can't confirm that the Vietnamese attacks were from different attackers: "Based upon our analysis of the C&C's McAfee are now associating with this Vietnamese malware, I don't think that such a conclusion can be confirmed by Damballa. In our report earlier, one of the botnet operators runs multiple campaigns that make extensive use of those same C&C domains and server infrastructure," Ollmann says.

Some C&C domains associated with Operation Aurora are currently being used in new campaigns, he says, including one of the new Fake Adobe Updater botnet building campaigns, Ollmann says.

Meanwhile, McAfee wasn't the only firm to publish information on the attacks and later correct its research. A few days after Google revealed that it had been attacked, along with Adobe and at least 20 other companies, iDefense retracted its initial report that infected PDFs sent via emails to the victims were used in the attacks.

Google's Neel Mehta, member of the security team, last night blogged that this malware had infected tens of thousands of computers that had downloaded Vietnamese keyboard language software "and possibly other software that was altered." The infected bots were used for spying on the victims as well as for executing DDoS attacks against blogs opposing bauxite mining efforts in Vietnam, an issue that has been in hot debate there.

McAfee's malware mix-up had a trickle effect, however, as other researchers under the assumption that the Vietnamese bot malware was part-and-parcel of Operation Aurora, also did their own analysis of it. Damballa Research, for example, published a report earlier this month that explores the botnet that was then considered part of Aurora, concluding it was "amateurish."

McAfee's Alperovitch says his company's confusion over the separate malware attacks it found in the Aurora victim machines didn't derail its forensics investigation and that McAfee didn't go public with its mistake until now because it "didn't have all of the facts on it."

"We regret that we [didn't] make it clear to other researchers that were working on it," however, he says.

Any advanced persistent threat (APT) attack investigation like Aurora is complicated, especially since the attacker is trying to remain under the radar: "And Aurora was unique in that there were a number of machines involved and there was so much activity" around it, he says.

In some cases, the Aurora malware had been in place before the Vietnamese-targeted malware had hit the machines. But there "was a small subset of Aurora machines that had this [other] malware," Alperovitch says.

And because the Aurora infections occurred over several months, it was difficult to determine how the malware had gotten into the machines, he says. "Our goal was to put as much information out. We had everyone calling us, telling us they that they had been hit by Aurora," he says.

Those Aurora-infected machines that also contained the Vietnamese bot malware had been targeted either because they had Vietnamese language ties or ethnic origins, he says. McAfee's blog post here provides more detail on the malware.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.