informa
News

Botnets Serving Project Aurora Likely Built By "Amateurs," Researcher Says

Rumors of sophistication in China's botnet attacks were exaggerated, Damballa expert says
SAN FRANCISCO -- RSA Conference 2010 -- The botnets that carried the Project Aurora attacks to Google and other companies last month were effective -- but not the sophisticated, next-generation vehicles that some reports have touted, a security researcher said here last week.

"If you're setting Project Aurora as the top level of sophistication in attacks based on what's been reported about it, then you're selling the attackers short," said Gunter Ollmann, vice president of research at Damballa, which makes tools for detecting and stopping botnets and other advanced persistent threats.

Ollmann called the developers of the botnets that carried Project Aurora malware "just another group of [botnet] operators." In fact, he said, the botnets underlying the attack "were not as sophisticated as many of the others we see out there right now."

In a report issued last week, Damballa researchers offered a detailed look at the botnets that served as the delivery mechanism for Project Aurora, which was reported to have been an attempt by Chinese nationals to penetrate as many as 100 major corporate targets. The report shows the genesis of the emergent botnets, from the registration of their domains in July 2009 through malware creation, testing, and a variety of "campaigns" in which malware or phishing messages were delivered. Ollmann said Damballa has identified three major families of malware used to create and control the botnets, and that there is a "sufficient difference in coding styles" to suggest they many have been created by different groups of attackers. As has been reported, the primary command and control (C&C) servers switched numerous times from region to region, but Ollmann said the secondary control channels stayed largely consistent, making the botnet easier to track.

The operators built the botnets using Dynamic Domain Name System (DDNS) -- "a method that has been out of vogue for at least five years" because of law enforcement's ability to track it, Ollmann said. "This is the sort of thing you see used by amateurs," he said.

The botnets showed phases where C&C servers shifted to different sources and locations, a pattern that is "consistent with monetizing" the networks, Ollmann said. It is likely the operators of the botnets did not have a political agenda, but delivered the Project Aurora malware -- the Trojan Hydraq -- for a fee, as most botnet operators do, he said. Damballa did see the botnets delivering other types of malware besides the Trojan, including scareware, he said.

While Ollmann's report on Project Aurora goes into some depth, the message is simple. "Whenever a company is penetrated, they like to characterize the attack as highly sophisticated, as if they couldn't have been penetrated by a simpler exploit," he says. "But in this case, the characterization of Project Aurora as a highly sophisticated attack was misleading. There wasn't an extraordinary amount of sophistication to it compared to other attacks we've seen."

Enterprises need to get past the notion that it takes a sophisticated attack to compromise their systems, Ollman says. Damballa estimated that as many as 5 to 7 percent of nodes in the average enterprise "are not only compromised, but are actively reaching out" to other nodes to increase the botnet's footprint.

"Over the years, the percent of compromised machines that we find in enterprises has remained remarkably consistent," Ollmann says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Recommended Reading: