Attacks/Breaches

3/31/2010
05:16 PM
'Fog of War' Led To Operation Aurora Malware Mistake

McAfee says some malware disclosed as part of Google attacks was actually a separate infection and unrelated to targeted attacks out of China

It turns out that some of the malware McAfee included in its initial analysis of the code used in the wave of targeted attacks on Google, Adobe, Intel, and other U.S. companies had nothing to do with the now-infamous Operation Aurora attacks after all.

McAfee now says four pieces of malware that it originally identified in its research were present on Aurora-infected machines by coincidence and actually belong to a separate attack currently underway, one that is building a botnet for hacktivist attacks in Vietnam.

Just how the malware -- the four files jucheck.exe, zf32.dll, AdobeUpdateManager.exe, and msconfig32.sys -- went from being attributed to Chinese attackers to attackers in Vietnam has much to do with the frantic, high-profile race to uncover the attack code and the perpetrators behind Aurora, and with the chaos that often follows this type of forensic investigation.

"At the time, we were in the fog of war investigating this operation," says Dmitri Alperovitch, vice president of threat research at McAfee, which investigated and cleaned up machines at more than a dozen companies hit in the Aurora attacks.

"Initially we were dealing with a number of machines and our goal then was to identify infections in those companies, and we thought it was beneficial to publish as much information out there as possible on those machines," he says. "But after the fact, when we had more time to do the research, we realized [this malware] was part of a completely different attack."

While Aurora was all about stealing intellectual property from its victims, the other malware was "less sophisticated" and more about building a botnet that could then be used to wage distributed denial of service (DDoS) attacks, he says.

But not everyone is sold on McAfee's new conclusion. Gunter Ollmann, vice president of research at Damballa, says that based on his firm's analysis of the command-and-control infrastructure used in the attacks, Damballa can't confirm that the Vietnamese attacks came from different attackers: "Based upon our analysis of the C&Cs McAfee are now associating with this Vietnamese malware, I don't think that such a conclusion can be confirmed by Damballa. In our report earlier, one of the botnet operators runs multiple campaigns that make extensive use of those same C&C domains and server infrastructure," Ollmann says.

Some C&C domains associated with Operation Aurora are currently being used in new campaigns, Ollmann says, including one of the new fake Adobe Updater botnet-building campaigns.

Meanwhile, McAfee wasn't the only firm to publish information on the attacks and later correct its research. A few days after Google revealed that it had been attacked, along with Adobe and at least 20 other companies, iDefense retracted its initial report that infected PDFs sent to the victims via email were used in the attacks.

Neel Mehta, a member of Google's security team, blogged last night that this malware had infected tens of thousands of computers that had downloaded Vietnamese keyboard language software "and possibly other software that was altered." The infected bots were used both for spying on the victims and for executing DDoS attacks against blogs opposing bauxite mining in Vietnam, an issue under hot debate there.

McAfee's malware mix-up had a ripple effect, however: other researchers, assuming the Vietnamese bot malware was part and parcel of Operation Aurora, did their own analysis of it. Damballa Research, for example, published a report earlier this month exploring the botnet, then considered part of Aurora, and concluded it was "amateurish."

McAfee's Alperovitch says his company's confusion over the separate malware it found on Aurora victim machines didn't derail its forensic investigation, and that McAfee didn't go public with the mistake until now because it "didn't have all of the facts on it."

"We regret that we [didn't] make it clear to other researchers that were working on it," however, he says.

Any advanced persistent threat (APT) investigation like Aurora is complicated, especially since the attacker is trying to stay under the radar: "And Aurora was unique in that there were a number of machines involved and there was so much activity" around it, he says.

In some cases the Aurora malware had been in place before the Vietnam-targeted malware hit the machines. But there "was a small subset of Aurora machines that had this [other] malware," Alperovitch says.

And because the Aurora infections occurred over several months, it was difficult to determine how the malware had gotten onto the machines, he says. "Our goal was to put as much information out. We had everyone calling us, telling us that they had been hit by Aurora," he says.

The Aurora-infected machines that also contained the Vietnamese bot malware had been targeted either because they had Vietnamese language ties or because of their users' ethnic origins, he says. McAfee's blog post provides more detail on the malware.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
