Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


11:02 AM
Connect Directly

Google Hack Code Released, Metasploit Exploit Now Available

Researchers now say there's no evidence infected PDFs were used in the targeted attacks originating from China on Google and other companies, but investigations continue

Internet Explorer exploit code used in the so-called Aurora attacks out of China against Google and other companies has been posted online -- and now the popular Metasploit hacking tool has released a working exploit of the attack, as well.

The malware, which exploited a zero-day vulnerability in Internet Explorer in targeted attacks against Google and other companies' networks, was used to go after IE 6 browsers in the massive attacks, which ultimately resulted in the theft of intellectual property from Google and other as-yet unnamed organizations. Adobe and Rackspace are among the companies so far that say they were hit by the attacks, which first came to light this past week and were allegedly conducted by hackers in China.

With the IE exploit in the wild now, it could be used by other cybercriminals to go after other organizations or users. And while Metasploit's new exploit is meant for researchers and penetration testers to gauge their vulnerability to the attack, Metasploit is still an open-source tool that can be deployed for nefarious purposes.

"The public release of the exploit code increases the possibility of widespread attacks using the Internet Explorer vulnerability," George Kurtz, McAfee's CTO, blogged late yesterday. "This attack is especially deadly on older systems that are running XP and Internet Explorer 6."

The IE flaw discovery has prompted the German government to recommend that its citizens no longer use IE and instead run alternative browser until Microsoft comes up with a patch, according to a post on Heise Security.

Researchers working on investigating the attacks say the IE malware was just one weapon used in the attacks.

In a related development, iDefense has retracted its claims that infected PDF files were used in the attacks on Google and others. Earlier last week iDefense had said that malicious PDF file attachments sent via email to the victims were likely the attack vector.

"In iDefense's press announcement regarding the recently discovered Silicon Valley compromises, we stated that the attack vector was likely 'malicious PDF file attachments delivered via email' and suggested that vulnerability in Adobe Reader appeared to have been exploited in these attacks. Upon further review, we are retracting our initial assessment regarding the likely use of Adobe vulnerabilities. There are currently no confirmed instances of vulnerability in Adobe technologies being used in these attacks. We continue to investigate this issue," iDefense said in a statement late yesterday.

iDefense's statement and revelations by McAfee about its findings led other researchers to back down from their claims of infected PDFs, as well.

Meanwhile, Microsoft provided more details on the actual vulnerability. It's basically a memory-corruption problem that is triggered when an attacker using JavaScript places attack code in the memory.

Users of IE 6 on Windows XP should upgrade to a newer version of IE or enable Data Execution Prevention (DEP), according to Microsoft. All versions of IE crash when the attack code is opened, but you can limit the attack to just crashing the browser by disabling JavaScript and disabling the code from executing in "freed memory," Microsoft suggests. DEP stops code from executing from pages of memory that aren't designated as executable, thus stopping the malware.

Daniel Kennedy, a partner with the Praetorian Security Group, says the attack opens a backdoor into the victim's PC, which gives the attacker carte blanche to do whatever the user can do. "Once the backdoor is open to the user's PC the attacker can use it as a pivot point for other attacks against the internal network, escalate his or her privileges, take information off the PC, basically do anything the user can do," Kennedy said in blog post late yesterday.

He also posted a video simulating the attack, using the new Metasploit exploit module. You can view it here.

Meanwhile, the U.S. State Department reportedly may take more formal measures against China over the alleged attacks. State Department officials want answers from China, but thus far have been unsuccessful in doing so in their initial meetings with Chinese officials.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
Unreasonable Security Best Practices vs. Good Risk Management
Jack Freund, Director, Risk Science at RiskLens,  11/13/2019
Breaches Are Inevitable, So Embrace the Chaos
Ariel Zeitlin, Chief Technology Officer & Co-Founder, Guardicore,  11/13/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-11-15
Null pointer dereference vulnerability exists in K11_SignWithSymKey / ssl3_ComputeRecordMACConstantTime in NSS before 3.26, which causes the TLS/SSL server using NSS to crash.
PUBLISHED: 2019-11-15
Jetty 6.x before 6.1.22 suffers from an escape sequence injection vulnerability from two different vectors: 1) "Cookie Dump Servlet" and 2) Http Content-Length header. 1) A POST request to the form at "/test/cookie/" with the "Age" parameter set to a string throws a &qu...
PUBLISHED: 2019-11-15
Perdition before 2.2 may have weak security when handling outbound connections, caused by an error in the STARTTLS IMAP and POP server. ssl_outgoing_ciphers not being applied to STARTTLS connections
PUBLISHED: 2019-11-15
ClamAV before 0.97.7 has WWPack corrupt heap memory
PUBLISHED: 2019-11-15
ClamAV before 0.97.7 has buffer overflow in the libclamav component