Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

1/16/2010
11:02 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Google Hack Code Released, Metasploit Exploit Now Available

Researchers now say there's no evidence infected PDFs were used in the targeted attacks originating from China on Google and other companies, but investigations continue

Internet Explorer exploit code used in the so-called Aurora attacks out of China against Google and other companies has been posted online -- and now the popular Metasploit hacking tool has released a working exploit of the attack, as well.

The malware, which exploited a zero-day vulnerability in Internet Explorer in targeted attacks against Google and other companies' networks, was used to go after IE 6 browsers in the massive attacks, which ultimately resulted in the theft of intellectual property from Google and other as-yet unnamed organizations. Adobe and Rackspace are among the companies so far that say they were hit by the attacks, which first came to light this past week and were allegedly conducted by hackers in China.

With the IE exploit in the wild now, it could be used by other cybercriminals to go after other organizations or users. And while Metasploit's new exploit is meant for researchers and penetration testers to gauge their vulnerability to the attack, Metasploit is still an open-source tool that can be deployed for nefarious purposes.

"The public release of the exploit code increases the possibility of widespread attacks using the Internet Explorer vulnerability," George Kurtz, McAfee's CTO, blogged late yesterday. "This attack is especially deadly on older systems that are running XP and Internet Explorer 6."

The IE flaw discovery has prompted the German government to recommend that its citizens no longer use IE and instead run alternative browser until Microsoft comes up with a patch, according to a post on Heise Security.

Researchers working on investigating the attacks say the IE malware was just one weapon used in the attacks.

In a related development, iDefense has retracted its claims that infected PDF files were used in the attacks on Google and others. Earlier last week iDefense had said that malicious PDF file attachments sent via email to the victims were likely the attack vector.

"In iDefense's press announcement regarding the recently discovered Silicon Valley compromises, we stated that the attack vector was likely 'malicious PDF file attachments delivered via email' and suggested that vulnerability in Adobe Reader appeared to have been exploited in these attacks. Upon further review, we are retracting our initial assessment regarding the likely use of Adobe vulnerabilities. There are currently no confirmed instances of vulnerability in Adobe technologies being used in these attacks. We continue to investigate this issue," iDefense said in a statement late yesterday.

iDefense's statement and revelations by McAfee about its findings led other researchers to back down from their claims of infected PDFs, as well.

Meanwhile, Microsoft provided more details on the actual vulnerability. It's basically a memory-corruption problem that is triggered when an attacker using JavaScript places attack code in the memory.

Users of IE 6 on Windows XP should upgrade to a newer version of IE or enable Data Execution Prevention (DEP), according to Microsoft. All versions of IE crash when the attack code is opened, but you can limit the attack to just crashing the browser by disabling JavaScript and disabling the code from executing in "freed memory," Microsoft suggests. DEP stops code from executing from pages of memory that aren't designated as executable, thus stopping the malware.

Daniel Kennedy, a partner with the Praetorian Security Group, says the attack opens a backdoor into the victim's PC, which gives the attacker carte blanche to do whatever the user can do. "Once the backdoor is open to the user's PC the attacker can use it as a pivot point for other attacks against the internal network, escalate his or her privileges, take information off the PC, basically do anything the user can do," Kennedy said in blog post late yesterday.

He also posted a video simulating the attack, using the new Metasploit exploit module. You can view it here.

Meanwhile, the U.S. State Department reportedly may take more formal measures against China over the alleged attacks. State Department officials want answers from China, but thus far have been unsuccessful in doing so in their initial meetings with Chinese officials.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
Slideshows
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
Commentary
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31755
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setmac allows attackers to execute arbitrary code on the system via a crafted post request.
CVE-2021-31756
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /gofrom/setwanType allows attackers to execute arbitrary code on the system via a crafted post request. This occurs when input vector controlled by malicious attack get copie...
CVE-2021-31757
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setVLAN allows attackers to execute arbitrary code on the system via a crafted post request.
CVE-2021-31758
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setportList allows attackers to execute arbitrary code on the system via a crafted post request.
CVE-2021-31458
PUBLISHED: 2021-05-07
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.1.37576. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handlin...