Operation Aurora malware investigated

Operation Aurora has become a name that is instantly recognized by everyone involved in cyber security. Speculation still abounds regarding the people and/or nation behind it, but what is certain is that the primary intent behind it is the theft of intellectual property.

According to a HBGary report, all these attacks on different companies have in common the means of execution: a flaw in the Internet Explorer browser was exploited to insert malware which drops a backdoor program in the targeted systems and networks.

There is a high probability of this malware having been developed in Chinese, and the control system seems designed for Chinese users, which suggests that the operation is Chinese. But, there is no hard evidence to suggest that the Chinese government is behind it.

Indeed, taking into consideration the thriving global underground economy that sprung up around malware and data theft, and the considerable money-hungry hacking subculture existing in China, it is likely that the ultimate goal was money. In Google’s case, it’s possible that the compromise of Gmail accounts belonging to Chinese dissidents served to throw the investigators off the scent of the real culprits.

According to the report, “forensic tool-marks in the CRC algorithm can be traced to Chinese origin. That, combined with domain registration information, leads to at least one potential actor, Peng Yongii.” Peng Yongii is the owner of a small company from whose 3322.org service many of the attacks originated. “While Peng Yong is clearly tolerant of cyber crime operating through his domain services, this does not indicate he has any direct involvement with Aurora,” says in the report.

So how can you detect Operation Aurora in your enterprise? First, you have to be aware of how the attack is executed:

• The JavaScript exploits a vulnerability in Internet Explorer 6
• The shellcode embedded in the JavaScript downloads the dropper
• A secondary payload server delivers a dropper
• The backdoor program is decompressed from the dropper and an embedded DLL is inserted into the Windows system32 directory and loads it as a service. The DLL is then modified to avoid detection, and the dropper deletes itself from the system.

Secondly, you should know that even though at first glance it is difficult to detect it, this attack does leave some traces in the system.

There are some exploit remnants that can be searched for in the heap space of Internet Explorer post exploitation attempt. There are some patterns and paths through which you can detect the final payload command and control communications, some additional registry keys created by the payload, and other potential dropped files that can be detected. You can look up all of these in the report.

The malware allows commands to be executed and files to be stolen. With the public release of the MS10-002 vulnerability by Microsoft and the exploit code being added to Metasploit to form the module “ie_aurora.rb”, a lot of other attackers were able to mount the same attack. HBGary is at the moment identifying these group though their Digital DNA database and tracking their movements.

They also presented the highly useful digital DNA sequence for the Aurora malware:

This sequence can be detected by using a Digital DNA capable platform such as McAfee ePO. Also, many anti-virus products have signatures for detecting the exploit and allow for removal of the malware. Known “command and control” domains (also in the report) can be blocked by firewalls. Additionally, HBGary has made available on their website a signed binary that scans and removes the malware from the network.