Google’s “Aurora” Attack

Source code was stolen from some of the more than 30 Silicon Valley companies targeted in the attack, sources said. Adobe has confirmed that it was targeted by an attack, and sources have said Yahoo, Symantec, Juniper Networks, Northrop Grumman, and Dow Chemical also were targets.

The German government recommended people avoid using Internet Explorer until Microsoft Corp. provides a patch to fix a “critical” security flaw that allowed a cyber attack against Google Inc.

McAfee says references in the IE-related attack code it analyzed indicate that the attackers called the operation “Aurora” and that the attack was extremely sophisticated.

There is a lot of news coming out about the attack on Google, and everyone involved is trying to work out exactly what happened. A lot of the evidence has started pointing to the Chinese government as being behind it.

VeriSign confirms Chinese government was behind cyberattack on Google.

How were systems compromised?

When a user loaded or navigated to a malicious web page from a vulnerable Microsoft Windows system, JavaScript on that page exploited a zero-day vulnerability in Internet Explorer, the Microsoft Internet Explorer DOM Operation Memory Corruption Vulnerability. Microsoft describes it as an invalid pointer reference that can be accessed after the object it pointed to has been deleted, and has released Security Advisory (979352) for this vulnerability (CVE-2010-0249).

What was the payload of the exploit?

Once a system was successfully compromised, the exploit downloaded and ran an executable from a remote site, which has since been taken offline. That executable installed a remote access Trojan configured to load at startup. The Trojan then called back to a remote server, which gave the attackers the ability to view, create, and modify information on the compromised system.

Microsoft says it best in their security blog:

“We have determined that Internet Explorer was one of the vectors used in targeted and sophisticated attacks against Google and possibly other corporate networks.”

Here is the posting from the McAfee Blog (“aurora”-hit-google-others/):

As with most targeted attacks, the intruders gained access to an organization by sending a tailored attack to one or a few targeted individuals. We suspect these individuals were targeted because they likely had access to valuable intellectual property. These attacks will look like they come from a trusted source, leading the target to fall for the trap and click a link or file. That’s when the exploitation takes place, using the vulnerability in Microsoft’s Internet Explorer.

Once the malware is downloaded and installed, it opens a back door that allows the attacker to perform reconnaissance and gain complete control over the compromised system. The attacker can now identify high value targets and start to siphon off valuable data from the company.

The Aurora Attack Vector

The attack vector: users were pointed to a web site (probably through a targeted e-mail, an attack known as spear phishing) containing JavaScript that triggers the invalid pointer reference in Internet Explorer (CVE-2010-0249) and redirects execution into the shellcode included in the page. The code below was released publicly.

Download the Attack Vector Here
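To make the bug class concrete, here is an added example that is not code from the original page and not the leaked Aurora exploit: a small C model of a DOM-like object that is still reachable through a stale reference after it has been deleted, next to a reference-counted variant that closes the hole. It goes beyond the specific IE bug to the general pattern behind it. The browser heap is replaced by a two-slot allocator so the behaviour is deterministic instead of undefined, and every name in it (dom_node, event_ctx, slab_alloc, the handlers) is hypothetical; nothing is taken from Internet Explorer's internals.

```c
/* Added example, not code from the original page and not the leaked Aurora
 * exploit: a deterministic C model of the bug class behind CVE-2010-0249,
 * a pointer to a deleted object that is dereferenced again later.
 * Every name here (dom_node, event_ctx, slab_alloc, the handlers) is
 * hypothetical; nothing is taken from Internet Explorer's internals. */
#include <stdio.h>
#include <string.h>

typedef struct dom_node dom_node;
typedef struct { void (*on_event)(dom_node *self); } dom_vtable;

/* A DOM-like object: virtual dispatch table, reference count, payload. */
struct dom_node {
    const dom_vtable *vt;
    int refs;
    char tag[16];
};

/* Two-slot allocator standing in for the browser heap. A freed slot is
 * handed straight back to the next request, which is exactly what lets
 * attacker-controlled data reoccupy the memory of a deleted object. */
static dom_node slab[2];
static int slab_free[2];

static void slab_reset(void) { slab_free[0] = slab_free[1] = 1; }
static dom_node *slab_alloc(void) {
    for (int i = 0; i < 2; i++)
        if (slab_free[i]) { slab_free[i] = 0; return &slab[i]; }
    return NULL;
}
static void slab_release(dom_node *p) {
    for (int i = 0; i < 2; i++)
        if (p == &slab[i]) slab_free[i] = 1;
}

static int benign_calls, hijacked_calls;
static void benign_handler(dom_node *n)   { (void)n; benign_calls++; }
/* Stands in for execution landing in the attacker's shellcode. */
static void attacker_handler(dom_node *n) { (void)n; hijacked_calls++; }
static const dom_vtable benign_vt   = { benign_handler };
static const dom_vtable attacker_vt = { attacker_handler };

/* Pending event holding a reference to its target node. In the vulnerable
 * flow this is a raw pointer that nobody invalidates when the node dies:
 * the "invalid pointer reference" of Microsoft's advisory. */
typedef struct { dom_node *target; } event_ctx;

static void dispatch(event_ctx *ev) {
    if (ev->target) ev->target->vt->on_event(ev->target);
}

static dom_node *make_node(const char *tag, const dom_vtable *vt) {
    dom_node *n = slab_alloc();
    n->vt = vt; n->refs = 1;
    strncpy(n->tag, tag, sizeof n->tag - 1); n->tag[sizeof n->tag - 1] = '\0';
    return n;
}

/* Vulnerable flow: the node is deleted while the event still points at it.
 * Returns the number of calls that reached the attacker's handler. */
static int vulnerable_flow(void) {
    slab_reset(); benign_calls = hijacked_calls = 0;
    dom_node *img = make_node("img", &benign_vt);
    event_ctx ev = { img };
    dispatch(&ev);                       /* legitimate: benign_handler */
    slab_release(img);                   /* node deleted; ev.target dangles */
    /* Script now allocates a same-sized object, gets the freed slot, and
     * fills it with bytes it controls, including the vtable pointer. */
    dom_node *fake = make_node("pwn", &attacker_vt);
    dispatch(&ev);                       /* stale pointer -> attacker's code */
    slab_release(fake);
    return hijacked_calls;               /* 1 */
}

/* Hardened flow: the event owns a counted reference, so the node cannot be
 * freed, and its slot cannot be reused, until the event has let go of it. */
static void node_retain(dom_node *n)  { n->refs++; }
static void node_release(dom_node *n) { if (--n->refs == 0) slab_release(n); }

static int hardened_flow(void) {
    slab_reset(); benign_calls = hijacked_calls = 0;
    dom_node *img = make_node("img", &benign_vt);
    event_ctx ev = { img };
    node_retain(img);                    /* event holds its own reference */
    dispatch(&ev);
    node_release(img);                   /* document drops the node: refs 2 -> 1 */
    dom_node *fake = make_node("pwn", &attacker_vt);  /* lands in the other slot */
    dispatch(&ev);                       /* still benign_handler */
    node_release(ev.target); ev.target = NULL;        /* last reference: freed now */
    node_release(fake);
    return hijacked_calls;               /* 0 */
}

int main(void) {
    printf("vulnerable flow: hijacked calls = %d\n", vulnerable_flow());
    printf("hardened flow:   hijacked calls = %d\n", hardened_flow());
    return 0;
}
```

The point of the two-slot allocator is the reuse step: the attacker never writes to the stale pointer directly, they only arrange for the deleted object's memory to be handed to something they control before the browser touches the old reference again. Counted ownership (or explicitly clearing every outstanding reference when the object goes away) is the fix for the class; a real browser has thousands of such cross-references, which is why this bug pattern kept recurring in DOM engines.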