An update on Operation Aurora

The attack (Operation Aurora) on around 20 companies in the US, including Google, Adobe, Juniper Networks and others, used a zero-day exploit of Internet Explorer and is partly linked to social engineering: the carefully crafted emails were plausible in content and structure, so users bought into them. Once the payload was released and the machine was owned, the affected machine would contact a Command and Control (C&C) server, which would send back specific instructions based on the Workgroup name and machine environment (OS etc.). Data was accepted and transmitted using home-made encryption piggy-backed onto port 443, which is typically reserved for the transfer of HTTP data over SSL.

Over at Avert Labs, there is a good write-up describing the structure and interaction of the multiple software cogs, written in highly obfuscated ways, that each contributed to owning the machine.

After the initialization of the malware DLL, a connection is made to the command and control (C&C) server. The connection is made on port 443 which is usually used by the HTTPS protocol, encrypted with SSL. During analysis, we noticed that the employed protocol on this port was not the standard SSL protocol, but a custom encrypted protocol.
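A defender can test for the behaviour described above by checking whether the first client bytes of a port-443 flow actually form an SSL/TLS ClientHello. The following is an added example, not code from the original post or from McAfee; the function names, flow records and sample bytes are constructed for illustration and do not reproduce the malware's actual protocol.

```python
import struct

TLS_HANDSHAKE = 0x16      # TLS record content type: handshake
CLIENT_HELLO = 0x01       # handshake message type: ClientHello
MAX_RECORD_LEN = 16384    # plaintext record size limit in the TLS specifications


def classify_first_payload(payload: bytes) -> str:
    """Classify the first client-to-server bytes of a TCP flow."""
    if len(payload) < 6:
        return "too-short"
    ctype, major, minor, length = struct.unpack("!BBBH", payload[:5])
    # SSLv3/TLS record header followed by a ClientHello handshake message.
    if (ctype == TLS_HANDSHAKE and major == 3 and minor <= 4
            and 0 < length <= MAX_RECORD_LEN and payload[5] == CLIENT_HELLO):
        return "tls-client-hello"
    # SSLv2-compatible ClientHello: 2-byte header with the high bit set,
    # message type 1, then the offered version (0x0002 or 0x03xx).
    if payload[0] & 0x80 and payload[2] == CLIENT_HELLO and (
            payload[3] == 0x03 or (payload[3], payload[4]) == (0x00, 0x02)):
        return "sslv2-client-hello"
    return "not-tls"


def flag_non_tls_443(flows):
    """Return the flows to port 443 whose first payload is not SSL/TLS."""
    return [f for f in flows
            if f["dport"] == 443
            and classify_first_payload(f["first_payload"]) == "not-tls"]


# Constructed sample flows (documentation-range addresses, made-up bytes).
SAMPLE_FLOWS = [
    {"src": "192.0.2.10", "dst": "198.51.100.5", "dport": 443,
     "first_payload": bytes.fromhex("160301002f0100002b0301") + bytes(40)},
    {"src": "192.0.2.11", "dst": "198.51.100.9", "dport": 443,
     "first_payload": bytes.fromhex("deadbeef0000000010") + bytes(11)},
    {"src": "192.0.2.12", "dst": "198.51.100.7", "dport": 80,
     "first_payload": b"GET / HTTP/1.1\r\n"},
]

if __name__ == "__main__":
    for flow in flag_non_tls_443(SAMPLE_FLOWS):
        print("non-TLS traffic on 443:", flow["src"], "->", flow["dst"])
```

A hit only means the flow does not open with an SSL/TLS handshake, so it is a lead for investigation rather than a verdict on its own.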

The McAfee threat centre gave an overall summary:

“Operation Aurora” was a coordinated attack which included a piece of computer code that exploits a vulnerability in Internet Explorer to gain access to computer systems. This exploit is then extended to download and activate malware within the systems. The attack, which was initiated surreptitiously when targeted users accessed a malicious Web page

More to follow…