The Google vs. China Megamatch: The sordid details behind Aurora and Internet Explorer exploit.
January 22, 2010 - By Ivan A. Vazquez
Note: Following is the first of what Geek Shui Living hopes will be many posts by a network security guru, known ominously as The Reaper. We warmly welcome him to the team!
What is the Current Aurora Exploit Situation?
Working exploit code for a serious Internet Explorer vulnerability (now patched under MS10-002), the same one used in Operation Aurora to attack Google and others in December 2009, has now been published on the Internet. Many are taking the matter seriously: the German government, for example, has recommended that its citizens stop using Internet Explorer and switch to an alternative browser. Microsoft released the patch for the vulnerability out-of-band on January 21, 2010.
How did Operation “Aurora” Come to be?
Some may wonder about the origin of the name “Aurora.” Did McAfee make it up on its own? Did it just sound cool as it rolls clumsily off the tongue? Based on analysis, “Aurora” was part of a file path on the attacker’s machine that was embedded in two of the malware binaries confirmed to be associated with the attack. That path is the debug-symbol (.pdb) path the compiler and linker write into a binary so a debugger can locate the symbols and source on the build machine; an attacker who forgets to strip it leaks the directory layout of their own development box. The name appears to be what the attacker(s) called the operation internally. While Google itself has said that the attacks “originated in China,” experts have been quick to point out that attackers commonly route their communications through faraway computers, so the real operators could be located anywhere in the world. New clues about the origins of the malicious software that exploited the newly patched Internet Explorer vulnerability, though, suggest the exploit was in fact assembled by Chinese programmers.
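How does an analyst actually pull that path out of a binary? The CodeView debug record that holds it has a fixed header (“RSDS” plus a 16-byte GUID and a 4-byte age for modern PDB 7.0 files, “NB10” plus offset, timestamp and age for the older PDB 2.0 format) followed by the NUL-terminated path. The following Python script is an added example, not code from the original post or from any of the Aurora analyses: it scans raw bytes for both record shapes and splits the path into its directory names, which is where a project or operation name usually sits. The sample bytes and the two paths in it are constructed for the example and are not the paths from the real malware.

```python
import re
import struct

# Constructed sample data for this example: a chunk of bytes shaped like part
# of a PE image, containing one RSDS (PDB 7.0) and one NB10 (PDB 2.0) CodeView
# debug record. The paths are invented; they are NOT the paths from the real
# Aurora binaries.
SAMPLE_BINARY = (
    b"\x00" * 32
    + b"RSDS"                                   # CodeView 7.0 signature
    + bytes(range(16))                          # 16-byte PDB GUID
    + struct.pack("<I", 3)                      # age
    + b"c:\\work\\example_src\\Release\\example.pdb\x00"
    + b"\x00" * 16
    + b"NB10"                                   # CodeView 2.0 signature
    + struct.pack("<III", 0, 0x4B4F1234, 1)     # offset, timestamp, age
    + b"d:\\old\\legacy.pdb\x00"
    + b"\x00" * 8
)

# A PDB path is a NUL-terminated run of printable ASCII right after the record
# header. Matching on raw bytes instead of walking the PE debug directory means
# this also works on memory dumps and on samples with damaged headers.
_RSDS_RE = re.compile(rb"RSDS(.{16})(.{4})([\x20-\x7e]{1,260})\x00", re.DOTALL)
_NB10_RE = re.compile(rb"NB10(.{4})(.{4})(.{4})([\x20-\x7e]{1,260})\x00", re.DOTALL)


def _format_guid(raw: bytes) -> str:
    """Render the 16 GUID bytes in the usual registry-style form."""
    d1, d2, d3 = struct.unpack("<IHH", raw[:8])
    return f"{d1:08X}-{d2:04X}-{d3:04X}-{raw[8:10].hex().upper()}-{raw[10:].hex().upper()}"


def find_pdb_paths(data: bytes) -> list:
    """Return every CodeView debug record found in data, in file order."""
    records = []
    for m in _RSDS_RE.finditer(data):
        records.append({
            "offset": m.start(),
            "format": "RSDS",
            "guid": _format_guid(m.group(1)),
            "age": struct.unpack("<I", m.group(2))[0],
            "path": m.group(3).decode("ascii"),
        })
    for m in _NB10_RE.finditer(data):
        _offset, timestamp, age = struct.unpack("<III", m.group(1) + m.group(2) + m.group(3))
        records.append({
            "offset": m.start(),
            "format": "NB10",
            "timestamp": timestamp,
            "age": age,
            "path": m.group(4).decode("ascii"),
        })
    return sorted(records, key=lambda r: r["offset"])


def path_components(path: str) -> list:
    """Split a Windows path into its directory names; project and operation
    names (the "Aurora" of this story) usually live in one of these."""
    return [p for p in re.split(r"[\\/]+", path) if p]


if __name__ == "__main__":
    for rec in find_pdb_paths(SAMPLE_BINARY):
        print(f"{rec['offset']:#06x} {rec['format']} age={rec['age']} {rec['path']}")
        print("   components:", path_components(rec["path"]))
```

Run it against `open(sample, "rb").read()` of a suspect file. The GUID and age are worth keeping too: together they identify the exact build, which lets you tie two binaries to the same compilation environment even when the path has been changed.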
How Were Systems Compromised?
When a user navigated to a malicious web page from a vulnerable Microsoft Windows system, JavaScript on the page first checked whether the visiting browser was one it could exploit and, on a positive match, delivered the exploit for what was tracked at the time as the Microsoft Internet Explorer DOM Operation Memory Corruption Vulnerability. The script lays out attacker-controlled data across the heap (a classic heap spray) and then drives the DOM through the sequence that leaves Internet Explorer using an object after it has been freed, so execution lands in the sprayed memory. Once the malware is downloaded and installed, it opens a back door that lets the attacker perform reconnaissance and take complete control of the compromised system. From there the attacker can identify high-value targets and start siphoning valuable data out of the company.
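For the defender the interesting part of that sequence is what it looks like in a captured page: long `unescape("%u....")` strings, one of them a single repeated byte (the sled), a loop that doubles a string or fills an array, and the event-object API the bug is reached through. The Python script below is an added example, not code from the original post and not the exploit itself: it decodes `%uXXXX` strings into the little-endian bytes a spray lays out in memory, tells sled from payload, and scores a page on those indicators. The two sample pages are constructed for the example; the “suspicious” one copies only the shape of a spray page and carries no working payload.

```python
import re

# Constructed sample page for this example. It copies only the *shape* of a
# heap-spray exploit page (sled block, "shellcode" block, spray loop, IE event
# object API); the byte values are filler and it exploits nothing.
SUSPICIOUS_PAGE = r'''
<html><body><script>
var sc = unescape("%u9090%u9090%uCCCC");
var nops = unescape("%u0c0c%u0c0c");
while (nops.length < 0x10000) nops += nops;
var spray = new Array();
for (var i = 0; i < 200; i++) spray[i] = nops + sc;
var ev = document.createEventObject();
</script></body></html>
'''

# Ordinary use of unescape() on a percent-encoded string, for comparison.
BENIGN_PAGE = '<script>var name = unescape("Geek%20Shui");</script>'

_UNESCAPE_RE = re.compile(r'unescape\(\s*"((?:%u[0-9a-fA-F]{4})+)"\s*\)')
_UNICODE_ESC_RE = re.compile(r'%u([0-9a-fA-F]{4})')
# Two common shapes of a spray loop: doubling a string up to a size, and
# filling an array with sled + payload.
_SPRAY_LOOP_RE = re.compile(
    r'while\s*\(\s*\w+\.length\s*<|\w+\[\s*\w+\s*\]\s*=\s*\w+\s*\+\s*\w+'
)


def decode_unicode_escape(s: str) -> bytes:
    """Turn a %uXXXX string into the little-endian bytes JavaScript's
    unescape() lays out in memory, so the blob can be hashed or disassembled."""
    out = bytearray()
    for m in _UNICODE_ESC_RE.finditer(s):
        out += int(m.group(1), 16).to_bytes(2, "little")
    return bytes(out)


def is_sled(blob: bytes) -> bool:
    """A sled is one byte value repeated (0x0c, 0x90, ...); shellcode is not."""
    return len(blob) >= 4 and len(set(blob)) == 1


def analyze_page(page: str) -> dict:
    """Score a page for heap-spray indicators and return what was found."""
    blobs = [decode_unicode_escape(m.group(1)) for m in _UNESCAPE_RE.finditer(page)]
    sleds = [b for b in blobs if is_sled(b)]
    payloads = [b for b in blobs if not is_sled(b)]
    result = {
        "blobs": len(blobs),
        "sled_blobs": len(sleds),
        "payload_bytes": sum(len(b) for b in payloads),
        "spray_loop": bool(_SPRAY_LOOP_RE.search(page)),
        "event_object": "createEventObject" in page,
    }
    hits = sum([
        result["sled_blobs"] > 0,
        result["payload_bytes"] > 0,
        result["spray_loop"],
        result["event_object"],
    ])
    result["verdict"] = "suspicious" if hits >= 3 else ("review" if hits >= 1 else "clean")
    return result


if __name__ == "__main__":
    for name, page in (("suspicious", SUSPICIOUS_PAGE), ("benign", BENIGN_PAGE)):
        print(name, analyze_page(page))
```

Point it at the HTML body pulled from a proxy log or a packet capture. The thresholds are deliberately simple; the thing to take away is that the sled and the spray loop are structural and survive most of the string obfuscation attackers apply, which is why they make better indicators than the payload bytes themselves. If a spray uses a two-byte repeating pattern, loosen `is_sled` accordingly.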
What was the Payload of the Exploit?
Once a system was successfully compromised, the exploit downloaded and ran an executable from a site that has since been taken offline (but will surely pop up again elsewhere). That executable installed a remote access Trojan configured to load at startup, and the Trojan then called out to a remote server, giving the attackers the ability to view, create, and modify information on the compromised system. Highly customized, patient intrusions of this kind, known as Advanced Persistent Threats (APT), were previously seen mainly against governments, which tells you that someone wanted in really badly for more than just credit card numbers. The mere mention of APTs will surely strike fear into even the most veteran of cyberwarriors. They are the battlefield drone of the network: with pinpoint accuracy they deliver their payload, and by the time they are discovered, it’s already too late.
How Serious and Widespread is the Vulnerability?
In this instance, Aurora appears to have been a very concentrated attack on specific targets, and it is not believed to be widespread at this time. The Internet Explorer vulnerability leveraged in the attack does allow remote code execution, but it still requires user intervention (following a hyperlink to a website, opening an email attachment that loads a page, and so on). Furthermore, the single exploit known to exist can be thwarted, except in Internet Explorer 6, by ensuring Data Execution Prevention (DEP) is enabled for the browser. Internet Explorer 8 turns DEP on by default (on Windows XP SP3, Windows Vista SP1 and later); in Internet Explorer 7 it is optional (on Windows Vista it is the “Enable memory protection to help mitigate online attacks” checkbox under Tools > Internet Options > Advanced). Among the long list of affected browser/OS combinations listed by Microsoft are Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, 7 and 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. A patch that is available but not actually installed protects nobody. Though the Google vs. China occurrence may be winding down, you can be certain this exploit will reappear with a different payload, probably aimed at building an evil robot army (are there any other kinds of robot armies?).
For a complete listing of the affected browsers/OS combinations and detailed information on MS10-002: Microsoft Security Bulletin MS10-002 – http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx
Important Note: Home users should have Automatic Updates enabled by default, so the patching should be at least semi-automated. As always, though, System and Network Administrators should test this (and any other) patch on a non-production computer or server, to ensure it doesn’t break something critical that is unique to their network and get them fired.
Ivan Vazquez, AKA The Reaper, is a CompTIA Security+ certified professional with more than 15 years of experience in the Information Technology universe, who specializes in network intrusion prevention, incident identification and analysis, content management, and vulnerability scanning and analysis. His past experience includes tenures with nationally and internationally-known technology companies. Have feedback or questions? Don’t be afraid to send them to The Reaper.
Related posts:
- Microsoft releases Emergency Patch for Internet Explorer Zero Day Flaw; Neither Admits nor Denies Anything
- McAfee’s Operation Aurora Pinpoints Internet Explorer Attack Vector
- Geek Shui Living’s Latest MWD Contribution – Is Google’s Change in Browser Support the Equivalent of a Virtual Hit on Internet Explorer 6?
- Alleged Employee Role in Google Attack Highlights the Importance of Computer Security Education
- Watch Out Hackers: Google Called in the Feds