Operation Aurora

On January 14, 2010, McAfee Labs identified a zero-day vulnerability in Microsoft Internet Explorer that was used as an entry point for Operation Aurora to exploit Google and at least 20 other companies. Microsoft issued a security bulletin and patch immediately. Operation Aurora was a coordinated attack that included a piece of computer code exploiting the Internet Explorer vulnerability to gain access to computer systems. The exploit was then extended to download and activate malware within those systems. The attack, which was initiated stealthily when targeted users accessed a malicious web page, ultimately connected those computer systems to a remote server. This connection was used to steal company intellectual property and to gain access to user accounts. Why did the users visit the malicious web page? Likely because they believed it to be reputable. This attack became particularly famous because of the level of sophistication and the obfuscation methods used.

What exactly happened?

Hackers seeking source code from Google, Adobe and dozens of other high-profile companies used unprecedented tactics that combined encryption, stealth programming and an unknown security hole in Internet Explorer. It was targeted at all the people who used Internet Explorer. Serves them right for still using Internet Explorer! But nevertheless, I am not condoning those attacks.

Google announced that it had been the target of a highly sophisticated and coordinated hack attack against its corporate network. It said the hackers had stolen intellectual property and sought access to the Gmail accounts of human rights activists. They said that the attack originated from China. The attackers used nearly a dozen pieces of malware and several levels of encryption to burrow deeply into the company networks and obscure their activity.

The encryption used by the attackers was highly successful in obfuscating the attack and avoiding common detection methods. Antivirus and security software usually employ several methods to detect the presence of such attacks. Detection is usually based on previous attacks and some intuition. But this was the first time anyone had ever used this kind of attack. The hack attacks have been dubbed Operation Aurora by McAfee due to the belief that this is the name the hackers used for their mission. The name comes from references in the malware to a file folder named “Aurora” that was on the computer of one of the attackers. McAfee researchers say that when the hacker compiled the source code for the malware into an executable file, the compiler injected the name of the directory on the attacker’s machine where he worked on the source code.
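
The compiler-injected directory name described above usually sits in a binary's CodeView debug record as the path to its .pdb file. The following is an added example, not code from the original post or from McAfee: it scans raw bytes for RSDS and NB10 records and lists the folder names in each path. The sample input and its path are constructed placeholders.

```python
import ntpath
import struct
import uuid

# CodeView debug records: signature -> bytes before the NUL-terminated PDB path.
# RSDS = 4 sig + 16 GUID + 4 age; NB10 = 4 sig + 4 offset + 4 timestamp + 4 age.
CODEVIEW_HEADERS = {b"RSDS": 24, b"NB10": 16}

def find_pdb_paths(data: bytes):
    """Scan raw file bytes for CodeView records and return the embedded PDB paths."""
    hits = []
    for sig, header_len in CODEVIEW_HEADERS.items():
        pos = data.find(sig)
        while pos != -1:
            start = pos + header_len
            end = data.find(b"\x00", start)
            raw = data[start:end] if end != -1 else b""
            # Keep only plausible paths: short, printable ASCII, ending in .pdb
            if (0 < len(raw) <= 260 and raw.lower().endswith(b".pdb")
                    and all(32 <= c < 127 for c in raw)):
                path = raw.decode("ascii")
                hits.append({
                    "format": sig.decode(),
                    "offset": pos,
                    "pdb_path": path,
                    # Directory components reveal the developer's folder names
                    "folders": [p for p in ntpath.dirname(path).split("\\") if p],
                })
            pos = data.find(sig, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])

def build_sample() -> bytes:
    """Constructed test input: not a real executable and not from the Aurora samples."""
    path = b"C:\\work\\ExampleProject\\Release\\tool.pdb"  # placeholder path
    record = b"RSDS" + uuid.UUID(int=1).bytes_le + struct.pack("<I", 1) + path + b"\x00"
    return b"MZ" + b"\x00" * 62 + record + b"\x00" * 16

if __name__ == "__main__":
    for hit in find_pdb_paths(build_sample()):
        print(hit)
```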

How did they do it?

Once the user visited the malicious site, their Internet Explorer browser was exploited to download an array of malware to their computer automatically and transparently. The programs unloaded seamlessly and silently onto the system, like Russian nesting dolls, flowing one after the other. The encryption was such that the security software couldn’t detect any kind of malware or even any abnormal activity.

The initial piece of code was shellcode, encrypted three times, that activated the exploit. Shellcode is a small piece of code that typically starts a command shell and helps the attacker control the user’s machine. It can spawn new shells and usually acts as the payload that lets the attacker exploit the vulnerability. This shellcode then downloaded, from an external machine, the first piece of binary and dropped it on the host. That download was also encrypted. The encrypted binary packed itself into a couple of executables that were also encrypted.

One of the malicious programs opened a remote backdoor to the computer, establishing an encrypted covert channel that masqueraded as an SSL connection to avoid detection. This is another neat trick they used! I have discussed more about SSL encryption here. This gave the attackers ongoing access to the computer and let them use it as a beachhead into other parts of the network to search for login credentials, intellectual property and whatever else they were looking for.
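
A channel that only masquerades as SSL can be caught by checking whether the first bytes a client sends to port 443 really form a handshake record. The following is an added example, not code from the original post: the flow-record layout, addresses and payload bytes are constructed, and the non-TLS payload is made up rather than taken from the Aurora malware.

```python
import struct

def is_tls_client_hello(payload: bytes) -> bool:
    """True if the first client bytes form a well-formed SSLv3/TLS ClientHello record."""
    if len(payload) < 9:
        return False
    ctype, major, minor, rec_len = struct.unpack("!BBBH", payload[:5])
    if ctype != 0x16 or major != 3 or minor > 4:   # handshake record, SSL 3.0 .. TLS 1.3
        return False
    if not 4 <= rec_len <= 16384:                   # plaintext record size limit
        return False
    hs_type = payload[5]
    hs_len = int.from_bytes(payload[6:9], "big")
    # A ClientHello normally fills exactly one record: 4-byte handshake header + body
    return hs_type == 0x01 and hs_len + 4 == rec_len

def flag_fake_ssl(flows):
    """Return flows to port 443 whose first client payload is not a ClientHello."""
    return [f for f in flows
            if f["dport"] == 443 and not is_tls_client_hello(f["first_payload"])]

def build_client_hello() -> bytes:
    """Constructed minimal ClientHello (TLS 1.2, one cipher suite, no extensions)."""
    body = (b"\x03\x03" + bytes(32)      # client_version, random
            + b"\x00"                     # empty session id
            + b"\x00\x02\x00\x2f"         # cipher suites: TLS_RSA_WITH_AES_128_CBC_SHA
            + b"\x01\x00")                # compression: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

# Constructed flow records; addresses are documentation ranges, payloads are made up.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "192.0.2.10", "dport": 443,
     "first_payload": build_client_hello()},
    {"src": "10.0.0.7", "dst": "198.51.100.20", "dport": 443,
     "first_payload": bytes.fromhex("deadbeef0102030405060708")},
    {"src": "10.0.0.5", "dst": "192.0.2.30", "dport": 80,
     "first_payload": b"GET / HTTP/1.1\r\n"},
]

if __name__ == "__main__":
    for flow in flag_fake_ssl(SAMPLE_FLOWS):
        print("port 443 without TLS handshake:", flow["src"], "->", flow["dst"])
```

Clients that still send an SSLv2-format hello would also be flagged, so treat hits as leads to review rather than verdicts.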

The sophistication of the attack was remarkable and was something that researchers had seen before in attacks on the defense industry, but never in the commercial sector. Generally, in attacks on commercial entities, the focus is on obtaining financial data, and the attackers typically use common methods for breaching the network, such as SQL-injection attacks through a company’s web site or through unsecured wireless networks.

Cyber criminals use dynamic DNS

When the other Aurora-related domains were examined, the one pattern that stuck out was the use of dynamic DNS services. The Domain Name System (DNS) helps in locating computer services and devices worldwide. It is basically a translator that turns domain names into IP addresses. It is the first thing people use to track the origin of any computer-related crime. It can be used to track laymen who get involved in petty crimes like illegal downloads, online blackmail, fraud, etc. Hence good hackers use dynamic DNS. Dynamic DNS updates the IP address behind a name in real time, and hackers use it to avoid getting tracked. Coming back to our case, the hackers used dynamic DNS very effectively during the Aurora incident. The IP addresses using the DNS services evaporated into thin air!

Cyber criminals use dynamic DNS services because they are affordable and fast. There is little effort needed to manage one, and if it is dropped, there is no real loss. In the past, attacks carried out using these types of services have ranged from spam to phishing. Botnet owners use dynamic DNS for command and control operations, and the services can be used to hide as well.
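
Because the addresses behind a dynamic DNS name keep changing, defenders get more out of tracking the names in resolver logs than out of blocking IPs. The following is an added example, not code from the original post: it assumes a whitespace-separated log format, and the provider suffixes, names and addresses are constructed placeholders.

```python
from collections import defaultdict

# Placeholder suffixes: replace with the dynamic DNS provider zones you track.
DYNDNS_SUFFIXES = ("dyn-provider.example", "ddns.example.net")

def under_suffix(qname: str, suffixes=DYNDNS_SUFFIXES) -> bool:
    """Match on label boundaries so 'notdyn-provider.example' does not match."""
    name = qname.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in suffixes)

def summarize_dyndns(log_lines, max_ttl=300):
    """Group dynamic DNS lookups by name: who asked, what IPs came back, TTLs."""
    seen = defaultdict(lambda: {"clients": set(), "ips": set(), "min_ttl": None})
    for line in log_lines:
        parts = line.split()
        if len(parts) != 6:
            continue                      # skip malformed lines
        _ts, client, _qtype, qname, answer, ttl = parts
        if not under_suffix(qname) or not ttl.isdigit():
            continue
        rec = seen[qname.rstrip(".").lower()]
        rec["clients"].add(client)
        rec["ips"].add(answer)
        rec["min_ttl"] = int(ttl) if rec["min_ttl"] is None else min(rec["min_ttl"], int(ttl))
    report = []
    for name, rec in sorted(seen.items()):
        report.append({
            "name": name,
            "clients": sorted(rec["clients"]),
            "ips": sorted(rec["ips"]),
            # Several addresses behind a short-TTL name means blocking by IP will not hold
            "ip_changed": len(rec["ips"]) > 1 and rec["min_ttl"] <= max_ttl,
        })
    return report

# Constructed resolver log: timestamp client qtype qname answer ttl
SAMPLE_LOG = """\
2010-01-12T09:14:03Z 10.0.0.5 A www.example.com 192.0.2.80 3600
2010-01-12T09:14:09Z 10.0.0.7 A update.dyn-provider.example 203.0.113.7 60
2010-01-12T11:40:51Z 10.0.0.7 A update.dyn-provider.example 198.51.100.44 60
2010-01-12T11:41:02Z 10.0.0.9 A Update.Dyn-Provider.Example. 198.51.100.44 60
2010-01-12T12:00:00Z 10.0.0.5 A notdyn-provider.example 192.0.2.81 300
""".splitlines()

if __name__ == "__main__":
    for entry in summarize_dyndns(SAMPLE_LOG):
        print(entry)
```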

The attackers here used various tricks. The actual attack on Google and the other victims has generated a lot of debate and coverage in the press. This coverage has gone from waiting for more information, to political debates and service pitches.

