Fresh analysis has revealed the sophistication of malware used in attacks against Google and other hi-tech firms originating from China last month.
It's now known that the attack took advantage of a zero-day vulnerability in Internet Explorer - CVE-2010-0249 - to drop malware onto compromised systems. After backdoor components (malicious Windows library files) are loaded, pwned systems attempt to contact command and control (C&C) servers.
Security analysts at McAfee have discovered that this communication uses a custom encrypted protocol on port 443. This is normally utilised by the HTTPS protocol, used by SSL ecommerce transactions.
The cracking techniques used in the assault used multiple malware components, with highly obfuscated code designed to confound security researchers. This marks it out as one of the most sophisticated hacking attacks to date, writes McAfee researcher Guilherme Venere.
"This attack involved very advanced methods, with several pieces of malware working in concert to give the attackers full control of the infected system, at the same time it attempts to disguise itself as a common connection to a secure website," he explains. "This way, the attackers were able to covertly gather all the information they wanted without being discovered."
The backdoor first sends information on registry keys on compromised systems along with the workgroup name of a machine and the version of Windows it is running before awaiting further instructions.
The attack - codenamed Operation Aurora - affected Google and at least 20 other firms, including Adobe, Juniper Networks, Rackspace, Yahoo! and Symantec. Google took the highly unusual step of going public on the attack a week ago, saying the assault on it targeted the webmail accounts of dissidents. In response, Google said it would operate an unfiltered version of its search engine in China and threatened to quit the country entirely.
A number of governments have advised businesses to consider using alternative browsers until Microsoft produces a patch against the vulnerability used in the Operation Aurora attacks. Australia (here) has joined France and Germany in pointing surfers towards either Firefox, Safari or Chrome as alternatives to IE, at least until Redmond issues a fix.
This sort of advice is rare but not unprecedented. CERT in the US advised surfers to use anything but IE in June 2004, as a response to a string of attacks involving the Download.Ject strain of malware, which caused widespread problems at the time.
Microsoft advises users to upgrade to IE8 which, while not immune to the bug used in the Operation Aurora attacks, is "not affected by currently known attacks and exploits due to the improved security protections” in the latest version of Microsoft's browser software.
The Operation Aurora attack targeted systems running IE6, which begs the question of why Google and the other affected concerns were running a version of Microsoft's browser software first released in 2001 and not Chrome. IE6 is famously outdated, and it's tempting to think Google and Yahoo! were only running it because it was the only browser supported by government systems connected with lawful interception (wiretapping). ®