December 2010

Operation Aurora Attacks

Modern Malware Exposed: The “Operation Aurora” Incident: A Case Study in Security Failure

By: Ashir Aziz, FireEye Inc.

On January 12th, 2010, Google honorably disclosed to the world that it had been a victim of modern malware. It was soon discovered that Google was one of more than 20 companies successfully targeted by a well-organized and coordinated effort to gain access to sensitive systems and information. Companies targeted were within a range of industries, including the financial, technology, and chemical sectors. These attacks later became known as “Operation Aurora” and are a very useful example of what modern attacks and malware actually look like, and of how commonly used security technologies completely fail in combating these attacks.

The attacks started to take place in December 2009, leveraging an unknown (zero-day) Internet Explorer 6.0 vulnerability, and, once a system was compromised, the attackers installed a Trojan. This Trojan malware would then communicate back to a criminal command and control server which had the ability to issue a variety of different commands, enabling attackers to gain additional access within compromised companies’ networks and systems.

The first stage of the Aurora attack was to lure users into clicking on a Web site link that would direct the user’s Web browser to the attacker’s Web server. This activity was not identified as suspicious by firewalls, IPS, antivirus, or Web gateways; it is behavior that happens constantly during the normal course of Web browsing. Once a victim’s Web browser loaded the malicious Web site, an unknown vulnerability within Internet Explorer was exploited in order to run malicious code. IPS products were not preventing this exploit as it targeted an unknown vulnerability, so these devices had no generic vulnerability signature. Likewise, because this attack was coming from a Web site that was not yet in any malicious Web site database, Web gateway technologies were not able to filter out these Web requests.

Once the Internet Explorer exploit was successful, the second stage was to download a Trojan malware component that would give attackers the access they needed to manipulate compromised systems. This malware was custom developed and therefore not yet known to the antivirus industry, so a signature had yet to be manually created. As a result, desktop antivirus software was just as blind to the attack as firewalls, IPS, and Web gateways. Antivirus companies later released signature detection updates, once the attacks had long passed, and called the Trojan component “Hydraq.”

The 20 companies victimized by Operation Aurora relied upon a range of common security technologies. At all levels, the technologies that these companies were relying upon failed them.

The antivirus industry was especially quick to tell the world that the exploit and malware constituted the most technically sophisticated attack they had ever seen. The coordination and logistics of targeting more than 20 companies successfully in a very short period of time is no doubt a testament to the high level of sophistication of the attackers. However, the antivirus industry decided to use statements that bordered on false in their efforts to ascribe their products’ failings to the sophistication of the attacks.

The reality is that while the scale of the attacks speaks to a highly organized effort, the specific vulnerability, exploit, and malware were no more sophisticated than those of many other modern malware attacks. In fact, Operation Aurora’s Trojan, its communication capabilities, and its resiliency were less sophisticated than those of many massively deployed botnets. Antivirus vendors also referred to Operation Aurora’s “triple encryption”, when in reality only simple substitution and encoding were being used. Rather than “masquerading as SSL” as vendors claimed, Operation Aurora’s perpetrators used a custom communication protocol and tunneled it right through the firewall over the standard SSL port, 443, in order to elude detection.
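A defender can test the point above, that traffic on port 443 is not necessarily SSL, by checking whether the first client bytes of each flow form a valid SSL/TLS hello. The sketch below is an added example, not part of the original article; the function names, addresses, and sample payloads are constructed for illustration and are not the actual Aurora protocol bytes.

```python
import struct

TLS_HANDSHAKE = 0x16      # TLS record content type: handshake
CLIENT_HELLO = 0x01       # handshake message type: ClientHello
MAX_PLAINTEXT = 16384     # largest plaintext TLS record body

def classify_first_payload(payload: bytes) -> str:
    """Classify the first client-to-server bytes of a TCP/443 flow."""
    if len(payload) < 6:
        return "too-short"            # inconclusive, e.g. a tiny first segment
    # SSLv2-compatible ClientHello: 2-byte header with the high bit set,
    # then message type 1 and the offered version (0x0002 or 0x03xx).
    if payload[0] & 0x80 and payload[2] == CLIENT_HELLO:
        if (payload[3], payload[4]) == (0, 2) or payload[3] == 3:
            return "sslv2-hello"
    ctype, major, minor, length = struct.unpack("!BBBH", payload[:5])
    if ctype != TLS_HANDSHAKE or major != 3 or minor > 4:
        return "not-tls"
    if length == 0 or length > MAX_PLAINTEXT:
        return "not-tls"
    if payload[5] != CLIENT_HELLO:
        return "not-tls"
    return "tls-hello"

def flag_non_tls_flows(flows):
    """Return (src, dst) for port-443 flows that do not open with an SSL/TLS hello."""
    return [(f["src"], f["dst"]) for f in flows
            if f["dport"] == 443
            and classify_first_payload(f["first_payload"]) == "not-tls"]

# Constructed sample flows (documentation/private address ranges).
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "198.51.100.20", "dport": 443,   # TLS 1.0 ClientHello prefix
     "first_payload": b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x01"},
    {"src": "10.0.0.6", "dst": "198.51.100.21", "dport": 443,   # SSLv2-style hello prefix
     "first_payload": b"\x80\x2e\x01\x03\x01\x00\x15\x00\x00\x00\x10"},
    {"src": "10.0.0.7", "dst": "203.0.113.9", "dport": 443,     # custom, non-TLS framing
     "first_payload": b"CUSTOMPROTO\x00\x01\x02"},
]

if __name__ == "__main__":
    for src, dst in flag_non_tls_flows(SAMPLE_FLOWS):
        print(f"non-TLS traffic on 443: {src} -> {dst}")
```

A port-based firewall rule passes all three flows; only the content check separates the third from genuine SSL/TLS sessions.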

The bottom line is that antivirus, as well as IPS and other traditional security mechanisms, failed to provide organizations with the necessary level of protection. These attacks clearly illustrate the shortcomings of today’s common security technologies in safeguarding against attacks that leverage unknown, and therefore unpatchable, software vulnerabilities along with custom modern malware. Quite simply, reactive, signature-based approaches are unable to solve this dynamic and polymorphic problem.

The effects of these attacks were not felt just by the 20-plus organizations originally targeted. As soon as news came to light about the Aurora attacks, more information surfaced about the unpatched Internet Explorer vulnerability. Consequently, unrelated, malicious Web sites were soon popping up en masse to victimize any unsuspecting Internet user who had an older version of Internet Explorer and who visited the wrong Web site at the wrong time. In these cases, unrelated cyber criminals exploited this vulnerability, like so many others, to enslave computer systems to massive bot networks that could subsequently be used for information theft, DDoS attacks, and spam generation.

This is how zero-day attacks that target large enterprises have an eventual trickle-down effect on smaller businesses and consumers alike. Since the Internet Explorer zero-day vulnerability was not yet well understood by an industry built on reactive signatures, the smaller businesses and consumers were offered no protection until much later. Without a doubt, this cycle must end and end quickly; the stakes of technology compromise only grow with each passing day.