McAfee Says Cyber-attack Details Point to IE Security Vulnerability

By Brian Prince  |  Posted 2010-01-14

McAfee Says Cyber-attack Details Point to IE Security Vulnerability

The more details that leak out about the cyber-attack that hit Google, Adobe Systems and roughly 30 other companies, the more complex the picture gets.

According to a Jan. 14 analysis by McAfee, which has dubbed the situation "Operation Aurora," one of the malware samples involved in the attack exploited a new zero-day vulnerability in Microsoft Internet Explorer. McAfee revealed little about the flaw, stating only that its investigation showed IE is vulnerable on all of Microsoft's operating systems, including Windows 7.

"Once the malware is downloaded and installed, it opens a back door that allows the attacker to perform reconnaissance and gain complete control over the compromised system," said McAfee CTO George Kurtz. "The attacker can now identify high-value targets and start to siphon off valuable data from the company."

Microsoft released some additional details about the vulnerability, which the company said is an invalid pointer reference within IE. According to Microsoft, the vulnerability affects IE versions 6, 7 and 8. The attacks the company has seen are reported to be targeting IE 6.

Talk of an IE vulnerability follows reports from other vendors that the attackers launched a spear-phishing campaign using Adobe Reader attachments. McAfee said it has not uncovered any evidence that a Reader vulnerability was exploited in the attacks.

However, according to VeriSign's iDefense Labs, malicious PDFs were involved, and Google followed the attack code back to the drop servers and determined that the attack hit an additional 33 companies.

"According to sources familiar with the present attack, attackers delivered malicious code used against Google and others using PDFs as e-mail attachments; those same sources also claim that the files have similar characteristics to those distributed during the July attacks," iDefense said in a Jan. 12 report. "In both attacks, the malicious files drop a backdoor Trojan in the form of a Windows DLL."

iDefense also noted similarities to a July 2009 attack in which hackers launched targeted e-mail campaigns against 100 IT-focused companies via a zero-day vulnerability in Reader.

"The code samples obtained by iDefense from the July attack and the present attack are different, but they contact two similar hosts for command-and-control communication," the iDefense report continued. "The servers used in both attacks employ the HomeLinux DynamicDNS provider, and both are currently pointing to IP addresses owned by Linode, a U.S.-based company that offers Virtual Private Server hosting. The IP addresses in question are within the same subnet, and they are six IP addresses apart from each other.

"Considering this proximity, it is possible that the two attacks are one and the same, and that the organizations targeted in the Silicon Valley attacks have been compromised since July," the report concluded.

McAfee Says Cyber-attack Details Point to IE Security Vulnerability

title=What This Means for U.S. Policy Makers, Enterprises}

Adam Vincent, CTO for the public sector team at Layer 7 Technologies, said the incident proves the industry must continually scrutinize public cloud security procedures as well as those for its own internal network.

"People are already concerned about cyber-security; however, incidents like this one, from a purported government entity, bring a whole new dimension to cyber-security-one where corporations must not only protect themselves from malicious adversaries on the Internet but from well-organized and funded government organizations," Vincent said.

The Chinese government has been at the center of numerous allegations of cyber-attacks and spying targeting the United States.

One of the most well-known examples from 2009 is the infamous GhostNet, which was believed to have infiltrated political, economic and media organizations in more than 100 countries before it was discovered in March. There were also allegations last year that the Chinese government was involved in attempts to hack the U.S. electric grid as well as the Pentagon's $300 billion Joint Strike Force. China denied involvement in both attacks.

All this raises the question of how U.S. government and business officials should respond.

"From a policy standpoint, the United States should drive new standards in e-mail protocols that do not allow for such attacks to exist," said Sean Sullivan, security advisor for North American Labs at F-Secure. "The system has long been considered flawed, but the investment to fix it is considerable. Businesses with sensitive information to protect should consider the costs of allowing any attachments through their e-mail gateways. There are other alternatives."

People should not be surprised any government is spying on another, but what is unique about this incident is its scale, said Eli Jellenc, head of international cyber-intelligence at VeriSign's iDefense Labs.

"It has always been our presumption that attacks would reach this scale and level of sophistication at some point, but many of us did not believe it would be this soon or this brazen ... The basic method of the attacks [is] well known to us and common for Chinese corporate and strategic spies, but the level of organization and planning necessary to execute a concerted attack campaign of this complexity marks a major increase from what we've seen in the past," Jellenc said.

Editor's Note: This story was updated with new information from Microsoft.

Rocket Fuel