Google, China and the Anatomy of the Aurora Attack

by Brian Prince

The vulnerability leveraged in this attack is a memory corruption issue that can be exploited to allow an attacker to remotely execute code. The attackers in Aurora focused their efforts on IE 6, though proof-of-concept code was developed by a security company that worked on later versions. The exploit code has been hosted on malicious sites, as seen here.

The Hydraq is a backdoor Trojan that was the main piece of malware used in the Aurora attack. When it’s installed, Hydraq makes contact with command and control servers in order to receive instructions and upload any data it has stolen. Though the IE vulnerability was the primary vector for infecting users in Aurora, the Trojan has also been associated with exploits targeting Adobe Reader, Acrobat and Flash Player.

One of the notable capabilities of Hydraq is it can give the attacker a live view of the infected machine’s desktop using VNC (virtual network computing) technology.

Social Networks Involved as Surveillance?McAfee CTO George Kurtz has said the attackers conducted surveillance on their targets and their targets’ friends via social networking sites. Such tactics are becoming a greater worry in security circles. For example, officials at security firm Netragard told eWEEK they used Facebook during a penetration test to trick employees at an energy company into “friending” them and giving up their employee credentials.

On Jan. 12, Google announced it had been attacked in December. The company also said it had detected repeated attempts to access the Gmail accounts of Chinese human rights activists. As a result, the company declared it would no longer censor search results in China and would consider closing its operations in the country.

Although China quickly became the subject of accusations, evidence of Chinese attackers being behind Aurora remained relatively scant, as systems in both the United States and China were used in the attack. One researcher uncovered evidence of a cyclic redundancy algorithm in Hydraq that originated in China.

Secretary of State Hillary Clinton says the United States will seek a thorough and transparent investigation of the incident by the Chinese government. However, officials with the Chinese government deny involvement in the cyber-attacks and tell Google the company needs to follow the law if they expect to operate in China.

Google CEO Eric Schmidt told attendees at the World Economic Forum Jan. 29 the company hoped to “apply some negotiation or pressure to make things better for the Chinese people.” He added that Google has made a strong commitment to staying in China and would like to continue its operations there.

Microsoft has released a patch to cover the vulnerability used in Aurora. The attack could also have been mitigated by using the most current version of Internet Explorer, as IE 6 was the attacker’s target. The situation underscores the importance of keeping software up-to-date.