Remember Aurora--and Other Botnets
Last night my attention was drawn to a couple of blog entries relating to Google and the attacks they fell victim to earlier this year. These attacks were eventually labeled as “Operation Aurora” by McAfee (based upon the presence of the “aurora” keyword embedded within some of the malware).
First off, Google blogged about analysis of a new botnet that broadly targets Vietnamese computer users around the world. The intent of the botnet appears similar to the one that apparently involved surveillance of email accounts belonging to Chinese human rights activists – spying upon their victims and attempting to squelch opposition to bauxite mining efforts in Vietnam.
This post apparently prompted a follow-up blog from McAfee detailing how their identification and analysis of this particular botnet (targeting Vietnamese speakers) harkened back to their “Operation Aurora” analysis in mid-January. McAfee states that their original “Operation Aurora” analysis was incorrect and that this particular botnet (and the malware associated with it) shouldn’t have been bundled as part of their earlier threat report about the attacks that breached Google and 20+ other organizations last December. McAfee stated that this Vietnamese-targeted botnet did not use sophisticated malware, which may have fueled general confusion as to whether the “Operation Aurora” attack (as a whole) was sophisticated or not.
“Aurora Lite”
As a close-knit community, security researchers and investigators share a lot of threat intelligence and information about attacks. Since McAfee named the attack “Operation Aurora”, security researchers have been using McAfee’s definition of what was likely part of it (or not) as the seed for further research and criminal pursuit. McAfee have subsequently redefined what they call “Operation Aurora” and focused upon the most sophisticated attack of the previously disclosed collection of attacks that targeted (and breached) many large, well known, US businesses. This is obviously going to cause a lot of confusion – especially in light of all the different analysis reports that have been published over the last couple of months covering the “Google attacks” and “Operation Aurora”. While I’m sure McAfee would prefer that the industry adopt a new definition of “Operation Aurora”, given the massive amount of research already published to date I’m afraid that train left the station a while ago and, to save on future confusion, I’m going to refer to this revised definition of “Operation Aurora” as “Aurora Lite”.
This morning I reached out to McAfee to get a better understanding of how they differentiate between “Operation Aurora” and “Aurora Lite”. Apparently everything except one particular malware family (which is VNC-centric and contains the “aurora” variable) has been dropped, along with all the other Command-and-Control (CnC) domains – leaving just the one CnC linked to [obscured].ftpaccess.cc, which is a dynamic DNS provider-provisioned service. According to the McAfee folks I spoke with (who said they’re OK with me sharing this with you), the attack that I am now terming “Aurora Lite” is attributed to the targeted compromise of approximately two dozen companies, with a total footprint of four or five dozen compromised hosts. It consisted of a rapid, in-and-out attack rather than a long-running or persistent campaign – which sounds more like a standard criminal hack.
McAfee also shared that they are updating their “How can you tell” document to reflect the aspects of “Aurora Lite” (the version I just checked is dated 1st March and lists all of the CnC domains – not the reduced list).
Botnets – They’re Still Out There
Before I get started on the particular aspects of “Aurora Lite”, let’s get a few things straight. All the badness that was disclosed earlier this year hasn’t magically gone away – it still happened. All those various analysis reports covering the multiple aspects of “Operation Aurora” and how the botnet campaigns and attacks were orchestrated, controlled and successfully breached that long list of corporate victims (and the China angle) are still correct. What’s changed is that the “Aurora Lite” analysis now focuses on just one of the attacks that breached those 30+ organizations (as disclosed by Google in January). McAfee is now homing in on what is apparently the most sophisticated one (in a relative context).
I’ve seen the term “Advanced Persistent Threat” (APT) being thrown about, along with “state-sponsored” attacks, and based upon our analysis of “Operation Aurora” this level of sophistication was not evident. In fact the opposite appears to be true. The attackers behind several of the botnet campaigns that breached their targeted victims did not use advanced malware techniques, nor did they invest in robust CnC infrastructures – and they are clearly not in the same ballpark as the professional criminal botnet operators Damballa tracks day in and day out, focused upon breaking into enterprise networks.
Interestingly enough, before McAfee released their “Operation Aurora” analysis, Damballa was already tracking these botnets and botnet building campaigns. At the time, we had attributed the botnets to four separate criminal entities (these are Damballa assigned names used for tracking purposes) based upon their shared CnC domains and infrastructure, as well as their malware and historical delivery techniques:
- YellowWarlockBoys
- CrazyTreeSaints
- NaiveGloveTroop
- OneAlienAvengers
Based upon the original “Operation Aurora” definition from McAfee, we subsequently chose to cluster these four different criminal operators together as a single criminal consortium (customers wanted to refer to “Operation Aurora” within the management consoles of our deployed solution). Now that McAfee has described “Aurora Lite,” we can break them back up into the four different criminal groups, since the only “linking” factor between them was the data McAfee originally released, which they now say was incorrect. And yes, as you’ve probably already guessed, only one of these criminal botnet groups relied upon [obscured].ftpaccess.cc for CnC.
Observations & Analysis
One of the features of the Damballa FailSafe solution is the interception of new malware and suspicious binaries traversing enterprise networks. As such, Damballa managed to obtain many malware samples related to each of the botnet campaigns encapsulated in “Operation Aurora.” We then clustered the samples based upon their specific CnC management requirements. From our perspective, it didn’t matter that zero-day exploits in Internet Explorer were used to infect the victim – just as it didn’t matter that other campaigns made use of social engineering, spear-phishing emails or fake antivirus packages. We capture and identify the malware components as they cross the network to the victim system. Consequently, regardless of the limited number of victims attributed to “Aurora Lite” and the implication that serial variants of the malware were distributed to each victim computer, Damballa still obtains the malware samples used in the attacks targeting our customers.
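The clustering logic described in the two paragraphs above (group samples by the CnC infrastructure they share, and watch a single third-party "link" merge otherwise separate groups) can be shown in a few lines. This is an added illustration, not Damballa's FailSafe code; every sample identifier and domain below is a constructed placeholder, and the hypothetical `extra_links` argument stands in for an external report that asserts two domains belong to one operator.

```python
"""
Cluster malware samples into campaigns by shared CnC infrastructure.

Added example (not Damballa's code). Two samples land in the same cluster
when they share a CnC domain, directly or transitively. Sample ids and
domains are constructed placeholders, not real indicators.
"""
from collections import defaultdict

# Constructed observations: sample id -> CnC domains it contacted.
SAMPLES = {
    "sample-a1": {"cnc1.example", "cnc2.example"},
    "sample-a2": {"cnc2.example"},
    "sample-b1": {"updates.example.net"},
    "sample-c1": {"dyn-host.ddns.example"},
    "sample-c2": {"dyn-host.ddns.example", "backup.example.org"},
    "sample-d1": {"panel.example.info"},
}


class DisjointSet:
    """Union-find over sample ids and domain names (one shared namespace)."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_by_cnc(samples, extra_links=()):
    """Return the set of clusters, each a frozenset of sample ids.

    samples:     {sample_id: set of CnC domains}
    extra_links: (domain_a, domain_b) pairs from an outside report claiming
                 the two domains share an operator. Each link merges every
                 cluster touching either domain, so one wrong link can fuse
                 unrelated campaigns into a single 'consortium'.
    """
    ds = DisjointSet()
    for sid, domains in samples.items():
        ds.find(sid)  # register singletons with no domains too
        for d in domains:
            ds.union(sid, d)
    for a, b in extra_links:
        ds.union(a, b)
    groups = defaultdict(set)
    for sid in samples:
        groups[ds.find(sid)].add(sid)
    return {frozenset(g) for g in groups.values()}


# A single report tying one domain from each group together (hypothetical).
BUNDLING_REPORT = [
    ("cnc1.example", "updates.example.net"),
    ("cnc1.example", "dyn-host.ddns.example"),
    ("cnc1.example", "panel.example.info"),
]

if __name__ == "__main__":
    print("own data only:", len(cluster_by_cnc(SAMPLES)), "clusters")
    print("with report:  ", len(cluster_by_cnc(SAMPLES, BUNDLING_REPORT)), "cluster(s)")
    print("report dropped:", len(cluster_by_cnc(SAMPLES)), "clusters")
```

Run on the constructed data, the samples fall into four clusters on Damballa-style evidence alone (shared domains), collapse to one cluster once the report's links are trusted, and split back into four the moment those links are withdrawn; nothing about the samples themselves changed, only the external assertion.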
So, is “Aurora Lite” the sophisticated attack that McAfee and Google originally meant to portray? Going by the redefined scope of “Aurora Lite”, which now focuses on just one of the previously discussed attacks, it’s probably one of the more sophisticated (and smallest) campaigns of the “Operation Aurora” bunch. But frankly I’m going to have to hold out for more evidence if I’m expected to support some of the sophistication claims that have been made in recent months. Unfortunately I see this kind of stuff every day, and based upon our analysis of the [obscured].ftpaccess.cc usage for CnC, I’d need more convincing. The malware used by professional cyber criminals today is generally more feature-rich and sophisticated than things such as Trojan.Hydraq and the malware that McAfee have stated as being part of “Aurora Lite” – but at the end of the day it’s just a tool for those criminals, and typically a disposable tool at that. Making use of dynamic DNS provisioning for CnC is a popular tactic among some clusters of learner/amateur botnet operators, and a way for hackers to try to disguise the true source of their attacks.
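Because dynamic-DNS-provisioned CnC is cheap and common, it is also one of the easier things to hunt for in resolver logs: a host that resolves the same dynamic DNS name at a steady cadence is beaconing, whereas a one-off lookup is usually noise. The script below is an added example of that check and is not Damballa's FailSafe detection logic. The log format, the client addresses and the host names are constructed; the provider zone list is a placeholder except for `ftpaccess.cc`, which is the provider named above, and the thresholds (`min_queries`, `max_cv`) are arbitrary assumptions to tune per environment.

```python
"""
Flag hosts beaconing to dynamic-DNS-provisioned names in DNS query logs.

Added example, not Damballa's code. Log lines and provider zones are
constructed for the example; only ftpaccess.cc comes from the post.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Dynamic DNS provider zones to watch (placeholders plus the one named in
# the post). A name under any of these zones is worth a second look.
DYNDNS_ZONES = {"ftpaccess.cc", "dyn-example.net", "no-ip.example"}

# Constructed resolver log format: "<ISO timestamp> <client ip> query: <qname>"
LOG_LINE = re.compile(r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+query:\s+(\S+)$")

# Constructed log: 10.1.1.5 resolves one dynamic DNS name every ~5 minutes,
# 10.1.1.9 looks another up once, and the rest is ordinary traffic.
SAMPLE_LOG = """\
2010-03-31T08:00:00 10.1.1.5 query: www.google.com
2010-03-31T08:00:03 10.1.1.5 query: svchost.dyn-example.net
2010-03-31T08:05:02 10.1.1.5 query: svchost.dyn-example.net
2010-03-31T08:10:04 10.1.1.5 query: svchost.dyn-example.net
2010-03-31T08:15:01 10.1.1.5 query: svchost.dyn-example.net
2010-03-31T08:20:03 10.1.1.5 query: svchost.dyn-example.net
2010-03-31T08:07:10 10.1.1.9 query: mail.example.org
2010-03-31T08:09:44 10.1.1.9 query: photos.no-ip.example
2010-03-31T08:11:00 10.1.1.12 query: www.example.com
"""


def dyndns_zone(qname):
    """Return the watched zone that qname sits under, else None.

    Matches on label boundaries so 'ftpaccess.cc.evil.example' does not match.
    """
    name = qname.rstrip(".").lower()
    for zone in DYNDNS_ZONES:
        if name == zone or name.endswith("." + zone):
            return zone
    return None


def parse_log(text):
    """Yield (timestamp, client, qname) for each well-formed log line."""
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            ts, client, qname = m.groups()
            yield datetime.fromisoformat(ts), client, qname


def find_beacons(text, min_queries=4, max_cv=0.2):
    """Split dynamic DNS lookups into beacons and one-off lookups.

    Returns (beacons, lookups): beacons maps (client, qname) to the mean
    inter-query gap in seconds when there are at least min_queries lookups
    and the gaps are regular (coefficient of variation <= max_cv); every
    other watched (client, qname) pair goes into lookups.
    """
    seen = defaultdict(list)
    for ts, client, qname in parse_log(text):
        if dyndns_zone(qname):
            seen[(client, qname.lower())].append(ts)
    beacons, lookups = {}, set()
    for key, times in seen.items():
        times.sort()
        if len(times) < min_queries:
            lookups.add(key)
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            beacons[key] = mean
        else:
            lookups.add(key)
    return beacons, lookups


if __name__ == "__main__":
    beacons, lookups = find_beacons(SAMPLE_LOG)
    for (client, qname), gap in beacons.items():
        print(f"BEACON  {client} -> {qname} every ~{gap:.0f}s")
    for client, qname in sorted(lookups):
        print(f"LOOKUP  {client} -> {qname}")
```

The suffix check is deliberately anchored on a label boundary; a naive `"ftpaccess.cc" in qname` test would also fire on names that merely contain the string. In practice you would feed the zone list from a maintained dynamic DNS provider inventory rather than hard-code it, and treat a beacon as a lead for host forensics, not as proof of compromise on its own.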
Obviously, Damballa is focused upon detecting and mitigating the CnC channels employed by botnets, APTs, targeted attacks and insider threats, and has great visibility into the infrastructure built by criminal operators to perpetuate and support their attacks. However, we’re not focused on the per-host forensic examination of individual victim machines. To recycle a visual metaphor I’ve used before, Damballa tracks and identifies the criminal’s getaway van along with its driver. What happened inside the bank (who fired the first shot, the type of gun they used, what was stolen, etc.) isn’t something we focus upon. But if you want to know the make and model of the getaway van, the route they drove to get to the target and where they drove off to afterwards, well, that we can do as a matter of course.
That isn’t to say that we aren’t aware of what happens, though. Most of the research team have extensive experience conducting this kind of forensic analysis – along with conducting penetration attacks just like “Aurora Lite” (in the guise of professional security services and ethical hacking).
Learn & Adapt
Finally, I think it’s valuable to point out that Damballa researchers have been in constant communication with customers that have been (and continue to be) targeted by the “Operation Aurora” criminal campaigns, and we’re providing our expertise to several of the victims that also fell prey to the newly redefined “Aurora Lite” attacks. Our experience with CnC discovery and how dynamic DNS is abused for CnC management, combined with the historical information necessary for building attack timelines, has proven very useful for tracking down the criminal operators behind the threat. Oh, and as security professionals in the field we share this information with the folks working deep inside the “Aurora Lite” victim organizations doing the forensic examination of the breached networks and systems.
A goal for both my team and myself is to further educate people about the true state of the threat. The arsenal of tools, techniques and malware that professional criminal operators can employ in their attacks, and the way in which they can rapidly grow and manage take-down-resistant hierarchical CnC infrastructures, is pretty amazing – if not daunting – and it’s accelerating. Despite this redefinition of “Operation Aurora”, let’s not forget about all the plain-old-vanilla botnet breaches that occurred earlier this year (and continue), and learn from them. If average or amateurish criminal botnet-building campaigns can be so successful against these large organizations, it should be little surprise that the professionals have such an easy ride nowadays.
This essay first appeared on Damballa's Day Before Zero blog. Gunter Ollmann is the VP of Research at Damballa.