Although the first known attacks using the Aurora malware that compromised Google weren’t discovered until late last year, some parts of the malware codebase have been in existence in China for nearly four years, raising questions about how many other attacks it might have been used in during that time frame.
Researcher Joe Stewart of SecureWorks in Atlanta analyzed the Aurora codebase in great detail and found that several components of the malware were written in mid-2006, more than three years before the attacks on Google, Adobe and others were first discovered. The Aurora codebase comprises several discrete modules that each perform separate tasks during the exploitation, installation and remote-control process. Stewart said that although the Aurora malware itself isn’t necessarily the most advanced attack tool, the authors, as well as the attackers who used it, knew what they were doing.
“I’d say it’s of average sophistication for this kind of Trojan backdoor these days. It’s not of any staggering technical complexity,” Stewart said in an interview. “But the attackers did some things right. They used the code sparingly in highly targeted attacks, they didn’t just use something off the shelf and they didn’t pack and encrypt the binaries, because that looks suspicious. Using custom code was a smart move.”
Stewart also looked closely at one of the algorithms used in the binary of the Aurora Trojan, known as Hydraq. He found that the cyclic redundancy check (CRC) algorithm that the binary uses was unique in several ways. After digging through it and looking for references to the CRC algorithm on Google, Stewart found that essentially every site that referenced the algorithm was in Chinese. Also, the original reference source code for the CRC algorithm was written in Chinese.
“That’s a strong piece of evidence to me that this thing originated in China,” he said. “Nothing is conclusive, but the algorithm isn’t easily faked, either. Someone in another country could’ve gotten sources that were unique to China and then used them. That’s within the realm of possibility, but it doesn’t seem like the most likely scenario. Some of the Aurora code was cribbed from other sources, but not most of it.”
Google officials said that they first discovered the Aurora attack in December, and other companies have said that they discovered similar intrusions in roughly the same time period. But, as Stewart’s research shows, the attackers, or others with access to the same codebase, may well have been using the malware for other operations much earlier than that.
Stewart also said that he believes some of the companies compromised in this set of attacks may have been hit with exploits other than the Internet Explorer zero-day that Microsoft is planning to fix with an emergency patch on Thursday.
“It does surprise me that there are still so many people running IE 6. That’s one of the things that leads me to believe there might have been some PDF exploits used in this, too,” he said. “They might be far more effective on a wider variety of systems. Anyone running IE 6 almost has to willfully be ignoring upgrades.”
And while the attacks on Google, Adobe and the others had some shock value, they shouldn’t be surprising, Stewart said.
“We’re going to continue to see targeted attacks like this and espionage, without question,” Stewart said. “Someone has decided this is the way it’s going to be done because it’s very cheap and it provides results. It’s clear that the scope of the attacks and who they’re targeting is expanding, as well.”