Security researchers are continuing to delve into the details of the malware that’s been used in the attacks against Google, Adobe and other large companies, and they’re finding a complex package of programs that use custom protocols and sophisticated infection techniques.
The attacks, which are being called Aurora, were expressly designed to retrieve valuable files from compromised machines, and the analysis of the various pieces of malware used in the attacks shows that the software was well-suited to the task. In a blog post describing a detailed analysis of the applications, Guilherme Venere of McAfee says that there are a number of interrelated pieces of malware, each of which served a specific purpose.
After the initialization of the malware DLL, a connection is made to the command and control (C&C) server. The connection is made on port 443, which is usually used by the HTTPS protocol, encrypted with SSL. During analysis, we noticed that the employed protocol on this port was not the standard SSL protocol, but a custom encrypted protocol.
The backdoor client initiates the protocol by issuing a packet which always has the same first 20 bytes:
[ ff ff ff ff ff ff 00 00 fe ff ff ff ff ff ff ff ff ff 88 ff ]
After the initiator handshake, the protocol uses a 20 byte packet as header for all communication that follows. All data sent from client to server is encoded with a logical NOT, and all data received from server is XOR encoded with 0xCC.
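The framing described in the McAfee analysis is simple enough to model directly. The following Python is an added example written for this article, not code from McAfee or from the malware itself: it implements the two per-direction encodings (logical NOT is byte-wise XOR with 0xFF, so both encodings are their own inverse), splits a post-handshake message into the 20-byte header and its body, and checks whether the first bytes a client sends on TCP/443 are the fixed Aurora hello rather than a TLS ClientHello. The sample payloads are constructed here; the TLS comparison uses the public TLS record layout (record type 0x16, major version 0x03), which the article does not mention; and the analysis does not say whether the 20-byte header is itself encoded, so this code leaves the header untouched and decodes only the body (an assumption).

```python
"""Added example (not McAfee's code): model the custom Aurora C&C framing
described in the quoted analysis and classify a client's first bytes on 443.
Sample payloads below are constructed for illustration."""
from typing import Tuple

# Fixed 20-byte prefix the backdoor client sends first (from the analysis).
AURORA_HELLO = bytes.fromhex("ffffffffffff0000feffffffffffffffffff88ff")
HEADER_LEN = 20  # every message after the hello carries a 20-byte header
SERVER_XOR_KEY = 0xCC


def encode_client_to_server(data: bytes) -> bytes:
    """Client->server bytes are the logical NOT of the plaintext.
    NOT x == x XOR 0xFF, so applying this twice returns the original."""
    return bytes((~b) & 0xFF for b in data)


def decode_client_to_server(data: bytes) -> bytes:
    """Recover plaintext from a client->server body (NOT is self-inverse)."""
    return encode_client_to_server(data)


def decode_server_to_client(data: bytes) -> bytes:
    """Server->client bytes are XOR-encoded with 0xCC; XOR is self-inverse,
    so the same routine encodes and decodes."""
    return bytes(b ^ SERVER_XOR_KEY for b in data)


def split_frame(stream: bytes) -> Tuple[bytes, bytes]:
    """Split one post-handshake message into (20-byte header, body)."""
    if len(stream) < HEADER_LEN:
        raise ValueError("frame shorter than the 20-byte header")
    return stream[:HEADER_LEN], stream[HEADER_LEN:]


def decode_server_frame(raw: bytes) -> Tuple[bytes, bytes]:
    """Return (header, decoded body) for a server->client message.
    Assumption: the header is passed through as-is; only the body is
    XOR-decoded, since the analysis states the encoding for 'data' only."""
    header, body = split_frame(raw)
    return header, decode_server_to_client(body)


def classify_port443_client_first_bytes(first: bytes) -> str:
    """Classify what a client sent first on TCP/443.

    A real TLS ClientHello begins with a record header whose first byte is
    0x16 (handshake) and whose second byte is the major version 0x03.
    The Aurora backdoor instead opens with its fixed 20-byte hello, which
    is not valid TLS. Anything else is reported as 'unknown'."""
    if first.startswith(AURORA_HELLO):
        return "aurora-handshake"
    if len(first) >= 3 and first[0] == 0x16 and first[1] == 0x03:
        return "tls-client-hello"
    return "unknown"


if __name__ == "__main__":
    # Constructed exchange: client hello, then a NOT-encoded report and an
    # XOR-encoded server reply, each behind a (here all-zero) 20-byte header.
    client_report = b"OS=5.1 SP3 HOST=WS01"
    hdr = b"\x00" * HEADER_LEN
    on_the_wire = AURORA_HELLO + hdr + encode_client_to_server(client_report)
    print(classify_port443_client_first_bytes(on_the_wire))
    print(decode_client_to_server(split_frame(on_the_wire[len(AURORA_HELLO):])[1]))
    reply = hdr + decode_server_to_client(b"SEND C:\\docs")
    print(decode_server_frame(reply))
```

Because both encodings are self-inverse single-byte operations, any captured stream can be decoded offline with the same functions; the useful detection signal is the fixed 20-byte hello on a port where a TLS record header is expected.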
Once the malware is on the machine and this handshake is complete, it begins gathering information about the PC and attempting to send the data to a remote command-and-control server. The application records the machine’s OS version, name, service pack level and the registry key containing the description of the PC’s main processor. This gives the attackers a clear picture of what sort of machine the malware is running on.
“As you can see this attack involved very advanced methods with several pieces of malware working in concert to give the attackers full control of the infected system; at the same time it attempts to disguise itself as a common connection to a secure website. This way the attackers were able to covertly gather all the information they wanted without being discovered,” Venere wrote.