Remember Aurora–and Other Botnets

By Gunter Ollmann, Damballa

Last night my attention was drawn to a couple of blog entries
relating to Google and the attacks they fell victim to earlier this
year. These attacks were eventually labeled as “Operation Aurora” by
McAfee (based upon the presence of the “aurora” keyword embedded within
some of the malware).


First off, Google blogged about analysis of a new botnet that broadly
targets Vietnamese computer users around the world. The intent of the
botnet appears similar to the one that apparently involved surveillance
of email accounts belonging to Chinese human rights activists – spying
upon their victims and attempting to squelch opposition to bauxite
mining efforts in Vietnam.

This post apparently prompted a follow-up blog from McAfee detailing
how their identification and analysis of this particular
Vietnamese-speaker-targeted botnet harkened back to their “Operation
Aurora” analysis in mid-January. McAfee states that their original
“Operation Aurora” analysis was incorrect and that this particular
botnet (and the malware associated with it) shouldn’t have been bundled
as part of their earlier threat report about the attacks that breached
Google and 20+ other organizations last December. McAfee stated that
this Vietnamese-targeted botnet did not use sophisticated malware, which
may have fueled general confusion as to whether the “Operation Aurora”
attack (as a whole) was sophisticated or not.

“Aurora Lite”

As a close knit community, security researchers and investigators
share a lot of threat intelligence and information about attacks. Since
McAfee named the attack “Operation Aurora”, security researchers have
been using McAfee’s definition of what was likely part of it (or not) as
the seed for further research and criminal pursuit. McAfee have
subsequently redefined what they call “Operation Aurora” and focused
upon the most sophisticated attack of the formerly disclosed collection
of attacks that targeted (and breached) many large, well known, US
businesses. This is obviously going to cause a lot of confusion –
especially in light of all the different analysis reports floating
around that have been published over the last couple of months covering
the “Google attacks” and “Operation Aurora”. While I’m sure McAfee would
prefer that the industry adopt a new definition of “Operation Aurora”,
given the massive amounts of research already published to-date I’m
afraid that train left the station a while ago and, to save on future
confusion, I’m going to refer to this revised definition of “Operation
Aurora” as “Aurora Lite”.

This morning I reached out to McAfee to get a better understanding of
how they differentiate between “Operation Aurora” and “Aurora Lite”.
Apparently everything except one particular malware family (which is VNC
centric and contains the “aurora” variable) has been dropped, along
with all the other Command-and-Control (CnC) domains – leaving just the
one CnC linked to [obscured].ftpaccess.cc, which is a dynamic DNS
provider-provisioned service. According to the McAfee folks I spoke with
(who said they’re OK with me sharing this with you), the attack that I
am now terming “Aurora Lite” is attributed to the targeted compromise of
approximately two-dozen companies, with a total footprint of four or
five dozen compromised hosts. It consisted of a rapid, in-and-out attack
rather than a long-running or persistent campaign – which sounds more
like a standard criminal hack.

McAfee also shared that they are updating their “How can you tell”
document to reflect the aspects of “Aurora Lite” (the version I just
checked is dated 1st March and lists all of the CnC domains – not the
reduced list).

Botnets – They’re Still Out There

Before I get started about the particular aspects of “Aurora Lite”,
let’s get a few things straight though. All the badness that was
disclosed earlier this year hasn’t magically gone away – it still
happened. All those various analysis reports covering the multiple
aspects of “Operation Aurora” and how the botnet campaigns and attacks
were orchestrated, controlled and successfully breached that long list
of corporate victims (and the China angle) are still correct. What’s
changed is that “Aurora Lite” analysis now is focused upon just one of
the attacks that breached those 30+ organizations (as disclosed by
Google in January). McAfee is now homing in on apparently the most
sophisticated one (in a relative context).

I’ve seen the term “Advanced Persistent Threat” (APT) being thrown
about, along with “state-sponsored” attacks and, based upon our analysis
of “Operation Aurora”, this level of sophistication was not evident. In
fact the opposite appears to be true. The attackers behind several of
the botnet campaigns that breached their targeted victims did not use
advanced malware techniques nor did they invest in robust CnC
infrastructures – and are clearly not in the same ballpark as the
professional criminal botnet operators Damballa tracks day-in and
day-out focused upon breaking in to enterprise networks.

Interestingly enough, before McAfee released their “Operation Aurora”
analysis, Damballa was already tracking these botnets and botnet
building campaigns. At the time, we had attributed the botnets to four
separate criminal entities (these are Damballa assigned names used for
tracking purposes) based upon their shared CnC domains and
infrastructure, as well as their malware and historical delivery
techniques:

  • YellowWarlockBoys
  • CrazyTreeSaints
  • NaiveGloveTroop
  • OneAlienAvengers

Based upon the original “Operation Aurora” definition from McAfee, we
subsequently chose to cluster these four different criminal operators
together as a single criminal consortium (customers wanted to refer to
“Operation Aurora” within the management consoles of our deployed
solution). Now that McAfee has described “Aurora Lite,” we can break
them back up again into the four different criminal groups, since the
only “linking” factor between them is the data McAfee originally
released, which they now say was incorrect. And yes, as you’ve probably
already guessed, only one of these criminal botnet groups relied upon
the [obscured].ftpaccess.cc for CnC.

Observations & Analysis

One of the features of the Damballa FailSafe solution is the
interception of new malware and suspicious binaries traversing
enterprise networks. As such, Damballa managed to obtain many malware
samples related to each of the botnet campaigns encapsulated in
“Operation Aurora.” We then clustered the samples based upon their
specific CnC management requirements. From our perspective, it didn’t
matter that zero-day exploits in Internet Explorer were used to infect
the victim – just as it didn’t matter that other campaigns made use of
social engineering, spear phishing emails or fake antivirus packages. We
capture and identify the malware components as they cross the network
to the victim system. Consequently, regardless of the limited number of
victims attributed to “Aurora Lite” and the implication that serial
variant versions of the malware were distributed to each victim
computer, Damballa manages to obtain the malware samples used in the
attacks targeting our customers.
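The attribution approach described above (grouping botnets by shared CnC domains and infrastructure, and clustering captured samples by their CnC requirements) can be illustrated with a small union-find pass over sample-to-indicator data. This is an added example, not Damballa's or McAfee's code; the sample names, the CnC domains and IP addresses are constructed, and the only real suffix used is ftpaccess.cc, which the post identifies as a dynamic DNS provider-provisioned service.

```python
from collections import defaultdict

# Constructed sample data (not from the post): sample id -> CnC indicators
# (domains or IPs) the sample was observed beaconing to.
SAMPLES = {
    "sample-01": {"cnc.example-a.test", "198.51.100.10"},
    "sample-02": {"198.51.100.10"},                 # shares an IP with 01
    "sample-03": {"host1.ftpaccess.cc"},            # dynamic DNS hostname
    "sample-04": {"host1.ftpaccess.cc", "203.0.113.7"},
    "sample-05": {"203.0.113.7"},                   # shares an IP with 04
    "sample-06": {"update.example-b.test"},
    "sample-07": {"update.example-b.test", "stats.example-b.test"},
    "sample-08": {"cdn.example-c.test"},
}

# Dynamic DNS provider suffixes; ftpaccess.cc is the one named in the post.
DYNDNS_SUFFIXES = ("ftpaccess.cc",)

def is_dyndns(domain: str) -> bool:
    """True when the CnC domain is provisioned under a dynamic DNS provider."""
    return any(domain == s or domain.endswith("." + s) for s in DYNDNS_SUFFIXES)

def cluster_by_cnc(samples):
    """Union-find: two samples land in one cluster when they share any CnC
    indicator. Caveat: a shared IP on bulk hosting can over-merge unrelated
    operators, so treat IP links as weaker evidence than domain links."""
    parent = {s: s for s in samples}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x
    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra
    first_seen = {}  # indicator -> first sample that used it
    for sid, indicators in samples.items():
        for ind in indicators:
            if ind in first_seen:
                union(first_seen[ind], sid)
            else:
                first_seen[ind] = sid
    groups = defaultdict(list)
    for sid in samples:
        groups[find(sid)].append(sid)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: g[0])

def clusters_using_dyndns(samples):
    """Indices of clusters whose CnC relies on a dynamic DNS hostname."""
    return {i for i, g in enumerate(cluster_by_cnc(samples))
            if any(is_dyndns(d) for sid in g for d in samples[sid])}
```

On the constructed data this yields four clusters, with only one of them depending on a dynamic DNS hostname, mirroring the post's observation that a single group relied on [obscured].ftpaccess.cc.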

So, is “Aurora Lite” the sophisticated attack that McAfee and Google
originally meant to portray? Going by the redefined scope of “Aurora
Lite” that now focuses in on just one of the previously discussed
attacks, it’s probably one of the more sophisticated (and smallest)
campaigns of the “Operation Aurora” bunch. But frankly I’m going to have
to hold out for more evidence to be provided if I’m to be expected to
support some of the sophistication claims that have been made in recent
months. Unfortunately I see this kind of stuff every day, and based upon
our analysis of the [obscured].ftpaccess.cc usage for CnC, I’d need
more convincing. The malware used by professional cyber criminals today
is generally more feature rich and sophisticated than things such as
Trojan.Hydraq and the malware that McAfee have stated as being part of
“Aurora Lite” – but at the end of the day it’s just a tool for those
criminals, and typically a disposable tool at that. Making use of
dynamic DNS provisioning of CnC is a popular tactic for some clusters of
learner/amateur botnet operators, and a way for hackers to try to
disguise the true source of their attacks.

Obviously, Damballa is focused upon detecting and mitigating the CnC
channels employed by botnets, APTs, targeted attacks and insider
threats, and has great visibility into the infrastructure built by
criminal operators to perpetuate and support their attacks. However,
we’re not focused on the per-host forensic examination of individual
victim machines. To recycle a visual metaphor I’ve used before, Damballa
tracks and identifies the criminal’s getaway van along with its driver.
What happened inside the bank (who fired the first shot, the type of
gun they used, what was stolen, etc.) isn’t something we focus upon. But
if you want to know the make and model of the getaway van, the route
they drove to get to the target and where they drove off to afterwards,
well, that we can do as a matter of course.

That isn’t to say that we aren’t aware of what happens though. Most
of the research team have extensive experience conducting these kinds of
forensic analyses – along with conducting penetration attacks just like
“Aurora Lite” (in the guise of professional security services and
ethical hacking).

Learn & Adapt

Finally, I think it’s valuable to point out that Damballa researchers
have been in constant communication with customers that have been (and
continue to be) targeted by the “Operation Aurora” criminal campaigns,
and we’re providing our expertise to several of the victims that also
fell prey to the newly redefined “Aurora Lite” attacks. Our experience
with CnC discovery and how dynamic DNS is abused for CnC management,
combined with the historical information necessary for building attack
timelines, has proven very useful for tracking down the criminal
operators behind the threat. Oh, and as security professionals in the
field we share this information with the folks working deep inside the
“Aurora Lite” victim organizations doing the forensic examination of the
breached networks and systems.

A goal for both my team and myself is to further educate people about
the true state of the threat. The arsenal of tools, techniques and
malware that professional criminal operators can employ in their
attacks, and the way in which they can rapidly grow and manage take-down
resistant hierarchical CnC infrastructures, is pretty amazing – if not
daunting – and it’s accelerating. Despite this redefinition of
“Operation Aurora” let’s not forget about all the plain-old-vanilla
botnet breaches that occurred earlier this year (and continue) and learn
from them. If average or amateurish criminal botnet building campaigns
can be so successful against these large organizations, it should be
little surprise that the professionals have got such an easy ride
nowadays.

This essay first appeared on Damballa’s Day Before Zero blog. Gunter Ollmann is the VP of Research at Damballa.
