More Details on "Operation Aurora"


Earlier today, George Kurtz posted an entry, ‘Operation “Aurora” Hit Google, Others’, on McAfee’s Security Insight blog. The purpose of this post is to answer questions about this particular attack and to fill in some of the threat flow and McAfee coverage details.

How were systems compromised?
When a user manually loaded or navigated to a malicious web page from a vulnerable Microsoft Windows system, JavaScript code on that page exploited a zero-day vulnerability in Internet Explorer, the Microsoft Internet Explorer DOM Operation Memory Corruption Vulnerability. Microsoft has released Security Advisory (979352) for this vulnerability (CVE-2010-0249).

What was the payload of the exploit?
Once a system was successfully compromised, the exploit was designed to download and run an executable from a site, which has since been taken offline.  That executable installed a remote access Trojan to load at startup.  This Trojan also contacted a remote server.  This allowed remote attackers to view, create, and modify information on the compromised system.

How widespread is this attack?
Aurora appears to have been a very concentrated attack on specific targets.  It is not believed to be widespread at this time.

How serious is this vulnerability?
The Microsoft Internet Explorer vulnerability leveraged in this attack allows for remote code execution, but does require user interaction (such as following a hyperlink to a website or opening an email attachment). Furthermore, the single exploit known to exist can be thwarted by Data Execution Prevention (DEP), which is enabled by default in Internet Explorer 8 and optionally in Internet Explorer 7. Microsoft lists the following combinations as vulnerable: Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

How are McAfee customers protected from this attack?
McAfee DAT files (antivirus): Coverage will be provided for associated malware (as Exploit-Comele, Roarur.dr, and Roarur.dll) in the 5862 DATs, releasing January 15. Partial coverage is provided in the current (5861) DATs for some components (as Generic.dx!kwv, Generic Spy.e, Spy-Agent.ey, and Exploit-Comele).

McAfee VirusScan Enterprise Buffer Overflow Protection: Generic Buffer Overflow Protection is expected to cover some, but not all, exploits.

McAfee Host Intrusion Prevention: Generic Buffer Overflow Protection is expected to cover some, but not all, exploits.

McAfee Network Security Platform: The UDS release of January 14 contains the signature “UDS-HTTP: Microsoft Internet Explorer HTML DOM Memory Corruption” which provides coverage.

McAfee Vulnerability Manager: The FSL/MVM package of January 14 includes a vulnerability check to assess if your systems are at risk.

Updated Jan 14
McAfee Web Gateway (formerly Webwasher): TrustedSource has coverage for domains and IP addresses that the malware contacts. Coverage for associated malware was released January 15 (as BehavesLike.JS.Obfuscated.E), and proactive coverage existed for some components (as Trojan.Crypt.XDR.Gen).

Updated Jan 16
McAfee Firewall Enterprise (formerly Sidewinder): TrustedSource has coverage for domains and IP addresses that the malware contacts. Coverage for associated malware was released January 15 (as BehavesLike.JS.Obfuscated.E), and proactive coverage existed for some components (as Trojan.Crypt.XDR.Gen).

Updated Jan 18
McAfee Network Security Platform: Extended coverage is provided in the January 18 UDS release via the “Microsoft Internet Explorer HTML DOM Memory Corruption III” signature. Coverage was originally provided in the UDS release of January 14.

McAfee Application Control: All versions of McAfee Application Control protect against infection, without updates, and will prevent all versions of the “Aurora” attack witnessed to date.

McAfee Firewall Enterprise: TrustedSource has coverage for domains and IP addresses that the malware contacts. The embedded McAfee AV scanning engine in Firewall Enterprise version 7.0.1.02 and later provides coverage for supported protocols via standard McAfee DAT updates. Coverage for known exploits and associated malware is provided as Exploit-Comele, Roarur.dr, and Roarur.dll in the 5862 DATs, released January 15.

McAfee SiteAdvisor, SiteAdvisor Plus, SiteAdvisor Enterprise: TrustedSource has coverage for domains and IP addresses that the malware contacts.

Updated coverage information will be communicated through McAfee Security Advisories:
http://www.mcafee.com/us/threat_center/securityadvisory/signup.aspx

8 comments on “More Details on "Operation Aurora"”

  • G.E. Pelletier says:

    Hi Rahul,

    Yesterday’s tests on UDS Version III were successful. The false positive rate is very low. Only two were detected out of about 50 million requests to about 140,000 unique domain names on the Internet. These appear to be caused by the same script, with slight customisations for each site:

    http://ce2.gcion.net/scripts/GDSRScripts.js

    The VirusTotal analysis of the file:
    http://www.virustotal.com/analisis/fb876196bf52422ca21091610e3a1d396cadf2156f4f378ce34e896150236696-1263990391

    http://www.rgj.com/scripts/GDSRScripts.js

    VirusTotal Report:
    http://www.virustotal.com/analisis/d34174e1bb395530e9fd2de036bb48a4580250942acb310eaccc65a039758353-1263991051

    These have been updated in our IntruShield SR.

    Sincerely,

    G.E. Pelletier

  • G.E. Pelletier says:

    Hi Rahul,

    Thank you for the information about signature 0x4022f900. This will help us.

    The exploit was fully tested on three systems with HIPs installed. It was effective on all three (IE 6 disappeared and the calculator popped up). Paradoxically, the HIPs logs also show the attack as being prevented. We will follow up with McAfee.

    An SR was opened with McAfee with respect to the IntruShield false positives on the UDS Version II. I have advised the technician that the signature was updated to correct the false positives.

    I will be testing the UDS Version III update this morning.

    Again, your help is greatly appreciated.

    Sincerely,

    G.E. Pelletier

  • Hello Pelletier,
    Regarding the HIPS protection, we’ve successfully verified that HIPS blocks the exploit out of the box. While verifying such exploits you’ll need to ensure that the exploit is successful on the victim machine. If you have further questions on this, please contact your SE/McAfee representative so that we can resolve the issues you’re encountering.

    Regards

  • Hello Pelletier,

    This exploit is detected by IntruShield out of the box with generic JavaScript shellcode signatures (no need to update to block this exploit):
    ‘HTTP: Possible attempt to create javascript shellcode:1’ : 0x4022f900

    Regarding the False Positives, we’ve isolated the issue and updated the UDS and it’ll be out today.

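The generic JavaScript shellcode detection and the false-positive trade-off discussed in these comments, shown as an added Python example; it is not McAfee's signature logic, and the regexes, thresholds and both sample response bodies are constructed for illustration:

```python
import re

# Indicators a generic "JavaScript shellcode" network signature keys on.
# Added illustration, not McAfee's signature logic; thresholds are constructed.
UNESCAPE_WORDS = re.compile(r"(?:%u[0-9a-fA-F]{4})+")            # contiguous %uXXXX run
REPEATED_WORD = re.compile(r"(%u[0-9a-fA-F]{4})\1{7,}")            # same word 8+ times (sled-like)
SPRAY_LOOP = re.compile(r"while\s*\(\s*\w+\.length\s*<\s*0x[0-9a-fA-F]+\s*\)")  # doubling loop


def analyze(body: str) -> dict:
    """Extract the raw features a detector would weigh for one HTTP response body."""
    runs = UNESCAPE_WORDS.findall(body)
    longest = max((len(r) // 6 for r in runs), default=0)          # 6 chars per %uXXXX
    return {
        "longest_unescape_run": longest,
        "has_repeated_word": bool(REPEATED_WORD.search(body)),
        "has_spray_loop": bool(SPRAY_LOOP.search(body)),
    }


def classify(body: str, min_run: int = 32) -> str:
    """Flag only when a long %u run is corroborated by a sled-like repeat or a
    doubling loop; a lone short %u string is common in benign scripts and is
    exactly the pattern that drives false positives on ordinary site code."""
    f = analyze(body)
    corroborated = f["has_repeated_word"] or f["has_spray_loop"]
    return "suspicious" if f["longest_unescape_run"] >= min_run and corroborated else "benign"


# Constructed sample: exploit-style page body (sled-like words, padding, doubling loop).
SUSPICIOUS_BODY = (
    'var sc = unescape("' + "%u9090" * 24 + "%u4141" * 16 + '");\n'
    + 'var pad = unescape("%u0c0c%u0c0c");\n'
    + "while (pad.length < 0x40000) pad += pad;\n"
)

# Constructed sample: benign site script that legitimately calls unescape().
BENIGN_BODY = (
    'var title = unescape("%u00e9t%u00e9") + document.title;\n'
    + "function track(u) { return encodeURIComponent(u); }\n"
)

if __name__ == "__main__":
    for name, body in (("suspicious", SUSPICIOUS_BODY), ("benign", BENIGN_BODY)):
        print(name, classify(body), analyze(body))
```

Raising `min_run` trades missed detections for fewer alerts, which is the tuning the UDS revisions in this thread were making.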
  • G.E. Pelletier says:

    VSE, BOP, IntruShield UDS, and HIPS do not protect against the following exploit code:

    http://ahmed.obied.net/software/code/exploits/ie_aurora.py

    The above exploit code is very effective with IE 6.

    The IntruShield UDS-HTTP: Microsoft Internet Explorer HTML DOM Memory Corruption dated 14 Jan 2010 fails to detect this.

    The updated (version II) IntruShield UDS-HTTP: Microsoft Internet Explorer HTML DOM Memory Corruption II, dated 16 Jan 2010, generates massive numbers of false positives (over 100 in 20 minutes).

    The exploit code was originally found in the comments of the ISC SANS story:
    http://isc.sans.org/diary.html?storyid=8002

  • Craig, great to hear that. Truly a great product that we hope to see and hear more about in the future. Thanks for setting me straight.

  • Why wouldn’t McAfee release some type of protection for the recently acquired Secure Computing Web Gateway (Webwasher) or Firewall (Sidewinder)? It’s sad when companies acquire smaller better companies and then let the products languish for various reasons.

