Feeds

IE6 exposed as Google China malware unpicked

Why search engine giant was using IE6 remains a mystery

Next gen security for virtualised datacentres

Fresh analysis has revealed the sophistication of malware used in attacks against Google and other hi-tech firms originating from China last month.

It's now known that the attack took advantage of a zero-day vulnerability in Internet Explorer - CVE-2010-0249 - to drop malware onto compromised systems. After backdoor components (malicious Windows library files) are loaded, pwned systems attempt to contact command and control (C&C) servers.

Security analysts at McAfee have discovered that this communication uses a custom encrypted protocol on port 443. This is normally utilised by the HTTPS protocol, used by SSL ecommerce transactions.

The cracking techniques used in the assault used multiple malware components, with highly obfuscated code designed to confound security researchers. This marks it out as one of the most sophisticated hacking attacks to date, writes McAfee researcher Guilherme Venere.

"This attack involved very advanced methods, with several pieces of malware working in concert to give the attackers full control of the infected system, at the same time it attempts to disguise itself as a common connection to a secure website," he explains. "This way, the attackers were able to covertly gather all the information they wanted without being discovered."

The backdoor first sends information on registry keys on compromised systems along with the workgroup name of a machine and the version of Windows it is running before awaiting further instructions.

The attack - codenamed Operation Aurora - affected Google and at least 20 other firms, including Adobe, Juniper Networks, Rackspace, Yahoo! and Symantec. Google took the highly unusual step of going public on the attack a week ago, saying the assault on it targeted the webmail accounts of dissidents. In response, Google said it would operate an unfiltered version of its search engine in China and threatened to quit the country entirely.

A number of governments have advised businesses to consider using alternative browsers until Microsoft produces a patch against the vulnerability used in the Operation Aurora attacks. Australia (here) has joined France and Germany in pointing surfers towards either Firefox, Safari or Chrome as alternatives to IE, at least until Redmond issues a fix.

This sort of advice is rare but not unprecedented. CERT in the US advised surfers to use anything but IE in June 2004, as a response to a string of attacks involving the Download.Ject strain of malware, which caused widespread problems at the time.

Microsoft advises users to upgrade to IE8 which, while not immune to the bug used in the Operation Aurora attacks, is "not affected by currently known attacks and exploits due to the improved security protections” in the latest version of Microsoft's browser software.

The Operation Aurora attack targeted systems running IE6, which begs the question of why Google and the other affected concerns were running a version of Microsoft's browser software first released in 2001 and not Chrome. IE6 is famously outdated, and it's tempting to think Google and Yahoo! were only running it because it was the only browser supported by government systems connected with lawful interception (wiretapping). ®

The essential guide to IT transformation

More from The Register

next story
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
prev story

Whitepapers

Top 10 endpoint backup mistakes
Avoid the ten endpoint backup mistakes to ensure that your critical corporate data is protected and end user productivity is improved.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up distributed data
Eliminating the redundant use of bandwidth and storage capacity and application consolidation in the modern data center.
The essential guide to IT transformation
ServiceNow discusses three IT transformations that can help CIOs automate IT services to transform IT and the enterprise
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.