Feeds

IE6 exposed as Google China malware unpicked

Why search engine giant was using IE6 remains a mystery

SANS - Survey on application security programs

Fresh analysis has revealed the sophistication of malware used in attacks against Google and other hi-tech firms originating from China last month.

It's now known that the attack took advantage of a zero-day vulnerability in Internet Explorer - CVE-2010-0249 - to drop malware onto compromised systems. After backdoor components (malicious Windows library files) are loaded, pwned systems attempt to contact command and control (C&C) servers.

Security analysts at McAfee have discovered that this communication uses a custom encrypted protocol on port 443. This is normally utilised by the HTTPS protocol, used by SSL ecommerce transactions.

The cracking techniques used in the assault used multiple malware components, with highly obfuscated code designed to confound security researchers. This marks it out as one of the most sophisticated hacking attacks to date, writes McAfee researcher Guilherme Venere.

"This attack involved very advanced methods, with several pieces of malware working in concert to give the attackers full control of the infected system, at the same time it attempts to disguise itself as a common connection to a secure website," he explains. "This way, the attackers were able to covertly gather all the information they wanted without being discovered."

The backdoor first sends information on registry keys on compromised systems along with the workgroup name of a machine and the version of Windows it is running before awaiting further instructions.

The attack - codenamed Operation Aurora - affected Google and at least 20 other firms, including Adobe, Juniper Networks, Rackspace, Yahoo! and Symantec. Google took the highly unusual step of going public on the attack a week ago, saying the assault on it targeted the webmail accounts of dissidents. In response, Google said it would operate an unfiltered version of its search engine in China and threatened to quit the country entirely.

A number of governments have advised businesses to consider using alternative browsers until Microsoft produces a patch against the vulnerability used in the Operation Aurora attacks. Australia (here) has joined France and Germany in pointing surfers towards either Firefox, Safari or Chrome as alternatives to IE, at least until Redmond issues a fix.

This sort of advice is rare but not unprecedented. CERT in the US advised surfers to use anything but IE in June 2004, as a response to a string of attacks involving the Download.Ject strain of malware, which caused widespread problems at the time.

Microsoft advises users to upgrade to IE8 which, while not immune to the bug used in the Operation Aurora attacks, is "not affected by currently known attacks and exploits due to the improved security protections” in the latest version of Microsoft's browser software.

The Operation Aurora attack targeted systems running IE6, which begs the question of why Google and the other affected concerns were running a version of Microsoft's browser software first released in 2001 and not Chrome. IE6 is famously outdated, and it's tempting to think Google and Yahoo! were only running it because it was the only browser supported by government systems connected with lawful interception (wiretapping). ®

Combat fraud and increase customer satisfaction

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.