Feeds

IE6 exposed as Google China malware unpicked

Why search engine giant was using IE6 remains a mystery

The Essential Guide to IT Transformation

Fresh analysis has revealed the sophistication of malware used in attacks against Google and other hi-tech firms originating from China last month.

It's now known that the attack took advantage of a zero-day vulnerability in Internet Explorer - CVE-2010-0249 - to drop malware onto compromised systems. After backdoor components (malicious Windows library files) are loaded, pwned systems attempt to contact command and control (C&C) servers.

Security analysts at McAfee have discovered that this communication uses a custom encrypted protocol on port 443. This is normally utilised by the HTTPS protocol, used by SSL ecommerce transactions.

The cracking techniques used in the assault used multiple malware components, with highly obfuscated code designed to confound security researchers. This marks it out as one of the most sophisticated hacking attacks to date, writes McAfee researcher Guilherme Venere.

"This attack involved very advanced methods, with several pieces of malware working in concert to give the attackers full control of the infected system, at the same time it attempts to disguise itself as a common connection to a secure website," he explains. "This way, the attackers were able to covertly gather all the information they wanted without being discovered."

The backdoor first sends information on registry keys on compromised systems along with the workgroup name of a machine and the version of Windows it is running before awaiting further instructions.

The attack - codenamed Operation Aurora - affected Google and at least 20 other firms, including Adobe, Juniper Networks, Rackspace, Yahoo! and Symantec. Google took the highly unusual step of going public on the attack a week ago, saying the assault on it targeted the webmail accounts of dissidents. In response, Google said it would operate an unfiltered version of its search engine in China and threatened to quit the country entirely.

A number of governments have advised businesses to consider using alternative browsers until Microsoft produces a patch against the vulnerability used in the Operation Aurora attacks. Australia (here) has joined France and Germany in pointing surfers towards either Firefox, Safari or Chrome as alternatives to IE, at least until Redmond issues a fix.

This sort of advice is rare but not unprecedented. CERT in the US advised surfers to use anything but IE in June 2004, as a response to a string of attacks involving the Download.Ject strain of malware, which caused widespread problems at the time.

Microsoft advises users to upgrade to IE8 which, while not immune to the bug used in the Operation Aurora attacks, is "not affected by currently known attacks and exploits due to the improved security protections” in the latest version of Microsoft's browser software.

The Operation Aurora attack targeted systems running IE6, which begs the question of why Google and the other affected concerns were running a version of Microsoft's browser software first released in 2001 and not Chrome. IE6 is famously outdated, and it's tempting to think Google and Yahoo! were only running it because it was the only browser supported by government systems connected with lawful interception (wiretapping). ®

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Tor attack nodes RIPPED MASKS off users for 6 MONTHS
Traffic confirmation attack bared users' privates - but to whom?
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.