Feeds

IE6 exposed as Google China malware unpicked

Why search engine giant was using IE6 remains a mystery

5 things you didn’t know about cloud backup

Fresh analysis has revealed the sophistication of malware used in attacks against Google and other hi-tech firms originating from China last month.

It's now known that the attack took advantage of a zero-day vulnerability in Internet Explorer - CVE-2010-0249 - to drop malware onto compromised systems. After backdoor components (malicious Windows library files) are loaded, pwned systems attempt to contact command and control (C&C) servers.

Security analysts at McAfee have discovered that this communication uses a custom encrypted protocol on port 443. This is normally utilised by the HTTPS protocol, used by SSL ecommerce transactions.

The cracking techniques used in the assault used multiple malware components, with highly obfuscated code designed to confound security researchers. This marks it out as one of the most sophisticated hacking attacks to date, writes McAfee researcher Guilherme Venere.

"This attack involved very advanced methods, with several pieces of malware working in concert to give the attackers full control of the infected system, at the same time it attempts to disguise itself as a common connection to a secure website," he explains. "This way, the attackers were able to covertly gather all the information they wanted without being discovered."

The backdoor first sends information on registry keys on compromised systems along with the workgroup name of a machine and the version of Windows it is running before awaiting further instructions.

The attack - codenamed Operation Aurora - affected Google and at least 20 other firms, including Adobe, Juniper Networks, Rackspace, Yahoo! and Symantec. Google took the highly unusual step of going public on the attack a week ago, saying the assault on it targeted the webmail accounts of dissidents. In response, Google said it would operate an unfiltered version of its search engine in China and threatened to quit the country entirely.

A number of governments have advised businesses to consider using alternative browsers until Microsoft produces a patch against the vulnerability used in the Operation Aurora attacks. Australia (here) has joined France and Germany in pointing surfers towards either Firefox, Safari or Chrome as alternatives to IE, at least until Redmond issues a fix.

This sort of advice is rare but not unprecedented. CERT in the US advised surfers to use anything but IE in June 2004, as a response to a string of attacks involving the Download.Ject strain of malware, which caused widespread problems at the time.

Microsoft advises users to upgrade to IE8 which, while not immune to the bug used in the Operation Aurora attacks, is "not affected by currently known attacks and exploits due to the improved security protections” in the latest version of Microsoft's browser software.

The Operation Aurora attack targeted systems running IE6, which begs the question of why Google and the other affected concerns were running a version of Microsoft's browser software first released in 2001 and not Chrome. IE6 is famously outdated, and it's tempting to think Google and Yahoo! were only running it because it was the only browser supported by government systems connected with lawful interception (wiretapping). ®

The essential guide to IT transformation

More from The Register

next story
One HUNDRED FAMOUS LADIES exposed NUDE online
Celebrity women victimised as Apple iCloud accounts reportedly popped
Rubbish WPS config sees WiFi router keys popped in seconds
Another day, another way in to your home router
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NZ Justice Minister scalped as hacker leaks emails
Grab your popcorn: Subterfuge and slur disrupts election run up
HP: NORKS' cyber spying efforts actually a credible cyberthreat
'Sophisticated' spies, DIY tech and a TROLL ARMY – report
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?