George Kurtz
Worldwide CTO

Chief Technology Officer & Executive Vice President Former CEO of Foundstone, and current worldwide ...

Read More

Feeds & Podcasts

Corporate Blogs

Meet the Bloggers



#SecChat $1 million guarantee 12 Scams of Christmas access to live fraud resolution agents Acquisition Alex Thurber Android antivirus Apple botnet Channel Partners cloud security Compliance Consumer counter identity theft credit card fraud and protection credit fraud alerts credit monitoring credit monitoring and resolution critical infrastructure Cyber Security Mom cyberbullying Cybercrime cybermom data breach data center data center security Data Protection Dave DeWalt DLP Email & Web Security embedded encryption Endpoint Protection enterprise facebook fake anti-virus software Family Safety global threat intelligence google government Hacktivism how to talk to kids how to talk to teens identity fraud identity fraud scams identity protection identity protection $1 million guarantee identity protection fraud identity protection surveillance identity surveillance identity theft identity theft expert identity theft fraud identity theft protection identity theft protection product Identity thieves and cybercriminals intel iphone kids online behavior lost wallet protection malware McAfee McAfee Channel McAfee Identity Protection McAfee Initiative to Fight Cybercrime McAfee Labs McAfee security products Mid-Market Mobile mobile security monitor credit and personal information Network Security online personal data protection online safety Operation Aurora PCI personal identity theft fraud personal information loss personal information protection phishing privacy proactive identity protection proactive identity surveillance Public Sector restore credit and personal identity Risk and Compliance scam scams scareware security smartphones social media social networking social networks spam Stuxnet twitter vulnerability Web 2.0 work with victim restore identity

Operation “Aurora” Hit Google, Others

Thursday, January 14, 2010 at 3:34pm by George Kurtz

McAfee Labs has been working around the clock, diving deep into the attack we are now calling Aurora that hit multiple companies and was publicly disclosed by Google on Tuesday.  

We are working with multiple organizations that were impacted by this attack as well as the government and law enforcement. As part of our investigation, we analyzed several pieces of malicious code that we have confirmed were used in attempts to penetrate several of the targeted organizations.

New Internet Explorer Zero Day
In our investigation we discovered that one of the malware samples involved in this broad attack exploits a new, not publicly known vulnerability in Microsoft Internet Explorer. We informed Microsoft about this vulnerability and Microsoft published an advisory and a blog post on the matter on Thursday afternoon.

As with most targeted attacks, the intruders gained access to an organization by sending a tailored attack to one or a few targeted individuals. We suspect these individuals were targeted because they likely had access to valuable intellectual property. These attacks look like they come from a trusted source, leading the target to fall for the trap and click a link or open a file. That is when the exploitation takes place, using the vulnerability in Microsoft’s Internet Explorer.

Once the malware is downloaded and installed, it opens a back door that allows the attacker to perform reconnaissance and gain complete control over the compromised system. The attacker can now identify high value targets and start to siphon off valuable data from the company.

Our investigation has shown that Internet Explorer is vulnerable on all of Microsoft’s most recent operating system releases, including Windows 7. Still, so far the attacks we’ve seen using this vector have been focused on Internet Explorer 6. Microsoft has been working with us on this matter and we thank them for their collaboration.

While we have identified the Internet Explorer vulnerability as one of the vectors of attack in this incident, targeted attacks of this kind often involve a cocktail of zero-day vulnerabilities combined with sophisticated social engineering scenarios. So there very well may be other attack vectors that are not known to us at this time. That said, contrary to some reports, our findings to date have not shown a vulnerability in Adobe Reader being a factor in these attacks.

Operation “Aurora”
I am sure you are wondering about the name “Aurora.”  Based on our analysis, “Aurora” was part of the filepath on the attacker’s machine that was included in two of the malware binaries that we have confirmed are associated with the attack. That filepath is typically inserted by code compilers to indicate where debug symbols and source code are located on the machine of the developer. We believe the name was the internal name the attacker(s) gave to this operation. 
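The compiler-inserted debug path described above is a clue a defender can extract and pivot on. As an added example (not McAfee's tooling or code from the original post), the following Python pulls CodeView debug records out of raw PE bytes and flags any whose PDB path contains a chosen build-directory name; the sample bytes and the "Aurora_Example" path are constructed placeholders, not the real path from the Aurora binaries.

```python
import re
import struct
import uuid

# Regexes for the two CodeView record layouts found in PE debug directories:
#   RSDS: 'RSDS' + 16-byte GUID + 4-byte age + NUL-terminated PDB path
#   NB10: 'NB10' + 4-byte offset + 4-byte timestamp + 4-byte age + NUL-terminated path
_RSDS = re.compile(rb"RSDS(.{16})(.{4})([^\x00]{1,260})\x00", re.DOTALL)
_NB10 = re.compile(rb"NB10(.{4})(.{4})(.{4})([^\x00]{1,260})\x00", re.DOTALL)


def extract_pdb_paths(blob):
    """Return a list of dicts describing every CodeView record found in blob."""
    records = []
    for m in _RSDS.finditer(blob):
        records.append({
            "kind": "RSDS",
            "guid": str(uuid.UUID(bytes_le=m.group(1))),  # Windows mixed-endian GUID
            "age": struct.unpack("<I", m.group(2))[0],
            "path": m.group(3).decode("latin-1"),
        })
    for m in _NB10.finditer(blob):
        records.append({
            "kind": "NB10",
            "timestamp": struct.unpack("<I", m.group(2))[0],
            "age": struct.unpack("<I", m.group(3))[0],
            "path": m.group(4).decode("latin-1"),
        })
    return records


def path_components(path):
    """Split a Windows or POSIX build path into lower-cased directory names."""
    return [p.lower() for p in re.split(r"[\\/]+", path) if p]


def flag_build_paths(records, keywords):
    """Return records whose PDB path has a component containing any keyword.
    Sharing a build tree is how the 'Aurora' name tied two binaries to one operation."""
    wanted = {k.lower() for k in keywords}
    return [r for r in records
            if any(k in comp for comp in path_components(r["path"]) for k in wanted)]


# Constructed sample bytes standing in for a PE file: filler, one RSDS record whose
# path names a placeholder 'Aurora_Example' build directory, then an unrelated NB10 record.
SAMPLE_BLOB = (
    b"\x00MZ\x90" * 8
    + b"RSDS" + bytes(range(16)) + struct.pack("<I", 3)
    + b"c:\\build\\Aurora_Example\\Release\\sample.pdb\x00"
    + b"\x00" * 7
    + b"NB10" + struct.pack("<III", 0, 0x4B4F0000, 1)
    + b"d:\\other\\tool.pdb\x00"
)

if __name__ == "__main__":
    for rec in flag_build_paths(extract_pdb_paths(SAMPLE_BLOB), ["aurora"]):
        print(rec["kind"], rec["path"])
```

Running it over real files means reading each binary as bytes; a regex scan over the whole file is deliberately used instead of walking the PE debug directory so that packed or truncated samples still yield the string.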

Changing The Threat Landscape
Blaster, Code Red and other high profile worms are definitely a thing of the past. The current bumper crop of malware is very sophisticated, highly targeted, and designed to infect, conceal access, siphon data or, even worse, modify data without detection.

These highly customized attacks, known as “advanced persistent threats” (APT), were primarily seen by governments, and the mere mention of them strikes fear in any cyberwarrior. They are in fact the equivalent of the modern drone on the battlefield. With pinpoint accuracy they deliver their deadly payload, and once discovered it is too late.

Operation Aurora is changing the cyberthreat landscape once again. These attacks have demonstrated that companies of all sectors are very lucrative targets. Many are highly vulnerable to these targeted attacks that offer loot that is extremely valuable: intellectual property.

Similar to the ATM heist of 2009, Operation Aurora looks to be a coordinated attack on many high profile companies targeting their intellectual property. Like an army of mules withdrawing funds from an ATM, this malware enabled the attackers to quietly suck the crown jewels out of many companies while people were off enjoying their December holidays.  Without question this attack was perpetrated during a period of time that would minimize detection. 

All I can say is wow. The world has changed. Everyone’s threat model now needs to be adapted to the new reality of these advanced persistent threats. In addition to worrying about Eastern European cybercriminals trying to siphon off credit card databases, you have to focus on protecting all of your core intellectual property, private nonfinancial customer information and anything else of intangible value. 

We will continue to provide updates on this event as it continues to unfold.  As I said in my last post, this is only the tip of the iceberg.

(To  get real time updates on this story follow George on Twitter at http://www.twitter.com/george_kurtzCTO)

(Update: Added detail on IE 6 being a primary attack vector at 1.55 PM PT on 01/14/10)
(Update 2: Added link to Microsoft advisory and blog at 6.47 PM PT on 01/14)


Comments (58)

  • Incidentresponder October 13, 2011 6:19AM

    It’s no wonder things don’t ever get fixed. We can’t even get the correct info! As “ARealIncidentResponder” stated below, the actual folks who found this aren’t even mentioned (for good reason actually). Point is that until info within the security field is shared more openly, at least WITHIN the field, then these things will continue to happen, propagate and cause a whole host of problems. It doesn’t help when a lot of supposed security news sources have a lot of way wrong info, whether intentionally or not!

  • Flavio Blanco June 29, 2010 10:30AM

    I’d like to hear more about antihacker101’s comments. Can he provide better facts to support his conclusions, of being part of a botnet? What tools are helping his fight? What technical advice can he pass along to detect worms that aren’t the decoys, botnets and more? While I have often suspected some compromise of hardware firmware or motherboard chips is occurring, what evidence does he have to support this? How can we recognize this kind of infection? What’s the fix, flashing the BIOS? What about deep hard disk sector infections that seemingly survive reformats? Seen any of that?

  • Mike June 21, 2010 3:17PM

    I love how all the “leading” security firms such as the one this site promotes have to scramble, but my “firewall” has been able to block this exploit since 2006.

  • pander May 11, 2010 11:51AM

    Ok, we know the problem, right? And we seem to know some of the fixes, correct? Now I want to know, as do most business-minded folks, how do we profit from this threat? Seems as though “decoys” can be valuable, as is unmined gold ore. But I wonder if they (decoys) can be used to reverse-infect the Chinese or any other origin? This may not be a cure. But it sure would be fun to know we scrambled their eggs for once, and we burned down their kitchens to do it! lol

  • smith April 28, 2010 2:14AM

    Hey folks,
    Thanks a lot for sharing such a nice and informative article. I had gone through the article and also the comment posts, and I agree with the views of KARL. He had mentioned very good views.

    By the way for more information on Security Courses check this link: http://www.eccouncil.org/certification.aspx

  • Open Source GPL WordPress Themes April 8, 2010 10:16AM

    We need security indeed, but unfortunately we still need Windows more. I try switching to other OSes but it always makes me come back to Windows. Sad, isn’t it?

  • webcertain March 18, 2010 7:13AM

    Surely Windows is a flawed system, but I found that AVG is a good antivirus. It also has lots of free products, and it’s easy to use. Worth a try!

  • SimonR February 18, 2010 11:44AM

    @Hindsight. Not sure anyone is expecting perfection. I run a dev org and at least we make an effort to run some reasonable security checks before we release. We also believe in continuous improvement, not cutting corners. I will have to say that the focus/importance placed on security is really driven by the culture of the org. I can say from experience that security is more important in orgs that focus on customer satisfaction vs. orgs that focus on the next big sale.

  • Rotundo Pierluigi February 11, 2010 8:44AM

    I think we have to reengineer the way to look at operating systems now…

    Rotundo Pierluigi

  • antihacker101 February 3, 2010 3:35AM

    False security is all that is happening. I’ve been fighting the botnet longer than anyone. Not only was it being built in my machines (and other hardware and services), but I just learned that I am the command and control center of the botnet. I have info on the worm and hackers.
    If you want to really make a secure full working detectory, you need the info I have. Example: the worm loves decoys. Confickers were made detectable on purpose. The main worm gets in by injecting radio packets into a stream that is picked up by chips on the motherboard and also a hardware exploit from your network connection.

    The main work hijacks what it refers to as global.
    The worm works in layers. They keep monitoring each other. The hackers are not the main hackers. The original hackers attempted to remove the worm a week after April first, after I succeeded in sending a message to a community site revealing the source. It backfired and used kid hackers (given info) to set authorities away from them. Parts of the main worm just started to get addressed in November. The hacker did something to the worm Nov 17 by altering display/LAN/audio drivers and then the ports used changed to port 445 instead of the normal high ports (linked as commands using parsing injections).

  • Mark Aitchison January 31, 2010 6:20PM

    It is really frustrating that security exploits of this sort are going on today, and ill-informed quibbling over blaming an OS or browser is distracting attention from the real problem: software designers took a wrong turn well over a decade ago, making it their priority to add powerful features without enough consideration for the security implications. I do agree that Unix-family operating systems were designed to be secure from the ground up, and were much, much better than MS Windows in general up until roughly Windows 7, after which you cannot make sweeping claims that one is better than the other. But for a long time the problem has been the insecurity of software (and humanware) using the operating systems, and the mindset behind the rush to add bling and capabilities just waiting to be abused. The present discussion about zero-day and other exploits, and IE vs Firefox security, is an echo of discussions mid-2007. Yet the most shocking thing (for the security community) is that steps to prevent many such problems were discussed (in virus-l and elsewhere) well over a decade ago. The only reasons I can think of for sensible security attitudes being ignored is a misguided commercial calculation and a

  • Ken Jackson January 24, 2010 11:30AM

    Internet Explorer and Windows are grave security threats… Corporations concerned with their intellectual property ought to drop Windows like an infected plague-rat.

    You said it, mykle!

    I wish I didn’t have to use Windows-dependent software at work.

  • next123 January 23, 2010 12:21PM

    I hope McAfee brings us a conference paper with the forensics behind this attack. There are too many things that don’t quite make sense.

  • Michael J. Schultz January 22, 2010 2:06PM

    All Aurora did was leverage the insecurity of the internet. This is another way to say security is looked at on a network level and sometimes at a virus check level but rarely at a user level.
    Personal security is usually limited to a PIN or password access by a user. This is how PayPal became the most hacked payment system in the world.
    What is needed is to use authenticated digital identities as access points to the internet. Instead of PINs or passwords create authenticated digital profiles that access via dynamic gateways.
    A virus then cannot automatically send email or information out as it cannot be programmed to mimic the dynamic access.
    For full disclosure, GenMobi has created and patented access through authenticated digital identities.

  • ARealIncidentResponder January 20, 2010 7:25PM

    Pssst… It wasn’t you guys that found the vulnerability. This is not a new attack or family of malware. The world hasn’t changed – you guys finally got wind of it.

  • Hindsight 20/20 January 20, 2010 11:52AM

    @Dave: Hindsight 20/20, eh Dave. I do chuckle at those who always point to not enough thinking, not enough development.

    If it were so simple then I guess there would be perfect products all over the place. Perfect AV products, or perfect OSes and apps, thus not requiring AV in the first place. And as soon as programming perfection becomes a reality then we either start down a road to a single product or multiple perfect products and you just have to select your favorite flavor.

    I hear it all the time. If you test on 5 machines and a bug is found you should have tested 10. If you tested 10 you should have tested 20, if you tested 20 you should have tested 50, and if you tested it so thoroughly it was near perfect it would take forever (paralysis by analysis) and once it came out it would be outdated because someone a little less perfect put theirs out first and you get blasted for taking up too much time developing/testing.

    If only the real world was so black and white.

  • AnnieB January 19, 2010 11:59AM

    Does anyone know the content of the emails sent to corporate staff that caused that staff to click on the seemingly harmless links? Most people are not idiots, and will not click on obviously fraudulent links, so these emails must have been relatively sophisticated.

  • Dave January 18, 2010 1:22PM

    Just amazing. Here we are in 2010 and we are still quibbling over the virtues of which OS or browser technology is better. The problem here is not the technology but rather the people who develop and ultimately use it. There is a fundamental disconnect between the people who develop the coolest, latest new whiz-bang gizmo feature in software, those who use it and those who abuse it. Unfortunately most software development lifecycles either don’t include any security check points or leave security testing to the very end—well after all the flaws are baked in. Until developers start taking secure coding and testing seriously, and end-users remain complacent, we will continue down the path of serious security breaches perpetrated by those with the will, patience, and motivation to exploit software.
    This zero-day is by no means the last. And there are plenty of zero-days baked into all kinds of software other than Microsoft products; they just haven’t been found yet.
    Secure your code people!!!