Wednesday, January 20, 2010

Aurora Attack Malware Components May Be Four Years Old

Dennis Fisher writes on Threatpost.com:

Although the first known attacks using the Aurora malware that compromised Google weren't discovered until late last year, some parts of the malware codebase has been in existence in China for nearly four years, raising questions about how many other attacks it might have been used in during that time frame.

Researcher Joe Stewart of SecureWorks in Atlanta analyzed the Aurora codebase in great detail and found that several components of the malware were written in mid-2006, more than three years before the attacks on Google, Adobe and others were first discovered. The Aurora codebase comprises several discrete modules that each perform separate tasks during the exploitation, installation and remote-control process. Stewart said that although the Aurora malware itself isn't necessarily the most advanced attack tool, the authors, as well as the attackers who used it, knew what they were doing.

"I'd say it's of average sophistication for this kind of Trojan backdoor these days. It's not of any staggering technical complexity," Stewart said in an interview. "But the attackers did some things right. They used the code sparingly in highly targeted attacks, they didn't just use something off the shelf and they didn't pack and encrypt the binaries, because that looks suspicious. Using custom code was a smart move."

More here.

1 Comments:

At Wed Feb 03, 06:07:00 PM PST, Anonymous Anonymous said...

The “Chinese code” fingered by Joe Stewart appears to be a 4-bt (nibble) CRC algorithm that’s been around for years in the embedded world:

http://www.theregister.co.uk/2010/01/26/aurora_attack_origins/

 

Post a Comment

<< Home