Thursday, January 14, 2010

"Aurora" doesn't sound very Chinese

McAfee dissects the exploit used against Google and other companies operating in China. Given the "social vector" used for initial penetration -- sending emails that appear to come from close associates -- there is an obvious motivation for these hackers to get access to gmail accounts. What's the evidence that this had anything to do with the Chinese government? The McAfee report is careful not to speculate.

If I were a Chinese hacker, wouldn't the filepaths on my development machine have non-English (unicode) characters? I'm sure some readers of this blog would know -- if you develop software in a Chinese language environment, do you use English words or Chinese characters for path and directory names?

Of course, it's possible the attackers just bought the malware from a black hat developer somewhere or have deliberately obfuscated the origin of their code. We need some more forensic information...

McAfee Security Insights Blog: ... the intruders gained access to an organization by sending a tailored attack to one or a few targeted individuals. We suspect these individuals were targeted because they likely had access to valuable intellectual property. These attacks will look like they come from a trusted source, leading the target to fall for the trap and clicking a link or file. That’s when the exploitation takes place, using the vulnerability in Microsoft’s Internet Explorer.

Once the malware is downloaded and installed, it opens a back door that allows the attacker to perform reconnaissance and gain complete control over the compromised system. The attacker can now identify high value targets and start to siphon off valuable data from the company. ...

Operation “Aurora”

I am sure you are wondering about the name “Aurora.” Based on our analysis, “Aurora” was part of the filepath on the attacker’s machine that was included in two of the malware binaries that we have confirmed are associated with the attack. That filepath is typically inserted by code compilers to indicate where debug symbols and source code are located on the machine of the developer. We believe the name was the internal name the attacker(s) gave to this operation. ...


Unknown said...

Steve, your blog seems flushed with lots of funny passion. Maybe you have had a brief glance on the internet discussion atmosphere in China.:) Debate is not a popular course neither in high school nor college, people are not quite good at communication, their noble words exhaust if it lasts little long.

I think the gov should better relax the censorship, at least for some stuff actually not quite sensitive. Or they should do the "work" better, I mean do some work to pick out what they really don't like and give innocent web users , like most on blogspot, a free way.

PS. I just find my google account was hijacked, possibly due to the trick I use to surmount GFW. Sounds like google is really just making fuss on "trivial" stuff:)

Unknown said...

Google vs. China: All the possible WHYs?
Written by Uln on January 14th, 2010

Unknown said...

Links that speak to Google's involvment (partnership) with the intelligence community.

Google has lots to do with intelligence (SF Chron)

Google's Girouard highlights cloud computing's future

Integrating 50 centimeter data from the National Geospatial Intelligence Agency

National Geospatial-Intelligence Agency

Ian Smith said...

You're wrong again Steve. "Aurora" is Chinese for Aloha.

Blog Archive