Hackers used IE zero-day, not PDF, in China-Google attacks

McAfee blames unpatched IE bug; Microsoft to release security advisory later today

Hackers exploited an unpatched vulnerability in Microsoft's Internet Explorer (IE) browser to break into some of the firms targeted in a widespread attack that compromised Google's and Adobe's corporate networks, McAfee said today.

According to Dmitri Alperovitch, vice president of threat research at McAfee, the unpatched vulnerability in IE was the only exploit used to hack into several of the companies attacked in December and early January. McAfee did not collaborate with all victims of the attacks -- researchers from VeriSign iDefense have put the total at 33 -- but in all its cases the evidence was the same.

"There could be other forms of attacks," Alperovitch said, "but in all we investigated, it was the same kind of attack, and the same exploit of IE, which was the only exploit we have found in all the malware we have examined."

Alperovitch said that Microsoft would release additional information about the IE vulnerability in a later security advisory. Other sources, who asked to remain anonymous because they were not officially allowed to comment, said that Microsoft would release its advisory today.

A Microsoft spokesman declined to confirm that the company would issue an advisory Thursday, saying only that "Microsoft is investigating these reports and will provide more information when it is available."

The nuts and bolts of the attacks have been of interest because of Google's announcement Tuesday that attacks last month made off with intellectual property from its corporate network, and also tried to access the Gmail accounts of Chinese human rights activists. Google said it had proof that the attacks originated in China. As a result, Google said it was reevaluating its business in the country, and might pull out of the market.

That same day, Adobe admitted that its company's computers had also been hacked, and said that the attack that hit it Jan. 2 was related to the Google attack.

Computerworld reported earlier this week that Google and Adobe, the only two companies to have stepped forward thus far to acknowledge the attacks, were hacked using malicious PDF files that exploited a zero-day vulnerability in Adobe's popular Reader software.

According to Mikko Hypponen, the chief technology officer of F-Secure, the exploited flaw was the one of eight that Adobe patched Tuesday. That bug had been public knowledge since mid-December, and had been exploited in targeted attacks -- the very kind that broke into Google, Adobe and others -- since sometime in November.

Alperovitch, however, rejected the idea that a rogue PDF was at the root of the attacks. "We have not seen, in all the organizations we've worked with on this, and there were multiple, any PDF files associated with the attack," he said.

In all the instances that McAfee investigated, the attacks began with a standard social engineering twist that duped a user -- in these cases, workers at the targeted companies -- to click on a link. "We don't know how that link arrived, maybe in a message in his inbox," said Alperovitch, "but at some point the user visited a malicious site."

That's when bad things began to happen.

If the user was running IE -- which is the dominant browser in enterprises -- simply visiting the site triggered the exploit. The exploit then dropped a piece of malware on the now-compromised machine, "phoned home" to a command-and-control server, and downloaded additional second-stage malware. The malware arrived encrypted, said Alperovitch, was decrypted by the exploit code, then opened yet another backdoor channel to a different server.

With its tentacles around the compromised PC, the malware scoured the company's network, gathering usernames, passwords, confidential information and other data. "This is very sophisticated on a number of levels," said Alperovitch. "It's very well done. We've never seen anything this good in the commercial space. In [attacks on] government, yes, but not commercial."

According to McAfee's research, time stamps in the malware's command-and-control log files indicated that the attacks began in mid-December and ended Jan. 4, when the hackers' servers were shut down.

"The attacks went on all through the holidays," said Alperovitch, who pointed out that that was a perfect time for a massive, coordinated strike against Western enterprises because of the holidays and resulting short staffing of security departments.

McAfee's investigators pinned the name "Aurora" on the attacks, citing a file path that was included in the code of two of the malware binaries it examined. File paths are often inserted by code compiler to note where debug symbols and source code is located on the developer's machine. "We believe the name was the internal name the attacker(s) gave to this operation," said George Kurtz, the chief technology officer of McAfee, in a blog posted today.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, send e-mail to gkeizer@ix.netcom.com or subscribe to Gregg's RSS feed .

FREE Computerworld Insider Guide: IT Certification Study Tips
Join the discussion
Be the first to comment on this article. Our Commenting Policies