Wednesday, January 20, 2010

IExplorer 0day CVE-2010-0249 – Exploit-Comele / Hydraq / Aurora

Microsoft has released a Knowledge Base advisory about a possible "0 day" in IExplorer 6, 7 and 8. The issue was used in the recent attack against Google and other big companies, carried out as an Advanced Persistent Threat:

Why is it called Aurora? (older information)

Operation Aurora: Clues in the Code

'Aurora' code circulated for years on English sites

Report: Cyberattackers hit Google staff via friends

Exploit related:
IE 0-Day on GOV.CN

Internet Explorer 0-Day hosted GOV.CN domain

Hex-Rays against Aurora

Python proof of concept:

Metasploit module / ie_aurora.rb

praetorianprefect - Demonstration of exploiting the flaw using the new module from Metasploit:

Additional information about DEP and the Internet Explorer 0day vulnerability

Bypassing Browser Memory Protections - DEP and others - (PDF document)
CVE-2010-0249 DEP/ASLR bypassed:

Another memory protection bypass reference:

DEP and ASLR bypass

Detection Rules:

Sourcefire VRT Rules Update - 2010-01-15

Mitigation strategies:

Microsoft January Out of Band Patch

Note: this out-of-cycle patch also covers the following CVEs:


Security Advisory 979352 – Going out of Band (Microsoft out of band patch)
Code to mitigate exploit:
Green is good, Red is bad (client side):

Malware related:

Aurora PCAP file

The Trojan.Hydraq Incident
An Insight into the Aurora Communication Protocol

Trojan.Hydraq Exposed

Trojan.Hydraq Exposed  part II
News and old news about:

MS knew of Aurora exploit four months before Google attacks

Security Intelligence: Attacking the Kill Chain

Google-China cyber espionage saga – FAQ

Cyber Espionage: Death by 1000 Cuts

France joins Germany warning against Internet Explorer
*Personal note: Firefox is also exposed to several issues of this kind; for more information, the Mozilla Bugzilla repository is a good starting point.

Attacks Continuing Against IE Flaw as Microsoft Preps Patch

More on the IE zero day

IBM ISS Threat Level elevated to AlertCon 2

Security expert: Chinese authorities supported cyber attacks said “Exploit code available for CVE-2010-0249”

Microsoft confirms IE zero-day behind Google attack

Vulnerability in Internet Explorer Could Allow Remote Code Execution

More Details on “Operation Aurora”

Operation “Aurora” Hit Google, Others

0day vulnerability in Internet Explorer 6, 7 and 8

IE zero-day used in Chinese cyber assault on 34 firms

Google Hack Attack Was Ultra Sophisticated

Shellcode related:

A screenshot of shellcode (md5 124722b0369b4a3dd42c6be6ecac425e) that I analyzed using the Wepawet shellcode hex dump, which I used to build it. The following shows the point in the code where the urlmon.dll method is used to download the binary "ad.jpg":


VirusTotal detection for the extracted shellcode above (Comele exploit detected):

Anubis detection for the extracted shellcode above:

Analysis of Trojan.Hydraq, aka "Aurora," against Internet Explorer

Hydraq / Aurora network-related material:
Aurora files:
from pastebin ( and others (at this time are parked)

This post is being updated.


  1. Thanks for the nice blog. This is very useful and interesting. I read this and I myself very much appreciate this blog.

  2. evilfinger URL is a 404.
    the right one is