Microsoft has released an advisory (KB) about a possible "0-day" affecting Internet Explorer 6, 7 and 8. It is the issue used in the recent attack against Google and other big companies, carried out as an Advanced Persistent Threat:
Why is it called Aurora? (older information)
http://www.chinadaily.com.cn/world/2007-09/27/content_6139437.htm
Operation Aurora: Clues in the Code
http://www.secureworks.com/research/blog/index.php/2010/01/20/operation-aurora-clues-in-the-code/
'Aurora' code circulated for years on English sites
http://www.theregister.co.uk/2010/01/26/aurora_attack_origins/
Report: Cyberattackers hit Google staff via friends
http://news.zdnet.co.uk/security/0,1000000189,40005860,00.htm?s_cid=248
Exploit related:
IE 0-Day on GOV.CN
http://research.zscaler.com/2010/01/ie-0-day-on-govcn.html
Internet Explorer 0-Day hosted GOV.CN domain
http://www.thetechherald.com/article.php/201004/5142/Internet-Explorer-0-Day-hosted-GOV-CN-domain
Hex-Rays against Aurora
http://hexblog.com/2010/01/hexrays_against_aurora.html
Python proof of concept:
http://packetstormsecurity.org/1001-exploits/ie_aurora.py.txt
Metasploit module / ie_aurora.rb
http://blog.metasploit.com/2010/01/reproducing-aurora-ie-exploit.html
http://www.metasploit.com/redmine/projects/framework/repository/revisions/8136/entry/modules/exploits/windows/browser/ie_aurora.rb
praetorianprefect - Demonstration of exploiting the flaw using the new module from Metasploit:
http://praetorianprefect.com/archives/2010/01/the-aurora-ie-exploit-in-action/
Additional information about DEP and the Internet Explorer 0day vulnerability
http://blogs.technet.com/srd/archive/2010/01/18/additional-information-about-dep-and-the-internet-explorer-0day-vulnerability.aspx
Bypassing Browser Memory Protections - DEP and others - (PDF document)
http://taossa.com/archive/bh08sotirovdowd.pdf
CVE-2010-0249 DEP/ASLR bypassed:
http://twitter.com/dinodaizovi
Another memory protection bypass reference:
http://www.corelan.be:8800/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/
DEP and ASLR bypass
http://blog.trendmicro.com/new-exploit-bypasses-aslr-and-dep/
Detection Rules:
Sourcefire VRT Rules Update - 2010-01-15
http://www.snort.org/vrt/advisories/2010/01/15/vrt-rules-2010-01-15.html/
Mitigation strategies:
Microsoft January Out of Band Patch
http://www.microsoft.com/technet/security/bulletin/MS10-002.mspx
Note: this out-of-cycle patch also covers the following CVEs:
CVE-2009-4074
CVE-2010-0027
CVE-2009-0244
CVE-2009-0245
CVE-2009-0246
CVE-2009-0247
CVE-2009-0248
CVE-2009-0249
Security Advisory 979352 – Going out of Band (Microsoft out of band patch)
http://blogs.technet.com/msrc/archive/2010/01/19/security-advisory-979352-going-out-of-band.aspx
Code to mitigate the exploit:
http://www.securityfocus.com/archive/1/508961
Green is good, red is bad (client side):
http://www.mywot.com
Malware related:
Aurora PCAP file
https://www.evilfingers.com/projects/pcaps_beta.php
The Trojan.Hydraq Incident
http://www.symantec.com/connect/blogs/trojanhydraq-incident
An Insight into the Aurora Communication Protocol
http://www.avertlabs.com/research/blog/index.php/2010/01/18/an-insight-into-the-aurora-communication-protocol/
Trojan.Hydraq Exposed
http://blog.threatexpert.com/2010_01_01_archive.html
Trojan.Hydraq Exposed part II
http://blog.threatexpert.com/2010/01/trojanhydraq-part-ii.html
Roarur.dr
http://vil.nai.com/vil/content/v_253415.htm
Exploit-Comele
http://vil.nai.com/vil/content/v_253210.htm
News and older news:
MS knew of Aurora exploit four months before Google attacks
http://www.theregister.co.uk/2010/01/22/aurora_exploit_known_months/
Security Intelligence: Attacking the Kill Chain
https://blogs.sans.org/computer-forensics/2009/10/14/security-intelligence-attacking-the-kill-chain/
Google-China cyber espionage saga – FAQ
http://blogs.zdnet.com/security/?p=5259&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+zdnet%2Fsecurity+%28ZDNet+Zero+Day%29&utm_content=Twitter
Cyber Espionage: Death by 1000 Cuts
http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20100119
France joins Germany warning against Internet Explorer
http://news.bbc.co.uk/2/hi/technology/8465038.stm
*Personal note: Firefox is exposed to several issues of this kind; for more information, the Mozilla Bugzilla repository is a good starting point.
Attacks Continuing Against IE Flaw as Microsoft Preps Patch
http://threatpost.com/en_us/blogs/attacks-continuing-against-ie-flaw-microsoft-preps-patch-011810
More on the IE zero day
http://www.sophos.com/blogs/sophoslabs/?p=8227
IBM ISS Threat Level elevated to AlertCon 2
https://webapp.iss.net/gtoc/index.html
Security expert: Chinese authorities supported cyber attacks
http://blogs.zdnet.com/BTL/?p=29667
Incidents.org said “Exploit code available for CVE-2010-0249”
http://isc.sans.org/diary.html?storyid=8002
Microsoft confirms IE zero-day behind Google attack
http://www.networkworld.com/news/2010/011510-microsoft-confirms-ie-zero-day-behind.html
Vulnerability in Internet Explorer Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/979352.mspx
More Details on “Operation Aurora”
http://www.avertlabs.com/research/blog/index.php/2010/01/14/more-details-on-operation-aurora/
Operation “Aurora” Hit Google, Others
http://siblog.mcafee.com/cto/operation-%E2%80%9Caurora%E2%80%9D-hit-google-others/
0day vulnerability in Internet Explorer 6, 7 and 8
http://isc.sans.org/diary.html?storyid=7993
IE zero-day used in Chinese cyber assault on 34 firms
http://www.theregister.co.uk/2010/01/14/cyber_assault_followup/
Google Hack Attack Was Ultra Sophisticated
http://www.wired.com/threatlevel/2010/01/operation-aurora
Shellcode related:
wepawet
http://wepawet.iseclab.org/view.php?hash=1aea206aa64ebeabb07237f1e2230d0f&type=js
A screenshot of the shellcode (md5 124722b0369b4a3dd42c6be6ecac425e) that I analyzed using the wepawet shellcode hex dump and built with http://sandsprite.com/shellcode_2_exe.php. The following shows the point in the code where the urlmon.dll method is used to download the binary "ad.jpg":
[Screenshot: shellcode at the urlmon.dll download call for "ad.jpg"]
VirusTotal detection for the extracted shellcode above (Comele exploit detected):
http://www.virustotal.com/analisis/d6507cef78269e631e7b6dc746fae49551962a11d80efbfd2ed13f21e00f6eb2-1263694821
Anubis detection for the extracted shellcode above:
http://anubis.iseclab.org/?action=result&task_id=1936ee7010fa1ae340d09531cafb64d66&format=
Analysis of Trojan.Hydraq , aka "Aurora," against Internet Explorer
http://www.wilderssecurity.com/showthread.php?p=1608756
Hydraq / Aurora network-related indicators:
Aurora files:
http://www.security.nl/files/aurorafiles.txt
from pastebin (http://pastebin.com/maad7ac3):
203.69.41.0/26
203.69.41.64/27
203.69.66.0/27
203.69.68.96/27
203.69.68.128/25
72.32.6.235
360.homeunix.com and others (parked at this time)
http://www.symantec.com/security_response/writeup.jsp?docid=2010-011114-1830-99&tabid=2
yahooo.8866.org (AS4766 KT-NET KORnet)
sl1.homelinux.org
360.homeunix.com
ftp2.homeunix.com
update.ourhobby.com
blog1.servebeer.com
This post is being updated.
Thanks for the nice blog. This is very useful and interesting. I read this and I myself appreciate this blog very much.
The evilfinger url is a 404.
The right one is https://www.evilfingers.com/repository/pcaps.php