Experts getting close to uncovering Aurora's secrets
By Hugo Jean, Heptacube Inc.
2010-02-12 16:57:51
The threat behind the attacks on Google and others is still at large, but security experts are slowly finding patterns that will reveal the identity of its creator.
Security firms have already pointed out that there is some evidence that the "Aurora" malware was developed by Chinese hackers to perpetrate attacks on several high-profile companies' networks. These attacks aimed at stealing intellectual property from those companies, and they were successful. DarkReading has now announced that the investigations are going well and that experts at HBGary are uncovering more and more details about Aurora.

One important point in HBGary's report about Aurora is that many attacks have been linked to the dynamic DNS services offered by 3322.org. The report also says that "the owner is Peng Yong, a Mandarin speaker who may have some programming background with such algorithms" as the CRC algorithm used in Aurora, which has been found to bear marks of Chinese origin. Moreover, "over the last year, HBGary has analyzed thousands of distinct malware samples that communicate with 3322.org." However, Greg Hoglund, founder and CEO of HBGary, said his company did not include these markers in its report "because [they] don't want [the attacker] to know what [they] know about his coding."

Worthy of note is that the exploit code for the Aurora vulnerability in Internet Explorer 6 was made public last month, so other attempts at creating malware have been made using the same code. But according to Hoglund, HBGary can separate those from the original Aurora malware because such "copies" would not carry the so-called markers.

Security firm Mandiant maintains that it can relate the attacks to China too, although it also puts Aurora in the same basket as other Advanced Persistent Threats (APT). "The groups behind these attacks have hacked hundreds of companies", according to its CEO Kevin Mandia. But while HBGary refers to technical evidence to point out Chinese involvement, Mandiant links Aurora to China mainly because it is seeing some particular "patterns". Mandia describes those patterns in one clear statement: "if you're doing merger and acquisition work in China, you're targeted."

In conclusion, it is important to remember that while it may be tempting to associate Aurora with the Chinese government, that government is not necessarily involved. Of course, there are clues that it might at least be secretly backing the operation, mainly when we consider its violent response to Google's announcement that it might close its China offices. But HBGary's report maintains that, despite the fact that "it is highly probable that the malware was developed in native Chinese language, and the operation control system is designed for Chinese users, indicating the entire operation is Chinese[,] this does not, however, mean the Chinese Government is using the system." This whole story is not over yet...