Sunday, January 31, 2010

Google Inc. Zero Day Exploit Information

Written By: Boris Vaynberg & Avi Bashan

On January 12, 2010, Google announced that its systems had been hit by a sophisticated attack that most likely originated in China (http://googleblog.blogspot.com/2010/01/new-approach-to-china.html). The attack combined known attack vectors in what is known as an Advanced Persistent Threat (APT): an attack backed by large resources that uses coordinated elements of customized malicious code capable of targeting a wide range of security software. The blog post noted that this was not an isolated incident, but rather a deliberate attack launched against over 30 leading companies, including Adobe, Juniper, and other leading international technology, media, finance, and security companies (http://unsafebits.com/2010/01/15/china-related-cyber-attacks-on-major-firms-day-3/).

An internal investigation by Google revealed that the attackers used a previously unknown weakness (also known as a Zero Day Exploit) in the Internet Explorer browser (affecting all current versions from version 6.0 onward) and in Adobe Acrobat Reader (affecting all versions prior to 8.0) in order to implant a Trojan horse. This Trojan horse transmitted information over an encrypted channel on port 443 (http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0249).

A little over a week ago (last Thursday), Microsoft released a critical security patch for this weakness (MS10-002) (http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx). It was also publicized that the malicious code had leaked to the Internet and is currently available to the general public. Adobe also released a security update (APSB10-02) for Acrobat Reader.

Upon analysis of the attack files, McAfee discovered that the code was compiled from a folder named Aurora, and therefore it is assumed that this is the name that was given to this operation by the attackers (http://www.mcafee.com/us/threat_center/operation_aurora.html).

The Aurora attack was divided into two separate vectors which are not necessarily dependent on each other.

The first is the weakness vector, which enables the malicious code to be run on any target system; the second is the malicious component installed on the system, in this case the Trojan horse, which provides malicious access to the information stored within the target system.

The first vector exploits two different weaknesses on the target computer, which enable the installation of the Trojan. The first weakness is the existing vulnerability in the IE browser, as previously mentioned. The second is a weakness in the popular file reader, Adobe Acrobat PDF Reader.

Many companies have treated this series of events quite seriously and have deemed them significant. This is not because they represent a technological breakthrough in the field of information security (the discovery of these types of previously unknown weaknesses is prevalent in common and widely used software such as IE, Adobe PDF Reader, and others), but because this attack technique had not previously been launched against commercial companies on such a large scale. In addition, there is cause for concern: it is considerably likely that the information stolen as a result of these attacks is sensitive and valuable intellectual property belonging to the companies involved.

These recent events require us to reevaluate the map of threats we help our clients deal with on a daily basis, and raise important questions, such as:

- How effective are current systems against these types of attack (Zero Day Exploits)?
- How can we know what is running within our networks at any given time, and where and how internal company information exits our internal networks?



Is this attack relevant to me, and how can I defend myself against it?


Defense against this attack is no different from defense against the various attacks carried out on the Internet on a daily basis.

Defense against this attack is divided into two main elements, which address each of the vectors used in this attack.

1. Defense against weaknesses: the latest software security patches for all products in use should be installed regularly by your company.
• The IE security update can be downloaded by following this link: www.microsoft.com/technet/security/bulletin/ms10-002.mspx
• If Adobe Acrobat Reader is used in your organization, version 8.0 of the product should be installed. This installation can be found at the following link: http://get.adobe.com/reader.

2. Defense against Trojan horses or any other malware that has infiltrated your company network can be performed in the following manner:
• Update antivirus signatures installed on organizational computers.
• Manually remove the Hydraq Trojan from client computers.
• Monitor the data exit points from the organization's network to prevent data leakage.
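
One way to start monitoring exit points, and to answer the earlier question of where internal information leaves the network, is to review outbound port 443 flows for upload-heavy traffic to destinations that are not on an approved list. The sketch below is an added example, not part of the original post; the flow-record format, internal address range, allowlist and thresholds are all assumptions, and the sample records are constructed.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample flow records (assumed export format, not from the post):
# src_ip,dst_ip,dst_port,bytes_out,bytes_in
SAMPLE_FLOWS = """\
10.0.0.5,203.0.113.10,443,1200,48000
10.0.0.5,203.0.113.10,443,900,52000
10.0.0.7,198.51.100.77,443,4800000,3000
10.0.0.7,198.51.100.77,443,5100000,2500
10.0.0.9,198.51.100.77,80,700,9000
10.0.0.8,10.0.0.20,443,9000000,100
"""

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address range
KNOWN_GOOD = {"203.0.113.10"}                  # assumed allowlist of approved destinations


def suspicious_egress(flow_text, min_bytes_out=1_000_000, min_ratio=10.0):
    """Return (src, dst, bytes_out, bytes_in) for upload-heavy port 443 egress."""
    totals = defaultdict(lambda: [0, 0])
    for row in csv.reader(io.StringIO(flow_text)):
        if len(row) != 5:
            continue  # skip blank or malformed records
        src, dst, port, out_b, in_b = row
        if int(port) != 443:
            continue  # only the encrypted channel the post describes
        if ipaddress.ip_address(src) not in INTERNAL:
            continue  # only traffic that originates inside the network
        if ipaddress.ip_address(dst) in INTERNAL or dst in KNOWN_GOOD:
            continue  # internal or approved destination, not an unknown exit
        totals[(src, dst)][0] += int(out_b)
        totals[(src, dst)][1] += int(in_b)
    findings = []
    for (src, dst), (out_b, in_b) in totals.items():
        # Ordinary browsing downloads far more than it uploads; flag the reverse.
        if out_b >= min_bytes_out and out_b / max(in_b, 1) >= min_ratio:
            findings.append((src, dst, out_b, in_b))
    return sorted(findings, key=lambda f: f[2], reverse=True)


if __name__ == "__main__":
    for src, dst, out_b, in_b in suspicious_egress(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:443 sent {out_b} bytes, received {in_b}")
```

A hit is a lead for review rather than proof of a Trojan; legitimate uploads and backups over HTTPS will also match until their destinations are added to the allowlist.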

For more information contact: info@comsecglobal.com