Chinese Cyber-Attacks Came Through New IE Flaw

The cyber-attack that made Google reconsider its policy of co-operating with the Chinese government may have used a flaw in Microsoft’s Internet Explorer, according to one security vendor’s analysis, while others suggest PDFs were used to attack Adobe Reader.

According to a report from McAfee, which dubs the situation “Operation Aurora,” one of the malware samples involved in the attack exploited a new zero-day vulnerability in Microsoft Internet Explorer. McAfee revealed little about the flaw, stating only that its investigation showed IE is vulnerable on all of Microsoft’s operating systems, including Windows 7.

“Once the malware is downloaded and installed, it opens a back door that allows the attacker to perform reconnaissance and gain complete control over the compromised system,” said McAfee CTO George Kurtz in a blog post. “The attacker can now identify high-value targets and start to siphon off valuable data from the company.”

Microsoft released some additional details about the vulnerability, which the company said is an invalid pointer reference within IE. According to Microsoft, the vulnerability affects IE versions 6, 7 and 8. The attacks the company has seen are reported to be targeting IE 6.

Talk of an IE vulnerability follows reports from other vendors that the attackers launched a spear-phishing campaign using Adobe Reader attachments. McAfee said it has not uncovered any evidence that a Reader vulnerability was exploited in the attacks.

However, according to VeriSign’s iDefense Labs, malicious PDFs were involved, and Google followed the attack code back to the drop servers and determined that the attack hit an additional 33 companies.

“According to sources familiar with the present attack, attackers delivered malicious code used against Google and others using PDFs as e-mail attachments; those same sources also claim that the files have similar characteristics to those distributed during the July attacks,” iDefense said in a report. “In both attacks, the malicious files drop a backdoor Trojan in the form of a Windows DLL.”

iDefense also noted similarities to a July 2009 attack in which hackers launched targeted e-mail campaigns against 100 IT-focused companies via a zero-day vulnerability in Reader.

“The code samples obtained by iDefense from the July attack and the present attack are different, but they contact two similar hosts for command-and-control communication,” the iDefense report continued. “The servers used in both attacks employ the HomeLinux DynamicDNS provider, and both are currently pointing to IP addresses owned by Linode, a US-based company that offers Virtual Private Server hosting. The IP addresses in question are within the same subnet, and they are six IP addresses apart from each other.

“Considering this proximity, it is possible that the two attacks are one and the same, and that the organisations targeted in the Silicon Valley attacks have been compromised since July,” the report concluded.
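The infrastructure overlap iDefense describes (two command-and-control hosts on the same dynamic-DNS provider, resolving into the same subnet a handful of addresses apart) is a routine pivot in incident response. The script below is an added example, not code from the article, McAfee or iDefense: it takes passive-DNS style observations from two campaigns and reports host pairs that share a dynamic-DNS provider and resolve into the same /24, with the address distance between them. The hostnames, provider suffix, campaign labels and RFC 5737 documentation addresses are all constructed for illustration, and the distance threshold of 16 is an assumption, not a value from the report.

```python
"""Correlate command-and-control hosts by dynamic-DNS provider and IP proximity.

Added example; not part of the eWEEK article or the iDefense report. All
records below are constructed: hostnames and the provider suffix are invented
and the addresses come from RFC 5737 documentation ranges.
"""
import ipaddress
from collections import defaultdict
from itertools import combinations

# Constructed passive-DNS style observations: (campaign, hostname, resolved IP).
# In a real investigation these come from sandbox network captures or pDNS data.
OBSERVATIONS = [
    ("july-2009", "update-srv.dyn-example.test", "203.0.113.20"),
    ("aurora-2010", "news-cdn.dyn-example.test", "203.0.113.26"),
    ("unrelated", "mirror.dyn-example.test", "198.51.100.7"),
    ("unrelated", "cdn.static-example.test", "203.0.113.200"),
]

# Dynamic-DNS provider suffixes treated as "same provider" (constructed).
DYNDNS_SUFFIXES = ("dyn-example.test",)


def provider_of(hostname):
    """Return the dynamic-DNS suffix a hostname belongs to, or None."""
    for suffix in DYNDNS_SUFFIXES:
        if hostname == suffix or hostname.endswith("." + suffix):
            return suffix
    return None


def address_distance(ip_a, ip_b):
    """Number of addresses between two IPs (6 for .20 and .26)."""
    return abs(int(ipaddress.ip_address(ip_a)) - int(ipaddress.ip_address(ip_b)))


def same_subnet(ip_a, ip_b, prefix=24):
    """True when ip_b lies in the /prefix network that contains ip_a."""
    net = ipaddress.ip_network(f"{ip_a}/{prefix}", strict=False)
    return ipaddress.ip_address(ip_b) in net


def correlate(observations, max_distance=16, prefix=24):
    """Return pairs of observations from different campaigns that share a
    dynamic-DNS provider and resolve into the same subnet within
    max_distance addresses of each other (threshold is an assumption)."""
    by_provider = defaultdict(list)
    for obs in observations:
        prov = provider_of(obs[1])
        if prov:
            by_provider[prov].append(obs)

    hits = []
    for prov, group in by_provider.items():
        for a, b in combinations(group, 2):
            if a[0] == b[0]:
                continue  # same campaign; nothing new to link
            if not same_subnet(a[2], b[2], prefix):
                continue
            dist = address_distance(a[2], b[2])
            if dist <= max_distance:
                hits.append({
                    "provider": prov,
                    "campaigns": (a[0], b[0]),
                    "hosts": (a[1], b[1]),
                    "ips": (a[2], b[2]),
                    "distance": dist,
                })
    return hits


if __name__ == "__main__":
    for hit in correlate(OBSERVATIONS):
        print(f"{hit['campaigns']} share {hit['provider']}: "
              f"{hit['ips'][0]} and {hit['ips'][1]} are {hit['distance']} apart")
```

Treat a hit from this check as a lead, not a conclusion: a VPS provider hands adjacent addresses to unrelated customers all the time, so proximity only becomes meaningful when it lines up with other overlaps such as the shared provider, the DLL-backdoor tradecraft and the timing that iDefense also cites.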


Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved

