Operation Aurora Update – Google, Adobe, and the 0 day flaw in IE

Picture from Benimoto's Flickr photostream

Being that we have been blogging as the story develops, I thought I would create a brief summary of where we stand. We are now approaching the one week point since Google announced it would stop filtering search results in China and would potentially pull out entirely as a result of a malware attack against their systems. From my point of view the summary is hype, misinformation, confusion, and lots of random speculation. Hopefully this post will help some of you sort the wheat from the chaff and make informed decisions on whether you need to react.

What Happened?

With information that has been made available by Google, Adobe, Microsoft, and Verisign iDefense it appears that a coordinated malware attack – dubbed “Operation Aurora” – was made against at least 31 organizations. There was speculation initially that the attack exploited a flaw in Adobe’s Reader software; however, as details have emerged, this has not been proven. It has been confirmed that a previously unknown vulnerability (known as a 0 day flaw) in Microsoft’s Internet Explorer was used to drop malicious payloads on the victim companies’ computers.

This malware was then used to remote control computers belonging to these organizations, attempt to steal intellectual property, and in the case of Google, attempt to gain access to customer data. Google has indicated that users of their services may also have been targeted in attempts to acquire passwords to their services in order to externally compromise their customers’ data. Until others come forward with details, that is all that is known as fact.

The attacks appear to have originated from China and were coordinated through command-and-control servers located in the United States. The servers were hosted by Linode, a virtual server provider, from which similar attacks were perpetrated in the summer of 2009 (and who I host my own web and email services through!). Google has stated they believe the attacks are state sponsored, but to date no evidence of this has been provided.

What can I do to protect myself?

Some have suggested that it is time to give up on Internet Explorer, as it’s simply too insecure to continue with as a default browser. This is a bit of an overreaction as all major browsers have flaws, and have been actively targeted with exploits. France and Germany have also advised users to at least temporarily switch browsers until Microsoft is able to release a fix, although some see this as a political message related to their continued battle over anti-trust with Microsoft.

Although Internet Explorer 6, 7 and 8 are all vulnerable to the flaw, the exploit as circulated only applies to Internet Explorer 6. So, first and foremost, if you haven’t updated to IE 8 yet, now would be an excellent time. Several other technologies in Windows and IE can also protect against this flaw, and others like it. As a best practice, be sure you are using the latest version of IE, enable Protected Mode, use Data Execution Prevention (DEP) and run as a non-privileged user. The malware payloads in this attack do not work properly without administrative privilege. Microsoft has posted an instructional video on how to best secure your IE installation.

Information for Sophos customers

HIPS configurationSophos customers who are using the Buffer Overflow Protection Service (BOPS) are protected against this exploit. It is not enabled by default, so be sure to uncheck “Alert only”.

We are currently detecting web pages that contain malicious code targeted towards this exploit as Troj/ExpJS-N and proactively detect similar malicious JavaScript as Mal/JSShell-B.

If exploitation is successful the attack will attempt to drop malware onto your system. The samples SophosLabs have seen are being detected as Troj/Spy-EY and others are proactively detected as Mal/PCClient-I.


Although exploitation of this vulnerability is not widespread at this time, it likely will be focused on by criminal deviants in a matter of days. Proof-of-concept exploits are circulating that may affect Internet Explorer 7, and a demonstration exploit has already been published for Metasploit. The malware mentioned above is only what we know to have been used, and new attacks could use any variety of malware.

This attack is only unique because of the publicity, and as always I strongly encourage everyone to enable suspicious file detection, buffer overflow protection, and host intrusion prevention to provide the best odds to block not only this attack, but the others we are not talking about and that may come throughout 2010.

Note: Michael Argast has posted a helpful guide on blocking IE6 using Sophos Endpoint Security and Control if you want to ensure all your users are using up to date browsers.

Creative Commons image courtesy of Benimoto’s Flickr photostream