An analysis of the Aurora Internet Explorer Zero Day Attack (aka Google China Attack) and possible solutions for corporations.

1. AURORA ZERO DAY EXPLOIT OVERVIEW Providing Comprehensive Systems and Network Security http://www.locked.com (877) 744-3444 Mission Critical Systems, Inc. www.locked.com 877-744-3444 © 2009 Mission Critical Systems.

3. Aurora Internet Explorer Zero-Day Attack The Aurora attacks leveraged a combination of previously unknown vulnerabilities in Internet Explorer (IE6, IE7, and IE8) on Windows (XP, Vista, and 7) – as well as nearly a dozen pieces of malware and several levels of encryption to burrow deeply into company networks and obscure their activity. As early as December 2009, emails containing links to malicious websites which exploited this vulnerability were sent to Google, Adobe, and approximately 30 other companies in a spearphishing attack. When users clicked on the links, a piece of exploit code on the web site attacked the vulnerability and installed an initial infection of malware onto the users machine. www.locked.com 877-744-3444 © 2009 Mission Critical Systems.

4. Aurora Internet Explorer Zero-Day Attack Once the malware was installed on the machine, additional malicious code was downloaded. One of the malicious programs established an encrypted SSL connection to the hackers network. This remote backdoor allowed the hacker unfettered and undetectable access to the users machine. This allowed the attackers ongoing access to the computer and to use it as a “beachhead” into other parts of the network to search for login credentials, intellectual property and whatever else they were seeking. It is believed that the attackers were targeting source-code repositories of many of the companies and succeeded in reaching their target in many cases. www.locked.com 877-744-3444 © 2009 Mission Critical Systems.

5. Aurora Internet Explorer Zero-Day Attack The Aurora attach is an example of an Advanced Persistent Threat : • Advanced means the adversary can operate in the full spectrum of computer intrusion. • Persistent means the adversary is formally tasked to accomplish a mission. • Threat means the adversary is not a piece of mindless code. Since the code is now publicly available, we expect the number of attacks of this type will grow with time. It is also expected that the next wave of attacks to come from cybercriminals whose techniques are equally sophisticated, but whose motives are somewhat different. They will most certainly be hunting for data, but it will be for monetary gain rather than information gathering. Essentially, the attack is ongoing. www.locked.com 877-744-3444 © 2009 Mission Critical Systems.

6. Aurora Internet Explorer Risk by Platform DEP = Data Execution Prevention (DEP) is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system. The primary benefit of DEP is to help prevent code execution from data pages. Typically, code is not executed from the default heap and the stack. Hardware-enforced DEP detects code that is running from these locations and raises an exception when execution occurs. Software-enforced DEP can help prevent malicious code from taking advantage of exception-handling mechanisms in Windows. www.locked.com 877-744-3444 © 2009 Mission Critical Systems.

8. Video of the Exploit in Action www.locked.com 877-744-3444 © 2009 Mission Critical Systems. Courtesy McAfee : http://www.youtube.com/watch?v=53Yv-xAdstc

11. Exploit Packs Hackers are sharing code and tools. ‘Exploit packs’ suggest a new level of sophistication in attacks and drive-by malware downloads. These are basically packed exploits that intelligently chooses exploits based on the client’s browser, search for vulnerable applications, and then exploit them with the proper exploit. So now its not good enough to just update Internet Explorer. All you apps better be patched, or have alternative protection measures in place. The window to remediate is growing smaller and the bad guys are getting faster. Its getting tough out there.. Businesses have to adapt to these ever changing threats www.locked.com 877-744-3444 © 2009 Mission Critical Systems.

12. Solutions.… Desktop Anti-Virus ( Symantec , McAfee ) – Host protection is an absolute must, but not necessarily a good FIRST line of defense. Anti-Virus products rely on anti-virus signatures to detect the PAYLOAD – not the exploit used to deliver the payload. You can have thousands of signatures over the course of the exploit. Vulnerability Scanners ( eEye , Symantec Enterprise Security Manager , McAfee Vulnerability Manager ) – useful for determining what machines are un-patched, but offers no real time protection. DLP ( Vontu , Websense , RSA ) – Data Loss Prevention could allow companies to prevent the theft and leakage of confidential data and code, but would not prevent the initial infection or owning of the machines. www.locked.com 877-744-3444 © 2009 Mission Critical Systems.

13. Solutions (continued).… IPS ( Tipping Point , Check Point , McAfee ) - Requires a signature update to detect the exploit, but these offer proactive protection against different varieties of payloads. IPS companies are usually given advanced notice of an exploit before announced to the public, making them a good line of defense. Host IPS ( McAfee , Symantec , eEye ) – Host IPS is an excellent tool for preventing unknown exploits from taking advantage of vulnerabilities, as they are looking for specific behaviors. HIPS complements traditional signature and heuristic antivirus detection methods, since it does not need continuous updates to stay ahead of new malware. Many Anti-Virus packages offer HIPS as an upgrade. Gateway HTTP and HTTPS Inspection ( Websense Security Gateway , McAfee WebWasher ) - Gateway Security products are one of the best ways to protect yourself, as they combine Anti-Virus, URL Filtering, and Exploit Protection in a single product. For example, Websense provided its customers of Web Security Gateway with zero day protection from this attack before it began in December (actually the protection mechanisms stopped it as of January 2009. By correlating spam (Phishing attacks) with malicious links, infected websites, payload delivery sites, as well as exploit/vulnerability protection and antivirus, they were able to determine the attack and block access. They provide inbound inspection for viruses, malicious code, as well as standard URL filtering for HTTP, HTTPS, and FTP. www.locked.com 877-744-3444 © 2009 Mission Critical Systems.

14. Questions? Providing Comprehensive System and Network Security http://www.locked.com Mission Critical Systems (877)744-3444 www.locked.com 877-744-3444 © 2009 Mission Critical Systems.