Update:
I simulated the exploit in my virtual pentest lab against different target systems including Windows XP, Windows 2003 R2 and Windows 7. I have written a separate post on the EvilFinger blog on the steps to reproduce the attack and a basic analysis of the exploit code.
Last week, Google Inc. publicly disclosed that it had been attacked by Chinese attackers and reported theft of intellectual property. This attack was also carried out against 30 other companies under the name “Operation Aurora”. After this attack, Google has decided to take a new approach to China. Now the question arises: why the name “Aurora”?
According to McAfee,
“Aurora” was part of the filepath on the attacker’s machine that was included in two of the malware binaries that we have confirmed are associated with the attack. That filepath is typically inserted by code compilers to indicate where debug symbols and source code are located on the machine of the developer. We believe the name was the internal name the attacker(s) gave to this operation.
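The debug-path artifact McAfee describes can be checked in any Windows binary, because the linker stores the PDB path in a CodeView record (RSDS or the older NB10). The following is an added example, not code from the original post or from McAfee; it is a heuristic signature scan rather than a full PE debug-directory parse, and the function names, sample bytes and paths are constructed for illustration.

```python
import struct
import uuid

# CodeView debug records that linkers embed in PE files.
# RSDS (PDB 7.0): signature, 16-byte GUID, 4-byte age, NUL-terminated PDB path.
# NB10 (PDB 2.0): signature, 4-byte offset, 4-byte timestamp, 4-byte age, path.
_HEADER_LEN = {b"RSDS": 4 + 16 + 4, b"NB10": 4 + 4 + 4 + 4}


def extract_pdb_paths(data: bytes) -> list[str]:
    """Heuristic scan: return every plausible PDB path found in data."""
    found = []
    for sig, header_len in _HEADER_LEN.items():
        pos = data.find(sig)
        while pos != -1:
            start = pos + header_len
            end = data.find(b"\x00", start)
            raw = data[start:end] if end != -1 else b""
            # Keep only printable strings ending in .pdb, which rejects
            # chance "RSDS"/"NB10" byte sequences in code or data.
            if raw and len(raw) <= 260 and raw.lower().endswith(b".pdb") \
                    and all(0x20 <= b < 0x7F for b in raw):
                found.append(raw.decode("ascii"))
            pos = data.find(sig, pos + 1)
    return found


def path_components(pdb_path: str) -> list[str]:
    """Split a Windows path into directory names (candidate project names)."""
    parts = pdb_path.replace("/", "\\").split("\\")
    return [p for p in parts[:-1] if p and not p.endswith(":")]


# Constructed sample, not bytes from any real binary.
SAMPLE = (
    b"MZ" + b"\x90" * 30
    + b"RSDS" + uuid.UUID(int=1).bytes_le + struct.pack("<I", 1)
    + b"C:\\dev\\ExampleProject\\Release\\tool.pdb\x00"
    + b"RSDS" + b"\xff" * 24          # false positive: no printable path follows
    + b"NB10" + struct.pack("<III", 0, 0x4B000000, 1)
    + b"e:\\old\\build\\util.pdb\x00"
)

if __name__ == "__main__":
    for p in extract_pdb_paths(SAMPLE):
        print(p, "->", path_components(p))
```

Directory names recovered this way are what an analyst compares across samples to link binaries to the same build environment.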
Attackers used a zero-day vulnerability in Microsoft Internet Explorer (DOM Operation Memory Corruption) along with social engineering tricks to gain access to victim systems. On Thursday, Microsoft published a security advisory confirming this deadly and not so publicly known vulnerability.
As of now, no patch is available for the vulnerability. The recent public disclosure of exploit code has already increased the likelihood of frequent attacks. The latest svn checkout of Metasploit contains an exploit module for Operation Aurora which targets IE 6.
Protected Mode in IE 7 on Windows Vista and later significantly reduces the ability of an attacker to impact data on a user’s machine. Microsoft advises enabling Data Execution Prevention (DEP), which helps to mitigate such online attacks.
Metasploit has published a blog post on Reproducing “Aurora” IE Exploit. While the major antivirus products failed to detect the exploit code, my Avast Antivirus free home edition was able to block the attack against vulnerable IE 6. The following screenshot shows Avast blocking the malicious URL.
Download the packet captures of the ie_aurora exploit module.
References:
- Microsoft Advisory for IE Aurora vulnerability
- Reproduce IE zero day using Metasploit
- IE Aurora Exploit sample analysis

