Cyber Espionage is a critical issue. Over 80% of intellectual property is stored online digitally. The computing
infrastructure in a typical Enterprise is more vulnerable to attack than ever before. Current security solutions are
proving ineffective at stopping cyber espionage. Malware is the single greatest problem in computer security today.
Yet, malware represents only the tip of the spear. The true threat is the human being who is operating the malware.
This human and the organization represented is the true threat that is targeting information for the purposes of
fi nancial gain, theft of state secrets, and theft of intellectual property. True threat intelligence requires reaching beyond
malware infections to identify the individuals, country of origin, and intent of the attacker.
# AURORA
### February 10, 2010
-----
2 HB GARY THREAT REPORT: OPERATION AURORA
**The Aurora malware operation was identifi ed recently and made public by Google and McAfee. This malware operation has been**
**associated with intellectual property theft including source code and technical diagrams (CAD, oil exploration bid-data, etc).**
**Companies hit have been publically speculated, including Google, Adobe, Yahoo, Symantec, Juniper Networks, Rackspace,**
**Northrop Grumman, and Dow Chemical. The malware package used with Aurora is mature and been in development since at**
**least 2006.**
**The Aurora operation is characterized by a remotely operated backdoor program that persists on a Windows computer. This**
**backdoor program has several capabilities that are outlined below.**
**KEY FINDINGS**
**The Aurora malware operation was identifi ed recently and made public by Google and McAfee. This malware operation has been**
**associated with intellectual property theft including source code and technical diagrams (CAD, oil exploration bid-data, etc).**
**Companies hit have been publically speculated, including Google, Adobe, Yahoo, Symantec, Juniper Networks, Rackspace,**
**Northrop Grumman, and Dow Chemical. The malware package used with Aurora is mature and been in development since at**
**least 2006.**
**The Aurora operation is characterized by a remotely operated backdoor program that persists on a Windows computer. This**
**backdoor program has several capabilities that are outlined below.**
Evidence collected around the malware operation suggest
that Operation Aurora is simply an example of highly effective
malware penetration. There is not signifi cant evidence to
attribute the operation directly to the Chinese Government.
However, key actors have been identifi ed in association
with malware operations that utilize Chinese systems and
native language malware. This has lead to a great deal of
speculation about Chinese-State involvement. It must be
noted that a large and thriving underground economy exists
to both build and disseminate malware worldwide, and that
most of this malware is capable of intellectual property
theft. The malicious hacking underculture is strong in China,
as in Eastern Europe and elsewhere, and clearly enmeshed
into a global criminal economy of data theft. While diffi cult
to conclude that these activities receive any form of state
sponsorship or direction, the malware operation remains a
funded and signifi cant risk to intellectual property in the
enterprise.
|ASPECT|DESCRIPTION|
|---|---|
|Operators|Operators of the malware appear to use certain domains for C&C control. Dynamic DNS is a key feature of the operation, with many known C&C servers operating from domains registered through Peng Yong’s 3322.org service.|
|Intent|The primary intent is the theft of intellectual property.|
|Coms|Communication is encrypted over HTTP, port 443, obfuscated with a weak encryption scheme. The C&C servers tend to operate from domains hosted on dynamic DNS.|
**ATTRIBUTION**
At this time, there is very little available in terms of
attribution. A CRC algorithm tends to indicate the malware
package is of Chinese origin, and many attacks are sourced
out of a service called 3322.org — a small company operating
out of Changzhou. The owner is Peng Yong, a Mandarin speaker
who may have some programming background with such
algorithms. His dynamic DNS service hosts over 1 million
domain names. Over the last year, HBGary has analyzed
thousands of distinct malware samples that communicate with
3322.org. While Peng Yong is clearly tolerant of cyber crime
operating through his domain services, this does not indicate
he has any direct involvement with Aurora.
**TOOLMARK** **DESCRIPTION**
Embedded Resource Language Code United States
Embedded systems/
CRC Algorithm Table of Constants
Chinese publication[iii]
DNS registration services Peng Yong others
|ASPECT|DESCRIPTION|
|---|---|
|Target|The operation is targeting intellectual property with no specif ic industry focus. This is an example of “not knowing what they are looking for until they f ind it”.|
|Origin|It is highly probable that the malware was developed in native Chinese language, and the operation control system is designed for Chinese users, indicating the entire operation is Chinese. This does not, however, mean the Chinese Government is using the system.|
**Developers**
Forensic tool-marks in the CRC algorithm can be
traced to Chinese origin. That, combined with domain
registration information, leads to at least one potential
actor, Peng Yong[ii]. The malware has been in development
since at least 2006. It has been updated several times.
|TOOLMARK|DESCRIPTION|
|---|---|
|Embedded Resource Language Code|United States|
|CRC Algorithm Table of Constants|Embedded systems/ Chinese publicationiii|
-----
This section of the report details how you can detect
Operation Aurora in your Enterprise. The exploit and payload
vehicle consists of the following components:
- JavaScript based exploit vector, known to exploit IE 6
- Shellcode component, embedded in the JavaScript
- Secondary payload server that delivers a dropper
- The dropper itself, which only used once and then deleted
- The backdoor program which is decompressed from
the dropper
February 10, 2010 3
**JAVASCRIPT AND SHELLCODE**
The JavaScript based attack vector associated with
Operation Aurora was published in the public domain in early
January 2010. Microsoft details the vulnerability in Security
Bulletin MS10-002. Internet Explorer 5.01, Internet Explorer
6, Internet Explorer 6 Service Pack 1, Internet Explorer 7, and
Internet Explorer 8 (except Internet Explorer 6 for supported
editions of Windows Server 2003) are affected. Exploit code
analyzed by HBGary reveals that only Internet Explorer 6
was targeted during Operation Aurora. This vulnerability can
be leveraged by attackers of varying skill levels due to the
**JAVASCRIPT EXPLOIT CODE**
/html
-----
4 HB GARY THREAT REPORT: OPERATION AURORA
public availability of the Metasploit module “ie_aurora.rb”.
The exploit code used by the original attackers was quickly
improved and added to Metasploit thus greatly expanding the
potential number of attackers and reliability of code.
The JavaScript performs a heap spray attack and injects
the embedded shellcode described below. The JavaScript
exploits the vulnerability in Internet Explorer by copying,
releasing, and then referencing a Document Object Model
(DOM) element.
**JAVASCRIPT ARTIFACTS** **PATTERN**
Initial encrypted dropper download. C:\%appdata%\a.exe
Deleted fi le.
Decrypted dropper. Deleted fi le. C:\%appdata\b.exe
JavaScript present in Internet Explorer
memory space.
Download URL present in internet http://demo1.ftpaccess.cc/
history during memory analysis. demo/ad.jpg
Other domains associated sl1.homelinux.org
with Aurora. 360.homeunix.com
ftp2.homeunix.com
update.ourhobby.com
blog1.servebeer.com
The shellcode exists as a Unicode escaped variable (sc)
in the malicious JavaScript listed below. Upon successful
exploitation of Internet Explorer, the shellcode will download
an obfuscated second stage executable from http://demo1.
_ftpaccess.cc/demo/ad.jpg which is the dropper. Note: these_
**fi les are specifi c to the sample we analyzed at HBGary, Inc.**
The attackers must use a second stage download mechanism
to achieve full system access due to memory constraints. It
is unlikely that the fi nal payload could be delivered through
the original exploit given these conditions. The dropper
is XOR encrypted with a 0x95 key. The shellcode copies
this encrypted binary to the user’s AppData directory as
“a.exe”. The shellcode then decrypts “a.exe” and moves it
to “b.exe” in the same directory. Then “b.exe” is executed.
The following actionable intelligence can be used to identify
exploit remnants in the heap space of Internet Explorer post
exploitation attempt. These patterns can be searched for
when doing memory analysis
of a victim system.
The following SNORT rules have been released by the Emerging
Threats project to detected the fi nal payload command and
control communications.
**Network Detection Signatures**
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:”ET TROJAN
Aurora Backdoor (C&C) client connection to CnC”; fl ow:established,to_
server; content:”|ff ff ff ff ff ff 00 00 fe ff ff ff ff ff ff ff ff ff 88 ff|”;
depth:20; fl owbits:set,ET.aurora.init; classtype:trojan-activity;
reference:url,www.trustedsource.org/blog/373/An-Insight-into-theAurora-Communication-Protocol; reference:url,doc.emergingthreats.
net/2010695; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.
cgi/sigs/VIRUS/TROJAN_Aurora; sid:2010695; rev:2;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:”ET TROJAN
Aurora Backdoor (C&C) connection CnC response”; fl owbits:isset,ET.
aurora.init; fl ow:established,from_server; content:”|cc cc cc cc cd
cc cc cc cd cc cc cc cc cc cc cc|”; depth:16; classtype:trojan-activity;
reference:url,www.trustedsource.org/blog/373/An-Insight-into-theAurora-Communication-Protocol; reference:url,doc.emergingthreats.
net/2010696; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.
cgi/sigs/VIRUS/TROJAN_Aurora; sid:2010696; rev:2;)
**DROPPER**
The initial dropper is merely a detonation package that
decompresses an embedded DLL into the Windows system32
directory and loads it as a service. The initial dropper is likely
to be packed (UPX, etc). The dropper has an embedded DLL
that is decompressed to the windows system32 directory. This
DLL will be named to resemble existing services (rasmon.
**dll, etc). In order to evade forensics, the fi le-time of the**
dropped DLL will be modifi ed to match that of an existing
system DLL (user32.dll, etc). The dropped DLL is loaded into
its own svchost.exe process. Several registry keys are created
and then deleted as part of this process. Finally, the dropper
deletes itself from the system by using a dissolving batch fi le
(DFS.BAT, etc).
**ACTIONABLE INTELLIGENCE** **PATTERN**
Service Key & Value SOFTWARE\Microsoft\Windows NT\
Note: deleted after drop CurrentVersion\SvcHost\
**Value: SysIns**
**Data: Ups??? (??? are three random**
chars)
Path to backdoor SYSTEM\CurrentControlSet\Services\
Note: deleted after stage 1 Ups???\Parameters\
**Value: ServiceDLL**
**Data: (full path to the backdoor)**
Path to backdoor SYSTEM\CurrentControlSet\Services\
Note: persistent RaS???\Parameters\
**Value: ServiceDLL**
**Data: (full path to the backdoor)**
|JAVASCRIPT ARTIFACTS|PATTERN|
|---|---|
|Initial encrypted dropper download. Deleted f ile.|C:\%appdata%\a.exe|
|Decrypted dropper. Deleted f ile.|C:\%appdata\b.exe|
|JavaScript present in Internet Explorer memory space.||
|Download URL present in internet history during memory analysis.|http://demo1.ftpaccess.cc/ demo/ad.jpg|
|Other domains associated with Aurora.|sl1.homelinux.org 360.homeunix.com ftp2.homeunix.com update.ourhobby.com blog1.servebeer.com|
|ACTIONABLE INTELLIGENCE|PATTERN|
|---|---|
|Service Key & Value Note: deleted after drop|SOFTWARE\Microsoft\Windows NT\ CurrentVersion\SvcHost\ Value: SysIns Data: Ups??? (??? are three random chars)|
|Path to backdoor Note: deleted after stage 1|SYSTEM\CurrentControlSet\Services\ Ups???\Parameters\ Value: ServiceDLL Data: (full path to the backdoor)|
|SHELLCODE ARTIFACTS|PATTERN|
|---|---|
|Self-decrypting code using a constant XOR value.|80 34 0B D8 80 34 0B D8|
Kernel32.dll
64 A1 30 00 00 00 8B 40 0C 8B 70 1C
searching code.
-----
|ACTIONABLE INTELLIGENCE|PATTERN|
|---|---|
|Potential variation|SYSTEM\CurrentControlSet\Services\ RaS???\Parameters\ Value: ServiceDLL Data: %temp%\c_####.nls (where #### is a number)|
|Potential variation|SYSTEM\CurrentControlSet\Services\ RaS???\Parameters\ Value: ServiceDLL Data: %temp%\c_1758.nls|
**PAYLOAD**
The payload uses
two-stage installation. **GLANCE UNDER THE HOOD**
During stage one, the **buffer after phase one XOR:**
mJ2bhcPExs7excLThcjExqurnauYq
dropper will install the
**buffer after base64 decoding:**
payload as a service
ÃÄÆÎÞÅÂÓ…ÈÄÆ«« «˜«Ÿ«“«†«š«š«ž«š«œ
running under the
name Ups??? (where
??? are three random characters). Once executing, the
payload will immediately delete the fi rst service and enter
stage-two. During stage-two, the payload will register a new,
second service under the name RaS??? (where ??? are three
random characters). This new service will point to the same
backdoor DLL, no new fi les are involved. Note: the three
**character prefi xes Ups and RaS can easily be modifi ed by**
**the attacker.**
Once the new service is registered, the payload will access
an embedded resource that is encrypted. The decryption goes
through several phases. The encrypted data block contains
the DNS name for the command and control server (homeunix.
com, etc). This data block is confi gurable before the malware
**is deployed. The data block length is hard-coded (0x150 or**
336 bytes). During phase one, this data block is fed through
a simple XOR (0x99), resulting in an ASCII-string. Next, the
resulting ASCII-string is fed into a base64 decoding function,
producing a binary string. Finally, the resulting base64
decoded binary string is fed through another XOR (0xAB),
resulting in clear-text. The three primary encryption loops are
colored and marked in Figure 1. The resulting clear-text buffer
contains several fi elds in both ASCII and UNICODE, including
the C&C server address.
February 10, 2010 5
**Figure 1. Base64 and XOR Encryption Scheme**
-----
6 HB GARY THREAT REPORT: OPERATION AURORA
**COMMAND AND CONTROL**
**ACTIONABLE INTELLIGENCE** **PATTERN**
The payload communicates with its command and control
C&C Server DNS - .homeunix.com server over port 443. The source port is randomly selected.
(where * is any subdomain) While outbound traffi c appears to be HTTPS, the actual traffi c
- .homelinux.com uses a weak custom encryption scheme. The command and
- .ourhobby.com control packets have a very specifi c format.[iv]
- .3322.org
command parms 0x00000001 payload len CRC KEY payload
- .2288.org
- .8866.org
- .ath.cx The payload section is encrypted with a key selected by
- .33iqst.com using GetTickCount. This means each infected node has its own
key. The key is embedded in the header of the packet, and is
- .dyndns.org
easily recovered.
- .linode.com
- .ftpaccess.cc
- .fi loups.info
- .blogsite.org
**HOW THE MALWARE WORKS**
|command|parms|0x00000001|payload len|CRC|KEY|payload|
|---|---|---|---|---|---|---|
|ACTIONABLE INTELLIGENCE|PATTERN|
|---|---|
|C&C Server DNS|* .homeunix.com (where * is any subdomain) * .homelinux.com * .ourhobby.com * .3322.org * .2288.org * .8866.org * .ath.cx * .33iqst.com * .dyndns.org * .linode.com * .ftpaccess.cc * .f iloups.info * .blogsite.org|
The payload will create additional registry keys.
**ACTIONABLE INTELLIGENCE** **PATTERN**
Additional Key HKLM\Software\Sun\1.1.2\IsoTp
Additional Key
Other potential dropped fi les, as reported by McAfee:
The primary control logic can be found in the module
registered under the service key (rasmon.dll, etc.). This
module has been written in c and includes several specifi c
methods and encodings that provide forensic track-ability.
The above screenshot illustrates a REcon™ trace on the
malware dropper and subsequent service creation. Location
A. represents the dropper program, which unpacks itself
and decompresses a fi le to the system32 directory. Point B.
represents the initial svchost.exe startup, which is loading the
malware payload. Location C. is the actual execution of the
malware service, which remains persistent. At points E. and F.
you can see the malware checking in with the command and
control server. Finally, location D. represents the dissolvable
batch fi le which deletes the initial dropper and then itself.
**CAPABILITY**
The malware has generic and fl exible capabilities. There are
distinct command handlers in the malware that allow fi les to
be stolen and remote commands to be executed. The command
handler is illustrated in Figure 2. At location A. the command
number is checked. At locations marked B. are each individual
command handler as controlled by the C&C server and command
|ACTIONABLE INTELLIGENCE|PATTERN|
|---|---|
|Additional Key|HKLM\Software\Sun\1.1.2\IsoTp|
|Additional Key|HKLM\Software\Sun\1.1.2\AppleTlk|
|ACTIONABLE INTELLIGENCE|PATTERN|
|---|---|
|Additional File|securmon.dll|
|Additional File|AppMgmt.dll|
|Additional File|A0029670.dll (A00#####.dll)|
|Additional File|msconf ig32.sys|
|Additional File|VedioDriver.dll|
|Additional File|acelpvc.dll|
|Additional File|wuauclt.exe|
|Additional File|jucheck.exe|
|Additional File|AdobeUpdateManager.exe|
|Additional File|zf32.dll|
-----
number in the C&C packet. Location C. is where the result of
each command is sent back to the C&C server.
**Figure 2. C&C Command Parser**
**COPYCATS AND VARIANTS**
With the release of MS10-002, and the subsequent
integration with Metasploit, the exploit vector used with
Aurora has been adopted laterally within the malware
development economy. Therefore, the use of MS10-002
should not be construed as an Aurora infection without
further analysis of the dropped payload. Forensic toolmarks
and link analysis have revealed several different threat
groups who are employing common IE exploit vectors.
HBGary is currently tracking several groups who operate
malware systems of this nature.
HBGary is using forensic toolmarks to trace the source
code origins of binary malware samples dropped in
conjunction with the MS10-002 exploit vector. For example,
in Figure 3, link analysis is being used to track the identity
of a threat actor in conjunction with his known Digital
DNA™. HBGary’s Digital DNA™ database not only codifi es the
behavior of software, but also the coding idioms, algorithms,
and methods of individual developers. In this way, individual
threat actors can be tracked with Digital DNA™.
In the example, link analysis is provided by Palantir™. The
screenshot illustrates only a subset of the data being tracked
by HBGary and sensitive information has been redacted
February 10, 2010 7
At location 1. is a dropper obtained from an exploit server
directly accessed from the extracted shellcode from a MS10002 JavaScript vector. Location 2. represents a forensic
toolmark within the dropped executable. This toolmark
was obtained using physical memory assessment of the live
executable, after it was allowed to unpack itself in a virtual
machine. This assessment was performed with HBGary
Responder™. At location 3., the recovered toolmark(s) were
researched against published source code artifacts on the
Internet. From this, a single posting was discovered with
this exact toolmark, and this posting exists only in one place
and is of Chinese origin. From this, the author of the source
code was determined to be XXXXXXXX. At location 4., all
social cyberspaces used by XXXXXXX were then enumerated.
From this, postings in Traditional and Simplifi ed Chinese
were discovered that confi rm that XXXXXX is the author
and supplier of a malware package known as ‘NB’ or ‘Netbot
Attacker’. Within the social space around ‘Netbot Attacker’
are individuals who are testing and/or asking for technical
support regarding the malware package operation. These
individuals have been grouped within Palantir™ as ‘technical
support for bot’ at location 5.
**Figure 3. Link Analysis of Malware Actors using Palantir™**
The above process, when carried further, produces many
more social links. Attribution such as this allows resolution
and visibility into the intent of individual threat groups.
-----
8 HB GARY THREAT REPORT: OPERATION AURORA
**DIGITAL DNA INOCULATION SHOT**
Several Enterprise products have the capability to scan
for and potentially remove the Aurora malware. Detection of
the malware is covered in detail, from multiple aspects, in
the Detect section above. When using a Digital DNA™ capable
platform such as McAfee ePO, you can search the Enterprise
for the following Digital DNA sequence (recommend a tight
match, 90% or higher).
**DIGITAL DNA SEQUENCE FOR AURORA MALWARE**
01 B4 EE 00 AE DA 00 8C 16 00 89 22 00 46 73 00 C6 49 00 0B AE 01 E7 9F
04 05 81 01 0E DF 01 79 D8 00 25 6A 00 15 49 00 47 22 00 4B 67 0F 2D CC
01 29 67 01 35 99
To thwart command and control and prevent data loss,
known C&C domains should be blocked at the egress fi rewall.
The domains listed in the Detect section represent a
signifi cant set of those currently known to be operating. IDS
signatures similar to the one illustrated in the Detect section
should be used to detect inbound exploit attempts, and
machines accepting this data should be scanned for potential
infections. Many A/V products now contain signatures for the
Aurora exploit and will be effective in detection and removal.
However, the attackers that represent the threat will not be
deterred, and variants of the attack are nearly assured.
HBGary has prepared an inoculation shot for this malware.
The inoculation shot is a small, signed binary that will allow
you to scan for, and optionally remove, this malware from
your Enterprise network. The aurora innoculation shot can be
downloaded from www.hbgary.com.
When the aurora innoculation shot is executed it will query
the user for authentication credentials. Optionally the user
can just hit “cancel” to use the currently logged on USER’s
authentication token. Some sample usages are listed below.
**To scan a single machine:**
AuroraInnoculation.exe -scan 192.168.0.1
AuroraInnoculation.exe -scan MYBOXNAME
**To scan multiple machines:**
AuroraInnoculation.exe -range 192.168.0.1 192.168.0.254
**To automatically attempt a clean operation:**
AuroraInnoculation.exe -range 192.168.0.1 192.168.0.254 -clean
**To scan a list of machines in a .txt fi le:**
AuroraInnoculation.exe -list targets.txt
**DETECTION OF AURORA THREATS WITH DIGITAL DNA FOR EPO**
Customers of McAfee ePolicy Orchastrator, integrated
with Digital DNA, can detect emerging advanced persistent
threats. To detect Aurora, users should perform a Digital
DNA Sequence search with the above mentioned sequence
for Aurora, and set a fuzzy match of 90% or greater. Once
machines are detected, the user is encouraged to use the
freely available inoculation shot to remove the infection.
|FACTORS|DESCRIPTION|
|---|---|
|C&C protocol|If a variant is developed, it will very likely use the same C&C protocol, but may change the header of the packet and the constants used for connection setup. This will evade IDS / Firewall rules designed to detect the current scheme. It is unlikely the attackers will change the encryption setup, however.|
|Installation and Deployment|The method used to install the service is highly effective. Although the f ilenames will likely change, the actual method will likely remain.|
-----
## MORE INFORMATION
**ABOUT HBGARY, INC**
HBGary, Inc is the leading provider of solutions to detect,
diagnose and respond to advance malware threats in a
thorough and forensically sound manner. We provide the
active intelligence that is critical to understanding the intent
of the threat, the traits associated with the malware and
information that will help make your existing investment in
your security infrastructure more valuable.
Web:
www.hbgary.com
Corporate Address:
3604 Fair Oaks Blvd Suite 250
Sacramento, CA 95762
Phone: 916-459-4727
Fax 916-481-1460
Sales@hbgary.com
## REFERENCES
i _http://siblog.mcafee.com/cto/operation-%E2%80%9Caurora%E2%80%9D-_
_hit-google-others/_
ii _http://www.thetechherald.com/article.php/201004/_
_5151/Was-Operation-Aurora-nothing-more-than-a-conventional-attack_
iii _http://www.fjbmcu.com/chengxu/crcsuan.htm_
_(via: http://www.secureworks.com/research/blog/index.php/2010/01/20/_
_operation-aurora-clues-in-the-code/)_
iv _http://www.avertlabs.com/research/blog/index.php/2010/01/18/an-_
_insight-into-the-aurora-_
_communication-protocol/_
v _http://www.symantec.com/connect/blogs/trojanhydraq-incident-analysis-_
_aurora-0-day-exploit_
-----
**CORPORATE OFFICE**
3604 Fair Oaks Blvd. Ste. 250
Sacramento, CA 95864
916.459.4727 Phone
**CONTACT INFORMATION**
info[@]hbgary.com
support[@]hbgary.com
**www.hbgary.com**
-----