Malicious activity detected in mid-December targeted at least 20 organizations representing multiple industries including chemical, finance, information technology, and media. Investigation into this activity revealed that third parties routinely accessed the personal email accounts of dozens of users based in the United States, China, and Europe. Further analysis revealed these users were victims of previous phishing scams through which threat actors successfully gained access to their email accounts.
Through analysis of the malware used in this incident, McAfee discovered that one of the malware samples exploited a vulnerability in Microsoft Internet Explorer (IE). The vulnerability is an invalid pointer reference within IE and, if successfully exploited, allows remote code execution.
Microsoft has released Security Bulletin MS10-002, which provides updates for Internet Explorer that address this and other vulnerabilities.
US-CERT is providing technical indicators that can be incorporated into an organization’s security posture to detect and mitigate any malicious activity.
In addition to the discovery of the IE exploit, the following malicious domains were identified as associated with this incident:
| Domain | IP Resolution as of 15 January | Notes |
|---|---|---|
| ftp2[dot]homeunix[dot]com | 127[dot]0[dot]0[dot]2 | Domain resolution indicative of offline site status. Call-back discovered through analysis of malware file AppMgmt.dll |
| 360[dot]homeunix[dot]com | 127[dot]0[dot]0[dot]2 | Domain resolution indicative of offline site status. Call-back domain discovered through analysis of malware file rasmon.dll |
| update[dot]ourhobby[dot]com | 127[dot]0[dot]0[dot]1 | Domain resolution indicative of offline site status. Call-back discovered through analysis of malware file securmon.dll |
| demo1[dot]ftpaccess[dot]cc/demo/ad[dot]jpg | 127[dot]0[dot]0[dot]2 | Domain resolution indicative of offline site status |
| 360[dot]homeunix[dot]com | ||
| ad01[dot]homelinux[dot]com | ||
| ads1[dot]homelinux[dot]org | ||
| ads1[dot]webhop[dot]org | ||
| Aep[dot]homelinux[dot]com | ||
| Aka[dot]homeunix[dot]net | ||
| alt1[dot]homelinux[dot]com | ||
| Amd[dot]homeunix[dot]com | ||
| amt1[dot]homelinux[dot]com | ||
| amt1[dot]homeunix[dot]org | ||
| aop01[dot]homeunix[dot]com | ||
| aop1[dot]homelinux[dot]com | ||
| app1[dot]homelinux[dot]com | ||
| asic1[dot]homeunix[dot]com | ||
| Bdc[dot]homeunix[dot]com | ||
| blog1[dot]servebeer[dot]com | ||
| Connectproxy[dot]3322[dot]org | ||
| Corel[dot]ftpaccess[dot]cc | ||
| Csport[dot]2288[dot]org | ||
| ddd1[dot]homelinux[dot]com | ||
| demo1[dot]ftpaccess[dot]cc | ||
| du1[dot]homeunix[dot]com | ||
| fl12[dot]ftpaccess[dot]cc | ||
| ftp1[dot]ftpaccess[dot]cc | ||
| ftp2[dot]homeunix[dot]com | ||
| Ftpaccess[dot]cc | ||
| hho1[dot]homeunix[dot]com | ||
| hp1[dot]homelinux[dot]org | ||
| i1024[dot]homelinux[dot]com | ||
| i1024[dot]homeunix[dot]org | ||
| Ice[dot]game-host[dot]org | ||
| il01[dot]homeunix[dot]com | ||
| il01[dot]servebbs[dot]com | ||
| il02[dot]servebbs[dot]com | ||
| il03[dot]servebbs[dot]com | ||
| Jlop[dot]homeunix[dot]com | ||
| lih001[dot]webhop[dot]net | ||
| lih002[dot]webhop[dot]net | ||
| lih003[dot]webhop[dot]net | ||
| list1[dot]homelinux[dot]org | ||
| live1[dot]webhop[dot]org | ||
| on1[dot]homeunix[dot]com | ||
| Patch[dot]homeunix[dot]org | ||
| patch1[dot]ath[dot]cx | ||
| patch1[dot]gotdns[dot]org | ||
| patch1[dot]homelinux[dot]org | ||
| ppp1[dot]ftpaccess[dot]cc | ||
| sc01[dot]webhop[dot]biz | ||
| sl1[dot]homelinux[dot]org | ||
| temp1[dot]homeunix[dot]com | ||
| Tor[dot]homeunix[dot]com | ||
| ttt1[dot]homelinux[dot]org | ||
| up01[dot]homelinux[dot]com | ||
| up1[dot]homelinux[dot]org | ||
| up1[dot]mine[dot]nu | ||
| up1[dot]serveftp[dot]net | ||
| up2[dot]mine[dot]nu | ||
| Update[dot]ourhobby[dot]com | ||
| update1[dot]homelinux[dot]org | ||
| update1[dot]merseine[dot]nu | ||
| vm01[dot]homeunix[dot]com | ||
| Vvpatch[dot]homelinux[dot]org | ||
| war1[dot]game-host[dot]org | ||
| Webswan[dot]33iqst[dot]com | ||
| Xil[dot]homeunix[dot]com | ||
| Yahoo[dot]8866[dot]org | ||
McAfee provided several IP addresses involved in the incident:
69[dot]164[dot]192[dot]46 – Backup nameserver used by the malware discovered in rasmon.dll.
69[dot]164[dot]192[dot]0/24
72[dot]32[dot]6[dot]235
203[dot]69[dot]40[dot]128/27
203[dot]69[dot]41[dot]0/26
203[dot]69[dot]41[dot]64/27
203[dot]69[dot]66[dot]0/27
203[dot]69[dot]68[dot]96/27
203[dot]69[dot]68[dot]128/25
168[dot]95[dot]1[dot]1
The table below contains the file characteristics of the malware analyzed:
| File Name | IPs/Domains | File Details | Description |
|---|---|---|---|
| uploaded_data | | MD5: 1AEA206AA64EBEABB07237F1E2230D0F Byte Size: 17310 | ASCII text, with very long lines, with CRLF line terminators |
| securmon.dll | call-back: update[dot]ourhobby[dot]com:443 | MD5: E3798C71D25816611A4CAB031AE3C27A Byte Size: 62464 | MS-DOS executable PE for MS Windows (DLL) (GUI) Intel 80386 32-bit |
| Rasmon.dll | call-backs: 360[dot]homeunix[dot]com:443, 168[dot]95[dot]1[dot]1:DNS | MD5: 0F9C5408335833E72FE73E6166B5A01B Byte Size: 90112 | Path: C:\Windows\system32\Rasmon.dll. Type: MS-DOS executable PE for MS Windows (DLL) (GUI) Intel 80386 32-bit. Installs as a service whose name begins with "UPS" followed by a random string (example: Upskvk). Command line: C:\WINDOWS\System32\svchost.exe -k SysIns |
| ad_1_.jpg | | MD5: CD36A3071A315C3BE6AC3366D80BB59C Byte Size: 34816 | Appears to be a packed executable. A significant portion of the file is XOR'd with 0x95 |
| b.exe | | MD5: 9F880AC607CBD7CDFFFA609C5883C708 Byte Size: 34816 | MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit, UPX compressed. Drops: Rasmon.dll |
| cdef | | MD5: 29F52213E171C3D4B4418939D9E466C3 Byte Size: 41984 | MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit. Drops: AppMgmt.dll |
| AppMgmt.dll | call-back: ftp2[dot]homeunix[dot]com:443 | MD5: 6A89FBE7B0D526E3D97B0DA8418BF851 Byte Size: 31744 | MS-DOS executable PE for MS Windows (DLL) (GUI) Intel 80386 32-bit. Installs as service "Application Management" |
| A0029670.dll | | MD5: 3A33013A47C5DD8D1B92A4CFDCDA3765 Byte Size: 90112 | MS-DOS executable PE for MS Windows (DLL) (GUI) Intel 80386 32-bit |
| VedioDriver.dll | | MD5: 467EEF090DEB3517F05A48310FCFD4EE | |
| acelpvc.dll | | MD5: 4A47404FC21FFF4A1BC492F9CD23139C | |
| a.exe | | MD5: CD36A3071A315C3BE6AC3366D80BB59C | |
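The domain list, the IP list and the file table above are published in defanged "[dot]" form. The following is an added example, not part of the US-CERT advisory, showing how a defender can refang those indicators and sweep them across DNS, proxy and endpoint records. It copies a representative subset of the published domains, addresses and MD5 hashes (the rest of the tables can be added to the same lists); the key=value log format and every log line are constructed for the example, and the function names are the example's own.

```python
import ipaddress
import re

# Indicators copied from the advisory tables above (subset), still defanged.
DEFANGED_DOMAINS = [
    "ftp2[dot]homeunix[dot]com",
    "360[dot]homeunix[dot]com",
    "update[dot]ourhobby[dot]com",
    "demo1[dot]ftpaccess[dot]cc",
    "Yahoo[dot]8866[dot]org",
]
DEFANGED_NETWORKS = [  # single addresses and CIDR blocks from the IP list
    "69[dot]164[dot]192[dot]46",
    "69[dot]164[dot]192[dot]0/24",
    "72[dot]32[dot]6[dot]235",
    "203[dot]69[dot]40[dot]128/27",
    "168[dot]95[dot]1[dot]1",
]
MD5_HASHES = {  # lower-cased digest -> file name from the malware table
    "e3798c71d25816611a4cab031ae3c27a": "securmon.dll",
    "0f9c5408335833e72fe73e6166b5a01b": "Rasmon.dll",
    "6a89fbe7b0d526e3d97b0da8418bf851": "AppMgmt.dll",
}


def refang(indicator: str) -> str:
    """Turn the advisory's "[dot]" notation back into a real dotted string."""
    return indicator.replace("[dot]", ".")


DOMAINS = {refang(d).lower() for d in DEFANGED_DOMAINS}
NETWORKS = [ipaddress.ip_network(refang(n), strict=False) for n in DEFANGED_NETWORKS]


def domain_hit(name: str):
    """Return the matching indicator for an exact or subdomain match, else None."""
    name = name.lower().rstrip(".")
    for d in DOMAINS:
        if name == d or name.endswith("." + d):
            return d
    return None


def ip_hit(addr: str):
    """Return the most specific advisory network containing addr, else None."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    containing = [n for n in NETWORKS if ip in n]
    if not containing:
        return None
    return str(max(containing, key=lambda n: n.prefixlen))


def hash_hit(digest: str):
    """Return the file name for a known MD5 (case-insensitive), else None."""
    return MD5_HASHES.get(digest.lower())


# Field extractors for the constructed key=value log format used below.
HOST_RE = re.compile(r"(?:query|host|dst)=([A-Za-z0-9.-]+)")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")


def scan_line(line: str):
    """Return a list of (kind, indicator) for every advisory indicator in one line."""
    hits = []
    for host in HOST_RE.findall(line):
        d = domain_hit(host)
        if d and ("domain", d) not in hits:
            hits.append(("domain", d))
    for addr in IP_RE.findall(line):
        n = ip_hit(addr)
        if n and ("ip", n) not in hits:
            hits.append(("ip", n))
    for digest in MD5_RE.findall(line):
        f = hash_hit(digest)
        if f and ("md5", f) not in hits:
            hits.append(("md5", f))
    return hits


def scan_log(text: str):
    """Return [(line_number, kind, indicator), ...] over a whole log."""
    results = []
    for num, line in enumerate(text.splitlines(), start=1):
        for kind, indicator in scan_line(line):
            results.append((num, kind, indicator))
    return results


# Constructed sample log (DNS, proxy and endpoint records); not real traffic.
SAMPLE_LOG = """\
2010-01-14T10:22:03Z dns client=10.1.2.3 query=update.ourhobby.com answer=127.0.0.1
2010-01-14T10:22:05Z proxy client=10.1.2.3 dst=69.164.192.46:443 bytes=20
2010-01-14T10:23:11Z dns client=10.1.2.9 query=www.example.com answer=192.0.2.10
2010-01-14T10:25:40Z edr host=ws-17 file=Rasmon.dll md5=0F9C5408335833E72FE73E6166B5A01B
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Subdomain matching is deliberate: many of the listed names sit under dynamic DNS providers, so a sighting of a host below one of them is worth the same triage as the exact name. For the same reason a match is a lead rather than a verdict; the advisory itself notes that several of the names resolved to loopback addresses at the time of writing, so resolution results should be recorded alongside any hit.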
The following signatures can be deployed to assist in detecting malicious activity associated with this incident:
Primary Malware Beacon

```
alert tcp any any -> any any (msg:"Primary Beacon"; flow:to_server,established; dsize:20; content:"|ff ff ff ff ff ff 00 00 fe ff ff ff ff ff ff ff ff ff 88 ff|"; depth:20; sid:7777777; rev:1;)
```

Secondary Malware Beacon

```
alert tcp any any <> any any (msg:"Secondary Beacon"; content:"|38 0d ff 0a d7 ee 9d d7 ec 59 13 56|"; sid:99980060; rev:1;)
```
Note: US-CERT has not verified or tested these signatures and recommends proper testing prior to deployment.
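To make the conditions in the two signatures concrete before they go anywhere near a sensor, the following added example (not part of the advisory and not Snort itself) reads the subset of rule syntax the two rules use, namely the header direction plus the msg, flow, dsize, content, depth and sid options, and applies it to constructed TCP payloads. The payloads, the "c2s"/"s2c" direction labels and all function names are the example's own; `flow:established` is assumed to be satisfied by the caller, since the example has no session state.

```python
import re

# The two rules as printed in the advisory, joined onto one line each.
PRIMARY_RULE = (
    'alert tcp any any -> any any (msg:"Primary Beacon"; flow:to_server,established; '
    'dsize:20; content:"|ff ff ff ff ff ff 00 00 fe ff ff ff ff ff ff ff ff ff 88 ff|"; '
    'depth:20; sid:7777777; rev:1;)'
)
SECONDARY_RULE = (
    'alert tcp any any <> any any (msg:"Secondary Beacon"; '
    'content:"|38 0d ff 0a d7 ee 9d d7 ec 59 13 56|"; sid:99980060; rev:1;)'
)


def parse_content(spec: str) -> bytes:
    """Decode Snort content syntax: text outside |...| is literal, inside is hex."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def parse_rule(text: str) -> dict:
    """Extract the header direction and the options these two rules rely on.
    Only msg, flow, dsize (exact value), one content, depth and sid are read."""
    header, _, options = text.partition("(")
    direction = header.split()[4]  # "->" or "<>"

    def opt(name):
        m = re.search(r"\b" + name + r':"?([^";]*)"?;', options)
        return m.group(1) if m else None

    flow = opt("flow") or ""
    return {
        "msg": opt("msg"),
        "sid": int(opt("sid")),
        "to_server_only": direction == "->" and "to_server" in flow,
        "dsize": int(opt("dsize")) if opt("dsize") else None,
        "content": parse_content(opt("content")),
        "depth": int(opt("depth")) if opt("depth") else None,
    }


def rule_matches(rule: dict, payload: bytes, to_server: bool) -> bool:
    """Apply the parsed conditions to one payload. flow:established is assumed:
    the caller only passes payloads from sessions it already knows are established."""
    if rule["to_server_only"] and not to_server:
        return False
    if rule["dsize"] is not None and len(payload) != rule["dsize"]:
        return False
    # depth:N limits the content search to the first N payload bytes
    window = payload if rule["depth"] is None else payload[: rule["depth"]]
    return rule["content"] in window


RULES = [parse_rule(PRIMARY_RULE), parse_rule(SECONDARY_RULE)]

# Constructed payloads, not captured traffic. "c2s" = client to server.
BEACON20 = bytes.fromhex("ffffffffffff0000feffffffffffffffffff88ff")
SAMPLE_PACKETS = [
    ("c2s", BEACON20),                     # exact 20-byte beacon: primary fires
    ("c2s", BEACON20 + b"\x00"),           # 21 bytes: dsize:20 does not hold
    ("s2c", BEACON20),                     # wrong direction for flow:to_server
    ("s2c", b"HTTP/1.1 200 OK\r\n\r\n" + bytes.fromhex("380dff0ad7ee9dd7ec591356") + b"..."),
    ("c2s", b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),  # benign
]


def scan_packets(packets, rules=RULES):
    """Return [(packet_index, sid), ...] for every rule that fires."""
    alerts = []
    for idx, (direction, payload) in enumerate(packets):
        for rule in rules:
            if rule_matches(rule, payload, direction == "c2s"):
                alerts.append((idx, rule["sid"]))
    return alerts


if __name__ == "__main__":
    for idx, sid in scan_packets(SAMPLE_PACKETS):
        print(f"packet {idx}: sid {sid}")
```

The sample packets exercise the two ways the primary signature is narrower than its byte pattern alone: `dsize:20` rejects a payload that carries the pattern plus even one extra byte, and `flow:to_server` rejects the same bytes travelling from the server. The secondary signature has neither constraint, so its 12-byte pattern fires wherever it appears in either direction. This reader omits stream reassembly and real session tracking, which is one more reason to follow the note above and test the rules on an actual sensor before deployment.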
By convincing a user to view a specially crafted HTML document or Microsoft Office document, an attacker may be able to execute arbitrary code with the privileges of the user.
The Internet Explorer vulnerability used in these attacks is addressed with the updates provided in Microsoft Security Bulletin MS10-002.
Other recommendations include:
Feedback can be directed to US-CERT.
Produced 2010 by US-CERT, a government organization.
February 24, 2010: Initial release
March 23, 2010: Updated
April 1, 2010: Updated