About:
Operation Aurora is the name given to the recent attacks against several organizations (including Google and Adobe) in order to steal intellectual property and gain access to customer data. Despite initial speculation that the attacks were using a vulnerability in Adobe Reader in order to infect machines, it was later revealed that the attacks were using a zero-day vulnerability in Microsoft Internet Explorer.
The malware installed in the Operation Aurora attacks was a remote access Trojan, designed to give the attackers remote access to infected machines, in order to access customer data or steal intellectual property. The variants of this malware seen used in the attacks are believed to be part of a well known family of Chinese remote access Trojans, known as 'PcClient'.
Troj/Spy-EY details: If an unsecured machine browses to a web page containing malicious code to exploit the zero-day vulnerability, the shellcode embedded in the web page will download an encrypted binary, detected as Troj/Spy-EY. The file is decrypted and executed, and the file rasmon.dll is subsequently dropped in the system folder, also detected as Troj/Spy-EY.
The dropped DLL is installed as a service on the machine, where the service name consists of the string 'RaS' followed by 4 random characters, for example RaS9CuC.
Registry keys for the installed service are added (shown here for the example service name RaS9CuC):
- HKLM\SYSTEM\CurrentControlSet\Services\RaS9CuC\Parameters, ServiceDll = <System>\rasmon.dll
- HKLM\SYSTEM\CurrentControlSet\Services\RaS9CuC, ErrorControl = 0x00000000
- HKLM\SYSTEM\CurrentControlSet\Services\RaS9CuC, Start = 0x00000002
- HKLM\SYSTEM\CurrentControlSet\Services\RaS9CuC, Type = 0x00000020
- HKLM\SYSTEM\CurrentControlSet\Services\RaS9CuC, ImagePath = %SystemRoot%\System32\svchost.exe -k netsvcs
- HKLM\SYSTEM\CurrentControlSet\Services\RaS9CuC, ObjectName = LocalSystem
The dropped DLL is also injected into the legitimate system SVCHOST.EXE process.
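As an added defensive example (not Sophos's code and not part of the original write-up), the following Python parses a registry export in .reg format and flags services that show the persistence traits described above: a 'RaS' plus four-character service name, rasmon.dll as the ServiceDll, and an auto-start share-process service hosted by svchost.exe -k netsvcs. The sample export is constructed for the example; a real one would come from reg export of the Services key.

```python
import re
# Constructed .reg-style export (not from the page); RaS9CuC reproduces the
# values listed above, RasMan is a legitimate-looking control entry.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaS9CuC]
"Type"=dword:00000020
"Start"=dword:00000002
"ImagePath"="%SystemRoot%\\System32\\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaS9CuC\Parameters]
"ServiceDll"="C:\\WINDOWS\\system32\\rasmon.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan]
"Start"=dword:00000003
"ImagePath"="%SystemRoot%\\System32\\svchost.exe -k netsvcs"
"""
SERVICES = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
NAME_RE = re.compile(r"^RaS[0-9A-Za-z]{4}$")  # 'RaS' + 4 random characters

def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}."""
    keys, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            cur = keys.setdefault(line[1:-1], {})
        elif cur is not None and line.startswith('"'):
            name, _, raw = line[1:].partition('"=')
            if raw.startswith("dword:"):
                cur[name] = int(raw[6:], 16)
            else:  # .reg files double every backslash inside strings
                cur[name] = raw.strip('"').replace("\\\\", "\\")
    return keys

def find_suspicious_services(reg):
    """Return {service_name: [indicators]} for services showing Troj/Spy-EY traits."""
    hits = {}
    for path, vals in reg.items():
        name = path[len(SERVICES):]
        if not path.startswith(SERVICES) or "\\" in name:
            continue  # only top-level service keys, not their subkeys
        dll = reg.get(path + "\\Parameters", {}).get("ServiceDll", "")
        reasons = []
        if NAME_RE.match(name):
            reasons.append("service name matches RaS????")
        if dll.rsplit("\\", 1)[-1].lower() == "rasmon.dll":
            reasons.append("ServiceDll is rasmon.dll")
        if reasons and vals.get("Type") == 0x20 and vals.get("Start") == 2 \
                and "svchost.exe -k netsvcs" in vals.get("ImagePath", "").lower():
            reasons.append("auto-start DLL hosted in shared svchost (netsvcs)")
        if reasons:
            hits[name] = reasons
    return hits
```

Type 0x20 is a Win32 share-process service and Start 2 is automatic start, which is why those two values are checked together with the svchost netsvcs host.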
A batch script to delete the initial dropped file (within ) is also dropped to the Windows directory.
<Windows>\DFS.bat
Troj/Spy-EY attempts to connect to its command-and-control server, for example:
360.home[blocked].com
By doing this, the malware can accept remote commands that provide typical remote access Trojan functionality to the attackers. This includes (but is not limited to):
- Escalate privileges
- Shutdown/restart system
- Download and execute another file
- View, create and modify Registry keys
- Upload victim information (IP, computer name, OS version, CPU, RAM)
- Self-update
Additionally, one of the components used by Troj/Spy-EY can provide a remote feed from the infected desktop in a similar manner to the VNC remote access tools.
Note: The details above are for a specific variant of Troj/Spy-EY. Multiple other variants exist that exhibit broadly similar characteristics, with the ultimate purpose being to provide the attacker with remote access to an infected machine. However, specific details such as registry key names, file names, command-and-control servers etc. may change between variants.
Protection: There are several ways in which Sophos protects customers from Operation Aurora (and copycat) attacks.
- Generic protection against buffer overflows is provided in the endpoint product (BOPs).
- The Sophos Web Appliance blocks access to known malicious sites hosting malicious code to exploit the vulnerability.
- The malicious scripts being used to exploit the vulnerability are being detected as Troj/ExpJS-N (and Mal/JSShell-B).
- The payloads being installed are being detected as Troj/Spy-EY and Mal/PcClient-I.
Microsoft released an out-of-band patch for this vulnerability, which was made available ahead of the regular monthly patch date.