This thread is for pure technical discussion only; post or repost purely technical analysis here. Anything else belongs in the 点亮 (Lighting) or 白板 (Whiteboard) boards.
Reposting one first.
Microsoft admits an IE vulnerability led to the attack on Google
From Microsoft Technet Blogs
http://blogs.technet.com/msrc/ar ... dvisory-979352.aspx
Thursday, January 14, 2010 1:31 PM by MSRCTEAM
Security Advisory 979352 Released
Based upon our investigations, we have determined that Internet Explorer was one of the vectors used in targeted and sophisticated attacks against Google and possibly other corporate networks. Today, Microsoft issued guidance to help customers mitigate a Remote Code Execution (RCE) vulnerability in Internet Explorer. Additionally, we are cooperating with Google and other companies, as well as authorities and other industry partners.
Microsoft remains committed to taking the appropriate action to help protect our customers. We released Security Advisory 979352 to provide customers with actionable guidance and tools to help with protections against exploit of this vulnerability. Microsoft has not seen widespread customer impact, rather only targeted and limited attacks exploiting IE 6 at this time. Our teams are currently working to develop an update and we will take appropriate action to protect customers when the update has met the quality bar for broad distribution. That may include releasing the update out of band.
It is important to note that complex attacks targeting specific corporate networks are becoming more prevalent in the threat landscape, therefore organizations should follow defense-in-depth best practices, and deploy multiple layers of protection to improve their security posture. In addition, Protected Mode in IE 7 on Windows Vista and later significantly reduces the ability of an attacker to impact data on a user’s machine. Customers should also enable Data Execution Prevention (DEP) which helps mitigate online attacks. DEP is enabled by default in IE 8 but must be manually enabled in prior versions.
Customers can also set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX Controls and Active Scripting in these zones or configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone. You can find details on implementing these settings in the advisory.
Anyone believed to have been affected can visit: http://www.microsoft.com/protect/support/default.mspx and should contact the national law enforcement agency in their country. Those in the United States can contact Customer Service and Support at no charge using the PC Safety hotline at 1-866-727-2338 (PCSAFETY). Additionally, customers in the United States should contact their local FBI office or report their situation at: www.ic3.gov. Customers should follow the guidance in the advisory and our Protect Your PC guidance of enabling a firewall, getting software updates, and installing antivirus software (learn more by visiting the Protect Your PC web site). International customers can find their Regional Customer Service Representative http://support.microsoft.com/common/international.aspx.
We are also working with our Microsoft Active Protections Program (MAPP), the Microsoft Security Response Alliance (MSRA), authorities and other industry partners to help provide broader protections for customers. Together with our partners, we will continue to monitor the threat landscape and will take action against any web sites that seek to exploit this vulnerability.
The Security Advisory will be updated with any new developments so if you are not already subscribed to our comprehensive alerts, please do so in order to be alerted by email when new information is added.
-Mike Reavey
*This posting is provided "AS IS" with no warranties, and confers no rights.*
Filed under: Security Advisory, Internet Explorer (IE), Workarounds, Defense-in-depth, Exploitability, Zero-Day Exploit
-------
“Aurora” Exploit In Google Attack Now Public
McAfee's CTO writes on his blog that the malicious code used in the attack on Google, code-named "Aurora", has been made public, and that Microsoft has already taken measures.
Original: http://siblog.mcafee.com/cto/“aurora”-exploit-in-google-attack-now-public/
Computer code that exploits the yet-to-be-patched Internet Explorer vulnerability used in Operation Aurora to attack Google and others in December has now been published on the Internet.
McAfee Labs researchers have seen references to the code on mailing lists and confirmed on Friday that the code was published on at least one Web site. The exploit code is the same code that McAfee Labs had been investigating and shared with Microsoft earlier this week, resulting in a security advisory from Microsoft that was published on Thursday.
The public release of the exploit code increases the possibility of widespread attacks using the Internet Explorer vulnerability. The now public computer code may help cybercriminals craft attacks that use the vulnerability to compromise Windows systems. Popular penetration testing tools are already being updated to include this exploit. This attack is especially deadly on older systems that are running XP and Internet Explorer 6.
As reported on Thursday by McAfee and confirmed by Microsoft, the security vulnerability affects Internet Explorer on all recent versions of Windows. An attacker could gain complete control over a vulnerable system by tricking a user to visit a rigged Web page. New versions of Windows make this exploitation harder, but not impossible.
McAfee Labs has been working around the clock, diving deep into the attack we are calling “Operation Aurora” that hit multiple companies and was publicly disclosed by Google on Tuesday. In our investigation of the attack we discovered that one of the malware samples involved in this broad attack exploits a new, previously unknown vulnerability in Microsoft Internet Explorer.
Many people are taking the matter seriously. The German government, for example, has recommended that its citizens stop using Internet Explorer and use alternative browsers instead.
One of the areas I continue to get questions on is how to stop zero day attacks. One technology is white listing, such as products from our Solidcore family (application control) help to protect against 0-day attacks without signatures and without applying a patch. This is especially important in cases like this, where patches have yet to be released.
McAfee continues to work closely with Microsoft, the government and others to investigate the attacks. Stay tuned to my blog and my Twitter account for more details.
--------
More details disclosed, from the well-known Wired magazine
Original: http://www.wired.com/threatlevel/2010/01/operation-aurora/ (may require getting past the Great Firewall)
Google Hack Attack Was Ultra Sophisticated, New Details Show
By Kim Zetter January 14, 2010 | 8:01 pm | Categories: Breaches, Cybersecurity, Hacks and Cracks
Hackers seeking source code from Google, Adobe and dozens of other high-profile companies used unprecedented tactics that combined encryption, stealth programming and an unknown hole in Internet Explorer, according to new details released by the anti-virus firm McAfee.
“We have never ever, outside of the defense industry, seen commercial industrial companies come under that level of sophisticated attack,” says Dmitri Alperovitch, vice president of threat research for McAfee. “It’s totally changing the threat model.”
Google announced Tuesday that it had been the target of a “highly sophisticated” and coordinated hack attack against its corporate network. It said the hackers had stolen intellectual property and sought access to the Gmail accounts of human rights activists. The attack originated from China, the company said.
The attackers used nearly a dozen pieces of malware and several levels of encryption to burrow deeply into the bowels of company networks and obscure their activity, according to Alperovitch.
“The encryption was highly successful in obfuscating the attack and avoiding common detection methods,” he said. “We haven’t seen encryption at this level. It was highly sophisticated.”
The hack attacks, which are said to have targeted at least 34 companies in the technology, financial and defense sectors, have been dubbed “Operation Aurora” by McAfee due to the belief that this is the name the hackers used for their mission.
The name comes from references in the malware to the name of a file folder named “Aurora” that was on the computer of one of the attackers. McAfee researchers say when the hacker compiled the source code for the malware into an executable file, the compiler injected the name of the directory on the attacker’s machine where he worked on the source code.
Minutes after Google announced its intrusion, Adobe acknowledged in a blog post that it discovered Jan. 2 that it had also been the target of a “sophisticated, coordinated attack against corporate network systems managed by Adobe and other companies.”
Neither Google nor Adobe provided details about how the hacks occurred.
In the wake of Threat Level’s Thursday story disclosing that a zero-day vulnerability in Internet Explorer was exploited by the hackers to gain access to Google and other companies, Microsoft published an advisory about the flaw that it already had in the works.
McAfee has added protection to its products to detect the malware used in the attacks.
Although the initial attack occurred when company employees visited a malicious website, Alperovitch said researchers are still trying to determine if this occurred through a URL sent to employees by e-mail or instant messaging or through some other method, such as Facebook or other social networking sites.
Once the user visited the malicious site, their Internet Explorer browser was exploited to download an array of malware to their computer automatically and transparently. The programs unloaded seamlessly and silently onto the system, like Russian nesting dolls, flowing one after the other.
“The initial piece of code was shell code encrypted three times and that activated the exploit,” Alperovitch said. “Then it executed downloads from an external machine that dropped the first piece of binary on the host. That download was also encrypted. The encrypted binary packed itself into a couple of executables that were also encrypted.”
One of the malicious programs opened a remote backdoor to the computer, establishing an encrypted covert channel that masqueraded as an SSL connection to avoid detection. This allowed the attackers ongoing access to the computer and to use it as a “beachhead” into other parts of the network, Alperovitch said, to search for login credentials, intellectual property and whatever else they were seeking.
McAfee obtained copies of malware used in the attack, and quietly added protection to its products a number of days ago, Alperovitch said, after its researchers were first brought in by hacked companies to help investigate the breaches.
Although security firm iDefense told Threat Level on Tuesday that the Trojan used in some of the attacks was the Trojan.Hydraq, Alperovitch says the malware he examined was not previously known by any anti-virus vendors.
iDefense also said that a vulnerability in Adobe’s Reader and Acrobat applications was used to gain access to some of the 34 breached companies. The hackers sent e-mail to targets that carried malicious PDF attachments.
Alperovitch said that none of the companies he examined were breached with a malicious PDF, but he said there were likely many methods used to attack the various companies, not just the IE vulnerability.
Once the hackers were in systems, they siphoned off data to command-and-control servers in Illinois, Texas and Taiwan. Alperovitch wouldn’t identify the systems in the United States that were involved in the attack, though reports indicate that Rackspace, a hosting firm in Texas, was used by the hackers. Rackspace disclosed on its blog this week that it inadvertently played “a very small part” in the hack.
The company wrote that “a server at Rackspace was compromised, disabled, and we actively assisted in the investigation of the cyber attack, fully cooperating with all affected parties.”
Alperovitch wouldn’t say what the attackers might have found once they were on company networks, other than to indicate that the high-value targets that were hit “were places of important intellectual property.”
iDefense, however, told Threat Level that the attackers were targeting source-code repositories of many of the companies and succeeded in reaching their target in many cases.
Alperovitch says the attacks appeared to have begun Dec. 15, but may have started earlier. They appear to have ceased on Jan. 4, when command-and-control servers that were being used to communicate with the malware and siphon data shut down.
“We don’t know if the attackers shut them down, or if some other organizations were able to shut them down,” he said. “But the attacks stopped from that point.”
Google announced Tuesday that it had discovered in mid-December that it had been breached. Adobe disclosed that it discovered its breach on Jan. 2.
Alperovitch says the attack was well-timed to occur during the holiday season when company operation centers and response teams would be thinly staffed.
The sophistication of the attack was remarkable and was something that researchers have seen before in attacks on the defense industry, but never in the commercial sector. Generally, Alperovitch said, in attacks on commercial entities, the focus is on obtaining financial data, and the attackers typically use common methods for breaching the network, such as SQL-injection attacks through a company’s web site or through unsecured wireless networks.
“Cyber criminals are good … but they cut corners. They don’t spend a lot of time tweaking things and making sure that every aspect of the attack is obfuscated,” he said.
Alperovitch said that McAfee has more information about the hacks that it’s not prepared to disclose at present but hopes to be able to discuss them in the future. Their primary goal, he said, was to get as much information public now to allow people to protect themselves.
He said the company has been working with law enforcement and has been talking with “all levels of the government” about the issue, particularly in the executive branch. He couldn’t say whether there were plans by Congress to hold hearings on the matter.
------------
A compiled translation of some of the information above, from CSDN
[Rolling update] Technical details of the attack on Google revealed
Original URL: http://news.csdn.net/a/20100115/216509.html
[Update, January 17]
McAfee CTO George Kurtz has published a new blog post saying that the malicious code targeting the IE vulnerability, used in the Operation Aurora mentioned earlier, has now been published online, but he did not say on which website.
Earlier media reports said that Yahoo had probably been attacked before Google was, but it did not disclose this and merely tightened its own security.
[Important update, January 16, 7:30]
The Wired article gives a great many details of the attack and is well worth reading.
Citing McAfee, the article says the hackers (who attacked Google) used unprecedented tactics combining encryption, stealth programming techniques and an unknown vulnerability in IE, with the aim of stealing source code from Google, Adobe and many other large companies.
Dmitri Alperovitch, the company's vice president of threat research, said: outside the defense industry, we have never seen commercial companies come under attack of this level of sophistication.
Alperovitch said the attackers used a dozen or so pieces of malicious code and multiple layers of encryption to dig deep into company networks and skilfully cover their activity. Their encryption was very successful at concealing the attack and evading conventional detection methods. We have never seen encryption at this level. Very sophisticated.
McAfee named the attack Aurora because they found that when the hackers compiled the malicious code into an executable, the compiler inserted a path name from the attacker's machine into the code.
After the IE vulnerability was disclosed, Microsoft quickly issued a targeted security advisory, and McAfee added detection for the malicious code used in this attack to its products.
Although the initial attack began with company employees visiting a malicious website, researchers are still trying to determine whether the site's URL was delivered by e-mail, by chat program, or by some other means such as Facebook or other social networking sites.
When a user visited the malicious site, their IE browser was attacked and a series of malicious programs was downloaded onto the computer automatically and covertly. Like Russian nesting dolls, these programs were downloaded onto the system one after another.
Alperovitch said the initial attack code was shell code encrypted three times, used to activate the exploit program. It then ran a program downloaded from an external machine, which was also encrypted and which deleted the first program from the attacked machine. These encrypted binaries packed themselves into several executables that were also encrypted.
One of the malicious programs opens a remote backdoor, establishing an encrypted covert channel disguised as an SSL connection to avoid detection. This gives the attackers access to the compromised machine, which they use as a beachhead to push on into other parts of the network in search of login credentials, intellectual property and whatever else they are looking for.
Because it took part in the investigation of the attack, McAfee obtained copies of some of the malicious code used from the attacked companies, and strengthened its products a few days ago.
As for the earlier statement by another security company, iDefense, that some of the attacks used the Trojan.Hydraq Trojan, Alperovitch said the malicious code he found was previously unknown to any anti-virus vendor.
iDefense also said the attackers used malicious PDF attachments and a vulnerability in Adobe's PDF software, whereas Alperovitch said he found no such case among the companies he investigated. But he said the methods used against different companies may have differed and were not limited to the IE vulnerability.
Once the hackers were in the systems, they sent data to command-and-control servers located in Illinois and Texas in the US and in Taiwan. Alperovitch would not identify which systems in the US were involved in the attack, nor did he mention what the attackers got away with. But Rackspace reported that it had unwittingly played a small part in the attack. iDefense, for its part, said the attackers' targets were the source code repositories of many companies, and that in many cases they succeeded.
Alperovitch said the attacks appeared to have begun on December 15, but may have started earlier. They seem to have ended on January 4, the day the command-and-control servers used to exchange data with the malicious code were shut down.
He said: we do not know whether the servers were shut down by the attackers or by some other organization. But from that point on, the attacks stopped.
Alperovitch also pointed out that the attack was very well timed, during the holiday season when companies' operations centers and security response teams were thinly staffed. The sophistication of the attack was impressive, of a kind previously seen only against the defense industry. Attacks on commercial firms are generally aimed at obtaining financial information, usually by SQL injection against the company's website or by attacking the company's insecure wireless networks. Cyber criminals generally do not spend large amounts of time polishing an attack to this degree, with obfuscation/encryption applied to every aspect.
McAfee has more details of the attack, but is not prepared to release them for now. They have been cooperating with US law enforcement and have briefed all levels of the US government on the issue.
The security community has offered various explanations of the earlier attack mentioned in Google's statement that it may withdraw from China.
Security analysts at VeriSign's iDefense Labs issued a press release saying the hackers attacked major source code repositories.
VeriSign said more than 30 technology companies were hit by a series of attacks, possibly beginning with a similar type of attack in July that targeted 100 IT companies via e-mail messages containing malicious PDF files. Financial and defense organizations may also have been attacked.
VeriSign iDefense said in its release: according to people familiar with the attack, the attackers used both the delivery method of the malicious code aimed at Google and the PDF-as-e-mail-attachment method; the characteristics of these files closely resemble those of an attack in July of last year. In both attacks, the malicious files planted a backdoor Trojan in a Windows DLL.
VeriSign said the two attacks used similar IP addresses and the same command and control structure. The IP addresses all belong to Linode (a US virtual private server hosting provider).
VeriSign said: given how close they are, it is possible the two attacks are one and the same. The organizations attacked in Silicon Valley have been under threat since July.
Similar analysis is covered fairly comprehensively in this MIT Technology Review article.
McAfee CTO George Kurtz (also one of the authors of Hacking Exposed), however, explicitly disagrees with this view. He wrote on his blog that the attack on Google should stem from a new, previously little-known IE vulnerability. McAfee has reported the vulnerability to Microsoft, which is expected to issue an advisory shortly. He said the attack mainly targeted specific individuals with access to important intellectual property: the attackers sent them links or attachments that appeared to come from a trusted source, luring the target into clicking and unknowingly downloading and installing malware that opened a backdoor for the attackers into the company's network.
Kurtz named the attack Aurora. He also wrote that security threats have entered a new era and that attacks like this are just the tip of the iceberg. Unlike the widespread viruses common in the past, such as Code Red, this kind of attack requires sophisticated and refined social engineering, generally has a very clear target, and is usually aimed at lucrative or confidential intellectual property.
[Update]
Microsoft has published a security advisory on its website about the IE vulnerability described by Kurtz, stating that the vulnerability is an invalid pointer reference in IE. Under certain conditions, the pointer may remain accessible after the object has been deleted. In a specially crafted attack, by attempting to access a freed object, IE can be made to allow remote code execution.
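The advisory describes the bug class, a reference that stays usable after its object is deleted, without showing it. The following C example is added here and is not code from the page, from Microsoft or from IE: it contrasts a raw-pointer holder (the unsafe pattern) with a generational-handle table in which deleting an object invalidates every outstanding reference. All type and function names are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical object type standing in for a browser-internal object. */
typedef struct { char name[16]; } Obj;

/* Unsafe pattern: a holder keeps a raw pointer. After free() the field is
   unchanged, so a later dereference would touch freed memory (the "pointer
   still accessible after the object is deleted" case from the advisory).
   Only the pointer value is compared here; dereferencing it is undefined. */
typedef struct { Obj *ptr; } RawHolder;

int raw_holder_still_points_at_freed(void) {
    RawHolder h;
    h.ptr = malloc(sizeof(Obj));
    uintptr_t before = (uintptr_t)h.ptr;
    free(h.ptr);                           /* object deleted, holder not told */
    return (uintptr_t)h.ptr == before;     /* 1: holder still "sees" the dead object */
}

/* Hardened pattern: a handle is (slot, generation). Deleting an object bumps
   the slot's generation, so every old handle fails validation even after the
   slot is reused for a new object, and stale references resolve to NULL. */
#define SLOTS 4
typedef struct { Obj obj; uint32_t gen; int used; } Slot;
typedef struct { uint32_t slot; uint32_t gen; } Handle;
static Slot table[SLOTS];                  /* static: zero-initialised */

Handle obj_create(const char *name) {
    Handle h = { UINT32_MAX, 0 };          /* invalid handle if table is full */
    for (uint32_t i = 0; i < SLOTS; i++) {
        if (!table[i].used) {
            table[i].used = 1;
            strncpy(table[i].obj.name, name, sizeof table[i].obj.name - 1);
            table[i].obj.name[sizeof table[i].obj.name - 1] = '\0';
            h.slot = i;
            h.gen = table[i].gen;
            return h;
        }
    }
    return h;
}

Obj *obj_resolve(Handle h) {
    if (h.slot >= SLOTS || !table[h.slot].used || table[h.slot].gen != h.gen)
        return NULL;                       /* stale or invalid: freed storage unreachable */
    return &table[h.slot].obj;
}

int obj_delete(Handle h) {
    if (obj_resolve(h) == NULL) return 0;  /* double delete is rejected */
    table[h.slot].used = 0;
    table[h.slot].gen++;                   /* invalidates all outstanding handles */
    memset(&table[h.slot].obj, 0, sizeof(Obj));
    return 1;
}
```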
Microsoft said the vulnerability affects IE 6 through IE 8 on all versions of Windows; only the older IE 5.01 SP4 is unaffected. If you suspect your computer has been affected by this vulnerability, you can visit https://consumersecuritysupport. ... spx?mkt=en-usscrx=1.
Microsoft has promised to release a patch as soon as possible.
McAfee's vice president of threat research, Dmitri Alperovitch, said the attack is very sophisticated, of a kind previously aimed at government and defense sectors, and is unlikely to be the work of amateurs. McAfee calls the attack Aurora because the path name of the malicious code's binary contains this word; it is believed to be the name the attackers themselves gave the operation.
Also, according to Dan Kaminsky, director of penetration testing at IOActive, the DEP (Data Execution Prevention) feature in Windows XP and later helps defend against this type of attack. In addition, although the malicious code used in the attack on Google only affected IE 6, the vulnerability can still be used to attack higher versions. However, Windows Vista and Windows 7 use ASLR (address space layout randomization) protection, which greatly increases the difficulty of the attack.
[Update, January 15, 20:17]
The Wall Street Journal reports: according to people familiar with the attack (on Google), the hackers tried to disguise their identity via six Taiwanese network addresses, a common tactic of mainland Chinese hackers.
Five of the six addresses belong to Era Digital Media Co., which provides online TV and movies. The company said it was unaware of the attack and declined to comment further. The sixth address belongs to the financial software provider 奇唯科技股份有限公司, which said it stopped using the address in June.
李相臣 (Li Xiangchen), director of the Technology Crime Prevention Center of the National Police Agency under Taiwan's Ministry of the Interior, said both companies may themselves be victims.
[Update, January 16, 5:15]
ReadWriteWeb reports that after the IE vulnerability affecting Google's security was disclosed, the German government urged people not to use Microsoft's browser, since other hackers will also exploit the vulnerability.
Separately, a netizen claimed that a programmer at Google China's Shanghai office is suspected of stealing Gmail source code. This has not been confirmed by Google.
The New York Times reports that other well-known companies possibly involved in the attack on Google now also include the defense contractor Northrop Grumman and the well-known security vendor Symantec.