Comments on: More Details on "Operation Aurora" http://blogs.mcafee.com/mcafee-labs/more-details-on-operation-aurora Tue, 29 Nov 2011 07:51:20 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: G.E. Pelletier http://blogs.mcafee.com/mcafee-labs/more-details-on-operation-aurora/comment-page-1#comment-26143 G.E. Pelletier Wed, 20 Jan 2010 13:41:05 +0000 http://www.labs.com/research/blog/?p=3622#comment-26143 Hi Rahul, Yesterday's tests on UDS Version III were sucessful. The false positive rate is very low. Only two were detected out of about 50 million requests to about 140,000 unique domain names on the Internet. These appear to be caused by the same script, with slight customisations for each site: http://ce2.gcion.net/scripts/GDSRScripts.js The VirusTotal analysis of the file: http://www.virustotal.com/analisis/fb876196bf52422ca21091610e3a1d396cadf2156f4f378ce34e896150236696-1263990391 http://www.rgj.com/scripts/GDSRScripts.js VirusTotal Report: http://www.virustotal.com/analisis/d34174e1bb395530e9fd2de036bb48a4580250942acb310eaccc65a039758353-1263991051 These have been updated in our IntruShield SR. Sincerely, G.E. Pelletier Hi Rahul,

Yesterday’s tests on UDS Version III were sucessful. The false positive rate is very low. Only two were detected out of about 50 million requests to about 140,000 unique domain names on the Internet. These appear to be caused by the same script, with slight customisations for each site:

http://ce2.gcion.net/scripts/GDSRScripts.js

The VirusTotal analysis of the file:
http://www.virustotal.com/analisis/fb876196bf52422ca21091610e3a1d396cadf2156f4f378ce34e896150236696-1263990391

http://www.rgj.com/scripts/GDSRScripts.js

VirusTotal Report:
http://www.virustotal.com/analisis/d34174e1bb395530e9fd2de036bb48a4580250942acb310eaccc65a039758353-1263991051

These have been updated in our IntruShield SR.

Sincerely,

G.E. Pelletier

]]> By: G.E. Pelletier http://blogs.mcafee.com/mcafee-labs/more-details-on-operation-aurora/comment-page-1#comment-26142 G.E. Pelletier Tue, 19 Jan 2010 12:27:06 +0000 http://www.labs.com/research/blog/?p=3622#comment-26142 Hi Rahul, Thank you for the information about signature 0×4022f900. This will help us. The exploit was fully tested on three systems with HIPs installed. It was effective on all three (IE 6 disappeared and the calculator popped up). Paradoxically, the HIPs logs also show the attack as being prevented. We will follow up with McAfee. An SR was opened with McAfee with respect to the IntruShield false positives on the UDS Version II. I have advised the technician that the signature was updated to correct the false positives. I will be testing the UDS Version III update this morning. Again, your help is greatly appreciated. Sincerely, G.E. Pelletier Hi Rahul,

Thank you for the information about signature 0×4022f900. This will help us.

The exploit was fully tested on three systems with HIPs installed. It was effective on all three (IE 6 disappeared and the calculator popped up). Paradoxically, the HIPs logs also show the attack as being prevented. We will follow up with McAfee.

An SR was opened with McAfee with respect to the IntruShield false positives on the UDS Version II. I have advised the technician that the signature was updated to correct the false positives.

I will be testing the UDS Version III update this morning.

Again, your help is greatly appreciated.

Sincerely,

G.E. Pelletier

]]> By: Rahul Kashyap http://blogs.mcafee.com/mcafee-labs/more-details-on-operation-aurora/comment-page-1#comment-26141 Rahul Kashyap Tue, 19 Jan 2010 01:43:31 +0000 http://www.labs.com/research/blog/?p=3622#comment-26141 Hello Pelletier, Regarding the HIPS protection, we've successfully verified that HIPS blocks the exploit out of the box. While verifying such exploits you'll need to ensure that the exploit is successful on the victim machine. If you have further questions on this, please contact your SE/McAfee representative so that we can resolve the issues you're encountering. Regards Hello Pelletier,
Regarding the HIPS protection, we’ve successfully verified that HIPS blocks the exploit out of the box. While verifying such exploits you’ll need to ensure that the exploit is successful on the victim machine. If you have further questions on this, please contact your SE/McAfee representative so that we can resolve the issues you’re encountering.

Regards

]]> By: Rahul Kashyap http://blogs.mcafee.com/mcafee-labs/more-details-on-operation-aurora/comment-page-1#comment-26140 Rahul Kashyap Tue, 19 Jan 2010 01:24:29 +0000 http://www.labs.com/research/blog/?p=3622#comment-26140 Hello Pelletier, This exploit is detect by IntruShield out of the box with generic JavaScript Shellcode signatures (no need to update to block this exploit) 'HTTP: Possible attempt to create javascript shellcode:1' :0x4022f900 Regarding the False Positives, we've isolated the issue and updated the UDS and it'll be out today. Hello Pelletier,

This exploit is detect by IntruShield out of the box with generic JavaScript Shellcode signatures (no need to update to block this exploit)
‘HTTP: Possible attempt to create javascript shellcode:1′ :0x4022f900

Regarding the False Positives, we’ve isolated the issue and updated the UDS and it’ll be out today.

]]> By: G.E. Pelletier http://blogs.mcafee.com/mcafee-labs/more-details-on-operation-aurora/comment-page-1#comment-26139 G.E. Pelletier Mon, 18 Jan 2010 18:58:35 +0000 http://www.labs.com/research/blog/?p=3622#comment-26139 VSE, BOP, IntruShield UDS, and HIPS do not protect against the following exploit code: http://ahmed.obied.net/software/code/exploits/ie_aurora.py The above exploit code is very effective with IE 6. The IntruShield UDS-HTTP: Microsoft Internet Explorer HTML DOM Memory Corruption dated 14 Jan 2010 fails to detect this. The updated (version II) IntruShield UDS-HTTP: Microsoft Internet Explorer HTML DOM Memory Corruption II dated 16 Jan 2010. Generates massive numbers of false postives (over 100 in 20 minutes). The exploit code was originally found in the comments of the ISC SANS story: http://isc.sans.org/diary.html?storyid=8002 VSE, BOP, IntruShield UDS, and HIPS do not protect against the following exploit code:

http://ahmed.obied.net/software/code/exploits/ie_aurora.py

The above exploit code is very effective with IE 6.

The IntruShield UDS-HTTP: Microsoft Internet Explorer HTML DOM Memory Corruption dated 14 Jan 2010 fails to detect this.

The updated (version II) IntruShield UDS-HTTP: Microsoft Internet Explorer HTML DOM Memory Corruption II dated 16 Jan 2010. Generates massive numbers of false postives (over 100 in 20 minutes).

The exploit code was originally found in the comments of the ISC SANS story:
http://isc.sans.org/diary.html?storyid=8002

]]> By: John http://blogs.mcafee.com/mcafee-labs/more-details-on-operation-aurora/comment-page-1#comment-26135 John Fri, 15 Jan 2010 23:49:53 +0000 http://www.labs.com/research/blog/?p=3622#comment-26135 Craig, great to hear that. Truly a great product that we hope to see and hear more about in the future. Thanks for setting me straight. Craig, great to hear that. Truly a great product that we hope to see and hear more about in the future. Thanks for setting me straight.

]]> By: Craig Schmugar http://blogs.mcafee.com/mcafee-labs/more-details-on-operation-aurora/comment-page-1#comment-26133 Craig Schmugar Fri, 15 Jan 2010 19:21:06 +0000 http://www.labs.com/research/blog/?p=3622#comment-26133 John, no languishing going on here, I updated the blog to note the McAfee Web Gateway (formerly Webwasher) and TrustedSource coverage information. John, no languishing going on here, I updated the blog to note the McAfee Web Gateway (formerly Webwasher) and TrustedSource coverage information.

]]> By: John http://blogs.mcafee.com/mcafee-labs/more-details-on-operation-aurora/comment-page-1#comment-26132 John Fri, 15 Jan 2010 01:15:47 +0000 http://www.labs.com/research/blog/?p=3622#comment-26132 Why wouldn't McAfee release some type of protection for the recently acquired Secure Computing Web Gateway (Webwasher) or Firewall (Sidewinder)? It's sad when companies acquire smaller better companies and then let the products languish for various reasons. Why wouldn’t McAfee release some type of protection for the recently acquired Secure Computing Web Gateway (Webwasher) or Firewall (Sidewinder)? It’s sad when companies acquire smaller better companies and then let the products languish for various reasons.

]]>