Comments on: An Insight into the Aurora Communication Protocol

By: Vivek Rajan

Vivek Rajan — Wed, 26 Jan 2011 14:07:22 +0000

Nice writeup. It is indeed surprising that no effort was made to use the SSL protocol and that the IDS did not trip. Pulling in full blown SSL could increase malware size.

By: Larry

Larry — Fri, 17 Sep 2010 19:30:32 +0000

This attack did not hit oracle databases where the sensitive data lives 99.99percent of the time, but it could have!

By: Scented rocks

Scented rocks — Fri, 03 Sep 2010 23:04:43 +0000

This is a great info about Aurora Communication Protocol. Its going to be hard finding how organized these attacks are, just like everything else no charges are made.

By: Rolf Rolles

Rolf Rolles — Fri, 22 Jan 2010 03:26:58 +0000

… “highly obfuscated”? There’s nops between each legitimate instruction, and branches.

By: Sandro SÃ¼ffert

Sandro SÃ¼ffert — Wed, 20 Jan 2010 03:02:17 +0000

“Joe Stewart, a malware specialist with SecureWorks, a computer security company based in Atlanta, said he determined the main program used in the attack contained a module based on an unusual algorithm from a Chinese technical paper that has been published exclusively on Chinese-language Web sites” – ref: http://www.nytimes.com/2010/01/20/technology/20cyber.html

S.S.

By: MariJewel

MariJewel — Tue, 19 Jan 2010 21:31:25 +0000

Nice insight. Makes me informed about an effective computer security research.

By: Matthew Wollenweber

Matthew Wollenweber — Tue, 19 Jan 2010 19:24:12 +0000

First nice write up. I appreciate the detail rather than speculation seen most places.

I’m with the other commenters in that I don’t understand why they would not use SSL. Even if they want to enable some level of encryption/encoding in addition to SSL it would make more sense to use it. I think this is odd for several reasons:

1. having written software for pen tests, I know backdoors are sometimes blocked by firewalls/proxies. I prefer to inject into IE for it’s authorized outbound connectivity and for the nicely wrapped windows functions. Using SSL is fairly easy using MS’s libraries.

2. Not being SSL stands out. Random data is hard to distinguish between encrypted data but it stuck out enough to be noticed here.

3. This reminds me of another piece of malware (I think Conficker) did something similar where the encoding key was sent in the initial packets. Have you looked for that relationship and any possibility similarities to whatever piece of malware that might be. Sorry for not being able to identify the code I’m thinking of off hand.

By: Mr Mark

Mr Mark — Tue, 19 Jan 2010 17:16:46 +0000

Could it be possible for this second malware to stipulate a server:port combination within the targeted organisation, thus centralising the collection of data/information, a sort of staging area before using a single system to export the data out of the organisation? thoughts?

By: mph

mph — Tue, 19 Jan 2010 14:53:07 +0000

@alex2308, because most strong crypto code is easy to spot, relatively heavy on CPU resources, and it’s just as useless if poorly implemented. There’s a good chance it will be implemented incorrectly because of the complexity, not just of the code itself but the associated protocols (key management, etc.). The code and protocol here is lightweight and not seen before, real advantages in this situation.

By: Sandro SÃ¼ffert

Sandro SÃ¼ffert — Tue, 19 Jan 2010 12:59:44 +0000

WTG, Venere. Nice detailed and important analysis my friend.

Congrats,

Sandro SÃ¼ffert