Operation Aurora

I came across a very interesting read about “Operation Aurora”. For those who are not familiar with the name, Operation Aurora is the codename given to a highly targeted and successful malware campaign, disclosed by Google in January 2010, that Google, Yahoo, Juniper and several other corporations were reported to have been hit by.

From the report:

The Aurora malware operation was identified recently and made public by Google and McAfee. This malware operation has been associated with intellectual property theft including source code and technical diagrams (CAD, oil exploration bid-data, etc). Companies hit have been publicly speculated, including Google, Adobe, Yahoo, Symantec, Juniper Networks, Rackspace, Northrop Grumman, and Dow Chemical. The malware package used with Aurora is mature and has been in development since at least 2006.

The report itself contains the technical details:

http://www.hbgary.com/wp-content/themes/blackhat/images/hbgthreatreport_aurora.pdf

Most useful for network security admins: the second column on page 3 of the report contains Snort IDS rules for the malware's network traffic. There are two rules, one matching the client-initiated side of the connection (infected host to command centre) and the other matching the server (command centre) side. Bear in mind that a Snort sensor running in passive (SPAN/tap) mode will only alert on a match; to actually stop the traffic the rules have to run on an inline sensor with a drop action, or the same pattern has to be enforced on the firewall.
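To make the two-rule structure concrete, here is an added example of a matched pair of Snort rules, one per direction of the C2 session. This is illustrative code written for this post, not the rules from the HBGary report: the byte patterns, port, SIDs and messages are placeholders that you would replace with the values from page 3 of the report.

```snort
# Added example: a direction-specific Snort rule pair for a C2 protocol.
# The content bytes, port and sids below are PLACEHOLDERS, not the Aurora
# signatures from the HBGary report; substitute the report's values.

# Rule 1: infected client -> command centre. "flow:to_server,established"
# restricts the match to the client side of an established TCP session, and
# "offset/depth" pin the pattern to the first bytes of the payload so the
# content match is cheap and does not fire on unrelated data mid-stream.
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 ( \
    msg:"EXAMPLE Aurora-style C2 client handshake (placeholder pattern)"; \
    flow:to_server,established; \
    content:"|ff ff ff ff 00 00|"; offset:0; depth:6; \
    classtype:trojan-activity; sid:1000001; rev:1; )

# Rule 2: command centre -> infected client. Same idea, opposite direction,
# so a reply from the server is caught even if the client hello was missed.
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any ( \
    msg:"EXAMPLE Aurora-style C2 server reply (placeholder pattern)"; \
    flow:to_client,established; \
    content:"|cc cc cc cc 00 00|"; offset:0; depth:6; \
    classtype:trojan-activity; sid:1000002; rev:1; )

# To actually stop the session rather than just log it, run Snort inline
# (snort -Q with an inline DAQ such as afpacket) and change "alert" to
# "drop" on both rules; on a passive SPAN/tap sensor "drop" has no effect.
```

Replay a capture against the rules before deploying them (`snort -c snort.conf -r capture.pcap -A console`) to confirm both directions fire and that normal TLS traffic on port 443 does not. If the client pattern turns out to be too generic on its own, set a flowbit in rule 1 and require it with `flowbits:isset` in rule 2 so an alert needs both halves of the handshake.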

For those who don't use Snort, other network vendors such as SonicWALL let you write firewall rules that block traffic matching the byte patterns shown in the report. In SonicWALL products the feature is called “Application Firewall”; other vendors probably have something similar. Most IPS vendors will also likely ship this signature in their IPS databases, so check for a signature update before writing your own.