I came across a very interesting read about “Operation Aurora”. For those of you who are not aware of what this means, Operation Aurora is the codename for a very successful malware attack that Google, Yahoo, Juniper and several other corporations have admitted to being targeted by.
From the report:
”
”
There are technical details on the report itself:
http://www.hbgary.com/wp-content/themes/blackhat/images/hbgthreatreport_aurora.pdf
Most interestingly for network security admins, the second column on page 3 of the report contains the Snort IDS rules to stop the malware, describing two rules: one for client-initiated connections, the other for server (Command Centre) connections.
For those who don't use Snort, other network vendors like SonicWALL have the ability to write firewall rules which can block traffic matching the pattern shown in the report. In SonicWALL products the feature is called “Application Firewall”; other vendors probably have something similar. Most vendors will also probably include this signature in their IPS databases.
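To show what a “client-initiated” versus “server (Command Centre)” rule pair looks like in Snort syntax, here is an added illustration that is not taken from the HBGary report and contains none of its signatures. The content strings, ports and sids are placeholders I made up; anyone deploying this would substitute the actual patterns from page 3 of the report.

```snort
# Added example: structure of a two-rule pair for a beaconing trojan.
# Content strings and sids below are PLACEHOLDERS, not the Aurora signatures.

# Rule 1: infected host inside $HOME_NET initiating a connection outward.
# flow:to_server matches traffic from the TCP client toward the server.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (
    msg:"LOCAL trojan beacon - client to C2 (placeholder pattern)";
    flow:to_server,established;
    content:"PLACEHOLDER-CLIENT-BEACON";
    classtype:trojan-activity;
    sid:1000001; rev:1;
)

# Rule 2: the Command Centre answering the infected host.
# flow:to_client matches the server side of the same established session.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (
    msg:"LOCAL trojan beacon - C2 to client (placeholder pattern)";
    flow:to_client,established;
    content:"PLACEHOLDER-C2-RESPONSE";
    classtype:trojan-activity;
    sid:1000002; rev:1;
)
```

Sids from 1000000 upward are the conventional range for locally written rules, so they will not collide with vendor rule sets. After adding the pair to a local rules file, `snort -T -c snort.conf` validates the syntax without processing traffic, and replaying a capture with `snort -r sample.pcap -c snort.conf` confirms each rule fires only in the expected direction before the rules are switched from alert to drop in an inline deployment.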