The “Aurora” IE Exploit Used Against Google in Action


The big news hit earlier this week that the attack vector that let bad actors, presumably from China, into the networks of Google, Juniper, Adobe, and some 29 other firms was an Internet Explorer zero day: a use-after-free vulnerability, reached through an invalid pointer reference, that affects IE 6, 7, and 8 but, according to Microsoft, was only used by the attackers against IE 6. Per Microsoft’s Advisory 979352: “In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.”

Earlier today an entry submitted yesterday to Wepawet (an online analysis engine for malware) was pointed out to H.D. Moore, and within hours Metasploit had an exploit for the vulnerability integrated. McAfee has confirmed that the exploit now circulating is the same one they saw during their investigation.

Here It Is

The video below demonstrates how Google and the rest have been, according to most news reports, exploited via the “Aurora” vulnerability in Internet Explorer, and had their “intellectual property” taken.

In the video you will see Metasploit start a handler listening for the reverse connection, stand up a web site that serves the malicious page, and then an unsuspecting user visit that site, trigger the IE vulnerability, and unknowingly open a connection back to a computer owned by the attacker. The attacker then lists the user’s processes and elects to kill Notepad, where the user was working on an important document. IE 6.0 is used, as this is the version Microsoft references as having been used in the “targeted attacks” on some 30+ U.S. companies.

A silly example for demonstration purposes, to be sure, but once the backdoor to the user’s PC is open the attacker can use it as a pivot point for attacks against the internal network, escalate privileges, pull information off the PC, and basically do anything the user can do. The payload runs with the rights of the user who opened the page, which is why the client-side exploit is only the first step of the intrusion.


The Vector

The attack scenario is that users were pointed to a web site (probably through a targeted e-mail, an attack called spear phishing) containing JavaScript that sprays the heap with the shellcode and then triggers the invalid pointer reference, so that when Internet Explorer dereferences the freed object it lands in attacker-controlled memory and runs the shellcode. The exploit code was released publicly yesterday and is shown below.

[Image: aurora_vuln, screenshot of the published exploit source]
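The use-after-free at the heart of the advisory, reduced to a deterministic C model. This is an added example, not the published exploit and not Internet Explorer code: it simulates a freed element whose stale vtable pointer is dereferenced after an attacker-controlled allocation has reused the memory, which is the mechanism the JavaScript trigger and the shellcode spray rely on. The element layout, the toy four-slot allocator, the reference-count fix, the helper names and the 0xC0DE marker are all assumptions of this model.

```c
/*
 * Added example, not the exploit from the page: a deterministic model of the
 * use-after-free class behind CVE-2010-0249.  A DOM-like element carrying a
 * vtable pointer is freed while an event handler still holds a raw pointer to
 * it; the next same-sized allocation (heap-sprayed attacker data in the real
 * attack) reuses the slot, so the stale vtable pointer now points wherever the
 * attacker wrote.  A four-slot LIFO free list stands in for the browser heap so
 * the reuse is guaranteed.  The element layout, the refcount fix and the 0xC0DE
 * marker are assumptions of this model, not IE internals.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SLOT_SIZE  32
#define SLOT_COUNT 4

struct element;
typedef struct element_vtable { int (*on_event)(struct element *self); } element_vtable_t;
typedef struct element {
    const element_vtable_t *vt;                 /* first word: vtable pointer */
    int refs;                                   /* owners holding a reference */
    char tag[SLOT_SIZE - sizeof(void *) - sizeof(int)];
} element_t;
typedef char element_fits_one_slot[(sizeof(element_t) <= SLOT_SIZE) ? 1 : -1];

/* Toy allocator: fixed-size slots; the most recently freed slot is reused first. */
static uint8_t *g_arena;
static void    *g_free_list;

static void arena_reset(void) {
    if (!g_arena) g_arena = malloc((size_t)SLOT_COUNT * SLOT_SIZE);
    g_free_list = NULL;
    for (int i = SLOT_COUNT - 1; i >= 0; i--) {  /* push 3,2,1,0: slot 0 on top */
        void *slot = g_arena + i * SLOT_SIZE;
        memcpy(slot, &g_free_list, sizeof g_free_list);   /* free-list link */
        g_free_list = slot;
    }
}
static void *arena_alloc(void) {
    void *slot = g_free_list;
    if (slot) memcpy(&g_free_list, slot, sizeof g_free_list);
    return slot;
}
static void arena_free(void *slot) {
    memcpy(slot, &g_free_list, sizeof g_free_list);   /* link clobbers the vtable */
    g_free_list = slot;
}

/* The legitimate dispatch target and the one the attacker wants reached. */
static int benign_on_event(element_t *self) { return (int)strlen(self->tag); }
static const element_vtable_t g_element_vt = { benign_on_event };
static int attacker_controlled(element_t *self) { (void)self; return 0xC0DE; }
static const element_vtable_t g_attacker_vt = { attacker_controlled };

static element_t *element_create(const char *tag) {
    element_t *e = arena_alloc();
    e->vt = &g_element_vt;
    e->refs = 1;                                /* the document tree's reference */
    snprintf(e->tag, sizeof e->tag, "%s", tag);
    return e;
}
static void element_release(element_t *e) {
    if (--e->refs == 0) arena_free(e);          /* last owner gone: slot is free */
}

/* Heap-spray stand-in: the attacker's next allocation takes the freed slot and
 * fills every word of it with a pointer to memory they control. */
static void spray_next_allocation(void) {
    uint8_t *str = arena_alloc();
    const element_vtable_t *fake = &g_attacker_vt;
    for (size_t off = 0; off + sizeof fake <= SLOT_SIZE; off += sizeof fake)
        memcpy(str + off, &fake, sizeof fake);
}

/* Vulnerable: the handler keeps a raw pointer (think event.srcElement) across
 * the removal that frees the element, then makes a virtual call through it. */
int vulnerable_dispatch(void) {
    arena_reset();
    element_t *img = element_create("img");
    element_t *srcElement = img;                /* raw pointer, no reference taken */
    element_release(img);                       /* innerHTML = "" drops the element */
    spray_next_allocation();                    /* same slot, now attacker bytes */
    return srcElement->vt->on_event(srcElement);/* vtable read from attacker data */
}

/* Fixed: the handler takes its own reference, so the slot cannot be freed and
 * reused while the pointer is live; the spray lands in a different slot. */
int fixed_dispatch(void) {
    arena_reset();
    element_t *img = element_create("img");
    img->refs++;                                /* handler owns a reference too */
    element_release(img);                       /* tree drops it: still alive */
    spray_next_allocation();
    int result = img->vt->on_event(img);        /* benign: strlen("img") == 3 */
    element_release(img);                       /* freed only after its last use */
    return result;
}

int main(void) {
    printf("vulnerable: 0x%X  fixed: %d\n", (unsigned)vulnerable_dispatch(), fixed_dispatch());
    return 0;
}
```

Compile with `cc -o uaf uaf.c` and run: the vulnerable path returns the attacker’s marker because the virtual call reads its function pointer out of the reused slot, while the fixed path returns the benign handler’s result. In a real browser the sprayed value is not a pointer to a harmless function but an address inside the sprayed shellcode, which is why the published exploit pairs the trigger with a large heap spray.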

Update

  • Ahmed Obied has published a clean Python version of the exploit (it launches the Windows Calculator) for testing as well: ie_aurora.py.
  • CVE-2010-0249 has been opened for this issue.

Finally

“At this time, we are aware of limited, active attacks attempting to use this vulnerability against Internet Explorer 6. We have not seen attacks against other affected versions of Internet Explorer.” – Microsoft.

This situation has the potential to change rapidly now that the exploit is public. Microsoft last patched a vulnerability out of cycle in July 2009; they could elect to pursue the same response here.

Or as McAfee correctly opines: “What started out as a sophisticated targeted attack is likely to lead to large-scale attacks on vulnerable Microsoft Internet Explorer users.”

Filed Under: featured, Remote Exploit


Comments (77)


  1. Bill Dudly says:

    You’re deluded if you think your video is a good presentation of something. No future in video production for you.

    • chucklingabit says:

      @BillDudly Thanks for adding to the conversation in such a productive proactive way.

  2. Prefect says:

    Dudlifier – Cute… It’s not exactly our day job, we do have a few other things going on over here.

    That’s what an attack looks like though: a listener is running, a malicious site is set up, the user visits it, and malicious processes start running in the context of that user. That’s it, no loud noises, no explosions, no flashing red lights, no mustache-stroking villains. You want that, you’ve come to the wrong outpost on the Intertubes.

    Although chances are if you don’t know what you’re looking at, you’re probably in the wrong place anyway. How did you end up on an information security blog?

    Thanks for the constructive comment though buddy boy. Come back anytime.

  3. Eno says:

    One thing I don’t understand: how is that possible? I mean, we’re talking about Google; all people interested in security know that Google is well known for its high level of security. This 0 day shows that Google is actually using IE6 for some Googlers? Unbelievable. Even if it works for IE6, 7, 8, I thought computers at the Googleplex had a lot of protections for the stack, AV, firewall, IDS etc.

  4. Anon says:

    I would have figured that a company as organized as Google would mandate their own browser, Chrome, on every desktop. Or at least have policy in place to use anything, anything but IE6.

  5. [...] 2003, Vista, Server 2008, Windows 7 and Server 2008 R2. You can see the exploit in action over here. Microsoft has published a security advisory and is working on a patch. In the meantime, it is [...]

  6. JP says:

    Think about it: A software company needs to have a handle on how its products work in many environments. This means occasionally relinquishing control to the windy browsers of fate. C’est la vie…

  7. NotOnly says:

    According to McAfee CTO, IE6 wasn’t the only browser used as attack vector in these attacks. IE7 and 8 were also used in a different way which we still don’t know.

  8. [...] that the attacks came from the Chinese government (McAfee speaks of project “Aurora”). The government would do well to help clear this up. That it (which officially always … censorship [...]

  9. [...] “After McAfee’s disclosure of an IE 0-day vulnerability this week that had been used in Operation Aurora, the hack and stealing of data from Google, Adobe and about 3 dozen other major companies, the [...]

  10. Here’s my take: It’s all about defense in depth. I have some thoughts on the attack on my blog (http://miwsecurity.blogspot.com/2010/01/2010-coming-out-of-defense-in-depth.html).

    The biggest issue as far as I can tell is that the present lip service given to internal systems MUST come to an end. Everyone seems to be spending their entire security budget on perimeter defenses and not enough on security training and internal controls. Seriously…spear phishing? That’s a complete falldown of security awareness training if you ask me.

    Has anyone attempted to run this code against a workstation with Cisco Security Agent or a similar HIPS application installed?

    Graham

  11. Does the Metasploit or the in-the-wild attack leave any tangible evidence in system32? I’m currently handling an incident with some undetected malware which leaves around 5-12 files in system32. It looks like maybe a variant of Netsky, but then again some of the code could be shared. I doubt it’s the same, but it would be nice to have more details about what’s left behind.

  12. Chrome says:

    @MICHAEL STARKS: how can your sploit be undetectable if it leaves files? Also: if you have a directory called system32 then you’re probably hacked. Because you’re stupid. Instead of researching stupid Windows malware, why don’t you get onto a safe platform? Too stupid to meet that challenge? Guess so.

    @GRAHAM THOMPSON: Close only counts in horseshoes. People are wasting money on Windows. Want me to take that again, or are you of above average intelligence and got that the first time around? And the Cisco guys are still running Windows stuff? You mean they’re stupid too? Gosh!

    @NOTONLY: No not in a different way. He did not say that. They were used in the same way.

    @JP: I have thought about it. It’s you who haven’t thought about it. They can sandbox Windows. Anyone who absolutely has to run Windows and doesn’t sandbox it is a fool.

    @PREFECT: way cool. FTW!

  13. TJ says:

    LOL @CHROME: Nobody likes a linux fan boy, they have less social skills than their OS! Linux is great for a server, but if you truly think it’s a better desktop OS than Windows, then you sir are the fool!

    You didn’t say Linux, but you’re not cool enough to own a Mac… I’m guessing Ubuntu!

  14. dwyatt says:

    Perhaps the arguments that open source, available to everyone to find and fix security flaws, make a little more sense now. I’d guess that the Chinese have been diligently studying Windows source since MS handed it over to them in 2003. They probably have a whole portfolio of 0-days in a folder.

  15. ghabuntu says:

    First medication to this ailment

    Organizations and individuals should stop using the really crappy IE. I wonder why no one is mentioning that!

  16. ghabuntu says:

    Lol Dwyatt, I perfectly agree with you. I’d say they have a full dossier in an entire warehouse

  17. senyorita says:

    If you have a directory called system32 then you’re probably hacked. Because you’re stupid.

    yo.. that’s rich, seriously.

  18. Felipe says:

    @BILL DUDLY: why not a good presentation? Bill, I don’t want to think you still believe in “security through obscurity”; if so, you are deluded, man. Sharing this knowledge lets us open our eyes and lets everyone open their eyes – if you want to open them.

    @TJ: Maybe Windows or MacOS are mature OS’s; Linux is growing up too… Anyway, I am a Linux boy, sometimes a Mac boy and sometimes a Windows boy; each one fills a need at a given time… In security, no matter what OS you are using, all of these are hackable. All that is required is some time for research… Security is a chain and one of the weakest links is THE USER. Sometimes some users are really stupid; other times they just do not have enough knowledge of what they are facing on the internet, maybe because they are not (well) trained.

    To reduce the risk of client-side exploitation on the user side, maybe it would be a good idea to use this equation: (Training + Knowledge) + Common Sense.

    @praetorianprefect.com: Good job guys! Keep going this way.

  19. Re Treat says:

    Just downloaded the HotJava-3.0 browser from java.sun.com/products/archive/hotjava/3.0/index.html. Looks quite nice and clean, strips stupid ad stuff. Cross platform, no OS fanboy fights. Probably not targeted for exploits. Looks good as a workaround while MS fixes IE. Might be confident enough to visit a porn site again.

  20. [...] Demonstration of how the IE “Exploit” used in the attacks on Google works [ENG]  praetorianprefect.com/archives/2010/01/the-aurora-ie-exploit…  by crises 2 seconds ago [...]

  21. To those who lambasted me for running windows, bla bla bla, I can only assume you have never worked as an infosec professional in an enterprise setting, and have never helped a customer with a security problem in a typical environment. That’s really all I have to say on the matter..

  22. [...] , in more detail below + a video of it in action. Praetorian Prefect | The “Aurora” IE Exploit Used Against Google in Action [...]

  23. [...] in action and some of the source code: http://www.darkreading.com/vulnerabi…leID=222301235 Praetorian Prefect | The “Aurora” IE Exploit Used Against Google in Action [...]

  24. [...] thanks to the friends at http://praetorianprefect.com who have made a video showing how the crackers initially gained access to the networks [...]


  26. Samuel Lai says:

    Very informative video and information. Thanks.

  27. [...] I’m happy to note that according to Google Analytics only 28% of you are using Internet Explorer. My hat’s off to 72% of you. If you are in that other 28%, however, unless you like your personal data compromised or you want to feel the thrill of having your PC ride in a botnet herd, use it to download Chrome or Firefox or Opera or Safari or whatever and don’t open it again until Microsoft gets out a patch for the Aurora exploit. [...]

  28. Racist US says:

    Don’t FXXXing understand why every time those US companies have any hacking problem they point their fingers at others, bloody di-ck head.

    You made the software, you sell it, you get the profit, and don’t want to get blamed; it’s your fault for not producing a better one, and then when sh-it happens, you just try to blame others: first off Russia, then the Middle East, then Gaza, and now the Chinese. Why don’t you point at yourselves? You simply ignore the facts and blame others.

  29. [...] this interesting video. What can I say? scary… I’m removing IE from my office today. Praetorian Prefect | The “Aurora” IE Exploit Used Against Google in Action [...]

  30. ANON2 says:

    Thanks for taking the time to show us how it works in action.

  31. jrusi says:

    It doesn’t work for me. When user opens the site I get: “Sending Microsoft Internet Explorer “Aurora” Memory Corruption to client”

    I have metasploit: =[ metasploit v3.3.4-dev [core:3.3 api:1.0] + — –=[ 492 exploits – 230 auxiliary + — –=[ 192 payloads – 23 encoders – 8 nops =[ svn r8144 updated today (2010.01.18)

  32. @Chrome: Not sure what you mean? Cisco guys running Windows? Close only counts with horseshoes? The only context Cisco came up in was whether Cisco Security Agent (or another HIPS product) is able to protect an unpatched machine… As for horseshoes…?

    Anyway, thanks to Praetorian for the excellent posting on this attack!

  33. [...] Detailed info about Operation Aurora. Inderjeet Singh is the founder and main author of [...]


  35. [...] at all you’ll know that the zero-day vulnerability codenamed Aurora (watch it in action on Praetorian Prefect) in Microsoft’s popular Internet Explorer web browser was the cause of the security breaches. [...]

  36. [...] The attack against Google has been picked apart; a zero-day exploit in Internet Explorer was the method. The method was covered at CNET and is described in detail by McAfee’s CTO, George Kurtz, in a blog post. The blog Praetorian Prefect has a description and video of the attack in action. [...]

  37. Nik says:

    Could you please publish the actual code of the exploit?

  38. [...] of the popular hacking tool Metasploit, the exploit for this hole has now been made public. That makes it possible to set up a website through which the hole is exploited. The [...]

  39. [...] Praetorian Prefect Follow-up by George Kurtz, CTO The blog of Sergio Hernando [...]

  40. [...] the exploit itself. Link to Praetorian Project. Links to the sploit:  [...]

  41. [...] cycle. The update is for the Internet Explorer vulnerability which was reported to be used by the Aurora exploit to attack Google and several other companies. The last time Microsoft released an out of band patch [...]

  42. [...] in question affects all versions of Internet Explorer since IE 6 and can be seen in action over here. Microsoft is expected to release a patch later today to fix the [...]

  43. Gabriel says:

    Excellent presentation, as always. It worries me that people are still using IE6, pretty much proven to be the most insecure browser in the history of browsing, though.

  44. [...] (under review) And some more random links: Code Used in Google Attack Now Public : programming Praetorian Prefect | The “Aurora” IE Exploit Used Against Google in Action [...]

  45. default_dev says:

    I use iPhone SDK at work. Every time you attempt to just “stare” at a freed object it throws an exception and kills your process at once. It is good to know that in Windows everything is more gentle.

  46. [...] Information about the Internet Explorer exploit used against Google [...]

  47. [...] The site (91.121.221.39) that the homepage was linked to appears to be a warez site hosted in Roubaix, France, hosted by ISP Ovh Systems. TechCrunch is of course hosted by Rackspace.com, which was recently in the news because of the role their servers played in the ‘Aurora’ attack on Google. [...]

  48. [...] the attack can also be filtered out manually by policy with the ProxySG. With the following policy the published exploit source code can be neutralised [...]

  49. [...] a video detailing how this hack works in action in case you are like me and interested in the juicy technical [...]

  50. [...] video, taken from praetorianprefect.com, shows the hacker starting a Metasploit session, choosing the ie_aurora exploit, [...]

  51. [...] video shows how the hacker, starting a Metasploit session and choosing the exploit [...]

  52. [...] video at the Praetorian Prefect website demonstrates how Google and the rest have been, according to most news reports, exploited via the [...]


  54. [...] IE Exploit in Action from The Crew of Praetorian Prefect on Vimeo. The video, taken from praetorianprefect.com, shows the hacker starting a Metasploit session, choosing the ie_aurora exploit, [...]

  55. [...] a CNBC broadcast, perhaps the most amusing way seen thus far of describing the patch for the ‘Aurora bug‘ that famously affected Google late last [...]

  56. [...] second major instance of this type of error in Internet Explorer recently (with the well publicized ‘Google Aurora’ attack being associated with a similar type of code defect in the popular [...]

  57. It is not a good idea to hear this.


  59. [...] planned, but that doesn’t make the risk any less meaningful. Apparently, the Aurora exploit isn’t all that complicated to use in its most basic [...]

  60. mk-job says:

    Very nice exploit, so good.

  61. As basic as Aurora was, it was extremely effective. Stuxnet has made it look like child’s play though.

  62. WOLVERINE says:

    The bad guys have been very active in the last few days, which is bad news…

    Salu2 de WOLVERINE

  63. Quora says:

    What technologies and skills are needed to pull a “hack” like the one China did to Google?…

    You’re referring to the Aurora vulnerability (http://praetorianprefect.com/archives/2010/01/the-aurora-ie-exploit-in-action/). In order to pull this off you would need to: 1. Be able to find a use after free vulnerability in Internet Explorer (if you …

  64. [...] Question: How does Quora automatically comment back to a blog that is referenced on Quora? Like http://praetorianprefect.com/arc… [...]

  65. [...] the news lately. A number of firms and government institutions were breached in what was termed the Google Aurora attacks last year, the year before that the Ghostnet spy network was uncovered affecting embassies and [...]

  66. lee johno says:

    Fantastic blog, great resources.

  67. Rosco Mavudo says:

    The A-TEAM works for Gawker Media. Gawker Media has two hired teams hunting down hackers. Lulz2 says they will take down Gawker MEdia AGAIN! Let’s see who is the BEST!
