null Bangalore meet Feb 2010 - news Bytes

Upload: nu-the-open-security-community

Post on 18-Dec-2014

Page 1: null Bangalore meet Feb 2010 - news Bytes
Page 2: Operation AURORA

Damballa released a 31-page report titled "The Command Structure of the Aurora Botnet: History, Patterns and Findings"

It is a 'garden variety' command-and-control botnet

First noticed by Google in December 2009, made public on January 12, 2010

Page 3: Operation AURORA

The primary malware, Hydraq, is a later stage in a series of malware consisting of at least three different families

They were deployed using fake antivirus infection messages that tricked the victim into installing the malicious botnet agents

"Trojan.Hydraq would have been just another piece of dumb malicious software if it did not have the ability to connect to a CnC server and receive new instructions"

The Damballa research paper can be downloaded at: http://www.damballa.com/research/aurora.

Page 4: [image-only slide]

Page 5: Help !

The attacker entices victims to press F1 on their website

Displays a message box that does not go away until F1 is pressed

Affects older Windows versions such as XP or 2000

Page 6: Help !

Workaround

cacls "%windir%\winhlp32.exe" /E /P everyone:N
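A defender rolling out the cacls workaround above will want a way to verify it actually took effect on a given host. The following PowerShell check is an added example, not from the slides or from null/Damballa: it looks for an explicit Deny ACE for Everyone on winhlp32.exe (which is what cacls everyone:N creates) and prints the cacls command from the slide if the ACE is missing. It assumes Windows PowerShell is available on the host being checked; the function name Test-WinHlpWorkaround is this example's own.

```powershell
# Added example, not from the slides: verify whether the winhlp32.exe
# workaround (a Deny ACE for Everyone, as set by "cacls ... /P everyone:N")
# is in place on this host. Assumes Windows PowerShell.

$WinHlpPath = Join-Path $env:windir 'winhlp32.exe'   # same file the cacls command targets

function Test-WinHlpWorkaround {
    param([string]$Path = $WinHlpPath)

    if (-not (Test-Path -Path $Path)) {
        # winhlp32.exe is absent on this build, so there is nothing to protect
        return $false
    }

    $acl = Get-Acl -Path $Path

    foreach ($ace in $acl.Access) {
        # Compare by SID (S-1-1-0 = Everyone) so the check is independent of
        # the localized account name shown by Get-Acl
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        } catch {
            continue   # unresolvable account; cannot be the one we are looking for
        }
        if ($sid.Value -eq 'S-1-1-0' -and $ace.AccessControlType -eq 'Deny') {
            return $true
        }
    }
    return $false
}

if (Test-WinHlpWorkaround) {
    Write-Output "Workaround present: Everyone is denied access to $WinHlpPath"
} else {
    Write-Output "Workaround NOT present on $WinHlpPath. To apply it (command from the slide):"
    Write-Output "  cacls `"$WinHlpPath`" /E /P everyone:N"
}
```

Checking by SID rather than by the string "Everyone" matters on non-English installs, where the well-known group is displayed under a translated name; the Deny ACE is the same either way.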

Page 7: IE Zero Day

Warning about an unpatched flaw in IE 6 and 7

Invalid pointer reference bug

IE 6 Service Pack 1 on Windows 2000 Service Pack 4 and IE 7 contain this bug

Page 8: IE Zero Day

The attacker entices the user to click on a link in an email or instant message

The user visits a website with malicious code

Page 9: Microsoft Patches Up

Issued patches that fix vulnerabilities in Windows and Office

MS10-016 patch: addresses a flaw in Movie Maker that allowed remote command execution

MS10-017 patch: addresses vulnerabilities in Excel

Page 10: Adobe fix

Adobe released a fix that updates Reader from 9.3 to 9.3.1

The flaw could be used to subvert the domain sandbox and make cross-domain calls

It allowed an attacker to crash the program and execute commands

Page 11: Zeus Trojan

Zeus collected extensive data from individuals on commercial and government systems:

Around 68,000 corporate login credentials, 2,000 SSL certificate files, and usernames and passwords for online banking sites and social networks.

Page 12: Zeus Trojan

Zeus is capable of stealing data from the protected store of a PC

Criminals exploited vulnerabilities in Adobe Flash and holes in Adobe Reader.

Malicious PDFs were used

Page 13: Twitter Phishing

"This you ???"

"somebody wrote something about you in this blog here"

You receive a URL; clicking on it asks you to log in to a third-party site

Page 14: Firefox Add-Ons

Master Filer and Sothink Web Video Downloader version 4

They were able to sneak through Mozilla's malware scanner

Upload all add-on submissions to the free VirusTotal.com, which uses about 40 different engines to scan each submission.

ClamAV

Page 15: Cloud Security

Cloud Security Alliance names top 7 threats to cloud computing

Similar to the OWASP Top 10

Abuse and Nefarious Use of Cloud Computing

Insecure Interfaces and APIs

Malicious Insiders

http://www.cloudsecurityalliance.org/topthreats.html

Page 16: Windows 7

Windows 7 has a 'SoftAP' feature which allows a PC to function as a Wi-Fi client and an access point simultaneously

This masks the entry of unauthorized users onto the corporate network.

It also can allow parking-lot hackers to piggyback onto the user's laptop and "ghost ride" into the corporate network unnoticed.

Page 17: Spy Kids

School used student laptop webcams to spy on them at school and home

The issue came to light when the Robbins' child was disciplined for "improper behavior in his home" and the Vice Principal used a photo taken by the webcam as evidence.

Page 18:

Twitter users celebrate 10 billion tweets

Virgin rolling out 100Mbps broadband this year

Now almost 200 million registered domains

Google hammered for Buzz privacy issues

Page 19: Thank You