>>
>>
>> National Cyber Alert System
>>
>> Technical Cyber Security Alert TA10-055A
>>
>>
>>Malicious Activity Associated with “Aurora” Internet Explorer Exploit
>>
>> Original release date:
>> Last revised: –
>> Source: US-CERT
>>
>>
>>Systems Affected
>>
>> * Microsoft Internet Explorer 6 Service Pack 1 on Microsoft
>> Windows 2000 Service Pack 4
>> * Microsoft Internet Explorer 6, 7, and 8 on supported
>> editions of Windows XP, Windows Server 2003, Windows Vista, Windows
>> 2008, Windows 7, and Windows Server 2008 R2
>>
>>
>>Overview
>>
>> Malicious activity detected in mid-December targeted at least 20
>> organizations representing multiple industries including chemical,
>> finance, information technology, and media. Investigation into
>> this activity revealed that third parties routinely accessed the
>> personal email accounts of dozens of users based in the United
>> States, China, and Europe. Further analysis revealed these users
>> were victims of previous phishing scams through which threat actors
>> successfully gained access to their email accounts.
>>
>>
>>I. Description
>>
>> Through analysis of the malware used in this incident, McAfee
>> discovered one of the malware samples exploited a vulnerability in
>> Microsoft Internet Explorer (IE). The vulnerability exists as an
>> invalid pointer reference within IE and, if successfully exploited,
>> allows for remote code execution.
>>
>> Microsoft has released Security Bulletin MS10-002, which provides
>> updates for Internet Explorer that address this and other
>> vulnerabilities.
>>
>> US-CERT is providing technical indicators that can be incorporated
>> into an organization's security posture to detect and mitigate any
>> malicious activity.
>>
>> Please see <https://www.us-cert.gov/cas/techalerts/TA10-055A.html>
>> for further detail.
>>
>> The following signatures can be deployed to assist in detecting
>> malicious activity associated with this incident:
>>
>> Primary Malware Beacon
>>
>> alert tcp any any -> any any (msg:"Targeted Malware Communication
>> Beacon Detected"; flow:to_server,established; dsize:20;
>> content:"|ff ff ff ff ff ff 00 00 fe ff ff ff ff ff ff ff ff ff 88
>> ff|"; depth:20; sid:7777777; rev:1;)
>>
>> Secondary Malware Beacon
>>
>> alert tcp any any <> any any (msg:"ORC:DIS:BEACON_380DFF";
>> content:"|38 0d ff 0a d7 ee 9d d7 ec 59 13 56|"; sid:99980060;
>> rev:1;)
>>
>> Note: US-CERT has not verified or tested these signatures and
>> recommends proper testing prior to deployment.
>>
>>
>>II. Impact
>>
>> By convincing a user to view a specially crafted HTML document or
>> Microsoft Office document, an attacker may be able to execute
>> arbitrary code with the privileges of the user.
>>
>>
>>III. Solution
>>
>> The Internet Explorer vulnerability used in these attacks is
>> addressed with the updates provided in Microsoft Security Bulletin
>> MS10-002.
>>
>> Other recommendations include:
>>
>> * As a best practice, limit end-user permissions on systems by
>> granting minimal administrative rights.
>> * Enable Data Execution Prevention (DEP) for IE 6 Service Pack 2 or
>> IE 7. IE 8 automatically enables DEP.
>> * Inspect network traffic history for communication with external
>> systems associated with the attack.
>> * Examine computers for specific files or file attributes related
>> to the attack.
>>
>>
>>IV. References
>>
>> * How Can I Tell if I Was Infected By Aurora? -
>> <http://www.mcafee.com/us/local_content/reports/how_can_u_tell.pdf>
>>
>> * How do I know if my organization has been infected? -
>> <http://www.mcafee.com/us/threat_center/aurora_enterprise.html>
>>
>> * McAfee Labs Tools Aurora Stinger 10.0.1.765 -
>> <http://download.nai.com/products/mcafee-avert/aurora_stinger.exe>
>>
>> * Operation Aurora Hit Google, Others -
>> <http://siblog.mcafee.com/cto/operation-%25E2%2580%259Caurora%25E2%2580%259D-hit-google-others/>
>>
>> * Vulnerability in Internet Explorer Could Allow Remote Code
>> Execution -
>> <http://www.microsoft.com/technet/security/advisory/979352.mspx>
>>
>> * Microsoft Security Bulletin MS10-002 -
>> <http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx>
>>
>> ____________________________________________________________________
>>
>> The most recent version of this document can be found at:
>>
>> <http://www.us-cert.gov/cas/techalerts/TA10-055A.html>
>> ____________________________________________________________________
>>
>> Feedback can be directed to US-CERT Technical Staff. Please send
>> email to <cert@cert.org> with "TA10-055A Feedback VU#492515" in
>> the subject.
>> ____________________________________________________________________
>>
>> For instructions on subscribing to or unsubscribing from this
>> mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
>> ____________________________________________________________________
>>
>> Produced 2010 by US-CERT, a government organization.
>>
>> Terms of use:
>>
>> <http://www.us-cert.gov/legal.html>
>> ____________________________________________________________________
>>
>>Revision History
>>
>> February 24, 2010: Initial release
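The two Snort signatures quoted in the alert can be sanity-checked before deployment by reproducing their matching logic in a few lines. The following is an added example, not code from US-CERT, McAfee or the blog; the function names and the sample payloads are constructed for illustration, and the primary rule's `depth:20` is interpreted as Snort does (the search is confined to the first 20 payload bytes, so a 20-byte pattern must start at offset 0).

```python
# Added example (not part of the US-CERT alert): mirrors the matching logic of
# sid:7777777 and sid:99980060 over constructed TCP payloads so a defender can
# confirm what each rule does and does not fire on. Helper names are hypothetical.

# Byte patterns taken verbatim from the two quoted signatures.
PRIMARY_BEACON = bytes.fromhex(
    "ff ff ff ff ff ff 00 00 fe ff ff ff ff ff ff ff ff ff 88 ff".replace(" ", "")
)
SECONDARY_BEACON = bytes.fromhex("38 0d ff 0a d7 ee 9d d7 ec 59 13 56".replace(" ", ""))


def matches_primary(payload: bytes, to_server: bool = True) -> bool:
    """sid:7777777: flow:to_server, dsize:20, content within depth:20."""
    if not to_server:                 # flow:to_server,established
        return False
    if len(payload) != 20:            # dsize:20 is an exact payload-size test
        return False
    # depth:20 limits the content search to the first 20 bytes of the payload.
    return payload.find(PRIMARY_BEACON, 0, 20) != -1


def matches_secondary(payload: bytes) -> bool:
    """sid:99980060: bidirectional (<>), pattern may appear anywhere in the payload."""
    return SECONDARY_BEACON in payload


def classify(payload: bytes, to_server: bool = True) -> list:
    """Return the msg strings of every quoted rule that would alert on this payload."""
    hits = []
    if matches_primary(payload, to_server):
        hits.append("Targeted Malware Communication Beacon Detected")
    if matches_secondary(payload):
        hits.append("ORC:DIS:BEACON_380DFF")
    return hits


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "beacon": PRIMARY_BEACON,                              # exact 20-byte beacon
    "beacon_padded": PRIMARY_BEACON + b"\x00",             # 21 bytes: dsize:20 fails
    "http_with_secondary": b"GET /x HTTP/1.1\r\n" + SECONDARY_BEACON + b"\r\n",
    "benign": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:>20}: {classify(data) or 'no alert'}")
```

Note that the padded beacon does not fire: `dsize:20` is an exact-length test, so any variation in beacon length silently defeats the primary rule, which is one reason the alert asks for testing before deployment.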