
The CnC of Operation Aurora


Report: The Command Structure of the Operation Aurora Botnet:
History, Patterns, and Findings

March 2, 2010

Overview

Following the public disclosures of electronic attacks launched against Google and several other businesses, subsequently referred to as “Operation Aurora”, Damballa conducted detailed analysis to confirm that existing customers were already protected and to ascertain the sophistication of the criminal operators behind the botnet. There has been much media attention and speculation as to the nature of the attacks. Multiple publications have covered individual aspects of the threat, in particular detailed analysis of forensically recovered malware and explanations of the advanced persistent threat (APT).

By contrast, Damballa has been able to compile an extensive timeline of the attack dating back to mid-2009 that identifies previously unknown aspects of the Aurora botnet. Based upon this new information and our experience in dealing with thousands of enterprise-targeted botnets, Damballa believes that the criminal operators behind the attack are relatively unsophisticated compared to other professional botnet operators. Even so, the results proved just as damaging as those of a sophisticated botnet, because the threat was not quickly identified and neutralized.

Some key observations in this analysis report:

  • The major pattern of attacks previously identified as occurring in mid-December 2009 and targeting Google appears to originate in July 2009 from mainland China.
  • Hosts compromised with Aurora botnet agents and rallied to the botnet Command-and-Control (CnC) channels were distributed across multiple countries before the public disclosure of Aurora, with the top five countries being the United States, China, Germany, Taiwan and the United Kingdom.
  • Damballa identified additional botnet CnC domains used by these criminal operators and established a timeline of malware associations back to May 2nd, 2009 by tracking the evolution of the malware used by Aurora’s operators.
  • This botnet has a simple command topology and makes extensive use of Dynamic DNS (DDNS) CnC techniques. The construction of the botnet would be classed as “old-school”, and is rarely used by professional botnet criminal operators any more. Reliance upon DDNS CnC is typically associated with new and amateur botnet operators.
  • The criminals behind the Google attack appear to have built and managed a number of separate botnets and run a series of targeted attack campaigns in parallel. This conclusion is based upon CnC domain registration and management information. The earliest of the CnC domains associated with these botnets, reliant upon DDNS service provisioning, appear to have been registered on July 13th, 2009.
  • The botnet operators behind the Aurora attacks deployed other malware families prior to the key Trojan.Hydraq release. Some of these releases overlapped with each other. Two additional families of malware (and their evolutionary variants) were identified as “Fake AV Alert / Scareware – Login Software 2009” and “Fake Microsoft Antispyware Service,” both of which employed fake antivirus infection messages to socially engineer victims into installing malicious botnet agents.
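The observation that Aurora's operators relied on dynamic DNS for CnC points to a simple defensive check: review internal DNS query logs for hosts repeatedly resolving names under public DDNS providers. The script below is an added illustration written for this page, not code from the Damballa report; the provider suffix list, the log format (BIND-style query log lines) and the log lines themselves are assumptions constructed for the example, not indicators taken from the report.

```python
# Added illustrative example (not from the Damballa report): flag DNS lookups
# whose parent domain belongs to a dynamic-DNS provider, since the report notes
# that reliance on DDNS for CnC is a recognisable botnet pattern.
# The provider list and the log lines below are constructed assumptions.
import re
from collections import Counter

# Assumed list of public dynamic-DNS provider suffixes (illustrative only,
# not a complete list and not indicators from the report).
DDNS_SUFFIXES = ("dyndns.org", "no-ip.com", "no-ip.org", "changeip.com")

# Constructed sample lines in a BIND-style query log format:
# <timestamp> client <ip>#<port>: query: <name> IN <type>
SAMPLE_LOG = """\
02-Mar-2010 09:12:01.103 client 10.1.4.22#51342: query: www.example.com IN A
02-Mar-2010 09:12:03.511 client 10.1.4.22#51344: query: host1.dyndns.org IN A
02-Mar-2010 09:12:07.880 client 10.1.4.31#49211: query: mail.example.com IN MX
02-Mar-2010 09:12:09.004 client 10.1.4.22#51350: query: host1.dyndns.org IN A
02-Mar-2010 09:12:15.217 client 10.1.7.9#60012: query: cdn.example.net IN AAAA
02-Mar-2010 09:12:18.640 client 10.1.7.9#60015: query: srv01.no-ip.org IN A
"""

LINE_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)"
)


def parse_query_log(text):
    """Yield (client_ip, queried_name) tuples from BIND-style query log text."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            # Normalise: strip a trailing dot and lower-case the name.
            yield m.group("ip"), m.group("name").rstrip(".").lower()


def ddns_provider(name, suffixes=DDNS_SUFFIXES):
    """Return the matching DDNS suffix if `name` is the suffix itself or a
    subdomain of it, otherwise None. The dot check avoids matching names
    that merely end in the same characters (e.g. 'notdyndns.org')."""
    for s in suffixes:
        if name == s or name.endswith("." + s):
            return s
    return None


def find_ddns_lookups(text, suffixes=DDNS_SUFFIXES):
    """Return {(client_ip, name): count} for lookups under a DDNS provider.
    Repeated lookups of the same DDNS-hosted name by one host are the
    beaconing behaviour a defender would want to review first."""
    hits = Counter()
    for ip, name in parse_query_log(text):
        if ddns_provider(name, suffixes):
            hits[(ip, name)] += 1
    return dict(hits)


def hosts_with_ddns_lookups(text, suffixes=DDNS_SUFFIXES):
    """Return the sorted list of client IPs that looked up any DDNS-hosted name."""
    return sorted({ip for (ip, _name) in find_ddns_lookups(text, suffixes)})


if __name__ == "__main__":
    for (ip, name), n in sorted(find_ddns_lookups(SAMPLE_LOG).items()):
        print(f"{ip} -> {name} ({n} lookups)")
```

On the constructed log this reports two internal hosts, one of which resolves the same DDNS-hosted name twice in a few seconds. In practice the suffix list would be drawn from a maintained feed, and a hit is a lead for review rather than proof of compromise, since legitimate use of dynamic DNS exists.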


Damballa protects enterprise organizations from bot-driven targeted attacks used for organized, online crime.