TODO cover.
Jan 27, 2010
Foreword
Cyber Espionage is a critical issue. Over 80% of intellectual property is stored online digitally. The
computing infrastructure in a typical Enterprise is more vulnerable to attack than ever before. Current
security solutions are proving ineffective at stopping cyber espionage. Malware is the single greatest
problem in computer security today. Yet, malware represents only the tip of the spear. The true threat is
the human being who is operating the malware. This human, or the organization he represents, is the true
threat that is targeting information for the purposes of financial gain, theft of state secrets, and theft of
intellectual property. True threat intelligence requires reaching beyond malware infections to identify the
individuals, country of origin, and intent of the attacker. Every day, HBGary obtains 1.5 gigs of malware
that has struck the Internet in the last 24 hour period. This malware is automatically reverse engineered
using Digital DNA(tm) in conjunction with a large VMWare ESX server farm. Millions of data points
are obtained and stored in a database that can be analyzed using a variety of tools, including link-analysis
with Palantir(tm). HBGary's goal is to track the individual actors behind malware infections, and to map
this global theatre of cyber threats. This Malware Summary Report reflects information that has been
obtained and analyzed by HBGary regarding the so-called 'Aurora' operation. Talk about financial,
critical infrastructure, military reliance on cyber systems.
Malware Threat Assessment Report
Acknowledgements
HBGary would like to thank the XXXX
Table of Contents
Contents
Summary ....................................................................................................................................................... 1
Key findings .............................................................................................................................................. 1
Immediate Actions ........................................................................................................................................ 1
Technical Analysis ........................................................................................................................................ 1
Recent Activity ............................................................................................................................................. 1
Operational Analysis ..................................................................................................................................... 2
Operational Proposals ................................................................................................................................... 2
Summary
The aurora malware operation, as identified by XXXX, was revealed to the public press on XXX (ref).
This malware operation has been associated with potential intellectual property theft including XXX
companies (as revealed by Google in press release XXX). It remains in question if the aurora attack
represents a targeted attack sourced from China.
Key findings
Aspects of the threat that are critical to enumerate:
Social
- Authors, Users, Identified Intent, Places.
- Palantir Chart.
Communications
- C2, IPs, Exfil, etc.
- Palantir Chart.
Vehicle
- Exploit and Payload methods
Remediation
- What can be done to secure against this threat. Things to watch out for.
Technical Information
The attack consists of four components:

Javascript based exploit vector

Shellcode component

Secondary payload server

Payload packages
Forensic toolmarks left in the payload packages can be traced to Chinese-language only sources. Lets list
out what those toolmarks are plainly before explaining them. This indicates that the actors responsible for
compiling the malware package were, in fact, from Chinese origin. The payload package obtained from
www.qvodcom1.com is clearly an instance of a Chinese developed malware package known as 'NB'
(Netbot Attacker). We need to explain here in some detail why it is so clear, maybe restating
what appears obvious, but just so the reader doesn’t have to think. The author of this package is known as
bhenpei12. Some analysis of the author to explain his origins. Also some analysis of the payload
server, payload, and author. There are several operators of this malware. See attached Palantir analysis.
Can we illuminate the distribution channels, forums, etc. Maybe worth describing this a little bit between
author and operators.
The javascript based attack vector was published in the public domain in XXX. With medium technical
skills, it is possible for an attacker to rewrite key components of this javascript, most importantly, they
can customize the javascript to point at any secondary payload server of their choosing. Is the primary
payload server required for the attack? Why do we call it a secondary payload server if it can also serve a
primary function. This makes it difficult to attribute an aurora attack based only on the use of the
javascript.
The secondary payload server exists to serve a primary and secondary payload executable. The primary
executable is downloaded first, and this subsequently will download one or more secondary payloads.
These secondary payloads represent potential advanced persistent threats (APT). Markers for APT. How
can you tell the difference?
NOTE: On this payload, we did not detect APT. The bhenpei12 malware looks like a bot, but designed
for DDOS type attacks.
Immediate Actions
Due to the nature of the infection, and the ability for the malware to extend its capabilities in-field by
downloading additional tools, we suggest that any infected machine be taken offline immediately and the
only sound approach is to re-install the machine for a trusted gold image. No attempt should be made to
“remove” the malware – these attempts are likely to fail and the malware will remain on the machine.
Digital DNA(tm) : the following Digital DNA sequence can be used to detect the presence of this
malware payload. A search should be performed with an 80% match threshold.
00 00 00 00
Instructions for using Digital DNA with HBSS / ePolicy Orchastrator can be found in attachment XXXX.
The attack javascript in question has a very specific pattern. Perimeter security devices should be updated
to detect the following patterns:
XXXXX PHIL HAS THIS.
360/ie2.htm
360/what.jpg
Archived netflow data can be reviewed for the same.
The secondary payload servers are likely to be configured for rapid replacement as to resist black holes
and IP blacklists. Why do we think this? Elaborate. An updated blacklist of potential Aurora C&C
servers can be obtained via FEED from XXXXXX. (Can we highlight endgames data here?) IF WE
COULD PRIORITIZE THE FEED PROCESSOR ON LIKELY AURORA, WE COULD ACTIVELY
EXTRACT THESE FROM OUR DAILY DROP.
There are two servers involved in the drop and control steps. The drop itself will have a primary and
secondary download. Configure your perimeter security devices to search for the following pattern:
XXXXX
mm.exe
mm/1.exe
mm/06.exe
mm/3.exe
mm/05.exe
mm/001.exe
mm/3.exe
mm/ie.exe
mm/01.exe
mm/78.exe
mm/00.exe
mm/78.exe
The command and control is provided by a wholly distinct server system, with the IP and location in no
particular relation to the placement of the payload dropper server. The command and control server
operates on port XXX and will contain traffic similar to the following pattern:
XXXXX
Acoording to Dennis Fisher, the following is on the first 20 bytes of every C&C packet:
[ ff ff ff ff ff ff 00 00 fe ff ff ff ff ff ff ff ff ff 88 ff ]
And, the data sent from client to server is encoded with a logical NOT, and all data received from server
is XOR encoded with 0xCC.
Technical Analysis
The primary control logic can be found in module XXXX. This module has been written in
XXXLanguage, and public source intelligence reveals algorithms and methods that are only available on
Chinese language forums. The primary payload XX was not developed by the same individuals as the
dropper server or javascript attack component. Why do we say this? This suggests that multiple actors
are involved in the development of the final operational capability. This indicates that the primary module
XXX is likely a stand-alone cyber weapon component that is for sale in the black market, or was
developed by a specialized team servicing multiple groups within an agency or state-funded organization.
Thus, XXXX is probably available in the underground as a support-module add-on for existing malware
or malware in development.
The payload module in question uses older techniques, that have been in operation for at least XXX years.
The cutout sites used to communicate with the payload operate on a different server than the payload
dropper. SEE ATTACHED.
Recent Activity
Again, highlight endgames data if possible.
Operational Analysis
What follows are some of the analysis results obtained by link analysis and focused research within the
cyber social spaces of suspected actors related to this malware operation.
The above screenshot illustrates a subset of the data being tracked by HBGary. A description follows:
1. This is a dropper obtained from XXXX, which was directly accessed from the extracted shellcode
from Aurora-family javascript XXXX.
2. This node represents a forensic toolmark within the dropped executable. This toolmark was
obtained using physical memory assessment of the live executable, after it was allowed to unpack
itself in a virtual machine. This assessment was performed with HBGary Responder PRO.
3. The recovered toolmark(s) were researched against published source code artifacts on the
Internet. From this, a single posting was discovered with this exact toolmark, and this posting
exists only in one place and is of Chinese origin. From this, the author of the source code was
determined to be bhenpei12.
4. All social cyberspaces used by bhenpei12 were then enumerated. From this, postings in native
Chinese were discovered that confirm that bhenpei12 is the author and supplier of a malware
package known as 'NB' or 'Netbot Attacker'.
5. Within the social space around 'Netbot Attacker' are individuals who are testing and/or
asking for technical support regarding the malware package operation. These individuals have
been grouped within Palantir as 'technical support for bot'.
The above process, when carried further, produces many more social links. One or more operators of the
bhenpei12 malware package are clearly using the aurora-related javascript exploit package.
Operational Proposals
Maybe we should write a single more generic report about the APT that we update (like what Mandiant
did but better), this report is update quarterly. Then develop more specific reports on different types of
attacks, Aurora, Ghostnet. These reports inform about particular types of attacks, cyber and social
players, etc. These inform, provide the threat intelligence to defend more effectively against the attacks.
We need to have a QRC process for these so we can react quickly and provide them as near to the attack
as possible.
For the APT there are many things we can help set up. To combat this adversary takes significant
changes in how we conduct cyber operations. HBGary and HBGary Federal an both provide the
technology and expertise to carry out more effective cyber warfare.
It is suggested that HBGary begin a cover operation to locate and purchase XXXX from the black market,
and identify the seller by requesting specific technical upgrades we believe only the original developer w/
source code would be capable of. A second stage would be to offer to resell the XXXX component for
money and establish a long term working relationship. Finally, a third step to the operation would be to
offer partnership in business and make some substantial code contributions to the XXX source base,
establishing trust and partnership with the developer to a point where we are exposed to identity of buyers
for the technology, and potentially introducing plausibly deniable weaknesses into the architecture that
will allow backdoor access.
The same scenario could be applied to XXX, as we suspect this is a much lower developer on the food
chain, paid far less, and far less professional. This suggests it would be possible to lure them into
scenarios where we could extract a great deal of HUMINT from the individual for a much lower cost than
that required for the developer of XXXX.