-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System
Technical Cyber Security Alert TA10-055A

Malicious Activity Associated with "Aurora" Internet Explorer Exploit

   Original release date:
   Last revised: --
   Source: US-CERT

Systems Affected

   * Microsoft Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000
     Service Pack 4
   * Microsoft Internet Explorer 6, 7, and 8 on supported editions of
     Windows XP, Windows Server 2003, Windows Vista, Windows 2008,
     Windows 7, and Windows Server 2008 R2

Overview

   Malicious activity detected in mid-December targeted at least 20
   organizations representing multiple industries including chemical,
   finance, information technology, and media. Investigation into this
   activity revealed that third parties routinely accessed the personal
   email accounts of dozens of users based in the United States, China,
   and Europe. Further analysis revealed these users were victims of
   previous phishing scams through which threat actors successfully
   gained access to their email accounts.

I. Description

   Through analysis of the malware used in this incident, McAfee
   discovered that one of the malware samples exploited a vulnerability
   in Microsoft Internet Explorer (IE). The vulnerability exists as an
   invalid pointer reference within IE and, if successfully exploited,
   allows for remote code execution. Microsoft has released Security
   Bulletin MS10-002, which provides updates for Internet Explorer that
   address this and other vulnerabilities.

   US-CERT is providing technical indicators that can be incorporated
   into an organization's security posture to detect and mitigate any
   malicious activity. Please see
   <https://www.us-cert.gov/cas/techalerts/TA10-055A.html> for further
   detail.
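   As an added example that is not part of this US-CERT alert, the
   following Python script re-implements the matching semantics of the
   two Snort signatures given in the remainder of this section, so that
   the rules can be exercised offline before they are deployed to a
   sensor, as the alert's note recommends. The beacon byte patterns,
   SIDs and messages are the ones printed in the alert; the Packet
   class, the scan() helper, the addresses and the sample payloads are
   constructed here for the example and are not captured traffic.

```python
"""Standalone emulation of the two Snort content rules published in
TA10-055A, run over constructed sample TCP payloads.

Added example, not US-CERT code. Only the byte patterns, SIDs and
messages come from the alert; everything else is constructed here.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Patterns copied from the alert's content:"|...|" fields.
PRIMARY_BEACON = bytes.fromhex(
    "ff ff ff ff ff ff 00 00 fe ff ff ff ff ff ff ff ff ff 88 ff")  # 20 bytes
SECONDARY_BEACON = bytes.fromhex(
    "38 0d ff 0a d7 ee 9d d7 ec 59 13 56")                          # 12 bytes

PRIMARY_SID, PRIMARY_MSG = 7777777, "Targeted Malware Communication Beacon Detected"
SECONDARY_SID, SECONDARY_MSG = 99980060, "ORC:DIS:BEACON_380DFF"


@dataclass
class Packet:
    """Constructed stand-in for the packet fields the two rules consult."""
    src: str
    dst: str
    to_server: bool   # True for client -> server on an established TCP session
    payload: bytes


def match_primary(pkt: Packet) -> bool:
    """Emulate sid 7777777.

    flow:to_server,established -> only client-to-server packets qualify;
    dsize:20                   -> the payload must be exactly 20 bytes;
    content:...; depth:20      -> the pattern must lie within the first 20 bytes.
    With a 20-byte pattern, these conditions reduce to payload == pattern.
    """
    if not pkt.to_server:
        return False
    if len(pkt.payload) != 20:
        return False
    return pkt.payload[:20].find(PRIMARY_BEACON) != -1


def match_secondary(pkt: Packet) -> bool:
    """Emulate sid 99980060: bidirectional (<>), no dsize or depth, so the
    12-byte pattern may appear anywhere in the payload of either direction."""
    return SECONDARY_BEACON in pkt.payload


def scan(packets) -> List[Tuple[int, str, str, str]]:
    """Return one (sid, msg, src, dst) tuple per rule that fires per packet."""
    alerts = []
    for pkt in packets:
        if match_primary(pkt):
            alerts.append((PRIMARY_SID, PRIMARY_MSG, pkt.src, pkt.dst))
        if match_secondary(pkt):
            alerts.append((SECONDARY_SID, SECONDARY_MSG, pkt.src, pkt.dst))
    return alerts


# Constructed sample traffic; addresses are documentation placeholders.
SAMPLE_PACKETS = [
    # exact 20-byte beacon, client -> server: primary rule fires
    Packet("10.0.0.5", "198.51.100.7", True, PRIMARY_BEACON),
    # same bytes, server -> client: excluded by flow:to_server
    Packet("198.51.100.7", "10.0.0.5", False, PRIMARY_BEACON),
    # beacon plus one trailing byte: excluded by dsize:20
    Packet("10.0.0.5", "198.51.100.7", True, PRIMARY_BEACON + b"\x00"),
    # secondary pattern embedded in a server reply: bidirectional rule fires
    Packet("198.51.100.7", "10.0.0.5", False,
           b"HTTP/1.1 200 OK\r\n\r\n" + SECONDARY_BEACON + b"\x00" * 8),
    # ordinary request: nothing fires
    Packet("10.0.0.5", "203.0.113.9", True,
           b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
]


if __name__ == "__main__":
    for sid, msg, src, dst in scan(SAMPLE_PACKETS):
        print(f"[{sid}] {msg}: {src} -> {dst}")
```

   The second and third sample packets show why the primary rule's
   flow and dsize qualifiers matter: the same beacon bytes in the
   server-to-client direction, or with a single trailing byte, do not
   fire it, whereas the secondary rule has no such constraints and
   matches in either direction. Reproducing the matching logic this way
   checks how a rule will behave; it does not validate the indicators
   themselves, which, as the alert states, US-CERT had not verified.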
   The following signatures can be deployed to assist in detecting
   malicious activity associated with this incident:

   Primary Malware Beacon

   alert tcp any any -> any any (msg:"Targeted Malware Communication Beacon Detected"; flow:to_server,established; dsize:20; content:"|ff ff ff ff ff ff 00 00 fe ff ff ff ff ff ff ff ff ff 88 ff|"; depth:20; sid:7777777; rev:1;)

   Secondary Malware Beacon

   alert tcp any any <> any any (msg:"ORC:DIS:BEACON_380DFF"; content:"|38 0d ff 0a d7 ee 9d d7 ec 59 13 56|"; sid:99980060; rev:1;)

   Note: US-CERT has not verified or tested these signatures and
   recommends proper testing prior to deployment.

II. Impact

   By convincing a user to view a specially crafted HTML document or
   Microsoft Office document, an attacker may be able to execute
   arbitrary code with the privileges of the user.

III. Solution

   The Internet Explorer vulnerability used in these attacks is
   addressed with the updates provided in Microsoft Security Bulletin
   MS10-002. Other recommendations include:

   * As a best practice, limit end-user permissions on systems by
     granting minimal administrative rights.
   * Enable Data Execution Prevention (DEP) for IE 6 Service Pack 2 or
     IE 7. IE 8 automatically enables DEP.
   * Inspect network traffic history for communication with external
     systems associated with the attack.
   * Examine computers for specific files or file attributes related to
     the attack.

IV. References

   * How Can I Tell if I Was Infected By Aurora? -
     <http://www.mcafee.com/us/local_content/reports/how_can_u_tell.pdf>
   * How do I know if my organization has been infected?
     - <http://www.mcafee.com/us/threat_center/aurora_enterprise.html>
   * McAfee Labs Tools Aurora Stinger 10.0.1.765 -
     <http://download.nai.com/products/mcafee-avert/aurora_stinger.exe>
   * Operation Aurora Hit Google, Others -
     <http://siblog.mcafee.com/cto/operation-%25E2%2580%259Caurora%25E2%2580%259D-hit-google-others/>
   * Vulnerability in Internet Explorer Could Allow Remote Code Execution -
     <http://www.microsoft.com/technet/security/advisory/979352.mspx>
   * Microsoft Security Bulletin MS10-002 -
     <http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx>

____________________________________________________________________

   The most recent version of this document can be found at:

     <http://www.us-cert.gov/cas/techalerts/TA10-055A.html>
____________________________________________________________________

   Feedback can be directed to US-CERT Technical Staff. Please send
   email to <cert@xxxxxxxx> with "TA10-055A Feedback VU#492515" in the
   subject.
____________________________________________________________________

   For instructions on subscribing to or unsubscribing from this
   mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________

   Produced 2010 by US-CERT, a government organization.

   Terms of use:

     <http://www.us-cert.gov/legal.html>
____________________________________________________________________

Revision History

   February 24, 2010: Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQEVAwUBS4XBny/E9ke+6HGsAQIqbwgAoL3VP5PBhWiwuwcxDZ+1qoxl9md/0SYn
wCrWIaVn3gRVAFgOCkOwNOU3b5ZCZoiEA7X8Ez74XzpctpStO5tAGXu6cVYViUWK
ASJIRprfSkaNHJ2BDi/uqPPFKshsHW0oZhYnz3yzbjOa8h5TLWIap8Bs4VxjZH+Z
uwu71vgzuCXA/CXaTJEDGkhKUyhtNf675+oYTR4bpTFhMIyDi3ywtV51acpdCKNi
atUw4Z03U2HDwg5erCeKDI+pym58acDKumOOVDqBAWlwsDZ4j81U9bg4PEHHpCMZ
H07EVTyCQ2moau/cTpwVMxhLMdh5dVoRmK1AnC4Pms8eV7FOlbJ3KQ==
=AtB/
-----END PGP SIGNATURE-----