
Aurora aka Trojan.Hydraq
The fancy name given by the Chinese disguises the simple fact that Aurora, which roared through the cyber world and made life a nightmare for the security admins of major IT firms and other sectors, was a simple Trojan. Let's have a short glance at why it was named Aurora. On the 4th of March 2004, US Homeland Security produced a video: it shows commands quietly triggered by simulated hackers having such a violent reaction that the enormous turbine shudders as pieces fly apart and it belches black-and-white smoke. The video was produced for top US policy makers by the Idaho National Laboratory, which has studied the little-understood risks to the specialized electronic equipment that operates power, water and chemical plants. "They've taken a theoretical attack and they've shown in a very demonstrable way the impact you can have using cyber means and cyber techniques against this type of infrastructure," said Amit Yoran, former US cybersecurity chief for the Bush administration. The electrical attack never actually happened. The recorded demonstration, called the "Aurora Generator Test"

"Operation Aurora" is the latest in a series of attacks originating out of mainland China; previous attacks have been known as "GhostNet" and "Titan Rain." Operation Aurora takes its name directly from the hackers: this time the name was coined after virus analysts found unique strings in some of the malware involved in the attack. These strings are debug symbol file paths in source code that has apparently been custom-written for these attacks. The paths were left behind in the compiled binaries as shown below:

Although the code behind Operation Aurora has only recently been discovered, and the known samples of the main backdoor trojan (called Hydraq by antivirus companies) appear to be no older than 2009, it appears that development of Aurora has been in the works for quite some time: some of the custom modules in the Aurora codebase have compiler timestamps dating back to May 2006. This date is only a year or so after the Titan Rain attacks, which largely used widely-available trojans that were already known to antivirus companies. As a result of using completely original code, and then only in highly-targeted attacks, the Aurora code seems to have escaped detection for quite some time. The compiler often offers other clues to a malware sample's origin. For instance, if the binary uses a PE resource section, the resource headers will often provide a language code. The Hydraq component does use a resource section, but in this case the author was careful either to compile the code on an English-language system or to edit the language code in the binary after the fact. So, outside of the fact that PRC IP addresses have been used as control servers in the attacks, there is no "hard evidence" of involvement of the PRC or any agents thereof. There is one interesting clue in the Hydraq binary that points back to mainland China, however. While analyzing the samples, we noticed a CRC (cyclic redundancy check) algorithm that seemed somewhat unusual. CRCs are used to check for errors that might have been introduced into stored or transferred data. There are many different CRC algorithms and implementations of those algorithms, but this is one I had not previously seen in any of my reverse-engineering efforts. Below is the raw assembly code for the CRC algorithm in Hydraq:

The first thing that is unusual about this CRC algorithm is the size of the table of constants (the incrementing values in the left pane of the assembly listing). Most 16- or 32-bit CRC algorithms use a hard-coded table of 256 constants. The CRC algorithm used in Hydraq uses a table of only 16 constants, essentially a truncated version of the typical 256-value table. By decompiling the algorithm and searching the Internet for source code with similar constants, operations and a 16-value CRC table size, I was able to locate one instance of source code that fully matched the structural code implementation in Hydraq and also produced the same output when given the same input:

This source code was created to implement a 16-bit CRC algorithm compatible with the implementation known as "CRC-16 XMODEM", while requiring only a 16-value CRC table. It is actually a clever optimization of the standard CRC-16 reference code that allows the CRC-16 algorithm to be used in applications where memory is at a premium, such as hobby microcontrollers. Because the author used the C "int" type to store the CRC value, the number of bits in the output depends on the platform on which the code is compiled. In the case of Hydraq, which is a 32-bit Windows DLL, this CRC-16 implementation actually outputs a 32-bit value, which makes it compatible with neither existing CRC-16 nor CRC-32 implementations. Perhaps the most interesting aspect of this source code sample is that it is of Chinese origin, released as part of a Chinese-language paper on optimizing CRC algorithms for use in microcontrollers. The full paper was published in simplified Chinese characters, and all existing references and publications of the sample source code seem to be exclusively on Chinese websites. This CRC-16 implementation seems to be virtually unknown outside of China.
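As an added example (not the paper's or Hydraq's actual code, which the page does not reproduce), here is a 16-entry nibble-table CRC-16 built from the XMODEM polynomial 0x1021, with the accumulator width as a parameter so the effect of the C int type can be seen: a 16-bit accumulator reproduces CRC-16/XMODEM exactly, while a 32-bit accumulator keeps the shifted-out bits and yields a value compatible with neither CRC-16 nor CRC-32. The polynomial, the table derivation and the 32-bit behaviour are my assumptions about the structure the text describes.

```python
import binascii

POLY = 0x1021  # CRC-16/XMODEM (CCITT) polynomial; assumed to be the paper's polynomial


def make_nibble_table(poly=POLY):
    """Build the 16-entry table: the CRC of each 4-bit value placed in the top nibble."""
    table = []
    for nib in range(16):
        c = nib << 12
        for _ in range(4):
            c = ((c << 1) ^ poly) & 0xFFFF if c & 0x8000 else (c << 1) & 0xFFFF
        table.append(c)
    return table


NIBBLE_TABLE = make_nibble_table()


def crc16_nibble(data: bytes, width: int = 16) -> int:
    """CRC over `data` four bits at a time using the 16-entry table.

    width=16 models a uint16 accumulator and gives standard CRC-16/XMODEM.
    width=32 models a C 'int' on a 32-bit build (assumed Hydraq behaviour): the
    table only touches the low 16 bits, so bits shifted out of the 16-bit
    register pile up in the upper half instead of being discarded.
    """
    mask = (1 << width) - 1
    crc = 0
    for byte in data:
        for nib in (byte >> 4, byte & 0x0F):
            idx = ((crc >> 12) ^ nib) & 0x0F        # top nibble of the 16-bit state
            crc = ((crc << 4) ^ NIBBLE_TABLE[idx]) & mask
    return crc


def matches_xmodem(data: bytes) -> bool:
    """Cross-check the 16-bit variant against Python's CRC-CCITT/XMODEM routine."""
    return crc16_nibble(data, 16) == binascii.crc_hqx(data, 0)


if __name__ == "__main__":
    sample = b"123456789"   # constructed input; its CRC-16/XMODEM check value is 0x31C3
    print(f"16-bit accumulator: {crc16_nibble(sample, 16):#06x}")
    print(f"32-bit accumulator: {crc16_nibble(sample, 32):#010x}")
    print("matches CRC-16/XMODEM:", matches_xmodem(sample))
```

The low 16 bits of the 32-bit result still equal the XMODEM value, which is why a re-implementation like this one can be used to recognise the routine in other samples.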

Now let's have a sneak peek at the latest developments by our neighbours. Aurora has so far been developed through three operational stages.

Operation Aurora (stage I - initial exploit):
Operation Process Type: Exploit

Aliases

JS.Elecom.A (VirusBuster)
EXP/Comele.A (Avira)
Exploit.Comele (Ikarus)
Exploit.Comele.A (BDC)
Exploit/ComeIE (Panda)
Exploit:JS/Elecom.A (Microsoft)
JS/Elecom.A (Cat Quick Heal)
Operation Aurora

Analysis of the initial heavily-encrypted javascript exploit revealed that, if successful, the exploit would cause a connection to 'hxxp://demo[remove].jpg' downloading a malicious, XOR-encrypted binary that we detect as Roarur.dr. This file is saved to %Application Data%\a.exe, such as "C:\Documents and Settings\User\Application Data\a.exe". A.exe is decrypted to b.exe in the same directory and executed. Currently the above website is down.

Exploit-Comele affects all versions of Internet Explorer which have JavaScript enabled. DEP (Data Execution Prevention) currently blocks this generation of the exploit; however, this cannot be confirmed for future generations, and users are requested to keep their machines up to date on patches.

Symptoms
Outbound network connections to the aforementioned website (initial variant).

Method of Infection
This maliciously crafted script attempts to exploit a vulnerability during the handling of certain DOM operations.

Operation Aurora (stage II - downloaded malware):

Aliases

Backdoor.Win32.Mdmbot (Ikarus)
Backdoor:Win32/Mdmbot.A (Microsoft)
Backdoor:Win32/Mdmbot.B (Microsoft)
Backdoor:Win32/Mdmbot.C (Microsoft)
Backdoor:Win32/Mdmbot.D (Microsoft)
Trj/Roarur.A (Panda)
TROJ_HYDRAQ.SMA (Trend Micro)
Trojan.Hydraq (Symantec)
W32/Roarur.NAF!tr.spy (Fortinet)

Characteristics

Exploit-Comele - Operation Aurora (stage I - initial exploit)
Roarur.dll - Operation Aurora (stage III - dropped/installed malware)

When executed, the following file is dropped into the %SYSDIR% folder:

%SystemDir%\Rasmon.dll

A batch file is created to delete the initial dropped file here:

%SYSDIR%\DFS.bat

This DLL is detected as the Roarur.dll trojan with the 5862 DATs. Rasmon.dll is injected into SVCHOST.EXE and creates an additional service on the victim's computer. The following registry keys are created:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaS[% random 4 chars %]
    "ImagePath" = %SystemRoot%\svchost.exe -k netsvcs
    "Start" = 02, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaS[% random 4 chars %]\Parameters
    "ServiceDll" = %SystemRoot%\rasmon.dll

An attempt to connect to the following remote server is made:

360.home[removed].com

Method of Infection
This Trojan is known to be downloaded by the Exploit-Comele Trojan.

Operation Aurora (stage III - dropped/installed malware): it creates an additional service on the victim's computer and checks for the presence of certain files on the system.

Aliases

APPL/Remote.RealVNC.94 (Avira)
Backdoor.Mdmbot.A (VirusBuster)
Backdoor.Mdmbot.B (VirusBuster)
Backdoor:Win32/Mdmbot.A (Microsoft)
Backdoor:Win32/Mdmbot.B (Microsoft)
Backdoor:Win32/Mdmbot.C (Microsoft)
Backdoor:Win32/Mdmbot.D (Microsoft)
Trj/Roarur.A (Panda)
Troj/Spy-EY (Sophos)
TROJ_HYDRAQ.G (Trend Micro)
TROJ_HYDRAQ.SMA (Trend Micro)
Trojan.Hydraq (Symantec)
Trojan.Hydraq!gen1 (Symantec)
W32/Genome.EPOX!tr (Fortinet)
W32/Hydraq.K!tr (Fortinet)
Win32:Roarur [Trj] (Avast)

Characteristics

After in-depth analysis of updated samples of Roarur.DLL, the following information regarding the backdoor capabilities was uncovered. The following filenames were seen for DLLs associated with this detection:

Rasmon.dll
Securmon.dll
A0029670.dll
Acelpvc.dll
AppMgmt.dll

The file acelpvc.dll was identified as malicious, loaded by rasmon.dll to connect to any arbitrary IP:PORT chosen by the attacker. It imports VedioDriver.dll to allow it to monitor keyboard and mouse usage. The samples above connect to one of the following domains:

360.home[removed].com
sl1.home[removed].org
blog1.serve[removed].com
google.home[removed].com
ftp2.home[removed].com
update.our[removed].com

The malware connects to port 443, but the communication protocol is not SSL; it is a custom encrypted protocol. Once installed on the system, the backdoor has full control of the system. These are some of the capabilities identified:

Adjust process privileges, terminate processes
Control services
Remote file execution
Registry manipulation
File system manipulation (search, remove, copy)
System manipulation (turn system off, reboot, clean events)
Call other components, inter-process communication
Network.ics manipulation

When executed this trojan creates a service on the victim's computer and modifies the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaS[% random 4 chars %]
    "ImagePath" = %SystemDir%\svchost.exe -k netsvcs
    "Start" = 02, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaS[% random 4 chars %]\Parameters
    "ServiceDll" = %SystemDir%\rasmon.dll

Different variants have been observed using different file names, service names and DLL locations. For example:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt\Parameters
    "ServiceDll" = "C:\Documents and Settings\[username]\AppMgmt.dll"
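As an added triage example (not from the original writeup), the following Python function checks svchost-hosted service entries for the persistence pattern described in stages II and III: a service named RaS plus four random characters, a ServiceDll whose file name matches one of the names seen in Hydraq samples, or a ServiceDll loaded from outside the system directory. The registry entries and environment expansions are constructed for illustration; on a live system the same fields would be read from the Services key with winreg.

```python
import ntpath
import re

# Constructed expansions for an XP-era install (assumption used by the sample data).
ENV = {"%SystemRoot%": r"C:\WINDOWS", "%SystemDir%": r"C:\WINDOWS\system32"}
RAS_NAME = re.compile(r"^RaS[A-Za-z0-9]{4}$")   # "RaS" + 4 random characters
# DLL file names listed above for Roarur/Hydraq samples (a match is a lead, not proof)
HYDRAQ_DLLS = {"rasmon.dll", "securmon.dll", "a0029670.dll", "acelpvc.dll", "appmgmt.dll"}


def expand(path: str) -> str:
    for var, value in ENV.items():
        path = path.replace(var, value)
    return path


def assess_service(name: str, image_path: str, service_dll: str) -> list:
    """Return the reasons a service entry resembles the Hydraq persistence above
    (an empty list means nothing noteworthy)."""
    reasons = []
    if "svchost.exe" not in image_path.lower():
        return reasons                      # heuristic covers svchost-hosted DLLs only
    dll = expand(service_dll)
    base = ntpath.basename(dll).lower()
    if RAS_NAME.match(name):
        reasons.append("service name matches RaS + 4 random characters")
    if base in HYDRAQ_DLLS:
        reasons.append(f"ServiceDll name {base} matches a file name seen in Hydraq samples")
    if not dll.lower().startswith(ENV["%SystemDir%"].lower() + "\\"):
        reasons.append(f"ServiceDll lives outside the system directory: {dll}")
    return reasons


def triage(entries: list) -> dict:
    return {e["name"]: assess_service(e["name"], e["image_path"], e["service_dll"])
            for e in entries}


# Constructed sample entries modelled on the keys quoted above.
SAMPLE_ENTRIES = [
    {"name": "RaSx7Kq", "image_path": r"%SystemRoot%\svchost.exe -k netsvcs",
     "service_dll": r"%SystemRoot%\rasmon.dll"},
    {"name": "AppMgmt", "image_path": r"%SystemRoot%\System32\svchost.exe -k netsvcs",
     "service_dll": r"C:\Documents and Settings\alice\AppMgmt.dll"},
    {"name": "Dhcp", "image_path": r"%SystemRoot%\System32\svchost.exe -k netsvcs",
     "service_dll": r"%SystemRoot%\System32\dhcpcsvc.dll"},
]

if __name__ == "__main__":
    for svc, why in triage(SAMPLE_ENTRIES).items():
        print(svc, "->", why or "clean")
```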

The DLL (RASMON.DLL) is injected into the SVCHOST.EXE and performs the following functions:

Checks to see if the following files are present on the system:

acelpvc.dll (presence of this file does not necessarily imply an infection)
VedioDriver.dll (presence of this file does not necessarily imply an infection)

Connection to the following remote server is made (new variants have been captured that connect to different servers):

360.home[removed].com
update.ou[removed]y.com

The trojan accepts commands from the controlling host. Different variants have different capabilities including:

Escalate process privileges.
Shut down or reboot the system.
Execute commands via cmd.exe.
Download additional components.
Modify the system registry.
List local resources (drives, services, etc.).
Modify the local filesystem.
Execute mdm.exe.
Self-update.

The backdoor gathers the following information from the victim's machine and sends it back to the server:

Content of the HARDWARE\DESCRIPTION\System\CentralProcessor\MHz registry key
Service pack name
Machine name
OS version

By Abhishek Kar -Jai Hind-
