McAfee: Explorer Flaw Led to Attacks on Google

Datamation content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

McAfee (NYSE: MFE) on Thursday said a new and previously undisclosed zero-day vulnerability in Microsoft’s Internet Explorer software provided the opening hackers needed earlier this week to break into the networks used and operated by Google and as many as 20 different high-profile corporations.

In a blog entry posted Thursday afternoon, McAfee CTO George Kurtz said his team of researchers worked “around the clock” with “multiple organizations” that were hit by the highly sophisticated and coordinated attack as well as the U.S. government and various law enforcement agencies.

After analyzing several pieces of malicious code used to access the networks, McAfee researchers determined that the hackers had themselves assigned the “Aurora” moniker to the series of unprecedented attacks.

“Based on our analysis, ‘Aurora’ was part of the file path on the attacker’s machine that was included in two of the malware binaries that we have confirmed are associated with the attack,” Kurtz said. “That file path is typically inserted by code compilers to indicate where debug symbols and source code are located on the machine of the developer. We believe the name was the internal name the attacker(s) gave to this operation.”

McAfee’s investigation found that Internet Explorer is vulnerable on all of Microsoft’s most recent operating system releases, including Windows 7.

McAfee said Microsoft officials have been working with McAfee throughout the investigative process and the Redmond, Wash.-based software giant is expected to publish an advisory on the matter soon.

Kurtz said the intruders, which Google and independent researchers said were based in China, gained access to Google’s Gmail and other networks by sending a tailored attack to one or a few targeted individuals. The attacks have pushed the search giant’s already tenuous relationship with the Communist superpower to the breaking point.

Posing as a trusted source

“We suspect these individuals were targeted because they likely had access to valuable intellectual property,” Kurtz said. “These attacks will look like they come from a trusted source, leading the target to fall for the trap and clicking a link or file. That’s when the exploitation takes place, using the vulnerability in Microsoft’s Internet Explorer.”

McAfee researchers found that once the malware was downloaded and installed, it opened a back door that allowed the attacker to perform reconnaissance and gain complete control over the compromised system. The attacker was then able to identify “high-value targets” and start to siphon off valuable data from the company.

Previously, Google officials theorized that hackers were exploiting a zero-day vulnerability in Adobe Systems’ (NASDAQ: ADBE) Acrobat and Reader applications, a security gap that was purportedly closed on Tuesday when the San Jose, Calif.-based software developer released its long-awaited patch and security update.

Microsoft and Google officials were not immediately available to comment on McAfee’s findings.

On Wednesday, Google officials told the New York Times that its internal investigation found that Gmail accounts of Chinese and Tibetan activists had been compromised in separate attacks involving phishing and spyware and that at least 34 companies had been targets of the attacks originating in China.

McAfee’s Kurtz said these highly customized attacks, known as advanced persistent threats (APT), have previously been seen only by governments and compared them to the equivalent of the modern drone on the battlefield — capable of pinpoint accuracy and the ability to deliver a highly destructive payload.

“All I can say is ‘Wow’,” Kurtz said. “The world has changed. Everyone’s threat model now needs to be adapted to the new reality of these advanced persistent threats.”

Larry Barrett is a senior editor at InternetNews.com, the news service of Internet.com, the network for technology professionals.