US-CERT Technical Cyber Security Alert TA10-055A -- Malicious Activity Associated with "Aurora" Internet Explorer Exploit
- From: US-CERT Technical Alerts <technical-alerts@xxxxxxxxxxx>
- Date: Wed, 24 Feb 2010 19:30:18 -0500
-----BEGIN PGP SIGNED MESSAGE-----
National Cyber Alert System
Technical Cyber Security Alert TA10-055A
Malicious Activity Associated with "Aurora" Internet Explorer Exploit
Original release date:
Last revised: --
* Microsoft Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4
* Microsoft Internet Explorer 6, 7, and 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows 2008, Windows 7, and Windows Server 2008 R2
Malicious activity detected in mid-December targeted at least 20
organizations representing multiple industries including chemical,
finance, information technology, and media. Investigation into
this activity revealed that third parties routinely accessed the
personal email accounts of dozens of users based in the United
States, China, and Europe. Further analysis revealed these users
were victims of previous phishing scams through which threat actors
successfully gained access to their email accounts.
Through analysis of the malware used in this incident, McAfee
discovered one of the malware samples exploited a vulnerability in
Microsoft Internet Explorer (IE). The vulnerability exists as an
invalid pointer reference within IE and, if successfully exploited,
allows for remote code execution.
Microsoft has released Security Bulletin MS10-002, which provides
updates for Internet Explorer that address this and other
US-CERT is providing technical indicators that can be incorporated
into an organizations security posture to detect and mitigate any
Please see <https://www.us-cert.gov/cas/techalerts/TA10-055A.html>
for further detail.
The following signatures can be deployed to assist in detecting
malicious activity associated with this incident:
Primary Malware Beacon
alert tcp any any -> any any (msg:"Targeted Malware Communication
Beacon Detected"; flow:to_server,established; dsize:20;
content:"|ff ff ff ff ff ff 00 00 fe ff ff ff ff ff ff ff ff ff 88
ff|"; depth:20; sid:7777777; rev:1;)
Secondary Malware Beacon
alert tcp any any <> any any (msg:"ORC:DIS:BEACON_380DFF";
content:"|38 0d ff 0a d7 ee 9d d7 ec 59 13 56|"; sid:99980060;
Note: US-CERT has not verified or tested these signatures and
recommends proper testing prior to deployment.
By convincing a user to view a specially crafted HTML document or
Microsoft Office document, an attacker may be able to execute
arbitrary code with the privileges of the user.
The Internet Explorer vulnerability used in these attacks is
addressed with the updates provided in Microsoft Security Bulletin
Other recommendations include:
* As a best practice, limit end-user permissions on systems by
granting minimal administrative rights.
* Enable Data Execution Prevention (DEP) for IE 6 Service Pack 2 or
IE 7. IE 8 automatically enables DEP.
* Inspect network traffic history for communication with external
systems associated with the attack.
* Examine computers for specific files or file attributes related
to the attack.
* How Can I Tell if I Was Infected By Aurora? -
* How do I know if my organization has been infected? -
* McAfee Labs Tools Aurora Stinger 10.0.1.765 -
* Operation Aurora Hit Google, Others -
* Vulnerability in Internet Explorer Could Allow Remote Code
* Microsoft Security Bulletin MS10-002 -
The most recent version of this document can be found at:
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@xxxxxxxx> with "TA10-055A Feedback VU#492515" in
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
Produced 2010 by US-CERT, a government organization.
February 24, 2010: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
-----END PGP SIGNATURE-----