Researchers find 'markers' associated with authors of Aurora malware used in attacks against Google, others
The targeted attacks that hit Google, Adobe, and other U.S. organizations are still ongoing and have affected many more companies than the original 20 to 30 or so reported by Google and others.
Security experts who have worked on forensics investigations and cleanup of the victim organizations from the attacks that originated out of China say they are also getting closer to identifying the author or authors of the malware used to breach Google and others.
Hoglund and other forensics firms say they have no direct evidence implicating the Chinese government in the Aurora attacks, but that doesn't mean other investigators or officials have it and just aren't sharing it publicly, Hoglund says. HBGary has found trails left behind in the Aurora code by its creators that are "very specific to the developer who compiled the malware," Hoglund says, and it has Chinese language ties.
HBGary has identified registry keys, IP addresses, suspicious runtime behavior, and other data about the Aurora malware and its origins using the firm's latest analysis tool, he says.
Call me cynical, but it sounds to me like HBG is using this whole 'Aurora' thing to try to sell copies of its latest product.
Hoglund says HBGary was able to identify "markers" specific to the way the Aurora developer wrote the malware. But he says his firm did not include this in its new report. "This is not in the report because we don't want him to know what we know about his coding," he says. "[It] is algorithmic in nature."
Assuming they did find distinct characteristics about the programmer('s) code, that's like having a partial fingerprint and no database of fingerprints to compare it to. Do they expect to get every person in the world that can write code to submit samples for comparison?
Kevin Mandia, CEO of forensics firm Mandiant, also says his firm's investigators are getting close to exposing the creators of the Operation Aurora malware. "We feel like we know a couple of them in their coding -- we recognize their trademarks ... down to the person."
I also find this hard to believe. In working with people over extended periods of time, a decent programmer can generally figure out which of his coworkers wrote a piece of code based on things such as commonly used variable names, snippets of syntax, tab width, 1TBS vs. Allman bracing style, and comments. Most or all of this information is lost when the code is compiled and debugging symbols are removed.
He says attacks that steal intellectual property typically funnel the goods via IP addresses based in China. But Mandia says he doesn't know if the Chinese government is involved in the recent attacks or other APT attacks, though some trends with these attacks raise questions. "We see patterns that just make us curious. If you're doing merger and acquisition work in China, you're targeted," Mandia says. "We've seen when we respond to client sites [that were attacked] a lot of legal counsel, external counsel, and C-level executives [targeted] in M&A with China."
As usual, I'm going to apply Occam's Razor here and guess that if it walks like a duck, and quacks like a duck, it's probably going to be served with packets of duck sauce. :)