-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                    National Cyber Alert System

              Technical Cyber Security Alert TA10-055A


Malicious Activity Associated with "Aurora" Internet Explorer Exploit

   Original release date: 
   Last revised: --
   Source: US-CERT


Systems Affected

     * Microsoft Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4
     * Microsoft Internet Explorer 6, 7, and 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows 2008, Windows 7, and Windows Server 2008 R2


Overview

   Malicious activity detected in mid-December targeted at least 20
   organizations representing multiple industries including chemical,
   finance, information technology, and media.  Investigation into
   this activity revealed that third parties routinely accessed the
   personal email accounts of dozens of users based in the United
   States, China, and Europe. Further analysis revealed these users
   were victims of previous phishing scams through which threat actors
   successfully gained access to their email accounts.


I. Description

   Through analysis of the malware used in this incident, McAfee
   discovered one of the malware samples exploited a vulnerability in
   Microsoft Internet Explorer (IE). The vulnerability exists as an
   invalid pointer reference within IE and, if successfully exploited,
   allows for remote code execution.
   
   Microsoft has released Security Bulletin MS10-002, which provides
   updates for Internet Explorer that address this and other
   vulnerabilities.
   
   US-CERT is providing technical indicators that can be incorporated
   into an organizations security posture to detect and mitigate any
   malicious activity.
   
   Please see <https://www.us-cert.gov/cas/techalerts/TA10-055A.html>
   for further detail.
   
   The following signatures can be deployed to assist in detecting 
   malicious activity associated with this incident:
   
   Primary Malware Beacon
   
   alert tcp any any -> any any (msg:"Targeted Malware Communication
   Beacon Detected"; flow:to_server,established; dsize:20;
   content:"|ff ff ff ff ff ff 00 00 fe ff ff ff ff ff ff ff ff ff 88
   ff|"; depth:20; sid:7777777; rev:1;)
   
   Secondary Malware Beacon
   
   alert tcp any any <> any any (msg:"ORC:DIS:BEACON_380DFF";
   content:"|38 0d ff 0a d7 ee 9d d7 ec 59 13 56|"; sid:99980060;
   rev:1;)
   
   Note: US-CERT has not verified or tested these signatures and
   recommends proper testing prior to deployment.


II. Impact

   By convincing a user to view a specially crafted HTML document or
   Microsoft Office document, an attacker may be able to execute
   arbitrary code with the privileges of the user.


III. Solution

   The Internet Explorer vulnerability used in these attacks is
   addressed with the updates provided in Microsoft Security Bulletin
   MS10-002.
   
   Other recommendations include:
   
   * As a best practice, limit end-user permissions on systems by
   granting minimal administrative rights.
   * Enable Data Execution Prevention (DEP) for IE 6 Service Pack 2 or
   IE 7. IE 8 automatically enables DEP.
   * Inspect network traffic history for communication with external
   systems associated with the attack.
   * Examine computers for specific files or file attributes related
   to the attack.


IV. References

 * How Can I Tell if I Was Infected By Aurora? -
   <http://www.mcafee.com/us/local_content/reports/how_can_u_tell.pdf>

 * How do I know if my organization has been infected? -
   <http://www.mcafee.com/us/threat_center/aurora_enterprise.html>

 * McAfee Labs Tools Aurora Stinger 10.0.1.765 -
   <http://download.nai.com/products/mcafee-avert/aurora_stinger.exe>

 * Operation Aurora Hit Google, Others -
   <http://siblog.mcafee.com/cto/operation-%25E2%2580%259Caurora%25E2%2580%259D-hit-google-others/>

 * Vulnerability in Internet Explorer Could Allow Remote Code
   Execution -
   <http://www.microsoft.com/technet/security/advisory/979352.mspx>

 * Microsoft Security Bulletin MS10-002 -
   <http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx>

 ____________________________________________________________________

   The most recent version of this document can be found at:

     <http://www.us-cert.gov/cas/techalerts/TA10-055A.html>
 ____________________________________________________________________

   Feedback can be directed to US-CERT Technical Staff. Please send
   email to <cert@cert.org> with "TA10-055A Feedback VU#492515" in
   the subject.
 ____________________________________________________________________

   For instructions on subscribing to or unsubscribing from this
   mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
 ____________________________________________________________________

   Produced 2010 by US-CERT, a government organization.

   Terms of use:

     <http://www.us-cert.gov/legal.html>
 ____________________________________________________________________

Revision History
  
  February 24, 2010: Initial release


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQEVAwUBS4XBny/E9ke+6HGsAQIqbwgAoL3VP5PBhWiwuwcxDZ+1qoxl9md/0SYn
wCrWIaVn3gRVAFgOCkOwNOU3b5ZCZoiEA7X8Ez74XzpctpStO5tAGXu6cVYViUWK
ASJIRprfSkaNHJ2BDi/uqPPFKshsHW0oZhYnz3yzbjOa8h5TLWIap8Bs4VxjZH+Z
uwu71vgzuCXA/CXaTJEDGkhKUyhtNf675+oYTR4bpTFhMIyDi3ywtV51acpdCKNi
atUw4Z03U2HDwg5erCeKDI+pym58acDKumOOVDqBAWlwsDZ4j81U9bg4PEHHpCMZ
H07EVTyCQ2moau/cTpwVMxhLMdh5dVoRmK1AnC4Pms8eV7FOlbJ3KQ==
=AtB/
-----END PGP SIGNATURE-----