Author Topic: Google, Citing Attack, Threatens to Exit China [FIXED :) ]  (Read 47904 times)

0 Members and 1 Guest are viewing this topic.

Hermite15

  • Guest
Re: Google, Citing Attack, Threatens to Exit China
« Reply #15 on: January 15, 2010, 12:36:07 PM »
about IE security involvement in attacks against Google: ...and others

http://www.microsoft.com/technet/security/advisory/979352.mspx
http://blogs.technet.com/msrc/archive/2010/01/14/security-advisory-979352.aspx

Quote
Security Advisory 979352 Released

Based upon our investigations, we have determined that Internet Explorer was one of the vectors used in targeted and sophisticated attacks against Google and possibly other corporate networks.  Today, Microsoft issued guidance to help customers mitigate a Remote Code Execution (RCE) vulnerability in Internet Explorer.  Additionally, we are cooperating with Google and other companies, as well as authorities and other industry partners.

edit: see here too:
Quote
IE zero-day used in Chinese cyber assault on 34 firms
http://www.theregister.co.uk/2010/01/14/cyber_assault_followup/

Quote
Microsoft admits Explorer used in Google China hack
http://news.bbc.co.uk/2/hi/technology/8460819.stm
« Last Edit: January 15, 2010, 01:33:43 PM by Logos »

Hermite15

  • Guest
Re: Google, Citing Attack, Threatens to Exit China
« Reply #16 on: January 15, 2010, 12:53:15 PM »
Quote
Chinese government-backed search engine blocks access to Google company blog
Quote
Baidu, China's dominant search engine, has apparently cut off access to Google's company blog, after a post appeared there detailing the latter company's decision to cease cooperation with the Chinese government over concerns with censorship and cyber crime
http://www.brafton.com/industry-news/chinese-government-backed-search-engine-blocks-access-google-company-blog-$1353329.htm

someone on another forum where I post mentioned this, but gave no source and no link:
Quote
Alright, according to some news from China, Google had broke up with China government: No more google.cn, NO more Google China. Every employee of Google China will have a half year salary as severance pay and willing to find them jobs in other branch office of Google.
so this is completely unconfirmed so far...

Hermite15

  • Guest
Re: Google, Citing Attack, Threatens to Exit China
« Reply #17 on: January 15, 2010, 01:24:39 PM »
Quote
Security experts dissect Google China attack
http://www.theregister.co.uk/2010/01/14/google_china_attack_analysis/
Quote
The code samples obtained by iDefense from the July attack and the present attack are different, but they contact two similar hosts for command-and-control communication. The servers used in both attacks employ the HomeLinux DynamicDNS provider, and both are currently pointing to IP addresses owned by Linode, a US-based company that offers Virtual Private Server hosting.

The IP addresses in question are within the same subnet, and they are six IP addresses apart from each other. Considering this proximity, it is possible that the two attacks are one and the same, and that the organizations targeted in the Silicon Valley attacks have been compromised since July

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33668
  • malware fighter
Re: Google, Citing Attack, Threatens to Exit China
« Reply #18 on: January 15, 2010, 01:35:15 PM »
Hi Logos,

Through these links that you have provided for us we can gradually depict the overall situation and it looks grim and it has various apparent and hidden implications, corporational interests play an important role, I think the privacy issue is being used more or less as an excuse or pretext. Apart from what really is at stake, there are the security issues also. It means the Internet is a place where threats raise their ugly heads everywhere, it does not matter from what angle they come in - zombie bot herder, malcreant cyber crime exploit user, targeted hack developer, cyber army skirmishes, malcode is "on the wire" everywhere all over the Internet, and the unaware aren't really helping the situation and those in charge turning a blind eye, we are in a predicament. Again we need China in the world and its century old culture and wisdom,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Hermite15

  • Guest
Re: Google, Citing Attack, Threatens to Exit China
« Reply #19 on: January 15, 2010, 01:39:14 PM »
Quote
Again we need China in the world and its century old culture and wisdom

wisdom  ??? ...myth  ;) ... and weren't you mentioning yourself yesterday web sites suggesting that servers should IP block China?

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33668
  • malware fighter
Re: Google, Citing Attack, Threatens to Exit China
« Reply #20 on: January 15, 2010, 02:02:26 PM »
Hi Logos,

Yes I have posted about how to block all of China and Korea as such if parties would think this would help. Also reckon that a lot of malcreants outside of China operate there, that is what I meant with that rephrase.

Internet Explorer has a very serious zero-day security hole
The vulnerability through which the attackers on Google used, works on all flaws of IE and works on each and every platform. As far as we know they used the attack via Internet Explorer 6 an a malicious website. Internet Explorer 8 in combination with Data Execution Prevention (DEP) prevents the attack. Well Microsoft thinks about launching an emergency patch. According to the software vendor the attack has only be seen in very targeted attacks, but every firm should reckon with the threat's danger.

"Complex attacks for specific corporational networks are often seen", says Microsoft Security Response Center (MSRC)'s Mike Reavy. He says that the Protected Mode inside IE 7 on Windows Vista and beyond limits what attackers can do. Users also could enable Data Execution Prevention (DEP)here. Or use Firefox with NoScript and Request Policy extensions installed, because again and again Javascript is at the culprit of mentioned attack.

Trojan horse
The attack itself was launched using, yes again folks, JavaScript code abusing the zero-day holek in Internet Explorer, acoording to MacAfee's Craig Schmugar. As soon as the OS was infested, the exploit installed a file drom a website, know taken offline. This file that installed a remote access Trojan (RAT), loading at start up. Malware also contacted a remote server, enabling the attacker access to the infected system. Schmugar confirms the attack cannot work with DEP installed,

polonus

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Hermite15

  • Guest
Re: Google, Citing Attack, Threatens to Exit China
« Reply #21 on: January 15, 2010, 02:07:48 PM »
yeah my mistake, I forgot they indeed mentioned IE 6 was mainly used...this said a majority of users don't have, as they suggested, security set to "high" in IE8. DEP yes.

Hermite15

  • Guest
Re: Google, Citing Attack, Threatens to Exit China
« Reply #22 on: January 15, 2010, 04:24:38 PM »
as mentioned earlier, Adobe has been under attack too, see article link posted by Pondus here:
http://forum.avast.com/index.php?topic=52252.msg453321#msg453321
http://www.v3.co.uk/v3/news/2256152/adobe-hit-chinese-google-attack

so it's not just Adobe as a company that's been attacked, but may be vulnerabilities used in pdf attachments that may have been another vector of attack against Google as stated here:

Quote
Security experts beg to differ, however. F-Secure chief research officer Mikko Hyppönen wrote in a blog posting yesterday: "We believe the attack was launched via a convincing email with an exploit-ridden PDF attachment."
http://www.f-secure.com/weblog/archives/00001854.html
http://www.youtube.com/watch?v=nFw9ZHy0V3c
« Last Edit: January 15, 2010, 04:27:16 PM by Logos »

Hermite15

  • Guest
Re: Google, Citing Attack, Threatens to Exit China
« Reply #23 on: January 15, 2010, 07:24:08 PM »
not sure if this link has been posted yet:

Quote
Researchers identify command servers behind Google attack

VeriSign iDefense researchers have identified the source of the recent cyber-assault against Google and have found the command-and-control servers that were used to orchestrate the attack.
http://arstechnica.com/security/news/2010/01/researchers-identify-command-servers-behind-google-attack.ars

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33668
  • malware fighter
Re: Google, Citing Attack, Threatens to Exit China
« Reply #24 on: January 15, 2010, 10:57:19 PM »
Hi Logos,

More news here: Update today
After Yahoo, Symantec, Northrop Grumman and Dow Chemical have been attacked, also network giant Juniper was to be hacked. The company does not deny nor confirm this info of an attack.

Update today
To prevent detection of the malware on the company network the attackers made use of encryption, according to McAfee as they told Wired. "We never saw encryption on this level. It was rather cleverly done", according to Dmitri Alperovitch, vice president threat research. How the Google worker was taken to the malcoded site, will be published later. This could have been via e-mail,
Instant Messaging or Facebook.

At the end of the day a dozen instants of malware were placed on the system. One of the malicious software was a backdoor and an encrypted "covert channel", posing as a SSL-connection to prevent detection. The infected machine was then used to attack the rest of the Google company network. Just like Kurtz does, Alperovitch affirms that McAfee is sitting on information it is not allowed yet to disclose,

polonus

Info on the trojan used in the attacks:
http://blog.threatexpert.com/2010/01/trojanhydraq-exposed.html

Damian
« Last Edit: January 15, 2010, 11:18:16 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Hermite15

  • Guest
Re: Google, Citing Attack, Threatens to Exit China
« Reply #25 on: January 15, 2010, 11:13:54 PM »
hey Polonus,

that's very interesting info as usual... ;)

edit: what I'm actually wondering right now is how far is Google ready to push that, are they gonna take down Google.cn or not...there's a lot of speculation going on.
« Last Edit: January 15, 2010, 11:17:54 PM by Logos »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33668
  • malware fighter
Re: Google, Citing Attack, Threatens to Exit China
« Reply #26 on: January 15, 2010, 11:40:56 PM »
Hi Logos,

You got your answer here: http://www.theregister.co.uk/2010/01/15/us_google_china/
Google is doing their own form of ad policing at home:
http://www.theregister.co.uk/2010/01/15/google_bans_thirty_thousand_from_adwords/

The browser issue - Important is to look at the number of unpatched advisories. Internet Explorer always has a large number still open (highly critical ones) those in Firefox do not take that long to get patched:

source Secunia
IE8 unpatched 4 50% Vulnerability Report: Microsoft Internet Explorer 8.x

Unpatched 50% (4 of 8 Secunia advisories)

Most Critical Unpatched
The most severe unpatched Secunia advisory affecting Microsoft Internet Explorer 8.x, with all vendor patches applied, is rated Extremely critical

Firefox unpatched 0
Vulnerability Report: Mozilla Firefox 3.5.x

Unpatched 0% (0 of 6 Secunia advisories)

Most Critical Unpatched
There are no unpatched Secunia advisories affecting this product, when all vendor patches are applied.

But the used hole in the attacks was for IE6
Our investigation so far has shown that Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 is not affected, and that Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are affected.

And Chinese exploited this hole before: http://blog.trendmicro.com/zero-day-ie-flaw-being-actively-exploited/



How long has this hole been there unpatched (independent of using UAC and/or DEP that came in as additional solutions with Vista and later with W7) Another conclusion is that users cannot use XP SP3 anymore without additional security measures like a normal user account for using applications on the Internet and/or javascript blocking inside browsers (not available in IE so far)...again a lot of corporations did not make the switch from IE6 or XP on a network scale. Will this and other threats be a way to enforce the mitigation a bit, pure speculation of course on my part, well what is it then?

polonus


« Last Edit: January 15, 2010, 11:52:11 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Hermite15

  • Guest
Re: Google, Citing Attack, Threatens to Exit China
« Reply #27 on: January 16, 2010, 12:02:14 AM »
yeah I knew the issue became/is/was very political, and an intervention of the US gvt was indeed expected. A Google rep said today that Google.cn (well, obviously not down yet...) still filters what it use to until now. Next days...or may be next week will be interesting.
 As to IE, running IE6 even patched today sounds so mad... I always have a laugh when I see my Secunia summary showing "no fix" for Internet Explorer 8  ;D

edit: a first reaction may be (on Thursday night already...)
Quote
China blocks number-one movie site IMDb
http://www.techradar.com/news/internet/china-blocks-number-one-movie-site-imdb-663458
source: http://www.theregister.co.uk/2010/01/14/china_firewall/
« Last Edit: January 16, 2010, 12:15:42 AM by Logos »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33668
  • malware fighter
Re: Google, Citing Attack, Threatens to Exit China
« Reply #28 on: January 16, 2010, 01:07:48 AM »
Hi Logos,

Good reporting means to report on both side of this issue.
Please, read here, hypothesis from the past:
http://pubservant.blogspot.com/2007/10/chinese-cyber-army-myth-or-reality.html
Quote
So, is there really an army of PLA hackers that are blatantly attacking western government's computer networks, or is this just paranoia and China bashing?
Quote
I mean, could you imagine senior western government officials browsing the net and downloading dodgy software during their working hours on their government computers? Well, maybe you can, but then the problem wouldn't really be the hackers, would it?
that implicates that the Google employee was searching the Internet with IE6 (in a Google internet environment where everyone uses Google Chrome, renowned for it virtual tab security, a bit strange as we analyze the fact, or this employee was opening e-mail attachments or was using Twitter, Facebook etc.)
Quote
The more important question is then how many hackers does it take to exploit the security hole of a networking software? My answer would be ... just 1 actually.


conclusion:
Quote
Therefore, the idea of armies of PLA hackers launch coordinate software exploit attacks on western government networks is not really plausible.

Seems orchestraded like it says here:
(http://www.reuters.com/article/internetNews/idUSL2225757020071022?sp=true):
Quote
So what we could have here is is a piece of software that scans a network of systems for an existing vulnerability which can be exploited, allowing the host to be compromised WITHOUT REQUIRING ANY ACTION FROM THE USER.
Then we are back at base one and Chinese CyberCrime again exists and it goes against the lone malcreant theory of the author. The truth is out there, but what one?
We have seen the future, and it does not belong to you...
http://www.theregister.co.uk/2009/12/31/the_out_of_control_decade/

"There's always free cheese in a mousetrap, baby."

polonus

« Last Edit: January 16, 2010, 02:12:42 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Chris Thomas

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1936
  • Christian Geek - aka 'born again' Geek
Re: Google, Citing Attack, Threatens to Exit China
« Reply #29 on: January 16, 2010, 10:22:06 AM »
The Obama administration is one of the weakest administration that ever existed in American history.

They only talk and complaint like small kids.

It is urgent that the yfree world have a ver good CYBER DEFENSE

The Chinese economy only grow through espionage...

It is amazing that only 23% of the corporate world in America use SSL