Google hackers behind Adobe Reader PDF zero-day bug, Symantec warns
PDF worm linked to Google Aurora hack last year
By Gregg Keizer | Computerworld US | Published: 10:44, 15 September 2010
Researchers on Monday clashed over whether recent attacks that exploit a bug in Adobe Reader are the work of the group that hacked Google and dozens of other major corporations late last year.
On one side, Mountain View, California-based antivirus giant Symantec, whose security analysts said they've found evidence suggesting that the group which wormed its way into Google's corporate network in December 2009 is back in business.
On the other, Atlanta's much smaller SecureWorks, where researcher Don Jackson said that Symantec had "comingled" evidence of two separate attacks.
Related Articles on Techworld
At issue were recent PDF-based exploits attached to messages touting renowned golf swing coach David Leadbetter that have exploited an unpatched bug in Adobe's popular Reader PDF viewer.
Security experts have called that exploit "scary" and "clever" for the way it sidesteps critical Windows defenses designed to isolate malicious code and make it harder to execute malware.
Those attacks went public last week, when independent security researcher Mila Parkour reported the flaw to Adobe, then published her preliminary findings. Adobe issued a security warning a day later, and on Monday announced it would patch the problem early next month.
Symantec, which has found signs of attack emails going back to at least 1 September, fired the first shots early Monday when company researcher Karthik Selvaraj said that the wording of the Leadbetter e-mails was "very similar" to the phrasing used in the attacks against Google and others in January 2010. Those attacks were dubbed "Operation Aurora" by a McAfee researcher.
Google traced the Aurora attacks to Chinese hackers, prompting it to threaten shutting down its China operations. This summer, Google compromised with China's authorities over censorship issues, and remains part of the China search scene.
At the time, Google characterized the attacks as "highly sophisticated and targeted," and said at least another 20 major companies were also subjected to the same kind of assaults.
"We looked at how they're distributing and propagating the [newest] attacks," said Joe Chen, the director of engineering in Symantec's security response group today in an interview, talking about why his company believes the two attacks are the likely work of the same group.
Selvaraj provided more similarities. "In addition, the use of a zero-day within a PDF, and how the executable is dropped on the system, all match the Hydraq method of operation," said Selvaraj.
"Hydraq" is the name Symantec assigned in January to the Trojan horse deposited on PCs compromised by the Aurora attacks.
"They're using the same techniques as Hyrdraq, leading us to believe that either it's two groups sharing knowledge or one group responsible for both," added Chen. Not so fast, said Jackson.
"Hydraq is an off-the-shelf Trojan backdoor," said Jackson, talking about the malware that, once installed by both the Aurora and Leadbetter attacks, gives the hacker access to the compromised PC, letting him download more malicious code from remote servers to install on the systems, and then issue commands by remote control.
Lots of cybercriminals, especially Chinese hackers, use Hydraq, making it an poor piece of evidence, Jackson continued. "Saying that they both used Hydraq is like saying that to completely unrelated attacks were done by the same group because they both used Zeus," said Jackson, referring to the do-it-yourself crimeware kit he uncovered in 2007.
Zeus is the malware kit of choice for criminals specializing in financial fraud, Jackson has said previously.
Actually, the techniques used by the group guilty of building the Leadbetter exploit can be traced back to July 2009, Jackson argued, months before any evidence of Aurora had surfaced. "The guys behind the Leadbetter attacks have used this same M.O. for over a year," said Jackson.
Symantec's Chen also noted that his company's researchers had pegged the first proof of the Leadbetter group to July of last year, but said they saw it as an early sign of the malware gang that hacked Google.
"We believe the first evidence came out much earlier [than Aurora], last year," Chen said. "They use the same type of social engineering techniques." No, countered Jackson.
"The confusing point is that at the time Aurora was going on and Google was breached, during that incident, there were concurrent PDF-based attacks by the [Leadbetter] group," said Jackson.
That led Symantec down the wrong path. "They comingled the two attacks, which took place around the same time and were from the same general geographic area," Jackson said.
In fact, Selvaraj of Symantec cited geography as another piece of evidence that he said connected the Aurora and Leadbetter attacks. "We have seen a large number of detections of unique versions of the PDF - not yet seen elsewhere in the wild - coming from a single computer in the Shandong Province of China, which is how far back investigators were able to trace the Hydraq attacks," said Selvaraj.
Shandong Province is important to the tale of the battling analysts. In February, the New York Times reported that experts, including investigators with the National Security Agency, had tracked the Aurora attacks to a pair of schools in China's Shandong Province, with the best clues pointing to the Lanxiang Vocational School, which has links to the Chinese military.
The second Shandong Province school, Shanghai Jiaotong University, has also been connected to a prominent Chinese hacker who some believe launched a series of DDoS (distributed denial of service) attacks against the whitehouse.gov site in 2001.
But tracking attacks to Shandong isn't proof, answered Jackson. "It's a big province, and it was used as a base by the previous [Leadbetter group's] attacks as well," he said. "The networks that launched Aurora are not related to these new attacks, I'm certain of that."
Adding to Symantec's likely confusion was that the Leadbetter bunch used the Aurora attacks as bait for a rogue PDF campaign that quickly followed news of the attack on Google, and its threat to retreat from China.
But Jackson's trump card was the fact that the Leadbetter group has consistently used malware-laden PDFs in its attacks, and the Aurora campaign did not.
"None of the companies that were attacked along with Google, none of those traced the attacks back to a PDF," Jackson said.
In the first few days after Google said it had been attacked, researchers did, in fact, speculate that one or more unpatched vulnerabilities in Adobe's Reader had been exploited using PDFs.
It quickly became apparent, however, that the Aurora attackers had exploited a zero-day in Microsoft's Internet Explorer , not Reader. McAfee, which was asked by several of the victimized companies to analyze the attack, said that in every instance, the IE bug was to blame.
The argument over which gang of hackers did what may soon be moot. On Monday, Adobe said it would patch the Reader and Acrobat bugs the week of 4 October.
Until patches are available, Microsoft and Adobe have urged users to install and configure the former's Enhanced Migration Experience Toolkit (EMET) to block attacks.