The source of the vulnerability behind this attack on Google

Judging from the two articles, this attack on Google came in through an Adobe Reader vulnerability, and it was not the first attack: the first one took place in July, and how many victims that one had is still unclear. This one Google discovered in December; by tracing it back to the server that received the stolen data, it learned that other companies had been hit at the same time. Some say 34 companies were actually involved, including Google.

This attack exploited an Adobe Reader vulnerability: a piece of code is embedded in a PDF file, and the PDF is sent as an e-mail attachment to the chosen target; when the target opens the PDF, a trojan can be installed on their machine. Targets can therefore be picked very precisely. The data the trojan collects is sent to a designated server. The July and December code are not entirely identical, but the coding and attack methods are similar, and they share the same contact servers.
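The paragraph above describes the delivery chain: code inside a PDF, the PDF sent as an attachment, a trojan dropped when the file is opened. As an added example that is not from this blog, from the quoted articles, or from any vendor, here is a small attachment-triage scanner in Python that flags the PDF features an exploit document needs (an auto-run action, JavaScript, launch actions, embedded files), undoes the `#xx` name-escape trick (`/J#61vaScript`), and inflates Flate-compressed streams, since that is where the active content is usually hidden. The two PDFs it scans are constructed inline for the demo and contain no exploit; the weights are my own heuristic, not a published score.

```python
"""Triage scanner for PDF e-mail attachments (added example, standard
library only). Scores the PDF features exploit documents rely on,
normalises hex-escaped names such as /J#61vaScript, and inflates
/FlateDecode streams so content hidden in object streams is scanned too.
"""
import re
import zlib

# Names worth a second look. The weights are an assumption (my own triage
# heuristic), not a published scoring scheme.
SUSPICIOUS = {
    b"/JavaScript": 3, b"/JS": 3, b"/Launch": 3,
    b"/OpenAction": 2, b"/AA": 2, b"/EmbeddedFile": 2, b"/RichMedia": 2,
    b"/ObjStm": 1, b"/JBIG2Decode": 1, b"/XFA": 1,
}
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# 'endstream' also ends in 'stream'; the lookbehind keeps it from matching.
_STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def normalize_names(data: bytes) -> bytes:
    """Undo PDF name hex-escapes: /J#61vaScript -> /JavaScript."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes):
    """Yield the inflated body of every stream zlib can decode; anything
    else (uncompressed, other filters, corrupt) is skipped."""
    for m in _STREAM.finditer(data):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            continue


def scan_pdf(data: bytes) -> dict:
    """Return {'hits': {name: count}, 'score': int, 'verdict': str}."""
    # Reader tolerates junk before the header, so look in the first 1 KiB.
    if b"%PDF" not in data[:1024]:
        return {"hits": {}, "score": 0, "verdict": "not a PDF"}
    views = [normalize_names(data)]
    views += [normalize_names(body) for body in inflate_streams(data)]
    hits = {}
    for view in views:
        for name in SUSPICIOUS:
            # Require a delimiter after the name so /JS does not match /JSX.
            pattern = re.escape(name) + rb"(?![A-Za-z0-9])"
            n = len(re.findall(pattern, view))
            if n:
                key = name.decode()
                hits[key] = hits.get(key, 0) + n
    score = sum(SUSPICIOUS[k.encode()] * v for k, v in hits.items())
    auto_run = "/OpenAction" in hits or "/AA" in hits
    active = any(k in hits for k in ("/JavaScript", "/JS", "/Launch"))
    if auto_run and active:
        verdict = "quarantine: auto-run active content"
    elif score >= 3:
        verdict = "review"
    else:
        verdict = "pass"
    return {"hits": hits, "score": score, "verdict": verdict}


def build_samples() -> dict:
    """Two PDFs constructed for the demo (synthetic, no exploit code):
    a benign empty document, and one whose catalog auto-runs a JavaScript
    action with a hex-escaped name hidden in a Flate-compressed object
    stream, the shape a scan of the raw bytes alone would miss."""
    header = b"%PDF-1.5\n"
    pages = b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    trailer = b"trailer << /Root 1 0 R >>\n%%EOF\n"
    benign = (header
              + b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
              + pages + trailer)
    hidden = zlib.compress(b"3 0 << /S /J#61vaScript /JS (app.alert(1)) >>")
    objstm = (b"4 0 obj << /Type /ObjStm /N 1 /First 4 /Length %d "
              b"/Filter /FlateDecode >>\nstream\n" % len(hidden)
              + hidden + b"\nendstream\nendobj\n")
    evil = (header
            + b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
            + pages + objstm + trailer)
    return {"report.pdf": benign, "invoice.pdf": evil}


if __name__ == "__main__":
    for fname, blob in build_samples().items():
        print(fname, scan_pdf(blob))
```

The point of inflating streams is the same one the Hydraq chain illustrates: a grep of the raw attachment sees only `/OpenAction` and `/ObjStm`, while the `/JavaScript` action only appears after decompression and name normalisation. This is a triage heuristic, not a verdict engine; a real pipeline would hand anything that scores "review" or "quarantine" to a sandbox or to a full parser such as pdfid/peepdf.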

——————————————————–

http://news.cnet.com/8301-27080_3-10433744-245.html

Unpatched Adobe holes link Google and earlier attacks

The targeted attacks on Google and more than 30 other U.S. companies late last year bear striking similarities to targeted attacks on 100 U.S. companies last summer, a security researcher familiar with the attacks said Tuesday.

Last July, workers at about 100 U.S. technology companies were targeted with e-mails containing malicious PDF files that exploited a zero-day vulnerability in Adobe Reader. The attacks were detected early and there were no serious consequences, said Eli Jellenc, head of international cyberintelligence at VeriSign iDefense.

In mid-December, Google, Adobe Systems, and a host of other Silicon Valley companies were targeted by attacks originating in China, prompting Google on Tuesday to say that it will stop censoring its Chinese search results and to threaten to pull out of that market. The latest attacks also involved malicious PDF files in e-mail attachments and the code was similar to the previous attack, Jellenc said.

Google said the companies targeted in the attack numbered more than 20, but iDefense put the number at 34, including Google. In many of the cases, the attack was successful, Jellenc said. The attacks were targeting source code repositories, according to iDefense.

Coincidentally, Adobe on Tuesday patched a zero-day vulnerability in Reader and Acrobat that was discovered in mid-December and was being exploited by attacks in the wild to deliver Trojan horse programs that install backdoor access on computers. Jellenc said he could not say for sure whether that was the vulnerability targeted in the attacks on Google and the others.

Reader was found to be one of the buggiest programs in 2009 and has been the target of numerous zero-day exploits in the wild.

The code samples obtained by iDefense from the two attacks are different but have very similar characteristics, he said. They contact two similar hosts for command-and-control communication to receive instructions from the attackers once the target machines are infected, according to iDefense. The servers used in both attacks employ the HomeLinux DynamicDNS provider and they both currently point to IP addresses owned by Linode, a U.S.-based company that offers virtual private server hosting, iDefense said. In addition, the IP addresses from both attacks are within the same subnet and they are six IP addresses apart, the company said in a statement.

“Considering this proximity, it is possible that the two attacks are one and the same, and that the organizations targeted in the Silicon Valley attacks have been compromised since July,” iDefense said.

Jellenc said his company started helping some of the victimized companies with the investigation on Thursday night, providing information on characteristics of attacks launched by Chinese groups.

Examining the attacks
Google noticed the malicious code in its system in mid-December and then followed it back to the drop servers and determined that other companies–including at least two financial companies and one major defense contractor–had been targeted, Jellenc said citing sources familiar with the investigation.

Google also may have been able to see a target list of IP addresses in the code, he said. (Google has declined to provide more details about the attacks beyond what they have publicly stated.)

The attackers stored data acquired in the attacks at Texas-based hosting provider Rackspace and had command-and-control servers based in Taiwan that are commonly used by “actors out of the People’s Republic of China,” he said.

A Rackspace spokeswoman confirmed early Wednesday that a server at the company had been affected. “In this case, a server at Rackspace was compromised, disabled, and we actively assisted in the investigation of the cyberattack, fully cooperating with all affected parties,” she said. The hosting company runs the servers and operating systems for its customers’ Web sites, but customers run their own applications on the servers, she said.

Jellenc said that iDefense “confirmed with some clients and partners of ours in the defense contracting community that the IP addresses used to launch the attacks are known to be associated with previous attacks from groups that are either directly employed agents of the Chinese state or amateur hackers that are proxies for them that have attacked other U.S. companies in the past.”

At Google, attackers not only wanted intellectual property, but they tried to access Gmail accounts of Chinese human rights activists, Google said. Only two Gmail accounts appear to have been accessed and only limited account information, and not e-mail contents, was visible, according to Google. In addition, accounts of dozens of Gmail users in the U.S., China, and Europe who advocate human rights were accessed routinely by third parties, probably via phishing or malware located on the user’s computer, Google said.

While attacks can be traced back to a country of origin, it’s very difficult to prove that it was the work of a government agency, said John Bumgarner, chief technology officer of the U.S. Cyber Consequences Unit, which does independent research for the U.S. government.

The latest attacks are just the latest in a series of attacks from China on nonmilitary Web sites, according to Alan Paller, director of research at the SANS Institute. In November 2007, U.K. and U.S. companies doing business in China were targeted for proprietary information, he said. And in May 2008, Chinese entities hacked into organizations working for freedom in Tibet, he said.

“The interesting thing about this is somebody big is fighting back,” Paller said.

These types of attacks happen every day, said George Kurtz, chief technology officer at McAfee. “What we’re seeing is really the tip of the iceberg,” he said. “This is going to be bigger than originally anticipated.”

Jellenc and other security experts said they did not believe the targeted attacks were at all related to an attack Tuesday on Baidu, China’s largest search provider. In that attack, visitors to the Baidu site were re-directed to a site where a group calling itself the “Iranian Cyber Army” claimed responsibility for the attack. The same group had taken credit for a similar attack on Twitter last month.

Dan Kaminsky, director of penetration testing at IOActive whose research has helped improve the security of the Internet infrastructure, predicted the attacks would prompt references to a Digital Pearl Harbor.

“I don’t know how accurate or how fair that is but certainly something of note has occurred that has not occurred in previous years,” he said.

“I think everybody is surprised by the utterly unambiguous response,” Kaminsky added. “This definitely is ‘shot heard round the world’ territory, at least in our [security] community.”

——————————————————–

http://www.wired.com/threatlevel/201…e-hack-attack/

Google Hackers Targeted Source Code of More Than 30 Companies

A hack attack that targeted Google in December also hit 33 other companies, including financial institutions and defense contractors, and was aimed at stealing source code from the companies, say security researchers at iDefense.

The hackers used a zero-day vulnerability in Adobe Reader to deliver malware to many of the companies and were in some cases successful at siphoning the source code they sought, according to a statement distributed Tuesday by iDefense, a division of VeriSign. The attack was similar to one that targeted other companies last July, the company said.

A spokeswoman for iDefense wouldn’t name any of the other companies that were targeted in the recent attack, except Adobe.

Adobe acknowledged Tuesday in a blog post that it discovered Jan. 2 that it had been the target of a “sophisticated, coordinated attack against corporate network systems managed by Adobe and other companies.”

The company didn’t say whether it was a victim of the same attack that struck Google. But Adobe’s announcement came just minutes after Google revealed that it had been the target of a “highly sophisticated” hack attack originating in China in December.

Neither Google nor Adobe provided details about how the hacks occurred. Google said only that the hackers were able to steal unspecified intellectual property from it, and that they had focused their attack on obtaining access to the Gmail accounts of human rights activists who were involved in China rights issues.

But according to iDefense, whose customers include some of the 33 companies that were hacked, the attacks were well targeted and “unusually sophisticated” and aimed at grabbing source code from several hi-tech companies based in Silicon Valley as well as financial institutions and defense contractors.

The hackers gained access to the company networks by sending targeted e-mails to employees, some of which contained a malicious PDF attachment. The malicious code exploited a zero-day vulnerability in Adobe’s Reader application.

Zero day vulnerabilities are security flaws in software for which there is currently no patch. Adobe announced in mid-December that a new zero-day vulnerability in its Reader and Acrobat programs was being actively targeted by attackers. The company made the announcement after security researchers not affiliated with Adobe discovered attacks being conducted against the vulnerability. Adobe patched the critical vulnerability only on Tuesday this week.

In the recent attack on some of the companies, once a recipient clicked on the malicious PDF attachment, a backdoor Trojan program called Trojan.Hydraq was installed on their machine in the form of a Windows DLL, according to iDefense.

IDefense says that when Google discovered malware on its systems in December, it found that the code was communicating with a server set up to receive information stolen from the targeted companies.

“It was configured in such a way that it was able to receive a massive amount of data being exfiltrated to it,” says an iDefense spokeswoman who asked not to be named.

Google was able to determine, by examining the server, that the hackers had struck numerous other companies, she said. Google said in its Tuesday announcement that 20 other companies had been hacked. But iDefense found evidence that at least 33 were targeted.

The recent attacks bear a strong resemblance to another attack that occurred in July 2009, which targeted about 100 IT companies, iDefense says. In that earlier attack, the hackers also sent targeted e-mail to companies with a malicious PDF attachment, but it’s unclear how successful that attack was.

According to Ryan Olson, an analyst for iDefense, the attacks in July and December targeted different vulnerabilities. The one in July affected Adobe’s Reader, Acrobat and Flash applications, which it patched Jul. 30. The vulnerability the hackers are believed to have used in December also affected Reader and Acrobat.

iDefense obtained samples of the malicious codes used in the July attack and the more recent one and found that although the malware was different in the two attacks, the programs both communicated with similar command-and-control servers. The servers each used the HomeLinux DynamicDNS to change their IP address, and both currently point to IP addresses belonging to a subset of addresses owned by Linode, a U.S.-based company that offers Virtual Private Server hosting.

“The IP addresses in question are … six IP addresses apart from each other,” iDefense said in its statement. “Considering this proximity, it is possible that the two attacks are one and the same, and that the organizations targeted in the [recent] Silicon Valley attacks have been compromised since July.”

Olson told Threat Level that the attackers are “incredibly good” at finding new exploits and infecting the right people but that nothing he’d seen in the malware indicated they were above average in writing malicious code.

“The sophistication here is all about the fact they were able to target the right people using a previously unknown vulnerability,” he says.

The iDefense spokeswoman told Threat Level that her company waited a week to disclose details about the attack until after Google went public with the news that it had been hacked. She said it’s her understanding that Google’s source code was targeted in the hack attack.

Google declined to publicly discuss the details of iDefense’s report.

Adobe’s announcement didn’t discuss specifically whether hackers had stolen its source code but said that it had “no evidence to indicate that any sensitive information — including customer, financial, employee or any other sensitive data — has been compromised” in the attack.

This post was updated with information from Olson about the malware used in the attack. It also was updated to clarify that the Hydraq trojan and PDF exploit were used to breach some of the companies, but not all of them.

Read More
http://www.wired.com/threatlevel/2010/01/google-hack-attack/#ixzz0cZ65OF2L
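The link iDefense draws between the July and December samples in both articles rests on infrastructure overlap: both command-and-control hosts used the HomeLinux dynamic-DNS service and resolved into the same Linode subnet, six addresses apart. The following Python is an added example, not iDefense's tooling and not from either article, of how an analyst automates that pivot over recovered indicators: for every pair from different campaigns it reports a shared DDNS provider and/or co-location in the same /24 with the address distance. The four indicators are constructed for the demo: the hostnames are invented labels under real dynamic-DNS zones and the IPs come from the RFC 5737 documentation ranges, so none of them are the real attack infrastructure.

```python
"""Infrastructure-overlap pivot over C2 indicators (added example,
standard library only). For every pair of indicators from different
campaigns it reports a shared dynamic-DNS provider and/or co-location in
the same /prefix with the address distance, ranked by how many such
overlaps the pair has.
"""
import ipaddress
from dataclasses import dataclass
from itertools import combinations

# Dynamic-DNS zones mapped to the provider family. HomeLinux is the one
# named in the articles; the other entries are assumptions for the demo.
DDNS_ZONES = {
    "homelinux.org": "HomeLinux", "homelinux.net": "HomeLinux",
    "homelinux.com": "HomeLinux", "dyndns.org": "DynDNS", "no-ip.org": "No-IP",
}


@dataclass(frozen=True)
class Indicator:
    campaign: str   # which sample/incident the C2 was recovered from
    host: str       # C2 hostname the malware contacts
    ip: str         # address it resolved to at the time of analysis


def ddns_provider(host: str):
    """Return the provider family if *host* sits under a known DDNS zone."""
    h = host.lower().rstrip(".")
    for zone, provider in DDNS_ZONES.items():
        if h == zone or h.endswith("." + zone):
            return provider
    return None


def ip_distance(a: str, b: str):
    """Absolute distance between two addresses, or None across IP versions."""
    x, y = ipaddress.ip_address(a), ipaddress.ip_address(b)
    if x.version != y.version:
        return None
    return abs(int(x) - int(y))


def same_network(a: str, b: str, prefix: int = 24) -> bool:
    """True if *b* falls inside the /prefix network that contains *a*."""
    net = ipaddress.ip_network(f"{a}/{prefix}", strict=False)
    return ipaddress.ip_address(b) in net   # False across IP versions


def pivot(indicators, prefix: int = 24):
    """Links between indicators of different campaigns, strongest first.
    Each link is (indicator, indicator, [reason, ...])."""
    links = []
    for x, y in combinations(indicators, 2):
        if x.campaign == y.campaign:
            continue
        reasons = []
        px, py = ddns_provider(x.host), ddns_provider(y.host)
        if px and px == py:
            reasons.append(f"same DDNS provider ({px})")
        if same_network(x.ip, y.ip, prefix):
            reasons.append(
                f"same /{prefix}, {ip_distance(x.ip, y.ip)} addresses apart")
        if reasons:
            links.append((x, y, reasons))
    return sorted(links, key=lambda link: len(link[2]), reverse=True)


# Constructed indicators: invented labels under real DDNS zones and
# RFC 5737 documentation addresses. Not the real Aurora infrastructure.
SAMPLE = [
    Indicator("July 2009", "july-update.homelinux.org", "203.0.113.10"),
    Indicator("Dec 2009", "dec-news.homelinux.net", "203.0.113.16"),
    Indicator("Dec 2009", "static-cdn.example.net", "198.51.100.7"),
    Indicator("unrelated", "mail.example.org", "203.0.113.200"),
]

if __name__ == "__main__":
    for x, y, reasons in pivot(SAMPLE):
        print(f"{x.campaign} <-> {y.campaign}: {x.host} / {y.host}")
        for r in reasons:
            print("   ", r)
```

The "unrelated" indicator is there deliberately: it sits in the same /24 as both campaign hosts and so also produces a link, which is why subnet proximity at a VPS provider, where one /24 is shared by many customers, is weak evidence on its own and why iDefense hedged with "it is possible". The pair that ranks first is the one with two independent overlaps (shared provider and adjacent addresses); that combination, not either fact alone, is what makes the July/December link worth reporting.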
