Wednesday, January 20, 2010

Operation Aurora - Evidence Found for Chinese Attack on Google

Via -

An American computer security researcher has found what he says he believes is strong evidence of the digital fingerprints of Chinese authors in the software programs used in attacks against Google.

n the week since the announcement, several computer security companies have made claims supporting Google’s suspicions, but the evidence has remained circumstantial.

Now, by analyzing the software used in the break-ins against Google and dozens of other companies, Joe Stewart, a malware specialist with SecureWorks, a computer security company based in Atlanta, said he determined the main program used in the attack contained a module based on an unusual algorithm from a Chinese technical paper that has been published exclusively on Chinese-language Web sites.

The malware at the heart of Google attack is described by researchers as a “Trojan horse” that is intended to open a back door to a computer on the Internet. The program, called Hydraq by the computer security research community and intended to subvert computers that run different versions of the Windows operating system, was first noticed earlier this year.

Mr. Stewart describes himself as a “reverse engineer,” one of a relatively small group of software engineers who disassemble malware codes in an effort to better understand the nature of the attacks that have been introduced by the computer underground, and now possibly by governments as well.

“If you look at the code in a debugger you see patterns that jump out at you,” he said. In this case he discovered software code that represented an unusual algorithm, or formula, intended for error-checking transmitted data.

He acknowledged that he could not completely rule out the possibility that the clue had been placed in the program intentionally by programmers from another government intent on framing the Chinese, but he said that was unlikely. “Occam’s Razor suggests that the simplest explanation is probably the best one.”


There is one interesting clue in the Hydraq binary that points back to mainland China, however. While analyzing the samples, I noticed a CRC (cyclic redundancy check) algorithm that seemed somewhat unusual. CRCs are used to check for errors that might have been introduced into stored or transferred data. There are many different CRC algorithms and implementations of those algorithms, but this is one I had not previously seen in any of my reverse-engineering efforts.


The CRC algorithm used in Hydraq uses a table of only 16 constants; basically a truncated version of the typical 256-value table.


The CRC algorithm used in Hydraq uses a table of only 16 constants; basically a truncated version of the typical 256-value table. By decompiling the algorithm and searching the Internet for source code with similar constants, operations and a 16-value CRC table size, I was able to locate one instance of source code that fully matched the structural code implementation in Hydraq and also produced the same output when given the same input:


In my opinion, the use of this unique CRC implementation in Hydraq is evidence that someone from within the PRC authored the Aurora codebase. And certainly, considering the scope, choice of targets and the overwhelming boldness of the attacks (in light of the harsh penalties we have seen handed out in communist China for other computer intrusion offenses), this creates speculation around whether the attacks could be state-sponsored.


  1. I've been skeptical of the Chinese link in these attacks, but this seems like a pretty firm piece of evidence. I spent a little time googling for non-Chinese references to that CRC algorithm but couldn't find any either.

    I'm not a CRC expert so I have no idea how widely read the paper might be, but there are no obvious hits in Google. This seems like a very strong find.

    The author of the malware almost certainly spoke Chinese - which isn't common for westerners.

    I'm glad more concrete evidence is emerging.

  2. Matt, Joe Stewart's claim is not credible. The nibble CRC16 algorithm has been used for years (and yes, even outside China). Here's an example from 2003 IDG listserv: