Security researchers are continuing to delve into the details of the malware that's been used in the attacks against Google, Adobe and other large companies, and they're finding a complex package of programs that use custom protocols and sophisticated infection techniques.
The attacks, which are being called Aurora, were expressly designed to retrieve valuable files from compromised machines, and the analysis of the various pieces of malware used in the attacks shows that the software was well-suited to the task. In a blog post describing a detailed analysis of the applications, Guilherme Venere of McAfee says that there are a number of interrelated pieces of malware, each of which served a specific purpose.
After the initialization of the malware DLL, a connection is made to the command and control (C&C) server. The connection is made on port 443 which is usually used by the HTTPS protocol, encrypted with SSL. During analysis, we noticed that the employed protocol on this port was not the standard SSL protocol, but a custom encrypted protocol.

Once the malware is on the machine and this handshake is complete, it begins gathering information about the PC and attempting to send the data to a remote command-and-control server. The application records the machine's OS version, name, service pack level and the registry key containing the description of the PC's main processor. This gives the attackers a clear picture of what sort of machine the malware is running on.
The backdoor client initiates the protocol by issuing a packet which always has the same first 20 bytes:
[ ff ff ff ff ff ff 00 00 fe ff ff ff ff ff ff ff ff ff 88 ff ]
After the initiator handshake, the protocol uses a 20 byte packet as header for all communication that follows. All data sent from client to server is encoded with a logical NOT, and all data received from server is XOR encoded with 0xCC.
"As you can see this attack involved very advanced methods with several pieces of malware working in concert to give the attackers full control of the infected system, at the same time it attempts to disguise itself as a common connection to a secure website. This way the attackers were able to covertly gather all the information they wanted without being discovered," Venere wrote.
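The protocol details quoted from the McAfee analysis (fixed 20-byte client handshake, a 20-byte header on every later message, client-to-server bytes encoded with a logical NOT, server-to-client bytes XOR-encoded with 0xCC) are enough to write a small detector and decoder for captured traffic. The following Python is an added example, not code from the article or from McAfee: the handshake bytes, header length and encodings come from the quoted text, while the sample session, the payload strings and the function names are constructed for illustration. It also shows why the "looks like HTTPS" cover fails a simple check: a real TLS session on port 443 opens with a ClientHello record (0x16 0x03 0x01), not with this byte pattern.

```python
# Added example (not from the article or McAfee). Detects and decodes the
# custom C&C framing described in the quoted Aurora analysis.

# Fixed 20-byte client handshake, exactly as listed in the quoted text.
HANDSHAKE = bytes([
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xfe, 0xff,
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x88, 0xff,
])
HEADER_LEN = 20          # every post-handshake message starts with a 20-byte header
SERVER_XOR_KEY = 0xCC    # server -> client payload is XOR-encoded with 0xCC
TLS_CLIENT_HELLO_PREFIX = b"\x16\x03\x01"  # what genuine TLS on 443 would start with


def is_aurora_handshake(first_packet: bytes) -> bool:
    """True if a client's first packet begins with the fixed handshake bytes."""
    return first_packet[:HEADER_LEN] == HANDSHAKE


def looks_like_tls(first_packet: bytes) -> bool:
    """Cheap sanity check: real HTTPS opens with a TLS handshake record."""
    return first_packet.startswith(TLS_CLIENT_HELLO_PREFIX)


def client_codec(data: bytes) -> bytes:
    """Client -> server encoding is a bytewise logical NOT; NOT is its own inverse,
    so the same function both encodes and decodes."""
    return bytes((~b) & 0xFF for b in data)


def server_codec(data: bytes) -> bytes:
    """Server -> client encoding is XOR with 0xCC; XOR with a constant is also
    its own inverse."""
    return bytes(b ^ SERVER_XOR_KEY for b in data)


def decode_message(direction: str, packet: bytes) -> tuple[bytes, bytes]:
    """Split one post-handshake packet into its 20-byte header and decoded payload.
    The quoted analysis does not document the header's fields, so the header is
    returned raw rather than parsed (assumption: nothing beyond its length)."""
    header, body = packet[:HEADER_LEN], packet[HEADER_LEN:]
    codec = client_codec if direction == "c2s" else server_codec
    return header, codec(body)


def analyze_session(packets: list[tuple[str, bytes]]) -> dict:
    """Classify a captured client/server exchange on port 443.

    packets: list of (direction, raw_bytes) with direction "c2s" or "s2c".
    Returns whether the Aurora handshake was seen, whether the stream looked
    like TLS, and the decoded payload of every later message."""
    if not packets:
        return {"handshake": False, "tls": False, "messages": []}
    first_dir, first_pkt = packets[0]
    result = {
        "handshake": first_dir == "c2s" and is_aurora_handshake(first_pkt),
        "tls": looks_like_tls(first_pkt),
        "messages": [],
    }
    if result["handshake"]:
        for direction, pkt in packets[1:]:
            _header, payload = decode_message(direction, pkt)
            result["messages"].append((direction, payload))
    return result


def build_sample_session() -> list[tuple[str, bytes]]:
    """Constructed sample capture (not real traffic): handshake, one encoded
    client beacon carrying host details, one encoded server reply."""
    client_info = b"OSVer=5.1 SP=3 Name=LAB-PC"   # constructed beacon payload
    server_reply = b"ok"                           # constructed reply
    zero_header = bytes(HEADER_LEN)                # placeholder 20-byte header
    return [
        ("c2s", HANDSHAKE),
        ("c2s", zero_header + client_codec(client_info)),
        ("s2c", zero_header + server_codec(server_reply)),
    ]


if __name__ == "__main__":
    report = analyze_session(build_sample_session())
    print("Aurora handshake seen:", report["handshake"])
    print("Looks like TLS:", report["tls"])
    for direction, payload in report["messages"]:
        print(f"{direction}: {payload!r}")
```

In practice the first-packet check is the useful detection signal: traffic to port 443 whose first client bytes are neither a TLS record nor plaintext HTTP is worth an alert on its own, and the fixed 20-byte prefix gives a content match for network sensors. The decoders matter for forensics after the fact, since both encodings are involutions and can be reversed from a packet capture with no key material.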