[ZT]Researchers identify command servers behind Google attack

original: http://arstechnica.com/security/news/2010/01/researchers-identify-command-servers-behind-google-attack.ars

VeriSign iDefense researchers have
identified the source of the recent cyber-assault against Google and
have found the command-and-control servers that were used to
orchestrate the attack.

By Ryan Paul
| Last updated January 14, 2010 8:45 AM

VeriSign’s iDefense security lab has published a report with
technical details about the recent cyberattack that hit Google and over
30 other companies. The iDefense researchers traced the attack back to
its origin and also identified the command-and-control servers that
were used to manage the malware.

The cyber-assault came to light on Tuesday when Google disclosed to the public
that the Gmail Web service was targeted in a highly-organized attack in
late December. Google said that the intrusion attempt originated from
China and was executed with the goal of obtaining information about
political dissidents, but the company declined to speculate about the
identity of the perpetrator.

Citing sources in the defense contracting and intelligence
consulting community, the iDefense report unambiguously declares that
the Chinese government was, in fact, behind the effort. The report also
says that the malicious code was deployed in PDF files that were
crafted to exploit a vulnerability in Adobe’s software.

"The source IPs and drop server of the attack correspond to a single
foreign entity consisting either of agents of the Chinese state or
proxies thereof," the report says.

The researchers have determined that there are significant
similarities between the recent attack and a seemingly related one that
was carried out in July against a large number of US companies. Both
attacks were apparently managed through the same command-and-control

"The servers used in both attacks employ the HomeLinux DynamicDNS
provider, and both are currently pointing to IP addresses owned by
Linode, a US-based company that offers Virtual Private Server hosting.
The IP addresses in question are within the same subnet, and they are
six IP addresses apart from each other," the report says. "Considering
this proximity, it is possible that the two attacks are one and the
same, and that the organizations targeted in the Silicon Valley attacks
have been compromised since July."

If the report’s findings are correct, it suggests that the
government of China has been engaged for months in a massive campaign
of industrial espionage against US companies.

Update: Adobe disputes iDefense’s claim that PDFs were used to deploy the malware. In a statement
issued today, Adobe says that they have found no evidence that their
technology was used as an attack vector in this recent incident. This
is supported by independent research
conducted by security firm McAfee, which has found evidence that a
vulnerability in Internet Explorer—but not Acrobat Reader—was exploited
in the attack.
