Further evidence links Aurora attack to China

21 January 2010

Further evidence has emerged suggesting that the Operation Aurora attack exploiting a zero-day flaw in Internet Explorer came from within the People's Republic of China.

The battle of words between Google and China continues to heat up, as Chinese officials continue to deny the internet search giant's allegation that a series of recent attacks exploiting a vulnerability in Internet Explorer originated from China. Publications such as China Daily have run a series of editorials criticizing Google's threat to pull its business out of China. However, these editorials have paid little, if any, attention to the actual details of the attacks.

Instead, China's Foreign Ministry spokesperson Ma Zhaoxu declared that Google should expect "no exception" to China's policies and that "foreign companies in China should respect the laws and regulations" and "respect the public interest of Chinese people and China's culture and customs." Tough talk aside, Google has confirmed the beginning of negotiations with the Chinese government regarding the censoring of search results, and the company's apparent willingness to shut down its operations in China.

Taking more of an investigative approach, Joe Stewart, director of malware research for managed security company SecureWorks, analyzed the code of the backdoor trojan that the attack dropped. Called Hydraq by anti-malware companies, it contained debug symbol file paths that included the name Aurora, which is what gave the operation its name in the information security community.

Working through the binary in a debugger, Stewart found a cyclic redundancy check (CRC), a common error-detecting algorithm used to verify that data has not been corrupted in transit. But the table of constants this implementation used was simpler than those found in most CRC code. By searching online for source code containing the same constants, Stewart tracked down a single instance of code that used them.

"Perhaps the most interesting aspect of this source code sample is that it is of Chinese origin, released as part of a Chinese-language paper on optimizing CRC algorithms for use in microcontrollers," Stewart said, adding that searches show the code appears to be entirely unknown outside of China.
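The kind of table-driven CRC Stewart matched, as an added example that is not part of the original article or of Stewart's analysis: it generates a 16-entry (nibble) CRC-16 table from a polynomial, runs the CRC using the 12-bit shift to index the table, and performs the check an analyst can make on a table of constants lifted from a binary, namely regenerating the table from the polynomial it implies and comparing all sixteen entries. The polynomial 0x1021 (CRC-16/CCITT) and the "123456789" check string are assumptions chosen for the demonstration; the page does not disclose the constants found in Hydraq.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* CRC-16/CCITT polynomial 0x1021, chosen for this demo. The page does not
   give the Hydraq constants, so this value is an assumption. */
#define DEMO_POLY 0x1021u

/* Build the 16-entry nibble table for an MSB-first CRC-16 polynomial. These
   sixteen values are the "constants" an analyst sees in a disassembly. */
void crc16_build_nibble_table(uint16_t poly, uint16_t table[16])
{
    for (unsigned i = 0; i < 16; i++) {
        uint16_t crc = (uint16_t)(i << 12);          /* nibble in the top 4 bits */
        for (int bit = 0; bit < 4; bit++)
            crc = (crc & 0x8000u) ? (uint16_t)((crc << 1) ^ poly)
                                  : (uint16_t)(crc << 1);
        table[i] = crc;
    }
}

/* Table-driven update, one nibble per step. "crc >> 12" is the optimized
   index; ((uint8_t)(crc / 256)) / 16 yields the same nibble for an unsigned
   16-bit crc, only with two divisions instead of one shift. */
uint16_t crc16_nibble(const uint16_t table[16], const uint8_t *data,
                      size_t len, uint16_t init)
{
    uint16_t crc = init;
    for (size_t i = 0; i < len; i++) {
        crc = (uint16_t)(table[(crc >> 12) ^ (data[i] >> 4)]   ^ (crc << 4));
        crc = (uint16_t)(table[(crc >> 12) ^ (data[i] & 0x0F)] ^ (crc << 4));
    }
    return crc;
}

/* Bit-serial reference implementation of the same CRC, used to confirm that
   the table form computes the identical result. */
uint16_t crc16_bitwise(uint16_t poly, const uint8_t *data, size_t len, uint16_t init)
{
    uint16_t crc = init;
    for (size_t i = 0; i < len; i++) {
        crc ^= (uint16_t)(data[i] << 8);
        for (int bit = 0; bit < 8; bit++)
            crc = (crc & 0x8000u) ? (uint16_t)((crc << 1) ^ poly)
                                  : (uint16_t)(crc << 1);
    }
    return crc;
}

/* Analyst check. In an MSB-first nibble table, entry 1 is 0x1000 shifted four
   times, i.e. the polynomial itself. Read it out, regenerate the table and
   compare all sixteen entries; return the polynomial on success, 0 otherwise. */
uint16_t crc16_recover_poly(const uint16_t found[16])
{
    uint16_t candidate = found[1];
    uint16_t rebuilt[16];
    crc16_build_nibble_table(candidate, rebuilt);
    return memcmp(found, rebuilt, sizeof rebuilt) == 0 ? candidate : 0;
}

/* Convenience wrappers: CRC of the standard check string "123456789"
   (constructed input) with the table for 'poly', agreement of the table and
   bit-serial forms, and a polynomial round trip through the recovery check. */
uint16_t crc16_check_value(uint16_t poly, uint16_t init)
{
    static const uint8_t check[] = "123456789";
    uint16_t table[16];
    crc16_build_nibble_table(poly, table);
    return crc16_nibble(table, check, sizeof check - 1, init);
}

int crc16_table_agrees_with_bitwise(uint16_t poly, uint16_t init)
{
    static const uint8_t check[] = "123456789";
    uint16_t table[16];
    crc16_build_nibble_table(poly, table);
    return crc16_nibble(table, check, sizeof check - 1, init)
        == crc16_bitwise(poly, check, sizeof check - 1, init);
}

uint16_t crc16_roundtrip_poly(uint16_t poly)
{
    uint16_t table[16];
    crc16_build_nibble_table(poly, table);
    return crc16_recover_poly(table);
}

int main(void)
{
    uint16_t table[16];
    crc16_build_nibble_table(DEMO_POLY, table);
    printf("nibble table for 0x%04X:", DEMO_POLY);
    for (int i = 0; i < 16; i++)
        printf(" %04X", table[i]);
    printf("\nCRC-16/XMODEM(\"123456789\") = 0x%04X\n", crc16_check_value(DEMO_POLY, 0));
    printf("recovered polynomial         = 0x%04X\n", crc16_recover_poly(table));
    return 0;
}
```

Because the table is a linear function of the polynomial, entry 1 of an MSB-first nibble table is the polynomial itself, so recovering it from a table found in a binary needs no brute force; for a reflected (LSB-first) table the same role is played by entry 8. Matching the sixteen constants against a published source file, as the article describes, is therefore only evidence that the same polynomial and table size were used, which is the point the comment below takes up.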

Stewart also found identifiers in the code suggesting that English-language systems had been used to compile it, although he added that these identifiers could have been edited later.

Certain elements of the code appear to have been in development since 2006, Stewart said. "This date is only a year or so after the Titan Rain attacks, which largely used widely available trojans that were already known to antivirus companies," Stewart noted. "As a result of using completely original code and then only in highly targeted attacks, the Aurora code seems to have escaped detection for quite some time."

Titan Rain was a co-ordinated series of attacks on US computer systems, originating from China, that began in 2003.


Comments

ChasL says:

07 February 2010
Mr. Stewart's "China code" claim seems to have some problems:

1) A follow-up published by The Register on 1/26 contradicted the claim that the CRC algorithm was not known outside China. The 4-bit CRC code has been around for over a decade in the device application arena. Once this fact was public, several code samples outside China were located by bloggers discussing this issue.

2) Mr. Stewart seems to have neglected the fact that variable names are stripped out during code compilation when he alluded to a variable name in the Aurora machine code. There is absolutely no link between the "crc_ta[16]" variable he identified as Chinese and the machine code in Aurora.

Googling "crc_table[16]" turns up many code examples outside China; what does that prove?

3) Upon closer examination of Mr. Stewart's citations, the alleged Chinese white paper containing the algorithm and the code snippet found by Googling the identified variable name both turned up different code than what's in Aurora.

Specifically, the Aurora code contains a 12-bit shift optimization (found as early as 1988 according to The Register article):

crc16 >> 12

however, the code passed around on Chinese sites is unoptimized code using two divisions:

((uchar)(crc/256))/16
