Comments on: The Truth About Two Malware Families Related to Operation Aurora http://blog.damballa.com/?p=578 An Ongoing Conversation About Targeted Attacks Tue, 17 Aug 2010 12:49:15 +0000 hourly 1 http://wordpress.org/?v=3.0.1 By: delightedzuk http://blog.damballa.com/?p=578&cpage=1#comment-252 delightedzuk Sat, 27 Mar 2010 21:58:52 +0000 http://blog.damballa.com/?p=578#comment-252 On a second look, those domains looks very very similar to Aurora's domains... Check my presentation which I gave on technical details regarding the Aurora activity at : http://www.ihackbanme.com/presentation/Google%20Vs.%20China%20Presentation_updated.pdf I think someone is trying to copy the way of acting on those malware... just so Aurora can be accused once the malware is being caught. Or it's the other way around -> Aurora's writers made this malware so no one will suspect of the real owners (Chinese ?)... Interesting. On a second look, those domains looks very very similar to Aurora’s domains…

Check my presentation which I gave on technical details regarding the Aurora activity at :
http://www.ihackbanme.com/presentation/Google%20Vs.%20China%20Presentation_updated.pdf

I think someone is trying to copy the way of acting on those malware… just so Aurora can be accused once the malware is being caught. Or it’s the other way around -> Aurora’s writers made this malware so no one will suspect of the real owners (Chinese ?)…

Interesting.

]]> By: delightedzuk http://blog.damballa.com/?p=578&cpage=1#comment-251 delightedzuk Sat, 27 Mar 2010 21:53:51 +0000 http://blog.damballa.com/?p=578#comment-251 Hey there! Nice article! You say that the sys file is related to operation aurora, but after analyzing the sys file myself in operation aurora, I can say that it contained another file, and was not a driver. Check out my external file analysis since proper binary analysis couldn't have been made at the current status of the file : http://imthezuk.blogspot.com/2010/03/aurora-sys-file-used-in-attack-external.html Check this out :) So, if in this case the msconfig32.sys is a driver, it's just means they both used the same name, but it doesn't mean nothing more. I don't think myself it's related to a malwares common over the net, I think it was a dedicated attack for fortune 500 companies / other interesting companies to steal info from. You can contact me via my blog if needed. Good luck http://imthezuk.blogspot.com Hey there! Nice article!
You say that the sys file is related to operation aurora, but after analyzing the sys file myself in operation aurora, I can say that it contained another file, and was not a driver.
Check out my external file analysis since proper binary analysis couldn’t have been made at the current status of the file :

http://imthezuk.blogspot.com/2010/03/aurora-sys-file-used-in-attack-external.html

Check this out :)

So, if in this case the msconfig32.sys is a driver, it’s just means they both used the same name, but it doesn’t mean nothing more.
I don’t think myself it’s related to a malwares common over the net, I think it was a dedicated attack for fortune 500 companies / other interesting companies to steal info from.

You can contact me via my blog if needed. Good luck

http://imthezuk.blogspot.com

]]> By: The Truth About Two Malware Families Related to Operation Aurora « "The CTI Blog" http://blog.damballa.com/?p=578&cpage=1#comment-247 The Truth About Two Malware Families Related to Operation Aurora « "The CTI Blog" Tue, 23 Mar 2010 15:14:07 +0000 http://blog.damballa.com/?p=578#comment-247 [...] Truth About Two Malware Families Related to Operation Aurora By skeoseyan The Truth About Two Malware Families Related to Operation Aurora: “The Truth About Two Malware Families Related to Operation [...] [...] Truth About Two Malware Families Related to Operation Aurora By skeoseyan The Truth About Two Malware Families Related to Operation Aurora: “The Truth About Two Malware Families Related to Operation [...]

]]>