The battle of words between Google and China continues to heat up, with Chinese officials still denying allegations by the internet search giant that a series of recent attacks exploiting a vulnerability in Internet Explorer originated from China. Publications such as China Daily have run a series of editorials criticizing Google's threat to pull business from China. However, these editorials have paid little, if any, attention to the actual details of the attacks.
Instead, China's Foreign Ministry spokesperson Ma Zhaoxu declared that Google should expect "no exception" to China's policies and that "foreign companies in China should respect the laws and regulations" and "respect the public interest of Chinese people and China's culture and customs." Tough talk aside, Google has confirmed the beginning of negotiations with the Chinese government regarding the censoring of search results and the company's apparent willingness to shut down operations in China.
Taking more of an investigative approach, Joe Stewart, director of malware research for managed security company SecureWorks, analyzed the code in the backdoor trojan that the attack dropped. The trojan, called Hydraq by anti-malware companies, contained debugger symbol file paths bearing the name Aurora, which is what gave the project its name in the information security community.
The debugger that Stewart used found a cyclic redundancy check (CRC) – a common algorithm designed to ensure that data is still intact after it has been transferred. But the data used by this implementation of the algorithm was simpler than that used by many others. By searching online for source code with similar data (called constants), Stewart tracked down a single instance that produced the same output.
"Perhaps the most interesting aspect of this source code sample is that it is of Chinese origin, released as part of a Chinese-language paper on optimizing CRC algorithms for use in microcontrollers," Stewart said, adding that searches show the code appears to be entirely unknown outside of China.
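The constant-matching approach described above can be shown in a short script. This is an added example, not Stewart's tooling and not the constants from Hydraq, which the article does not give: it builds lookup tables for three well-known public CRC polynomials (chosen here as assumptions) in 256-entry and compact 16-entry forms and scans a constructed byte buffer for them.

```python
import struct

def crc_table(poly, width, entries, reflected):
    """Build the lookup table a table-driven CRC embeds as constants."""
    bits = entries.bit_length() - 1      # 4 for a nibble table, 8 for a byte table
    mask, top = (1 << width) - 1, 1 << (width - 1)
    table = []
    for i in range(entries):
        if reflected:                    # LSB-first; poly is given bit-reversed
            crc = i
            for _ in range(bits):
                crc = (crc >> 1) ^ poly if crc & 1 else crc >> 1
        else:                            # MSB-first
            crc = i << (width - bits)
            for _ in range(bits):
                crc = ((crc << 1) ^ poly if crc & top else crc << 1) & mask
        table.append(crc)
    return table

# Well-known public polynomials (assumed candidates): name, poly, width, reflected.
POLYS = [("CRC-16/CCITT", 0x1021, 16, False),
         ("CRC-16/ARC", 0xA001, 16, True),
         ("CRC-32", 0xEDB88320, 32, True)]

def signatures():
    """Yield (label, packed table), largest tables first.
    Assumes tables are stored as little-endian words, as on x86."""
    for entries in (256, 16):
        for name, poly, width, refl in POLYS:
            fmt = "<%d%s" % (entries, "H" if width == 16 else "I")
            packed = struct.pack(fmt, *crc_table(poly, width, entries, refl))
            yield "%s %d-entry table" % (name, entries), packed

def scan(blob):
    """Return [(offset, label)] for every known CRC table found in blob."""
    hits = {}
    for label, sig in signatures():
        pos = blob.find(sig)
        while pos != -1:
            # A 16-entry MSB-first table is a prefix of its 256-entry form,
            # so keep the first (largest) label recorded for an offset.
            hits.setdefault(pos, label)
            pos = blob.find(sig, pos + 1)
    return sorted(hits.items())

# Constructed sample: filler bytes around a 16-entry CRC-16/CCITT table.
SAMPLE = (b"\x90" * 37
          + struct.pack("<16H", *crc_table(0x1021, 16, 16, False))
          + b"\xcc" * 20)

if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print("0x%04x  %s" % (offset, label))
```

A table that matches none of the known signatures is the interesting case for attribution work, since its constants can then be searched for in published source code.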
Stewart also found identifiers in the code suggesting that English-language systems had been used to compile it, although he added that these identifiers could have been edited later.
Certain elements of the code appear to have been in development since 2006, Stewart said. "This date is only a year or so after the Titan Rain attacks, which largely used widely available trojans that were already known to antivirus companies," Stewart noted. "As a result of using completely original code and then only in highly targeted attacks, the Aurora code seems to have escaped detection for quite some time."
Titan Rain was a co-ordinated attack on US computers, originating from China, that took place from 2003.