“Operation Aurora” was a coordinated attack that included a piece of computer code exploiting a vulnerability in Internet Explorer to gain access to computer systems. The exploit was then extended to download and activate malware within those systems. The attack, which was initiated surreptitiously when targeted users accessed a malicious Web page (likely because they believed it to be reputable), ultimately connected those computer systems to a remote server. That connection was used to steal company intellectual property and, in Google’s case, gain access to user accounts. Microsoft has issued a security advisory and McAfee is working closely with Microsoft in this matter.
QUESTIONS & ANSWERS
What is McAfee doing to protect customers?
Could my organization be at risk of being infected?
The computer code that exploits the Microsoft Internet Explorer vulnerability has unfortunately been released publicly and is available on the Web. The public release significantly increases the possibility of widespread attacks using the vulnerability, putting Microsoft Internet Explorer users at potentially serious risk.
Microsoft is aware of the targeted attacks, primarily on Microsoft Internet Explorer 6, and lists the following combinations as vulnerable: Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.
How can I protect my organization?
For system protection, we recommend the following steps:
1. Ensure that your McAfee antivirus/antimalware is up to date with a .DAT file 5862 or greater.
2. If your .DAT files were not at this level, run a full system scan on your system, or on each system.
3. Set your Microsoft Internet Explorer browser settings to HIGH and restrict browsing to known sites until Microsoft provides a patch for the Internet Explorer exploit.
4. Enable Artemis, McAfee’s real-time file reputation engine, which protects against known, new, and emerging threats, on your endpoint products. If you do not know how to do this, please visit the McAfee KnowledgeBase to access a video tutorial and KB articles.
5. If you have the capability to log all outbound Web requests, do so for future forensics.
How can I tell if my systems are infected by Aurora?
If you are a McAfee VirusScan Engine customer, verify that you are using .DAT 5862, released on January 15, 2010, and perform a full scan on all machines within your enterprise, starting with the most sensitive servers. If any of the following signatures is triggered (Exploit-Cornele, Roarur.dr or Roarur.dll), you very likely have an infected Aurora host.
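The triage described in steps 1 and 2 and in the signature check above, as an added example that is not McAfee's code: it reads a constructed inventory export and orders hosts for follow-up. The column names, host names, tier values and the "Other-Detection" name are assumptions, not a McAfee report format.

```python
import csv
import io

MIN_DAT = 5862  # minimum .DAT level named in the advisory
AURORA_SIGNATURES = {"exploit-cornele", "roarur.dr", "roarur.dll"}

# Constructed sample export; columns and hosts are assumptions for illustration.
# "dat_at_last_scan" is the .DAT level in use when the last full scan ran;
# "tier" 1 marks the most sensitive servers.
SAMPLE_EXPORT = """host,tier,dat_version,dat_at_last_scan,detections
ws-014,3,5862,5862,
src-repo-01,1,5863,5863,Roarur.dr;Roarur.dll
mail-02,2,5862,5850,
ws-101,3,5840,5840,
hr-db-01,1,5862,5862,Other-Detection
"""

def triage(export_text, min_dat=MIN_DAT):
    """Classify each host as 'infected', 'update', 'rescan' or 'ok'."""
    results = []
    for row in csv.DictReader(io.StringIO(export_text)):
        names = {d.strip().lower() for d in row["detections"].split(";") if d.strip()}
        hits = sorted(names & AURORA_SIGNATURES)
        if hits:
            status = "infected"   # one of the three Aurora signatures fired
        elif int(row["dat_version"]) < min_dat:
            status = "update"     # step 1: .DAT below 5862, update then scan
        elif int(row["dat_at_last_scan"]) < min_dat:
            status = "rescan"     # step 2: last full scan predates .DAT 5862
        else:
            status = "ok"
        results.append({"host": row["host"], "tier": int(row["tier"]),
                        "status": status, "hits": hits})
    # Work order: infected hosts first, then most sensitive tier first.
    order = {"infected": 0, "update": 1, "rescan": 2, "ok": 3}
    results.sort(key=lambda r: (order[r["status"]], r["tier"], r["host"]))
    return results

if __name__ == "__main__":
    for r in triage(SAMPLE_EXPORT):
        print(f'{r["host"]:<12} tier={r["tier"]} {r["status"]:<8} {",".join(r["hits"])}')
```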
If you believe you may have been infected by Aurora, contact McAfee Foundstone. McAfee is offering free, onsite Incident Response Services to qualified companies affected by Aurora.