Operation Aurora

How do I know if my organization has been infected?
Operation Aurora, for the known attacks to date, delivers a set of files and utilizes a set of external domains in its attacks. Analyzing your systems and infrastructure for these identifiers can indicate exposure.

Could my organization be at risk of being infected?
The computer code that exploits the Microsoft Internet Explorer vulnerability has unfortunately been released publicly and is available on the web. The public release significantly increases the possibility of widespread attacks using the vulnerability, putting Microsoft Internet Explorer users at potentially serious risk.

Microsoft is aware of the targeted attacks, has issued a security bulletin and patch, and lists the following combinations to be vulnerable: Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

How can I protect my organization?
Upon learning of the attack, researchers at McAfee Labs delivered malware detection; behavioral and content signatures; web security, IPS, and IP security updates; product configuration suggestions; and advice on the McAfee Labs blog.

McAfee Global Threat Intelligence, our real-time, “in-the-cloud” data collection system for both known and emerging threats across all key threat vectors, monitors the web for exploits and hot spots related to Operation Aurora and other threats, and immediately delivers protection to McAfee products.

For system protection, we recommend the following steps:

  1. Ensure that your McAfee anti-virus/anti-malware software is up to date with .DAT file 5864 or greater.
  2. If your .DAT files were not at this level, run a full scan on your system, or on each affected system.
  3. Ensure that McAfee Artemis™ technology is enabled on your McAfee endpoint products. McAfee Artemis technology is real-time file reputation analysis technology that protects against both known and emerging malware threats. If you do not know how to do this, please visit the McAfee Corporate Knowledge Base to access a video tutorial.
  4. If you haven't already, deploy Microsoft's security updates for the appropriate IE platforms. Until you do so, turn your browser security settings to HIGH and restrict browsing to known sites.
  5. If you have other McAfee products, please visit the McAfee Labs blog for the latest signature updates, product configuration suggestions, and advice.
  6. If you have the capability to log all outbound web requests, do so for future forensics.

 

Take advantage of our solution kits and free trial offers

Incident Response Services. Let our Incident Response Team help you. If you believe you may have been infected by Aurora, McAfee is offering free, onsite Incident Response Services to qualified companies in North America affected by Aurora. Contact McAfee Foundstone services.

Risk Assessment. With Microsoft releasing an out-of-band patch for Aurora on Jan 21, 2010, many companies are now struggling to figure out which systems are vulnerable and which need to be patched. To help companies understand precisely which systems are at risk, and which systems do or do not need to be patched, you can take advantage of a free trial of McAfee Risk Advisor software.

Vulnerability Detection. This simple-to-use tool scans your environment for systems that have the Microsoft Internet Explorer vulnerability and detects infected systems that were exploited by Operation Aurora. Click here to learn more and download the McAfee Aurora Vulnerability Detection Tool.

System Cleanup. Take advantage of the free McAfee Stinger tool.

Web Gateway. McAfee Web Gateway solution's advanced anti-malware protection proactively secured organizations against Aurora—without an update and without worry. Get ahead of the next zero-day threat. Take advantage of a free trial of McAfee Web Gateway today.

Endpoint Security. To help protect your organization from Operation Aurora, take advantage of a free trial of McAfee Total Protection software for Endpoint with our all-in-one anti-malware technology, intrusion prevention, web protection, and endpoint firewall solution. Register here for your free trial.

Application Whitelisting. Take advantage of a free trial of McAfee Application Control software, our industry-leading application whitelisting solution that does not require any signature updates. To prevent Aurora and other zero-day attacks from affecting your environment, download your free trial.

Network Security. Secure your network from the Aurora attack today with advanced McAfee Network Security technologies. The most attacked and most sensitive networks in the world trust McAfee Network Security solutions. Register to request no-cost evaluation versions of our Firewall Enterprise Virtual Appliance and a virtual version of our Network Threat Response solution.

McAfee products' coverage for Aurora

Operation Aurora was a multi-staged attack. McAfee offers the following products and solutions that protect customers across the multiple stages of Operation Aurora.

Step 1: Attack initiated. User with IE vulnerability visits website infected with Operation Aurora malware.

Step 2: Attack in progress. Website exploits vulnerability; malware (disguised as JPG) downloaded to user system.

Step 3: Attack setup complete. Malware installed on user system; malware opens back door (using custom protocol acting like SSL) that gives access to sensitive data.
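
Step 3 describes a back door whose traffic uses a custom protocol acting like SSL, and the protection steps recommend logging outbound web requests for forensics. As an added example (not McAfee's code or detection logic), the Python below checks whether the first client bytes of an outbound port-443 flow form a well-formed TLS record carrying a ClientHello. It assumes the imitation does not reproduce a valid TLS handshake; all function names, addresses and payloads are constructed for illustration.

```python
import struct

TLS_CONTENT_TYPES = {20, 21, 22, 23}  # change_cipher_spec, alert, handshake, app data
MAX_RECORD_LEN = 2**14 + 2048         # largest legal TLS record body

def classify_first_bytes(payload: bytes) -> str:
    """Classify the first client-to-server bytes seen on an outbound 443 flow."""
    if len(payload) < 5:
        return "too-short"
    ctype, major, minor, rec_len = struct.unpack("!BBBH", payload[:5])
    # Record header: known content type, version 3.0-3.3, sane length.
    # (Legacy SSLv2-format hellos are not handled and will report as not-tls.)
    if ctype not in TLS_CONTENT_TYPES or major != 3 or minor > 3:
        return "not-tls"
    if rec_len == 0 or rec_len > MAX_RECORD_LEN:
        return "not-tls"
    if ctype != 22:
        return "suspicious"  # a genuine session opens with a handshake record
    body = payload[5:5 + rec_len]
    if len(body) < 4:
        return "too-short"
    hs_len = int.from_bytes(body[1:4], "big")
    # The client's first handshake message must be a ClientHello (type 1)
    # whose declared length fits inside the record that carries it.
    if body[0] != 1 or hs_len + 4 > rec_len:
        return "suspicious"
    return "tls-client-hello"

def flag_flows(flows):
    """Return (src, dst, verdict) for flows that do not open with a ClientHello."""
    out = []
    for src, dst, payload in flows:
        verdict = classify_first_bytes(payload)
        if verdict != "tls-client-hello":
            out.append((src, dst, verdict))
    return out

def sample_client_hello() -> bytes:
    """Constructed minimal ClientHello: TLS 1.2, zero random, one cipher suite."""
    hello = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs

# Constructed sample flows (documentation address ranges, made-up payloads).
SAMPLE_FLOWS = [
    ("10.0.0.5", "192.0.2.10:443", sample_client_hello()),
    ("10.0.0.7", "198.51.100.20:443", b"\x00\x01\x02\x03constructed-non-tls"),
    ("10.0.0.9", "203.0.113.30:443", b"\x17\x03\x01\x00\x10" + bytes(16)),
]
```

A flow reported as `not-tls` or `suspicious` is a lead for review against the host's other outbound activity, not a verdict by itself.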