{"id":3622,"date":"2010-01-14T14:48:00","date_gmt":"2010-01-14T22:48:00","guid":{"rendered":"http:\/\/www.labs.com\/research\/blog\/?p=3622"},"modified":"2025-06-02T20:55:29","modified_gmt":"2025-06-03T03:55:29","slug":"more-details-on-operation-aurora","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/more-details-on-operation-aurora\/","title":{"rendered":"More Details on "Operation Aurora""},"content":{"rendered":"

Earlier today, George Kurtz posted an entry, \u2018Operation \u201cAurora\u201d\u009d Hit Google, Others<\/a>\u2019, \u00c2\u00a0on the McAfee\u2019s Security Insight blog\u00c2\u00a0 The purpose of this blog is to answer questions about this particular attack; fill in some of the threat flow and McAfee coverage details.<\/p>\n

How were systems compromised?<\/strong><\/h2>\n

When a user manually loaded\/navigated to a malicious web page from a vulnerable Microsoft Windows system, JavaScript code exploited a zero-day vulnerability in Internet Explorer;\u00c2\u00a0 Microsoft Internet Explorer DOM Operation Memory Corruption Vulnerability<\/a>.\u00c2\u00a0 Microsoft has released Security Advisory (979352)<\/a> for this vulnerability (CVE-2010-0249).<\/p>\n

What was the payload of the exploit?<\/strong><\/h2>\n

Once a system was successfully compromised, the exploit was designed to download and run an executable from a site, which has since been taken offline.\u00c2\u00a0 That executable installed a remote access Trojan to load at startup.\u00c2\u00a0 This Trojan also contacted a remote server.\u00c2\u00a0 This allowed remote attackers to view, create, and modify information on the compromised system.<\/p>\n

How wide-spread is this attack?<\/strong><\/h2>\n

Aurora appears to have been a very concentrated attack on specific targets.\u00c2\u00a0 It is not believed to be widespread at this time.<\/p>\n

How serious is this vulnerability?<\/strong><\/h2>\n

The Microsoft Internet Explorer vulnerability leveraged in this attack allows for remote code execution, but does require user intervention (such as following a hyperlink to a website, or opening an email attachment, etc).\u00c2\u00a0 Furthermore, the single exploit known to exist can be thwarted by Data Execution Prevention (DEP), enabled by default in Internet Explorer 8 and optionally in Internet Explorer 7. \u00c2\u00a0Microsoft lists the following combinations to be vulnerable: Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are affected.<\/p>\n

How are McAfee customers protected from this attack?<\/strong><\/h2>\n

McAfee DAT files (antivirus): Coverage will be provided for associated malware (as Exploit-Comele<\/a>, Roarur.dr<\/a>, and Roarur.dll<\/a> in the 5862 DATs, releasing January 15. Partial coverage is provided in the current (5861) DATs for some components as Generic.dx!kwv, Generic Spy.e, Spy-Agent.ey, and Exploit-Comele.<\/p>\n

McAfee VirusScan Enterprise Buffer Overflow Protection: Generic Buffer Overflow Protection is expected to cover some, but not all, exploits.<\/p>\n

McAfee Host Intrusion Prevention: Generic Buffer Overflow Protection is expected to cover some, but not all, exploits.<\/p>\n

McAfee Network Security Platform: The UDS release of January 14 contains the signature “UDS-HTTP: Microsoft Internet Explorer HTML DOM Memory Corruption” which provides coverage.<\/p>\n

McAfee Vulnerability Manager: The FSL\/MVM package of January 14 includes a vulnerability check to assess if your systems are at risk.<\/p>\n

Updated Jan 14<\/span>
\nMcAfee Web Gateway (formerly Webwasher): TrustedSource has coverage for domains and IP addresses that the malware contacts and coverage for associated malware was released January 15 (as BehavesLike.JS.Obfuscated.E\u201c), proactive coverage existed for some components (as Trojan.Crypt.XDR.Gen).<\/p>\n

Updated Jan 16<\/span>
\nMcAfee Firewall Enterprise (formerly Sidewinder): TrustedSource has coverage for domains and IP addresses that the malware contacts and coverage for associated malware was released January 15 (as BehavesLike.JS.Obfuscated.E\u201c), proactive coverage existed for some components (as Trojan.Crypt.XDR.Gen).<\/p>\n

Updated Jan 18<\/span>
\nMcAfee Network Security Platform: Extended coverage is provided in the January 18 UDS release via the “Microsoft Internet Explorer HTML DOM Memory Corruption III” signature. Coverage was originally provided in the UDS release of January 14.<\/p>\n

McAfee Application Control: All versions of McAfee Application Control protect against infection, without updates, and will prevent all versions of the “Aurora” attack witnessed to date.<\/p>\n

McAfee Firewall Enterprise: TrustedSource has coverage for domains and IP addresses that the malware contacts. The embedded McAfee AV scanning engine in Firewall Enterprise version 7.0.1.02 and later provides coverage for supported protocols via standard McAfee DAT updates. Coverage for known exploits and associated malware is provided as Exploit-Comele, Roarur.dr, and Roarur.dll in the 5862 DATs, released January 15.<\/p>\n

McAfee SiteAdvisor, SiteAdvisor Plus, SiteAdvisor Enterprise: TrustedSource has coverage for domains and IP addresses that the malware contacts.<\/p>\n

Updated coverage information will be communicated through McAfee Security Advisories:
\nhttps:\/\/www.mcafee.com\/us\/threat_center\/securityadvisory\/signup.aspx<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Earlier today, George Kurtz posted an entry, \u2018Operation \u201cAurora\u201d\u009d Hit Google, Others\u2019, \u00c2\u00a0on the McAfee\u2019s Security Insight blog\u00c2\u00a0 The purpose…<\/p>\n","protected":false},"author":674,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[],"coauthors":[3973],"class_list":["post-3622","post","type-post","status-publish","format-standard","hentry","category-mcafee-labs"],"acf":[],"yoast_head":"\nMore Details on "Operation Aurora" | McAfee Blog<\/title>\n<meta name=\"description\" content=\"Earlier today, George Kurtz posted an entry, \u2018Operation \u201cAurora\u201d\u009d Hit Google, Others\u2019, \u00c2\u00a0on the McAfee\u2019s Security Insight blog\u00c2\u00a0 The purpose of this blog\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"More Details on "Operation Aurora" | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"Earlier today, George Kurtz posted an entry, \u2018Operation \u201cAurora\u201d\u009d Hit Google, Others\u2019, \u00c2\u00a0on the McAfee\u2019s Security Insight blog\u00c2\u00a0 The purpose of this blog\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/more-details-on-operation-aurora\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2010-01-14T22:48:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-06-03T03:55:29+00:00\" \/>\n<meta name=\"author\" content=\"McAfee\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"McAfee\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/more-details-on-operation-aurora\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/more-details-on-operation-aurora\/\"},\"author\":{\"name\":\"McAfee\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/47851fdb92fad9456152405839c92efa\"},\"headline\":\"More Details on "Operation Aurora"\",\"datePublished\":\"2010-01-14T22:48:00+00:00\",\"dateModified\":\"2025-06-03T03:55:29+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/more-details-on-operation-aurora\/\"},\"wordCount\":674,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/more-details-on-operation-aurora\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/more-details-on-operation-aurora\/\",\"name\":\"More Details on "Operation Aurora" | McAfee Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"datePublished\":\"2010-01-14T22:48:00+00:00\",\"dateModified\":\"2025-06-03T03:55:29+00:00\",\"description\":\"Earlier today, George Kurtz posted an entry, \u2018Operation \u201cAurora\u201d\u009d Hit Google, Others\u2019, \u00c2\u00a0on the McAfee\u2019s Security Insight blog\u00c2\u00a0 The purpose of this blog\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/more-details-on-operation-aurora\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/more-details-on-operation-aurora\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/more-details-on-operation-aurora\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"More Details on "Operation Aurora"\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/47851fdb92fad9456152405839c92efa\",\"name\":\"McAfee\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/1ffadfeeda1f4f9e7891a81f27a9ecf4\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/08\/Original-Logo-96x96.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/08\/Original-Logo-96x96.png\",\"caption\":\"McAfee\"},\"description\":\"We're here to make life online safe and enjoyable for everyone.\",\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/x.com\/McAfee\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/mcafee\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"More Details on "Operation Aurora" | McAfee Blog","description":"Earlier today, George Kurtz posted an entry, \u2018Operation \u201cAurora\u201d\u009d Hit Google, Others\u2019, \u00c2\u00a0on the McAfee\u2019s Security Insight blog\u00c2\u00a0 The purpose of this blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"More Details on "Operation Aurora" | McAfee Blog","og_description":"Earlier today, George Kurtz posted an entry, \u2018Operation \u201cAurora\u201d\u009d Hit Google, Others\u2019, \u00c2\u00a0on the McAfee\u2019s Security Insight blog\u00c2\u00a0 The purpose of this blog","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/more-details-on-operation-aurora\/","og_site_name":"McAfee Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_author":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2010-01-14T22:48:00+00:00","article_modified_time":"2025-06-03T03:55:29+00:00","author":"McAfee","twitter_card":"summary_large_image","twitter_creator":"@McAfee","twitter_site":"@McAfee","twitter_misc":{"Written by":"McAfee","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/more-details-on-operation-aurora\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/more-details-on-operation-aurora\/"},"author":{"name":"McAfee","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/47851fdb92fad9456152405839c92efa"},"headline":"More Details on "Operation Aurora"","datePublished":"2010-01-14T22:48:00+00:00","dateModified":"2025-06-03T03:55:29+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/more-details-on-operation-aurora\/"},"wordCount":674,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"articleSection":["McAfee Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/more-details-on-operation-aurora\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/more-details-on-operation-aurora\/","name":"More Details on "Operation Aurora" | McAfee Blog","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"datePublished":"2010-01-14T22:48:00+00:00","dateModified":"2025-06-03T03:55:29+00:00","description":"Earlier today, George Kurtz posted an entry, \u2018Operation \u201cAurora\u201d\u009d Hit Google, Others\u2019, \u00c2\u00a0on the McAfee\u2019s Security Insight blog\u00c2\u00a0 The purpose of this blog","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/more-details-on-operation-aurora\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/more-details-on-operation-aurora\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/more-details-on-operation-aurora\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"More Details on "Operation Aurora""}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/47851fdb92fad9456152405839c92efa","name":"McAfee","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/1ffadfeeda1f4f9e7891a81f27a9ecf4","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/08\/Original-Logo-96x96.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/08\/Original-Logo-96x96.png","caption":"McAfee"},"description":"We're here to make life online safe and enjoyable for everyone.","sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/x.com\/McAfee"],"url":"https:\/\/www.mcafee.com\/blogs\/author\/mcafee\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/3622","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/674"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=3622"}],"version-history":[{"count":2,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/3622\/revisions"}],"predecessor-version":[{"id":214987,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/3622\/revisions\/214987"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=3622"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=3622"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=3622"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=3622"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}