Google's "Get Out of China" Free Card analyzed
1/16/2010 by: Sean Kalinich
Throughout history there have always been people willing to steal and spy. It is an honored profession in many cultures, and risking your life to gather information from another country is seen as a great act of patriotism. Of course the country being spied on sees it quite differently, but the world is all perception anyway. Now that we are in the age of the cyber spy, espionage is often run from a single console connected through multiple hops to remote systems that were compromised earlier for use in distributed attacks. This makes it harder [but not impossible] to track and locate the perpetrators, and it also means that finding the source system of an attack does not mean you have found the root source. As mentioned, the actual attack may come through several bounce systems [the author calls them BNCs, borrowing the IRC term] before it reaches the system with the command and control [CNC] functions, and from there through several more bounces before you find the origin of the malicious code. Even communication from an infected target system is hard to trace. Often the malware author will place an intermediate server for direct communication with infected targets, which then relays the traffic back to the main CNC servers. Yes, sometimes people get sloppy and script a return bounce directly from a target system, but that leaves the path open to discovery by decompiling the code found on the infected machine. So in the end it is very hard to find the source of any sophisticated attack.
By now I know you are wondering what this has to do with anything. Well, it has everything to do with a recent announcement by Google. In the announcement Google directly pointed the finger at China for corporate espionage. They claim that they were able to trace the source of a targeted attack on their [and other companies'] systems to China. The attack, Google claims, was delivered through a vulnerability in Microsoft's Internet Explorer and was used to gain remote control of systems with access to sensitive data. So far the story sounds entirely plausible.
But let's take a look at the presented facts and see if they really hold water, or if there is something else going on that Google and others might not want you to know about.
Google’s Part -
When Google first entered the Chinese market in 2006 it was under an agreement with the Chinese government that they keep tabs on who was searching for what information. The government also required Google to block certain search terms and phrases. What many people do not know is that Google also had to keep track of who was using [and what they were doing with] its GMail service. This was a requirement of doing business in China, which is recognized as one of the largest internet markets in the world.
Coming back to 2010, Google is now saying it had always hoped it would be able to drop those systems eventually. I am not sure why they are saying this; perhaps they felt their power and money would sway the Chinese government, perhaps they were just staggeringly naïve, or perhaps they are not being honest. In fact the opposite has been happening: Google [and other companies] have found themselves under pressure to implement even stricter filtering and to provide more information to the overly paranoid Chinese government. I am sure that at some point the Google executives must have regretted their decision to open up shop in China, but how do you leave and save face?
Crying Foul -
On Tuesday, Google announced that it had uncovered a sophisticated multi-layered attack on its own corporate infrastructure as well as on up to 20 other companies. They say the attack ran from mid-December to January 4th, roughly a period of three weeks. The reporting of the attack was interesting: first Google claimed that it exploited a vulnerability in Adobe's Acrobat Reader, but then the statement was changed to say that it was a previously unknown flaw in IE. Google says that some IP [intellectual property] was stolen and that some basic GMail account information [account creation date and subject lines of e-mails] was accessed. These accounts belonged to two human rights activists in China. Google then went on to say that these accounts were the actual goal of the attack, that the attack had been traced back to its source, and that it used CNC servers with IPs previously associated with other attacks from China. Google's comments sounded hurt and offended, yet while crying foul they released no information detailing the attack.
McAfee Steps In -
While Google was unwilling [or unable] to detail the attack it uncovered and tracked down, the folks at McAfee were able to. According to McAfee the attack was JavaScript based and used multiple layers of encryption and packing to get past malware scanners. It was basically a "drive by" attack: a malicious coder sends a link to a booby-trapped web page that forces the download of code components onto the visiting system. McAfee went on to detail that the code used multiple encryption keys, further masking the individual modules. One module even disguised its communication with the attackers' servers as normal SSL [Secure Sockets Layer] traffic. The code was a back door allowing remote control of the infected system; McAfee described it as a beachhead that gave the attackers entry to the system, from which they could explore further at will. But although McAfee was able to describe the level of sophistication of the code, strangely they were not willing to point the finger at China. They said that they were unable to conclusively determine the location of the control servers.
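McAfee's point that the back door dressed its command-and-control traffic up as SSL is worth making concrete, because "it runs on port 443" and "it is TLS" are not the same thing. The following is an added example, not code from the original article or from McAfee or Google; it is a generic structural check that a practitioner might run over the first client-to-server payload of each port-443 flow: a genuine SSL/TLS session must begin with a well-formed handshake record carrying a ClientHello, so anything else on that port deserves a closer look. The flows, IP addresses [from the RFC 5737 documentation ranges] and payload bytes below are constructed for the example and are not taken from any real incident.

```python
"""Flag port-443 flows whose first client payload is not a real TLS ClientHello.

Added illustration for the 'fake SSL' command-and-control trick described in
the article. All sample flows and payloads are constructed, not captured.
"""

import struct

TLS_HANDSHAKE = 0x16          # record-layer content type for handshake messages
CLIENT_HELLO = 0x01           # handshake message type
# Record-layer version values seen in real ClientHellos (SSL 3.0, TLS 1.0-1.2;
# TLS 1.3 clients still send 0x0301 or 0x0303 at the record layer).
KNOWN_VERSIONS = {0x0300, 0x0301, 0x0302, 0x0303}
MAX_RECORD_LEN = 16384 + 2048  # 2^14 plaintext plus the RFC 5246 expansion allowance
# Smallest possible ClientHello body: version(2) + random(32) + session id len(1)
# + cipher suites len(2) + one suite(2) + compression len(1) + one method(1)
MIN_CLIENT_HELLO_BODY = 41


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """Structural check only: is this the start of a TLS record carrying a ClientHello?

    Verifies the record header, the handshake header and the hello version field.
    It does not parse cipher suites or extensions, and it cannot see anything that
    is encrypted inside a genuine TLS session.
    """
    if len(payload) < 11:
        return False
    content_type, rec_version, rec_len = struct.unpack("!BHH", payload[:5])
    if content_type != TLS_HANDSHAKE or rec_version not in KNOWN_VERSIONS:
        return False
    if rec_len == 0 or rec_len > MAX_RECORD_LEN:
        return False
    if len(payload) - 5 < rec_len:
        # The record claims more bytes than we hold: truncated capture, or a fake
        # header in front of arbitrary data. Either way we cannot vouch for it.
        return False
    hs_type = payload[5]
    hs_len = int.from_bytes(payload[6:9], "big")
    if hs_type != CLIENT_HELLO or hs_len + 4 != rec_len or hs_len < MIN_CLIENT_HELLO_BODY:
        return False
    (hello_version,) = struct.unpack("!H", payload[9:11])
    return hello_version in KNOWN_VERSIONS


def flag_fake_ssl(flows):
    """flows: iterable of (src_ip, dst_ip, dst_port, first_client_payload).

    Returns the (src_ip, dst_ip) pairs talking to port 443 without a TLS handshake.
    """
    return [
        (src, dst)
        for src, dst, dport, data in flows
        if dport == 443 and not looks_like_tls_client_hello(data)
    ]


def build_client_hello() -> bytes:
    """Construct a minimal, well-formed TLS 1.2 ClientHello as the benign sample."""
    body = (
        struct.pack("!H", 0x0303)      # client_version TLS 1.2
        + b"\x11" * 32                 # random (fixed bytes; this is a sample)
        + b"\x00"                      # session id length 0
        + struct.pack("!H", 2) + b"\x00\x2f"  # one cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
        + b"\x01\x00"                  # one compression method: null
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(handshake)) + handshake


# Constructed samples. FAKE_SSL_RECORD copies a plausible record header onto 32
# bytes of junk; PLAINTEXT_BEACON is HTTP pushed over 443 with no TLS at all.
FAKE_SSL_RECORD = b"\x16\x03\x01" + b"\x00\x20" + bytes(range(32))
PLAINTEXT_BEACON = b"GET /index.asp?id=0xDEADBEEF HTTP/1.1\r\n"

SAMPLE_FLOWS = [
    ("10.0.0.4", "198.51.100.20", 443, build_client_hello()),   # real TLS, not flagged
    ("10.0.0.5", "203.0.113.9", 443, FAKE_SSL_RECORD),           # masquerading C2
    ("10.0.0.6", "198.51.100.21", 80, PLAINTEXT_BEACON),         # plain HTTP on 80, ignored
    ("10.0.0.7", "203.0.113.10", 443, PLAINTEXT_BEACON),         # plaintext on 443
]

if __name__ == "__main__":
    for src, dst in flag_fake_ssl(SAMPLE_FLOWS):
        print(f"non-TLS traffic to port 443: {src} -> {dst}")
```

The check catches the trick McAfee described, a home-grown protocol hiding behind the port number, but it says nothing about a back door that speaks genuine TLS to a server the attacker controls; for that you are back to certificate and destination analysis, which is exactly why tracing the CNC servers is the hard part.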
Adobe and Microsoft -
Remember how we said that initially Google and other researchers thought it was a flaw in Adobe Reader? That is an interesting statement for both Google and McAfee to have made, because for the better part of two years Adobe products [Flash and the Acrobat Reader plug-in] have been used as an attack vector. In fact at the 2008 Pwn2Own contest it was a flaw in Flash that brought down the Windows Vista machine. Still, Adobe was not happy with being the scapegoat on this one; they quickly released a statement saying there was no evidence that this was the case.
However, if you cannot blame Adobe, Microsoft is just as good. After all, everyone knows that Microsoft products have tons of holes and flaws. So Google and McAfee went for Internet Explorer. Finding a previously unknown flaw in IE is not out of the realm of possibility and is more than plausible. But is it what happened? Well, after a few updates and some additional information [we also spoke to a few white and black hats] we find that things are not so simple. As we mentioned, Google said the attack targeted IE; this prompted Microsoft to take a look and to release a security advisory. However, Microsoft Security Advisory 979352 says something that is downright confusing. Here is a quote from the advisory:
“At this time, we are aware of limited, active attacks attempting to use this vulnerability against Internet Explorer 6. We have not seen attacks against other affected versions of Internet Explorer. We will continue to monitor the threat environment and update this advisory if this situation changes. On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.”
Microsoft is admitting there is a flaw but also saying that the only known attacks are against IE6; so some things are not adding up. None of the information provided offers proof of the attack or of the investigation. It is quite simply PR statements being made with little supporting evidence, and all the players have things to gain and lose.
What does it all mean -
But that is not the only thing I noticed in the Google and other announcements. As I mentioned in the opening paragraph, attacks like the one Google is describing are very sophisticated. They use multiple bounce systems, layered encryption and masked protocols to move information to and from the command and control servers. These layers and bounces can be a mass of false trails, and each one can have its own security layer as well. So how did Google untangle that mass in such a short amount of time and locate the servers in China? Again, the guys who do this for fun [and sometimes profit] told us that it is possible to track down a CNC server quickly if you already know some of the legs, or if the person setting up the CNC used the same encryption on every leg of the path; basically, if the person running the attack was in a hurry or is very foolish. Now factor in the information from McAfee, a company that has not done well against other security companies over the past few years and has taken a back seat to Symantec, Kaspersky, ESET and others. Adobe gets the initial blame but says it was not them [while having quietly acknowledged an actively exploited Reader flaw in mid-December]; Microsoft takes the blame but then spins it to say there are no reports of this vector being used against anything but IE6, limiting the apparent impact of the now exposed flaw.
Now if this is true then I have to ask: why is anyone with access to sensitive IP or other information still using IE6? Having been the director of IT for more than one company in my life, I would be firing my staff if they left something like that on anyone's system. I would hope that Google and the others have a system in place for updates and patches. If not, then I would be very worried about using any systems or products they offer, as it shows a complete lack of security awareness.
What does all this mean? Well, to put it bluntly, Google wants out of China. They have been under pressure since day one to cooperate with censorship and search laws that are nothing short of medieval. They entered the market for money, plain and simple, but now they are seeing that there is a cost to being there, and that cost is simply not worth what they are getting in return. So they disclose a corporate attack and get everyone up in arms over the incident. I am not saying that there was no attack, or that it was not from China. I am saying that their presented time-line, lack of evidence and other speculative comments make this a rather transparent PR stunt. When we talked with a few other companies [and a few security experts] about attacks like this, we were told they are happening "all the time" and that while the actual attack can be found easily, it can take months to track it back to the source. Everyone we spoke to was highly suspicious of how quickly Google tracked the attack back to its source, considering the level of sophistication that Google and McAfee are claiming. Add to this a group of US companies that now have the US Government involved. This will put a large amount of pressure on China either to bow to Google's will and let them out of China without consequence, or to make concessions so that Google can continue to operate there. Remember that Eric Schmidt backed President Obama during his campaign and has been a technology advisor as well; it looks like he might be calling in some favors at this point. So, while Google is calling this attack the straw that broke the camel's back, personally I think it is more like a get out of jail free card for Google.
Tags:
Google, Green Dam, Censorship, Net Neutrality, China, Microsoft, McAfee, Exploits, Security
© 2009 - 2011 Bright Side Of News*, All rights reserved.