Researchers picking apart the malware sample used in the hacking attacks against several U.S. companies say some parts of the malware codebase have been in existence in China for nearly four years, confirming fears that these types of coordinated, targeted attacks have been going on for a very long time.
Joe Stewart, a malware analyst at SecureWorks, discovered that several components of the malware were written in mid-2006, more than three years before the attacks on Google, Adobe and others were first discovered.
In an interview with Threatpost's Dennis Fisher, Stewart said the attackers behind the cyber-espionage saga were very skilled and used several discrete modules in the malware codebase to each perform separate tasks during the exploitation, installation and remote-control process.
"I'd say it's of average sophistication for this kind of Trojan backdoor these days. It's not of any staggering technical complexity," Stewart said in an interview. "But the attackers did some things right. They used the code sparingly in highly targeted attacks, they didn't just use something off the shelf and they didn't pack and encrypt the binaries, because that looks suspicious. Using custom code was a smart move."
Despite the absence of "hard evidence" linking the attacks to the Chinese government, Stewart said there were enough clues in the code to suggest it was created by people in the People's Republic of China.
One significant discovery, Stewart explained, was a CRC (cyclic redundancy check) algorithm that was used to check for errors that might have been introduced into stored or transferred data.
After digging through the code and searching Google for references to that CRC algorithm, Stewart found that essentially every site referencing it was in Chinese. The original reference source code for the algorithm was also written in Chinese.
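The article does not give the CRC variant Stewart found, so the following added example (not code from the article or from the malware) assumes a standard CRC-16/ARC computed with a 16-entry nibble table; it shows why such a table is a useful code-reuse fingerprint and how a defender can scan a binary for it.

```python
import struct

# Assumption: CRC-16/ARC (polynomial 0x8005, bit-reflected as 0xA001).
# The article does not identify the actual polynomial or table.
POLY_REFLECTED = 0xA001


def build_nibble_table(poly=POLY_REFLECTED):
    """16-entry table: entry i is index i shifted through 4 bits of the CRC."""
    table = []
    for i in range(16):
        crc = i
        for _ in range(4):
            crc = (crc >> 1) ^ poly if crc & 1 else crc >> 1
        table.append(crc)
    return table


NIBBLE_TABLE = build_nibble_table()


def crc16_nibble(data, table=NIBBLE_TABLE):
    """CRC-16 using the small table: two lookups per byte, low nibble first."""
    crc = 0
    for b in data:
        crc ^= b
        crc = (crc >> 4) ^ table[crc & 0x0F]
        crc = (crc >> 4) ^ table[crc & 0x0F]
    return crc


def crc16_bitwise(data, poly=POLY_REFLECTED):
    """Bit-by-bit reference used to cross-check the table-driven version."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ poly if crc & 1 else crc >> 1
    return crc


def table_signatures(table=NIBBLE_TABLE):
    """Byte patterns the table takes when compiled as 16-bit or 32-bit words."""
    return {"u16le": struct.pack("<16H", *table), "u32le": struct.pack("<16I", *table)}


def find_crc_table(blob):
    """Return (encoding, offset) of the first table hit in blob, or None."""
    for name, sig in table_signatures().items():
        off = blob.find(sig)
        if off != -1:
            return name, off
    return None


# Constructed sample blob: filler bytes, then the table as 32-bit LE words.
SAMPLE_BLOB = b"\x90" * 40 + struct.pack("<16I", *NIBBLE_TABLE) + b"\xcc" * 8
```

A scanner like this is only as good as the table it was built from; a variant using a different polynomial or initial value will not match.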
Google has publicly blamed the attack on Chinese hackers but there are reports that insiders at the company's China office are being investigated.
- Microsoft says Google was hacked with IE zero-day
- Microsoft readies emergency IE patch to counter public exploits