JWP-Binde-McRee-OConnor
Assessing Outbound Traffic to Uncover Advanced Persistent Threat

Figure 3: Replicating the Operation Aurora Attack in Metasploit
However, signatures alone have shortcomings. Days after exploit code associated with the attack against Google was made publicly available, the Operation Aurora exploit was integrated into the Metasploit® framework (see Figure 3). Metasploit® is a free, open source penetration testing solution for testing exploits [Metasploit® contributors, 2010 and 2011]. Shortly thereafter, Avert Labs produced Intrusion Detection System (IDS) signatures to detect the malicious Aurora command and control network traffic [Blaxo, 2010]. A copy of the signature follows.
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Aurora C&C Checkin";
    flow:established,to_server;
    content:"|ff ff ff ff ff ff 00 00 fe ff ff ff ff ff ff ff ff ff 88 ff|"; offset:0; depth:20;
    classtype:trojan-activity;
    reference:url,www.avertlabs.com/research/blog/index.php/2010/01/18/an-insight-intothe-aurora-communication-protocol/;
    sid:10000000001; rev:1;)
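The signature above fires on a fixed 20-byte prefix of the client's first bytes to the server on port 443, which is exactly the kind of narrow match the text calls a shortcoming. The following Python is an added illustration, not code from the paper or from Avert Labs: it parses the rule's options, decodes the Snort content syntax into bytes, applies the content/offset/depth test as Snort does (look for the pattern starting at offset, within depth bytes), and runs it over a few constructed payloads. The sample payloads, the `parse_rule`, `decode_content`, `rule_fires` and `scan` helpers, and the port-only header check are all assumptions of this example; the sensor's flow tracking is taken as already done.

```python
"""Added example: apply the Aurora C&C check-in signature's content/offset/depth
test to constructed payloads. Only the destination port and the content test are
modelled; flow state is assumed to be handled by the sensor."""
import re
from typing import Optional

# The signature from the paper, joined onto one line.
AURORA_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Aurora C&C Checkin"; '
    'flow:established,to_server; '
    'content:"|ff ff ff ff ff ff 00 00 fe ff ff ff ff ff ff ff ff ff 88 ff|"; '
    'offset:0; depth:20; classtype:trojan-activity; '
    'reference:url,www.avertlabs.com/research/blog/index.php/2010/01/18/'
    'an-insight-intothe-aurora-communication-protocol/; sid:10000000001; rev:1;)'
)

# One option: keyword, optional ":value" (quoted or up to the next ';'), then ';'.
_OPTION_RE = re.compile(r'(\w+)(?::("(?:[^"\\]|\\.)*"|[^;]*))?;')


def parse_rule(rule: str) -> dict:
    """Split a Snort rule into its header fields and its option keywords."""
    head, _, body = rule.partition("(")
    body = body[: body.rindex(")")]
    action, proto, src, sport, _, dst, dport = head.split()
    opts = {k: v.strip('"') for k, v in _OPTION_RE.findall(body)}
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "options": opts}


def decode_content(content: str) -> bytes:
    """Decode Snort content syntax: |..| sections are hex bytes, the rest is literal text."""
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def content_matches(payload: bytes, pattern: bytes, offset: int = 0,
                    depth: Optional[int] = None) -> bool:
    """Snort semantics: search for `pattern` starting at `offset`, examining at most
    `depth` bytes from that offset (the whole remainder when depth is absent)."""
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    return pattern in window


def rule_fires(rule: dict, dport: int, payload: bytes) -> bool:
    """Apply the header destination-port test and the content/offset/depth test."""
    if rule["dport"] != "any" and int(rule["dport"]) != dport:
        return False
    opts = rule["options"]
    pattern = decode_content(opts["content"])
    offset = int(opts.get("offset", 0))
    depth = int(opts["depth"]) if "depth" in opts else None
    return content_matches(payload, pattern, offset, depth)


# Constructed sample payloads (not real captures).
AURORA_CHECKIN = bytes.fromhex(
    "ff ff ff ff ff ff 00 00 fe ff ff ff ff ff ff ff ff ff 88 ff") + b"\x00" * 12
TLS_CLIENT_HELLO = bytes.fromhex("16 03 01 00 a5 01 00 00 a1 03 03") + b"\x00" * 20
SHIFTED = b"\x00" + AURORA_CHECKIN   # same bytes, one position late: outside depth:20

SAMPLES = [
    ("aurora_checkin_443", 443, AURORA_CHECKIN),
    ("tls_client_hello_443", 443, TLS_CLIENT_HELLO),
    ("aurora_shifted_443", 443, SHIFTED),
    ("aurora_checkin_8080", 8080, AURORA_CHECKIN),
]


def scan(samples) -> dict:
    """Return {sample name: True if the Aurora rule fires on it}."""
    rule = parse_rule(AURORA_RULE)
    return {name: rule_fires(rule, dport, payload) for name, dport, payload in samples}


if __name__ == "__main__":
    sid = parse_rule(AURORA_RULE)["options"]["sid"]
    for name, fired in scan(SAMPLES).items():
        print(f"{name:24s} {'ALERT sid:' + sid if fired else '-'}")
```

Only the first sample fires: a one-byte shift moves the pattern outside the offset:0/depth:20 window, and the same bytes on another port never reach the content test. That is the trade-off the paragraph describes: the rule is precise for traffic that looks exactly like the published samples and blind to any variation of them.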
Page 10