倍可親

The Google Incident: China "Draws Its Sword"

Author: 解濱, posted 2010-1-20 05:04 on the liveliest Chinese social network, 貝殼村 (Beike Village)

General category: Politics, Economy and Military | 46 comments

Reader comments, page 2

Comments (46)

Reply Hansonding 2010-1-20 13:41
My feeling is that this is a very interesting business game. These past few days I have been organizing some thoughts to write about why Google "suddenly lashed out" at this particular moment. This is absolutely not a simple technical matter but a special kind of commercial hype. Brilliantly played!
Reply 美國魯漢 2010-1-20 14:05
After reading it, I feel the article is a bit gossipy.
Reply pekinese 2010-1-20 15:27
About DNS, it is easy to resolve: just build a couple of "root name servers" inside China, then have all "tier-1 service providers" in China use the "Chinese root name servers". It's easy to replicate all DNS records (NS, MX, A and so on). By this, the internet inside China would just function as an "intranet or extranet"; the only difference for us, from outside, is that we may not be able to use www.soho.com...
Reply SirCat 2010-1-20 17:15
snortbsd: well, so far no one knows the exact means of those attacks, but we can be 100% sure that google systems are not microsoft windows based, which means
I really admire the effort the author put in
Its main purpose
is indeed as you said:
to pin the responsibility on the Chinese government
As for the motive?
One can only guess
Heh heh
Reply snortbsd 2010-1-20 23:02
pekinese: about DNS, it is easy to resolve, just build couple "root name servers" inside china, then have all "tier-1 service providers" in
there was no real root server in china. it used to be that all of them were in the states back in the early 90s.

china telecom isn't a tier-1 provider, though it has enormous capacity. it is not that china telecom doesn't want to; the reason is very political. there is no centralized firewall for connecting outside. all of the chinese firewalls are distributed, which is why the details of blocking are a bit different from location to location, depending on where you are in china...
Reply snortbsd 2010-1-20 23:06
SirCat: I really admire the effort the author put in
Its main purpose
is indeed as you said:
to pin the responsibility on the Chinese government
As for the motive?
One can only guess
Heh heh
well, at least i am good enough to spot "experts"...
Reply brainwasher 2010-1-20 23:33
Interesting; the US military is not to be underestimated.
Reply 解濱 2010-1-20 23:51
Thank you all for your questions. This matter is still evolving. An ordinary hacker, after compromising a target, will always leave himself a back door so that he can get back in. The hackers who broke into Google this time also left a back door, but the clever part is that the back door was extremely sophisticated: it was locked with encryption so that only the hacker himself could get in. After American experts reverse-engineered that malicious code, they saw the source code. The encryption algorithm astonished the Americans, because it was not any of the ones described in Western textbooks. They spent enormous effort before they found the original algorithm on the website of a Chinese professional journal, written entirely in Chinese. That paper had no English index or abstract.

It seems Chinese academic papers are not all plagiarized from abroad, as some people claim. The good material is buried deep.
Reply 解濱 2010-1-21 03:01
The Wired magazine article gives a great deal of detail about the attack (see reference 8) and is well worth reading. Translated as follows:

The article quotes McAfee as saying that the hackers (who attacked Google) used unprecedented tactics, combining encryption, stealthy programming techniques and an unknown vulnerability in IE, with the intent of stealing source code from Google, Adobe and many other large companies.

Dmitri Alperovitch, the company's vice president of threat research, said: outside the defense industry, we have never seen companies in the commercial sector hit by an attack of this level of sophistication.

Alperovitch said the attackers used more than a dozen pieces of malicious code and multiple layers of encryption, dug deep into the company networks, and skillfully concealed their activity. Their encryption was very successful at disguising the attack and evading conventional detection methods. We have never seen this level of encryption. It is very sophisticated.

McAfee named the attack Aurora because it found that when the hackers compiled the malicious code into executables, the compiler inserted a path name from the attacker's machine into the code.

After the IE vulnerability was disclosed, Microsoft quickly published a security advisory for it, and McAfee added detection for the malicious code used in the attack to its products.

Although the initial attack began with company employees visiting a malicious website, researchers are still trying to determine whether the site's URL was delivered by e-mail, chat programs or some other means, such as Facebook or other social networking sites.

When users visited the malicious website, their IE browser was attacked and a series of malicious programs were automatically and secretly downloaded to the computer. Like Russian nesting dolls, these programs were downloaded to the system one after another.

Alperovitch said the initial attack code was triply encrypted shellcode used to trigger the exploit. It then executed a program downloaded from an external machine, which was also encrypted and which deleted the first program from the attacked machine. These encrypted binaries packed themselves into several executables that were also encrypted.

One of the malicious programs opened a remote back door and established an encrypted covert channel disguised as an SSL connection to avoid detection. This gave the attackers access to the compromised machine, which they used as a beachhead to push further into other parts of the network, searching for login credentials, intellectual property and whatever else they were looking for.

Through its participation in the investigation, McAfee obtained copies of some of the malicious code from the attacked companies and strengthened its products a few days ago.

As for the earlier statement by another security firm, iDefense, that some of the attacks used the Trojan.Hydraq trojan, Alperovitch said the malicious code he found was previously unknown to any anti-virus vendor.

iDefense also said the attackers used malicious PDF attachments and a vulnerability in Adobe's PDF software, but Alperovitch said he found no such thing at the companies he investigated. He said, however, that the methods used against different companies may differ and are not limited to the IE vulnerability.

Once the hackers got into the systems, they sent data to command-and-control servers located in Illinois and Texas in the United States and in Taiwan. Alperovitch did not identify which US systems were involved in the attack, nor did he say what the attackers obtained. Rackspace, however, reported that it had unwittingly played a minor role in the attack, and iDefense said the attackers targeted the source-code repositories of many companies and in many cases succeeded.

Alperovitch said the attack appeared to begin on December 15, though it may have started earlier. It seemed to end on January 4, the day the command-and-control servers used to exchange data with the malicious code were shut down.

He said: we do not know whether the servers were shut down by the attackers or by some other organization. But since then, the attacks have stopped.

Alperovitch also noted that the timing of the attack was very good: it came during the holidays, when companies' operations centers and security response teams were thinly staffed. The sophistication of the attack is impressive; it is the kind of attack previously aimed only at the defense industry. Attacks on the commercial sector are usually aimed at financial information, typically through SQL injection against a company's website or attacks on its insecure wireless networks. Cybercriminals generally do not spend large amounts of time polishing an attack to this degree, with obfuscation/encryption applied to every aspect.

McAfee has further details of the attack that it is not prepared to release at this time. It is already cooperating with US law enforcement and has informed US government agencies at all levels of the problem.
Reply snortbsd 2010-1-21 04:52
解濱: Thank you all for your questions. This matter is still evolving. An ordinary hacker, after compromising a target, will always leave himself a back door so that he can get back in. The hackers who broke into Google this time also left
backdoors are always secured...
Reply snortbsd 2010-1-21 04:57
解濱: The Wired magazine article gives a great deal of detail about the attack (see reference 8) and is well worth reading. Translated as follows:

The article quotes McAfee as saying that the hackers (who attacked Google) used unprecedented tactics, combining
i don't see any proof so far that the chinese government is behind those attacks. on the contrary, i smell a setup...
Reply 解濱 2010-1-21 05:45
snortbsd: i don't see any proof so far that the chinese government is behind those attacks. on the contrary, i smell a setup...
Read this:
http://www.secureworks.com/research/blog/index.php/2010/01/20/operation-aurora-clues-in-the-code/

The CRC algorithm used in the code was only published in simplified Chinese, with no author name (a bad thing: they should give the original author credit for what he or she achieved). Here is the Chinese publication:

http://www.mcu-club.com/upload/2009112715521857532.pdf
or
http://www.fjbmcu.com/chengxu/crcsuan.htm

This is a popular algorithm ONLY among Chinese programmers. It had not been used outside of China until now; the whole world is now paying attention to it. Too bad we still have no idea who the original author is.

So far, not a single (official or unofficial) Chinese information security expert has come out to reject the U.S. experts' claim. Once you see evidence like this, you have no doubt. What we see is similar to DNA evidence in biology.

Please also look at the simplified Chinese words in the code.

That is why even some pro-communist IT specialists agree that the Chinese government is behind the Google attack that took place last month.
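As an added illustration, not code from the thread or from the SecureWorks post linked above: the C below shows a table-driven CRC-16 in two forms, the usual 256-entry byte table and the 16-entry (nibble) table that the linked analysis describes as unusual, and checks both against a bit-serial reference on a constructed input. The polynomial (0x1021 with zero init, i.e. CRC-16/XMODEM) is an assumption chosen for illustration and is not claimed to be the one from the Aurora sample; the point is that a table size is a coding idiom, and the two idioms compute exactly the same checksum, which is what the thread is arguing about when it treats one of them as a fingerprint.

```c
#include <stdint.h>
#include <stddef.h>

/* Assumed polynomial for illustration (CRC-16/XMODEM: 0x1021, MSB-first,
 * init 0x0000). NOT claimed to be the polynomial in the Aurora sample. */
#define POLY 0x1021u

/* Shift a 16-bit register left `bits` times with polynomial feedback. */
static uint16_t shift_feedback(uint16_t c, int bits) {
    for (int b = 0; b < bits; b++)
        c = (c & 0x8000u) ? (uint16_t)((c << 1) ^ POLY) : (uint16_t)(c << 1);
    return c;
}

/* Bit-serial reference: the definition both tables must reproduce. */
uint16_t crc16_bitwise(const uint8_t *buf, size_t len) {
    uint16_t crc = 0;
    for (size_t i = 0; i < len; i++)
        crc = shift_feedback((uint16_t)(crc ^ ((uint16_t)buf[i] << 8)), 8);
    return crc;
}

/* Textbook form: 256-entry table, one lookup per input byte. */
uint16_t crc16_byte_table(const uint8_t *buf, size_t len) {
    static uint16_t table[256];
    static int ready = 0;
    if (!ready) {
        for (unsigned n = 0; n < 256; n++) table[n] = shift_feedback((uint16_t)(n << 8), 8);
        ready = 1;
    }
    uint16_t crc = 0;
    for (size_t i = 0; i < len; i++)
        crc = (uint16_t)((crc << 8) ^ table[((crc >> 8) ^ buf[i]) & 0xFFu]);
    return crc;
}

/* Nibble form: 16-entry table, two lookups per byte (high nibble first).
 * Smaller table, same result: each 4-bit step is linear, so splitting a byte
 * into two nibbles changes nothing about the checksum. */
uint16_t crc16_nibble_table(const uint8_t *buf, size_t len) {
    static uint16_t table[16];
    static int ready = 0;
    if (!ready) {
        for (unsigned n = 0; n < 16; n++) table[n] = shift_feedback((uint16_t)(n << 12), 4);
        ready = 1;
    }
    uint16_t crc = 0;
    for (size_t i = 0; i < len; i++) {
        crc = (uint16_t)((crc << 4) ^ table[((crc >> 12) ^ (buf[i] >> 4)) & 0xFu]);
        crc = (uint16_t)((crc << 4) ^ table[((crc >> 12) ^ buf[i]) & 0xFu]);
    }
    return crc;
}
```

On the standard check string "123456789" all three routines return 0x31C3 for this polynomial; the nibble form is what an analyst would recognise in a disassembly by its 16 constants rather than 256.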
Reply SirCat 2010-1-21 07:30
snortbsd: well, at least i am good enough to spot "experts"...
Many eyes are a good thing
When I read it
I really was
fooled by the author's
wide-ranging citations
and confident tone
It may well be another
commissioned piece
Heh heh
Reply snortbsd 2010-1-21 07:39
SirCat: Many eyes are a good thing
When I read it
I really was
fooled by the author's
wide-ranging citations
and confident tone
It may well be another
commissioned piece
Heh heh
i started my ip-related career in the early 90s, not including my unix time in college... :)
Reply snortbsd 2010-1-21 08:03
1) the finger-pointing of this "proof" is that this crc algorithm was originally from china and only chinese programmers know that crc algorithm.

this algorithm was freely available online! as for the notion of "ONLY among Chinese programmers", i really doubt that. it would not convince me that it was free online for so long and no one in the west ever noticed. do you really think the very existence of the nsa is for nothing? one can easily find chinese-speaking programmers in the west to craft the code and use it for their political purposes.

2) so far no official "experts" from either google or the us government have come out and presented their case officially. until that happens, i think the china side should just ignore the fuss there or the fuss here...

3) "pro-communist IT specialists"??? you??? certainly i don't buy it!!!
Reply snortbsd 2010-1-21 08:15
SirCat: Many eyes are a good thing
When I read it
I really was
fooled by the author's
wide-ranging citations
and confident tone
It may well be another
commissioned piece
Heh heh
the fishy parts are:

1) that evidence is conveniently located on the supposedly compromised server in taiwan. with the status of taiwan, no one can verify whether those statements are true or not.
2) instead of officially charging the chinese government or so, so far the accusers use media campaigns and logs from "experts" to back up their accusations. hacking happens all the time; why has this case stirred up so much commotion? with a series of events before this (last year) and after this, you gotta wonder what is really happening behind all of this...
Reply SirCat 2010-1-21 17:26
snortbsd: the fishy parts are:

1) that evidence is conveniently located on the supposedly compromised server in taiwan. with the status of taiwan, no one can
Yes
Clearly
someone in front is stirring up the waves
and someone behind is fanning them
Heh heh
Reply snortbsd 2010-1-21 21:56
SirCat: Yes
Clearly
someone in front is stirring up the waves
and someone behind is fanning them
Heh heh
there is tons of chinese code freely available online that potentially uses that crc algorithm. for instance, the chinese version of linux (called red flag?) and its associated freeware; another is a chinese version of freebsd, which is called chiling (i think, running on the chinese supercomputer), and the freeware associated with that. those two major operating systems (unix based) are free for download. even more for wintel based.

the expert blog analyzed code based on wintel, which could be from numerous sources.

it is absurd to point the finger at china as the sole suspect in this matter. in fact, i strongly believe it could be a setup as a prelude to a political campaign.
Reply SirCat 2010-1-22 09:10
snortbsd: there is tons of chinese code freely available online that potentially uses that crc algorithm. for instance, the chinese version of linux (called red
Same feeling.
Just like all the previous "propaganda campaigns"
for example
Darfur
Heh heh
Reply 謝盛友 2010-1-25 16:54
A writer who writes with care. Salute!
