TechJournal South

Atlanta security firm Damballa says Google hacks were amateurish

March 3rd, 2010

ATLANTA – Although the so-called China-based “Operation Aurora” attacks that Google reported were less sophisticated than early analysis suggested, they did manage to damage some sophisticated networks, says a report from Atlanta-based security firm Damballa.

Gunter Ollmann, vice president of research for Damballa, said, “Based on a thorough analysis of deeper data surrounding the attacks and examination of both malware and CnC topologies used by the criminals behind the attacks, it appears that Aurora can be best classified as just another increasingly common botnet attack and one that is more amateur than average.”

The company said the attacks, linked to botnets (groups of computers infected with hidden software), were “old school.”

Damballa traced the Aurora botnet to 22 countries, including China, the U.S., the United Kingdom, Germany and Taiwan, and found it used an attack called “dynamic domain name system command and control.” Damballa says the technique is an older method rarely used by professional botnets today.

The 31-page Damballa report, titled “The Command Structure of the Aurora Botnet: History, Patterns and Findings,” reveals that most of what has been reported to date understates the breadth and ordinariness of the attack.

Among the report’s findings:

  • At the time the attack was first noticed by Google in December 2009, systems within at least seven countries had already been affected.
  • The attacks that eventually targeted Google can be traced back to July 2009, with what appears to be the first testing of the botnet by its criminal operators.
  • Some of the botnets focused on victims outside of Google, suggesting that each set of domains might have been dedicated to a distinct class or vertical of victims.
  • There is evidence that there were multiple criminal operators involved and that the botnet operators were of an amateur level.

Val Rahmani, CEO at Damballa, said, “It is clear that traditional defense-in-depth measures, even those taken by some of the most advanced companies in the world, are incapable of stopping these criminal operators.”

Damballa solutions identify advanced network threats, terminate criminal activity and provide remediation guidance. Damballa customers include major banks, Internet service providers, government agencies, educational organizations, manufacturers and other companies typically targeted by organized cybercrime. The company recently closed a $9 million funding round and named Rahmani CEO.


© 2010, TechJournal South. All rights reserved.
