Wavety.com

Google Wave, News, Reviews, Gadgets and Robots.

Security Expert Confirms Chinese Fingerprints On Google Attacks

Date: 2010.01.23 | Category: Google Security

A researcher working with a leading US security firm has claimed that he has found ‘fingerprints’ of Chinese hackers in the ‘highly sophisticated’ cyber attack that had targeted search engine giant Google and several other US-based companies.

The Director of SecureWorks’ Counter Threat unit, Joe Stewart, who reverse engineered the code that was used in the cyber attack, reported that the newly discovered ‘fingerprint’ of Chinese hackers is an error-checking algorithm in the software that installed the Hydraq backdoor on the compromised PCs.

Stewart reported in his paper that the algorithm that installed the Hydraq backdoor comes from a technical paper in the Chinese language that has been published exclusively on some Chinese websites.

He also said that the CRC, or cyclic redundancy check, used a table of only 16 constants, a compact version of the more standard 256-value table.

Claiming that the CRC-16 is ‘virtually unknown’ outside China, he added that “This indicates the Aurora code base originated with someone who is comfortable reading simplified Chinese. Although source code itself is not restrained by any particular human language or nationality, most programmers reuse code documented in their native language.”

Originally published on ITProPortal.com

BobbyWong

Mr. Stewart's "China code" claim seems to have some problem:

1) A follow-up published by The Register on 1/26 contradicted the claim the CRC algorithm was not known outside China. The 4-bit CRC code has been around for over a decade in the device application arena. Once this fact is public, several code samples outside China have been located by bloggers discussing this issue.

2) Mr. Stewart seems to have neglected the fact variable names are stripped out during code compilation when he alluded to a variable name in the Aurora machine code. There is absolutely no link between the "crc_ta[16]" variable he identified as Chinese, and the machine code in Aurora.

Google "crc_table[16]" turns up many code examples ouside China, what does that prove?

3) Upon closer examination of Mr. Stewart's citations, the alleged Chinese white paper containing the algorithm, and code snip found by Googling the identified variable name, both turned up different code than what's in Aurora.

Specifically, the Aurora code contains a 12-bit shift optimization (found as early as 1988 according to The Register article):

crc16 >> 12

however the code passed around in Chinese sites is unoptimized code using two divisions:

((uchar)(crc/256))/16

blog comments powered by Disqus

' target='_blank' onclick="pageTracker._trackPageview('/outgoing/ads2.net-communities.co.uk/openx/www/delivery/ck.php?n=a6d5c7a0_amp_cb=INSERT_RANDOM_NUMBER_HERE_http_//ads2.net-communities.co.uk/openx/www/delivery/ck.php?n=a6d5c7a0_amp_cb=INSERT_RANDOM_NUMBER_HERE&referer=');">

Recent Posts

Recent Comments

Categories

News, Reviews, Audio / Video, Links, Events, Extensions, Gadgets, Robots, Emulators, Sandbox

ITProPortal Network

Site is owned and published by Net Communities

© Copyright Wavety.com 2012