Google botnet attack was 'amateurish'

Posted by Emma Woollacott

The Aurora attacks on Google which prompted it to threaten to pull out of China were carried out by a bunch of amateurs, according to security firm Damballa.

According to the company, which specialises in handling botnet attacks, while Aurora may have been particularly damaging, it was a 'garden variety' botnet that can be traced back to July 2009.

"The threat originally disclosed by Google on January 12th, 2010 has frequently been associated with state-endorsed attacks, and many vendors have explained the operation using a military vernacular,” commented Gunter Ollmann, vice president of research for Damballa.

"Based on a thorough analysis of deeper data surrounding the attacks and examination of both malware and CnC topologies used by the criminals behind the attacks, it appears that Aurora can be best classified as just another increasingly common botnet attack, and one that is more amateur than average."

Ollman said that the botnet has a simple command topology and made extensive use of Dynamic DNS CnC techniques - a construction that would be classed as rather old-fashoned today, and is now rarely used by professional botnet criminal operators.

"Trojan.Hydraq would have been just another piece of dumb malicious software if it did not have the ability to connect to a CnC server and receive new instructions or allow its criminal operators interactive control over its victims,” he says.

Damballa reckons that by the time Google first noticed the attack last December, at least seven countries had already been affected.

There's a report, here.