One researcher examining a sample of the malware used to attack Google and others for espionage purposes says it is clearly Chinese in origin, citing technical attributes of the Trojan's cyclic redundancy check (CRC) algorithm.
The attack disclosed last week impacted Google and possibly at least 30 other companies, and has been dubbed Operation Aurora after the name McAfee gave it.
"CRCs are used to check for errors that might have been introduced into stored or transferred data," says SecureWorks security researcher Joe Stewart in a paper titled "Operation Aurora: Clues in the Code."
Examining the Hydraq Trojan used in the attack, Stewart found that it uses a 16-bit CRC implementation whose source-code sample, he writes, "is of Chinese origin, released as part of a Chinese-language paper on optimizing CRC algorithms for use in controllers."
This CRC algorithm "seems to be virtually unknown outside of China," Stewart's paper states. "This information strongly indicates the Aurora codebase originated with someone who is comfortable reading simplified Chinese." Although source code is not constrained by any human language or nationality, most programmers reuse code documented in their native language, since to do otherwise "is to invite bugs and other unexpected problems" from misunderstanding the source code's purpose, the SecureWorks paper says.
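To make the attribution argument concrete, the following is an added example written for this article; it is not code from Stewart's paper, from Hydraq, or from the Chinese-language paper he cites. It assumes the polynomial 0x1021 (CRC-16/CCITT family) and assumes that the "optimized for controllers" trait at issue is a table-driven CRC-16 whose lookup table has only 16 entries, indexed one nibble at a time, instead of the usual 256. Both assumptions are this editor's, not the article's. The example builds that 16-entry table, computes the CRC both bit-by-bit and nibble-by-nibble, and cross-checks the two, so an analyst can see what the table constants look like as a byte pattern worth searching for in a binary.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define CRC16_POLY 0x1021u   /* x^16 + x^12 + x^5 + 1 (assumed polynomial) */

/* Advance the CRC register by one bit, MSB first. */
static uint16_t crc16_step(uint16_t crc)
{
    return (crc & 0x8000u) ? (uint16_t)((crc << 1) ^ CRC16_POLY)
                           : (uint16_t)(crc << 1);
}

/* Reference implementation: one bit per iteration, no table. */
uint16_t crc16_bitwise(const uint8_t *data, size_t len, uint16_t init)
{
    uint16_t crc = init;
    for (size_t i = 0; i < len; i++) {
        crc ^= (uint16_t)(data[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = crc16_step(crc);
    }
    return crc;
}

/* Entry n of the 16-entry table: the residue left after pushing nibble n
 * into the top of the register and shifting it out four times. */
uint16_t crc16_nibble_table_entry(unsigned n)
{
    uint16_t crc = (uint16_t)((n & 0xFu) << 12);
    for (int b = 0; b < 4; b++)
        crc = crc16_step(crc);
    return crc;
}

/* Table-driven implementation: 16 entries (32 bytes) instead of a 256-entry
 * (512-byte) table; two lookups per input byte, high nibble first. */
uint16_t crc16_nibble(const uint8_t *data, size_t len, uint16_t init)
{
    uint16_t table[16];
    for (unsigned n = 0; n < 16; n++)
        table[n] = crc16_nibble_table_entry(n);

    uint16_t crc = init;
    for (size_t i = 0; i < len; i++) {
        crc = (uint16_t)((crc << 4) ^ table[((crc >> 12) ^ (data[i] >> 4)) & 0xFu]);
        crc = (uint16_t)((crc << 4) ^ table[((crc >> 12) ^ data[i]) & 0xFu]);
    }
    return crc;
}

/* Cross-check both implementations over a constructed buffer covering every
 * byte value; returns 1 if they agree for every prefix and both initial values. */
int crc16_implementations_agree(void)
{
    uint8_t buf[256];
    for (unsigned i = 0; i < 256; i++)
        buf[i] = (uint8_t)(i * 37u + 11u);   /* constructed sample data */
    for (size_t len = 0; len <= sizeof buf; len++) {
        if (crc16_bitwise(buf, len, 0x0000) != crc16_nibble(buf, len, 0x0000))
            return 0;
        if (crc16_bitwise(buf, len, 0xFFFF) != crc16_nibble(buf, len, 0xFFFF))
            return 0;
    }
    return 1;
}

int main(void)
{
    const uint8_t check[] = "123456789";   /* conventional CRC check string */
    printf("16-entry table (the constants an analyst would search a binary for):\n");
    for (unsigned n = 0; n < 16; n++)
        printf("0x%04X%s", crc16_nibble_table_entry(n), (n % 8 == 7) ? "\n" : " ");
    printf("crc16 init 0x0000 of \"123456789\": 0x%04X\n", crc16_nibble(check, 9, 0x0000));
    printf("crc16 init 0xFFFF of \"123456789\": 0x%04X\n", crc16_nibble(check, 9, 0xFFFF));
    printf("implementations agree: %s\n", crc16_implementations_agree() ? "yes" : "no");
    return 0;
}
```

The point for an analyst is that the table, not the loop, is the fingerprint: a 16-entry table is linear in its index (entry 3 is entry 1 XOR entry 2, and so on), so its contents are fully determined by the polynomial, and a 32-byte run of such constants is easy to find in a binary with a byte-pattern search. Matching the constants tells you which polynomial and table shape the author used; it does not by itself tell you where the author learned it, which is the inference the paper draws from other evidence.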
"In my opinion, the use of this unique CRC implementation in Hydraq is evidence that someone from within the People's Republic of China authored the Aurora codebase," Stewart wrote in the paper. "And certainly, considering the scope, choice of targets and the overwhelming boldness of the attacks (in light of the harsh penalties we have seen handed out in communist China for other computer intrusion offenses), this creates speculation around whether the attacks could be state-sponsored."