Coding error reveals RSA attackers operated from China

A simple error message returned by a server to which a malware sample was trying to connect revealed to Dell SecureWorks researchers the origin of the RSA attack, says Joe Stewart, the company’s Director of Malware Research.

Even though the message was seemingly truncated, the pattern could be tied to “HTran”, a very old piece of software that is used to obfuscate the real source or target of the attack by redirecting TCP traffic to alternate hosts.

The error message in question happens due to a coding mistake by the author of the software, a Chinese hacker that goes by the handle of “Lion”. The great news is that this knowledge can be used by organizations to detect Advanced Persistent Threats targeting their networks – they only need to comb through the logs for the error message.

They can also track down the IP addresses from which the attack is coordinated, as the researchers have done by using the malware sample used in the RSA attack. In this particular case, they tracked them down to a number of domains known to be connected to a variety of different APT trojans, and they are mostly located in the People’s Republic of China.

“It’s not surprising that hackers using a Chinese hacking tool might be operating from IP addresses in the PRC,” comments Stewart. “Most of the Chinese destination IPs belong to large ISPs, making further attribution of the hacking activity difficult or impossible without the cooperation of the PRC government.”

He also warns that the signatures that would prove that this type of traffic occurred on the network might soon prove to be obsolete, since the coding bug might soon be fixed by the attackers once this information is widely known. Unfortunately, that means that after a while, organizations will be able to detect only past attacks and not the ongoing ones.

It remains only to hope that attackers will make this kind of mistakes in the future.