Aurora Malware Hashes and Domains

James Tarala20 Critical Controls, Advanced Persistent Threat

McAfee has recently released specific details about their analysis of the Aurora malware that was used to compromise 30+ companies over the past few months. This malware is consistent with the types of files that Enclave and other organizations who have responded to APT based attacks have discovered. It appears to utilize many of the same mechanisms and even file name in many such cases. A link to one of their reports on the topic can be found at:

www.mcafee.com/us/local_content/reports/how_can_u_tell_v5.pdf

Specifically the hashes for the Aurora malware are:

securmon.dll: E3798C71D25816611A4CAB031AE3C27A
Rasmon.dll: 0F9C5408335833E72FE73E6166B5A01B
a.exe: CD36A3071A315C3BE6AC3366D80BB59C
b.exe: 9F880AC607CBD7CDFFFA609C5883C708
AppMgmt.dll: 6A89FBE7B0D526E3D97B0DA8418BF851
A0029670.dll: 3A33013A47C5DD8D1B92A4CFDCDA3765
msconfig32.sys: 7A62295F70642FEDF0D5A5637FEB7986
VedioDriver.dll: 467EEF090DEB3517F05A48310FCFD4EE
acelpvc.dll: 4A47404FC21FFF4A1BC492F9CD23139C
wuauclt.exe: 69BAF3C6D3A8D41B789526BA72C79C2D
jucheck.exe: 79ABBA920201031147566F5418E45F34
AdobeUpdateManager.exe: 9A7FCEE7FF6035B141390204613209DA
zf32.dll: EB4ECA9943DA94E09D22134EA20DC602

In addition they have also identified a list of domains that you should be blocking that are used as a part of this malware as well. The following domains have been detected as containing malicious code associated with the Aurora malware:

ftpaccess[dot]cc
google[dot]homeunix[dot]com
tyuqwer[dot]dyndns[dot]org
blogspot[dot]blogsite[dot]org
voanews[dot]ath[dot]cx
360[dot]homeunix[dot]com
ymail[dot]ath[dot]cx
yahoo[dot]8866[dot]org
sl1[dot]homelinux[dot]org
members[dot]linode[dot]com
ftp2[dot]homeunix[dot]com
update[dot]ourhobby[dot]com
filoups[dot]info

Thanks again to the teams at McAfee / Foundstone for releasing this data. These are the types of datasets we need to be better about sharing if we are going to be effective at stopping these directed attacks!