Berkeley CSUA MOTD:Entry 53646
Berkeley CSUA MOTD
 
WIKI | FAQ | Tech FAQ
http://csua.com/feed/
2025/07/12 [General] UID:1000 Activity:popular
7/12    

2010/1/20-29 [Computer/SW/Compilers, Computer/SW/Languages/Misc] UID:53646 Activity:nil
1/20    Watch out for these Chinese hackers!!! Project Aurora has
        infiltrated into the U.S.
        http://www.secureworks.com/research/blog/index.php/2010/01/20/operation-aurora-clues-in-the-code
2025/07/12 [General] UID:1000 Activity:popular
7/12    

You may also be interested in these entries...
2014/1/14-2/5 [Computer/SW/Languages/C_Cplusplus] UID:54763 Activity:nil
1/14    Why is NULL defined to be "0" in C++ instead of "((void *) 0)" like in
        C?  I have some overloaded functtions where one takes an integer
        parameter and the other a pointer parameter.  When I call it with
        "NULL", the compiler matches it with the integer version instead of
        the pointer version which is a problem.  Other funny effect is that
        sizeof(NULL) is different from sizeof(myPtr).  Thanks.
	...
2011/3/7-4/20 [Computer/SW/Languages/C_Cplusplus] UID:54056 Activity:nil
3/7     I have a C question.  I have the following source code in two identical
        files t.c and t.cpp:
                #include <stdlib.h>
                int main(int argc, char *argv[]) {
                  const char * const * p1;
                  const char * * p2;
	...
2010/1/22-30 [Computer/HW/Laptop, Computer/SW/OS/OsX] UID:53655 Activity:high
1/22    looking to buy a new development laptop
        needs ssdrive, >6 hr possible batt life, and runs linux reasonably
        Anyone have a recommendation? Thx.
        \_ thinkpad t23 w ssdrive and battery inplace of drive bay
        \_ Ever wondered what RICHARD STALLMAN uses for a laptop?  Well,
           wonder no more!
	...
2009/8/31-9/9 [Computer/SW/Compilers] UID:53312 Activity:nil
8/31    I'm trying to learn ActionScript, like a step by step tutorial.
        The site at http://www.actionscript.org/resources/categories/Tutorials/Flash/Beginner
        isn't well organized. It doesn't explain how to get started with
        an editor, compiler, IDE. And should I even learn AS2 when you can
        learn AS3? Is Adobe Flash CS4 >>> CS3 or just CS4 > CS3?
	...
2009/2/28-3/11 [Computer/SW/Compilers] UID:52661 Activity:nil
2/28    I'm looking for a recommendation of a compiler/IDE to use to
        develop C/C++ code under Linux. In school, we used jove/gcc and
        I still use emacs/vi and gcc to this day. However, it is really
        lacking. Under Windows I tried Visual Studio and there were some
        really nice things about it, although it was so overwhelming that
        after 6 months of occasional use I still didn't really know what I
	...
2008/6/9-12 [Computer/SW/Languages/C_Cplusplus, Computer/SW/Security] UID:50194 Activity:nil
6/8     CSUA code guru please help. I need to see my random number
        generator with a good seed (I just need random 18 bit
        identifiers). The usual time(NULL) is OK, except my program
        might be invoked faster than once a second, and seeding using
        time() produced the same result. I tried clock() but it seems
        to return 0. My program needs to be run in Linux/DOS (Watcom
	...
2008/5/2-8 [Computer/SW/Compilers] UID:49874 Activity:low
5/2     How do I get the L1/L2 cache size and cache line size on my machine?
        Can I find this stuff out at compile time somehow?
        \_ You aren't planning on running your code on any other processors?
        \_ May I ask what it is you want to achieve ultimately? If you don't
           know your architecture and want to find out dynamically, there are
           tools that can peek/poke to give you definitive answers, plus you get
	...
2008/4/2-6 [Computer/SW/Languages/C_Cplusplus] UID:49645 Activity:moderate
4/2     Is there an interpreted version of C or C++ that can be used for
        educational purposes? It doesn't have to be full-featured or
        strictly adhere to the standards, but it's painful for students
        to change a variable in a for loop and then wait for a compile
        to see how it changes the result. Something really lightweight
        would encourage them to play around a lot more and learn more in
	...
2007/11/30-12/6 [Computer/SW/Compilers, Computer/HW/CPU] UID:48719 Activity:moderate
11/29   From the CSUA minutes:
        - Next Gen Console
        -- If we have $1800 in our accounts, should we buy a console:
           4 votes passes.
        -- Console voting: 2 votes each, neither passes
           * 360 = 600, more games
	...
2007/11/27-30 [Computer/SW/Languages/C_Cplusplus, Computer/SW/OS/Solaris] UID:48701 Activity:high
11/27   I'm using select to do a nonblocking check to see if a single socket
        has anything to read off it.  Problem is, I can have up to 12228
        file descriptors, and Linux fd_set only supports up to 4096.  Any idea
        what I can do about this?  (Or a better solution?) -jrleek
        \- 1. who are you
           2. i am busy this week and you didnt mention language
	...
2010/12/11-2011/2/19 [Computer/SW/Languages/Perl] UID:53984 Activity:nil
12/11   Anyone have experience with Perl PDF::API2 or PDF::API3?  Can you
        point me to a good tutorial for creating a simple document (a small
        table of 2-3 rows and a single image)?
	...
2010/7/21-8/9 [Computer/SW/OS/FreeBSD] UID:53890 Activity:nil
7/21    Can I just use ifconfig to expand my netmask on a FreeBSD box?
        Are there any gotchas here? Linux forces me to restart my network
        to expand my netmask.
        \_ yes... and no, you don't have to restart your network on linux either
           \_ Rebooting is the Ubootntoo way!
              \_ Oooboot'n'tootin!
	...
Cache (4972 bytes)
www.secureworks.com/research/blog/index.php/2010/01/20/operation-aurora-clues-in-the-code -> www.secureworks.com/research/blog/index.php/2010/01/20/operation-aurora-clues-in-the-code/
With the recently disclosed hacking incident inside Google and other major companies, much of the world has begun to wake up to what the infosec community has known for some time - there is a persistent campaign of "espionage-by-malware" emanating from the People's Republic of China (PRC). Corporate and state secrets both have been shanghaied over a period of five or more years, and the activity becomes bolder over time with little public acknowledgement or response from the US government. "Operation Aurora" is the latest in a series of attacks originating out of Mainland China. Operation Aurora takes its name directly from the hackers this time - the name was coined after virus analysts found unique strings in some of the malware involved in the attack. These strings are debug symbol file paths in source code that has apparently been custom-written for these attacks. The paths were left behind in the compiled binaries as shown below: code screenshot Although the code behind Operation Aurora has only recently been discovered, and the known samples of the main backdoor trojan (called Hydraq by antivirus companies) appear to be no older than 2009. It appears that development of Aurora has been in the works for quite some time - some of the custom modules in the Aurora codebase have compiler timestamps dating back to May 2006. This date is only a year or so after the Titan Rain attacks, which largely used widely-available trojans that were already known to antivirus companies. As a result of using completely original code and then only in highly-targeted attacks, the Aurora code seems to have escaped detection for quite some time. The compiler often offers other clues to a malware sample's origin. For instance, if the binary uses a PE resource section, the resource's headers will often provide a language code. The Hydraq component does use a resource section, but in this case, the author was careful to either compile the code on an English-language system, or they edited the language code in the binary after-the-fact. So outside of the fact that PRC IP addresses have been used as control servers in the attacks, there is no "hard evidence" of involvement of the PRC or any agents thereof. There is one interesting clue in the Hydraq binary that points back to mainland China, however. While analyzing the samples, I noticed a CRC (cyclic redundancy check) algorithm that seemed somewhat unusual. CRCs are used to check for errors that might have been introduced into stored or transferred data. CRC algorithms and implementations of those algorithms, but this is one I had not previously seen in any of my reverse-engineering efforts. Below is the raw assembly code for the CRC algorithm in Hydraq: code screenshot The first thing that is unusual about this CRC algorithm is the size of the table of constants (the incrementing values in the left pane of the assembly listing). Most 16 or 32-bit CRC algorithms use a hard-coded table of 256 constants. The CRC algorithm used in Hydraq uses a table of only 16 constants; basically a truncated version of the typical 256-value table. CRC-16 XMODEM", while requiring only a 16-value CRC table. It is actually a clever optimization of the standard CRC-16 reference code that allows the CRC-16 algorithm to be used in applications where memory is at a premium, such as hobby microcontrollers. Because the author used the C "int" type to store the CRC value, the number of bits in the output is dependent on the platform on which the code is compiled. In the case of Hydraq, which is a 32-bit Windows DLL, this CRC-16 implementation actually outputs a 32-bit value, which makes it compatible with neither existing CRC-16 nor CRC-32 implementations. Perhaps the most interesting aspect of this source code sample is that it is of Chinese origin, released as part of a Chinese-language paper on optimizing CRC algorithms for use in microcontrollers. At the time of this writing, almost every page with meaningful content concerning the algorithm is Chinese: code screenshot This information strongly indicates the Aurora codebase originated with someone who is comfortable reading simplified Chinese. Although source code itself is not restrained by any particular human language or nationality, most programmers reuse code documented in their native language. To do otherwise is to invite bugs and other unexpected problems that might arise from misunderstanding of the source code's purpose and implementation as given by the code comments or documentation. In my opinion, the use of this unique CRC implementation in Hydraq is evidence that someone from within the PRC authored the Aurora codebase. And certainly, considering the scope, choice of targets and the overwhelming boldness of the attacks (in light of the harsh penalties we have seen handed out in communist China for other computer intrusion offenses), this creates speculation around whether the attacks could be state-sponsored.