Feb 06

Fellow reader Josef pointed out a NYT article reporting that the recent Operation Aurora malware that attacked Google CN contained identifiable code from China, and that it implicated the Chinese government. The journalist relied on a blog written by security expert Mr. Joe Stewart of SecureWorks.

However, on closer examination, Mr. Stewart’s “China code” claim seems to have some problems:

1) A follow-up published by The Register on 1/26 contradicted the claim that the CRC algorithm was not known outside China. This 4-bit CRC algorithm is not from China, but has been around for twenty years in the device application arena. Once this fact became public, several code samples from outside China were found.

2) Mr. Stewart seems to have neglected the fact that variable names are stripped out during code compilation when he alluded to a variable name in the Aurora machine code. There appears to be no link between the “crc_ta[16]” variable he identified as Chinese and the machine code in Aurora. The variable name “crc_table[16]” would’ve compiled to the same machine code and is widely cited by US programmers. Does this mean the virus was written by the US government?

3) Mr. Stewart’s citations, a Chinese white paper containing the CRC algorithm and a code snippet found by Googling the identified variable name, both turned up different code than what’s in Aurora.

Specifically, the Aurora code contains a 12-bit shift optimization (found as early as 1988 according to The Register article):

t = crc16 >> 12;

while the code passed around on Chinese sites is unoptimized code using two divisions:

da=((uchar)(crc/256))/16
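
To put the two quoted lines in context, here is an added example (not code from the original post, from Aurora, or from the cited sites) of a nibble-at-a-time CRC-16 written once with the 12-bit shift and once with the two divisions. The polynomial 0x1021, the zero initial value, the function names and the table-building helper are assumptions made for illustration; the page does not state them.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define POLY 0x1021u  /* assumption: CCITT polynomial; the page does not name one */

/* Build the 16-entry lookup table: one entry per 4-bit nibble. */
static void build_table(uint16_t t[16]) {
    for (unsigned i = 0; i < 16; i++) {
        uint16_t r = (uint16_t)(i << 12);
        for (int b = 0; b < 4; b++)
            r = (uint16_t)((r & 0x8000u) ? (r << 1) ^ POLY : (r << 1));
        t[i] = r;
    }
}

/* Shift form: the top nibble is extracted with "crc16 >> 12". */
uint16_t crc_shift(const uint8_t *p, size_t len) {
    uint16_t crc_table[16], crc16 = 0;   /* table name is arbitrary */
    build_table(crc_table);
    while (len--) {
        unsigned t = crc16 >> 12;
        crc16 = (uint16_t)(crc16 << 4) ^ crc_table[t ^ (*p >> 4)];
        t = crc16 >> 12;
        crc16 = (uint16_t)(crc16 << 4) ^ crc_table[t ^ (*p & 0x0f)];
        p++;
    }
    return crc16;
}

/* Division form: the same nibble is extracted with "/256" then "/16". */
uint16_t crc_div(const uint8_t *p, size_t len) {
    uint16_t crc_ta[16], crc = 0;        /* table name is arbitrary */
    build_table(crc_ta);
    while (len--) {
        uint8_t da = ((uint8_t)(crc / 256)) / 16;
        crc = (uint16_t)(crc << 4) ^ crc_ta[da ^ (*p / 16)];
        da = ((uint8_t)(crc / 256)) / 16;
        crc = (uint16_t)(crc << 4) ^ crc_ta[da ^ (*p & 0x0f)];
        p++;
    }
    return crc;
}

int main(void) {
    const uint8_t msg[] = "123456789";   /* constructed test input */
    printf("%04x %04x\n", crc_shift(msg, 9), crc_div(msg, 9));
    return 0;
}
```

Both functions return the same checksum for any input; they differ only in how the top nibble is written in source, and the table's name plays no part in the result.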

What’s most troubling, however, is not these technical deficiencies. Mr. Stewart seems to have gone beyond science and technology and made the political, ideological leap that the Chinese government is involved, while nothing he cited supports this claim, and our supposedly impartial media seems all too happy to repeat these half-truths and twisted facts.