Evidence found of Chinese attack on Google

SAN FRANCISCO--An American computer security researcher has found what he says he believes is strong evidence of the digital fingerprints of Chinese authors in the software programs used in attacks against Google.

The search engine giant announced last Tuesday that it had suffered a series of Internet break-ins it believed were of Chinese origin. The company's executives did not, however, detail the evidence leading them to the conclusion that the Chinese government was behind the attacks, beyond stating that e-mail accounts of several Chinese human rights activists had been compromised.

In the week since the announcement, several private computer security companies have made claims supporting Google's suspicions, but the evidence has remained circumstantial.

Now, by analyzing the software used in the break-ins against Google and dozens of other companies, Joe Stewart, a malware specialist with SecureWorks, a computer security company based in Atlanta, said he determined the main program used in the attack contained a module based on an unusual algorithm from a Chinese-authored technical paper that has been published exclusively on Chinese-language Web sites.

The malware at the heart of Google attack is described by researchers as a "Trojan horse" that is intended to open a back door to a computer on the Internet. Called Hydraq by the computer security research community, and intended to subvert computers that run different versions of the Windows operating system, the program was first noticed earlier this year.

Stewart describes himself as a "reverse engineer," one of a relatively small group of software engineers who disassemble malware codes in an effort to better understand the nature of the attacks that have been introduced by the computer underground, and now possibly by governments as well.

"If you look at the code in a debugger you see patterns that jump out at you," he said. In this case he discovered software code that represented an unusual algorithm, or formula, intended for error-checking transmitted data.

He acknowledged that he could not completely rule out the possibility that the clue had been placed in the program intentionally by programmers from another government intent on framing the Chinese, but said that this was unlikely.

"Occam's Razor suggests that the simplest explanation is probably the best one," he said.

Entire contents, Copyright © 2010 The New York Times. All rights reserved.