Symantec Gets into Depth of Hydraq
As Google, the search engine giant, is on thinking terms to retreat from China, the notion regarding the involvement of targeted attacks is getting stronger, with the participation of Hydraq Trojan in the attack comprising a major part of discussion.
Hydraq Trojan, once installed using the IE (Internet Explorer) vulnerability fixed by Microsoft, downloads additional files, reported security firm Symantec after examining the Trojan.
On the basis of its functionality, it can be suspected that Hydraq's intends to open a back door on an infected system. This is done to permit a remote attacker to keep a check on the activity of the user and promptly procure information from both the compromised machine as well as the larger infrastructure with which the system is associated.
Symantec, in its blog said that one of the elements of Hydraq is based on VNC code (Virtual Network Computing, and open source remote desktop access application), and this particular element is potential enough to stream live desktop feed to a remote machine, thereby giving the attacker an access to check user's online activities.
The security firm added that created in 2006, VNC files - Acelpvc.dll and VedioDriver.dll - were purposely authored for Hydraq. Further, this fact can be associated with a recent report given by Joe Stewart, a SecureWorks security researcher, stating that certain components of Hydraq aged four years, as per the news published by infosecurity.com on January 22, 2010.
When it compromises a system, the Hydraq Trojan enables an assailant to perform a number of operations, including restarting and shutting down the system, manipulating files, adjusting token privileges, and accumulating information such as computer name, version of the operating system, and the client IP.
A Hydraq Trojan based attack was observed by the firm previously in July 2009, wherein attackers used a PDF file to exploit the Reader, Adobe Acrobat and Flash Player Remote Code Execution Vulnerability. A Trojan horse (former version of the current Hydraq) was installed into the systems through this PDF.
Researchers reported that command and control servers of this Trojan are not active as of now, therefore Trojan still left are being neutralized in an effective manner.
» SPAMfighter News - 30-01-2010