Once the Hydraq trojan has been installed using the Internet Explorer vulnerability patched by Microsoft this week, it downloads additional files, Symantec reported.
"We know that one of the components of this trojan is based on the code of VNC (Virtual Network Computing, an open source remote desktop access application) and this component has the ability to stream a live feed of a desktop to a remote computer", the company blogged. This enables the attacker to watch what the user is doing in real time.
The VNC files, VedioDriver.dll and Acelpvc.dll, were specifically written for Hydraq and carry creation dates from 2006, the company said. This is consistent with a recent report from Joe Stewart at SecureWorks that certain components in the trojan were four years old.
"Other components of Hydraq have creation dates in 2009," said Symantec. "This leads to the possibility that the Hydraq samples that we are seeing today may have been in development or evolved over time. However, another possibility is that the time and date were set wrong on the computer that was used when the source files were compiled."
The trojan lets an attacker carry out a number of activities when it compromises a PC, including adjusting token privileges, manipulating files, restarting and shutting down the computer, and gathering information such as the client IP, computer name, and operating system version. It also lets the attacker download a remote file and execute it, which opens the door for malware updates and other exploits, Symantec explained.
The attack was extremely targeted, with very low numbers of exploited machines, according to Symantec. The command-and-control servers coded into the malware are no longer active, added Symantec, meaning that for the time being at least, trojans in the field are "effectively neutralised".
Comments
ChasL says:
07 February 2010
Mr. Stewart's "China Code" claim seems to have some technical deficiencies:
1) A follow-up published by The Register on 1/26 contradicted the claim that the CRC algorithm was not known outside China. The 4-bit CRC code has been around for twenty years in the device application area. Once this fact became public, code samples outside China were found by bloggers discussing this issue.
2) Mr. Stewart seems to have neglected the fact that variable names are stripped out during code compilation when he alluded to a variable name in the Aurora machine code. There is absolutely no link between the "crc_ta[16]" variable he identified as Chinese and the machine code in Aurora.
A slightly different Google search using "crc_table[16]" as the keyword turns up many such code examples outside China.
3) On closer examination of Mr. Stewart's citations, the alleged Chinese white paper containing the CRC algorithm, and code snippet found by Googling "crc_ta[16]", both turned up different code than what's in Aurora.
Specifically, the Aurora code contains a 12-bit shift optimization (found as early as 1988 according to The Register article):
crc16 >> 12
however, the code passed around on Chinese sites is unoptimized code using two divisions:
((uchar)(crc/256))/16
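As an added illustration of the comparison in the comment above (this is not code from the article, from Symantec, or from the commenter), the C program below implements a 4-bit table-driven CRC-16 in both the shifted form and the two-division form and shows that they compute the same checksum. The 16-entry table is built from the standard CRC-16-CCITT polynomial 0x1021; that choice is an assumption for illustration, not the table recovered from Hydraq.

```c
#include <stddef.h>
#include <stdint.h>
typedef unsigned char uchar;

/* 16-entry nibble table for a table-driven CRC-16, built on first use from the standard
 * CRC-16-CCITT polynomial 0x1021. Constructed for illustration; not the Hydraq table. */
static const uint16_t *crc_ta(void)
{
    static uint16_t table[16];
    if (table[1] == 0)                       /* entry 1 is never 0 once built */
        for (unsigned i = 0; i < 16; i++) {
            uint16_t c = (uint16_t)(i << 12);
            for (int b = 0; b < 4; b++)      /* shift the nibble through the polynomial */
                c = (c & 0x8000) ? (uint16_t)((c << 1) ^ 0x1021) : (uint16_t)(c << 1);
            table[i] = c;
        }
    return table;
}

/* Optimised form: the table index is the top nibble, taken with a 12-bit shift. */
uint16_t crc16_shift(const uchar *data, size_t len)
{
    const uint16_t *t = crc_ta();
    uint16_t crc16 = 0;
    for (size_t i = 0; i < len; i++) {       /* high nibble of each byte first */
        crc16 = (uint16_t)(t[(crc16 >> 12) ^ (data[i] >> 4)] ^ (crc16 << 4));
        crc16 = (uint16_t)(t[(crc16 >> 12) ^ (data[i] & 0x0F)] ^ (crc16 << 4));
    }
    return crc16;
}

/* Unoptimised form: the same top nibble obtained with two divisions. */
uint16_t crc16_divide(const uchar *data, size_t len)
{
    const uint16_t *t = crc_ta();
    uint16_t crc = 0;
    for (size_t i = 0; i < len; i++) {
        crc = (uint16_t)(t[(((uchar)(crc / 256)) / 16) ^ (data[i] >> 4)] ^ (crc * 16));
        crc = (uint16_t)(t[(((uchar)(crc / 256)) / 16) ^ (data[i] & 0x0F)] ^ (crc * 16));
    }
    return crc;
}

/* Exhaustive check: both index expressions agree for every 16-bit value. */
int top_nibble_forms_agree(void)
{
    for (uint32_t v = 0; v < 0x10000; v++)
        if (((uint16_t)v >> 12) != ((uchar)((uint16_t)v / 256)) / 16) return 0;
    return 1;
}
```

With the 0x1021 table both routines return the CRC-16/XMODEM check value for the string "123456789", which shows that the shift and the pair of divisions are interchangeable ways of selecting the same table entry.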