In our last Trojan.Hydraq (Aurora) blog, The Trojan.Hydraq Incident, we mentioned that one of the components of this Trojan is based on VNC code and has the ability to allow an attacker to control and stream a live video feed of a compromised computer’s desktop to a remote computer in real-time. In this blog we will look at these components in more detail and demonstrate them being used.
Once Trojan.Hydraq is installed by means of an exploit, it downloads additional files from a remote location to aid with the attack. Two of the additional files downloaded are named VedioDriver.dll and Acelpvc.dll. These files are placed into the %System% folder on the exploited computer. Analysis of the files and communication protocol suggests that they were specifically written for use with Hydraq using modified VNC code. In conjunction with Hydraq, these files allow a remote attacker to control and stream a live video feed from an exploited computer. When looking at the information stored in the files, one thing stands out. The file creation information states that the files were created back in 2006.
Other components of Hydraq have creation dates in 2009. This leads to the possibility that the Hydraq samples that we are seeing today may have been in development or evolved over time. However, another possibility is that the time and date were set wrong on the computer that was used when the source files were compiled.
We have created the following video in a controlled environment in our lab to show how the files work in conjunction with Hydraq.
Threats that are capable of viewing and controling desktops remotely in real-time using VNC or other means are nothing new or sophisticated. In the past we have blogged about other threats with similar capabilities such as Ghostnet and Zeus.
Thanks to Piotr Krysiuk for his analysis and contributions configuring and screencasting the video.