Thanks to "Symantec Security Response" for providing this information.
It has been about a week since news of the mysterious Hydraq Trojan (also known as Aurora) attack broke with the unveiling of a threat by Google to pull its operations out of China. In between then and now there has been a lot of rumour and debate about all aspects of this attack with many truths and mistruths being carried in public.
As the fallout from this event begins to settle a little, it helps to step back and try to figure out exactly what happened and when. We will try to tell you the facts about this Trojan as we see them.
Large companies are common targets for hackers and attackers of various kinds, and it is not uncommon for these companies to actively monitor traffic to and from their critical IT infrastructure. So it comes as no surprise that Google announced in its blog on 12 January 2010 that it was the target of what it termed a “highly sophisticated” attack on its business assets. The blog also mentioned that a host of other large corporations were targets of this same attack.
Although concrete details of the attacks are not yet public, Google made reference to a number of Gmail accounts that were compromised during or after the attacks. These accounts belonged to individuals or organizations dealing with information that may have been politically sensitive. Because of the seemingly political nature of the attacks, the posting suggested that Google may cease the censoring of certain sensitive topics related to China, and also raised the possibility of the search giant pulling out of China altogether.
The story of the attacks went public following the announcement from Google, with news media organizations worldwide choosing to place the story prominently on the front pages of numerous Web sites and printed publications. Far from being confined to security-related mailing lists and blogs, the story became part of the week’s headlines with its news of potentially politically motivated “information warfare” in conjunction with the possibility of significant change ahead for one of the world’s most prominent companies.
Anatomy of the Attack
For a number of years targeted attacks have nearly always followed the same modus operandi. An email is sent to an individual, or small group of individuals, within an organisation. Every effort is made to make the email look legitimate: it will appear to have been sent by somebody the recipient trusts, and the subject matter will often relate to the recipient's area of business. In order to install the malware, the user must be tricked into either clicking a malicious link or launching a malicious attachment. In the more sophisticated attacks, the attacker will use a new zero-day vulnerability, as this obviously has a greater success rate.
The Trojan.Hydraq incident was no different and was almost textbook in its execution of a targeted attack. While there is much talk of the most recent incident, we observed a Trojan.Hydraq-based attack in July 2009. In this attack a PDF file was used to exploit the Adobe Acrobat, Reader, and Flash Player Remote Code Execution Vulnerability (CVE-2009-1862/BID35759). This PDF installed a Trojan horse that was an earlier version of the current Trojan.Hydraq.
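The PDF-borne vector above is what a mail gateway or analyst has to triage before the attachment ever reaches Reader. The following is an added example, not Symantec's code or any tool mentioned in the article: it flags the PDF name tokens that carry embedded Flash (/RichMedia, /Flash) or script and auto-run behaviour, after inflating FlateDecode streams and resolving #xx name escapes, both of which attackers use to hide such tokens from naive string searches. The sample PDF it builds is constructed for the demonstration and contains no exploit.

```python
import re
import zlib

# Name tokens worth flagging in a PDF attachment: /RichMedia and /Flash mark
# embedded Flash (the vector described above); /JavaScript, /JS, /Launch,
# /OpenAction and /AA mark script or auto-run behaviour. Hits are triage signals.
INDICATORS = [b"/RichMedia", b"/Flash", b"/JavaScript", b"/JS",
              b"/Launch", b"/OpenAction", b"/AA"]
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.DOTALL)
ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

def _inflate_streams(pdf: bytes) -> bytes:
    """Swap each FlateDecode stream body for its inflated content (searchable)."""
    def repl(m):
        try:  # decompressobj tolerates trailing bytes such as a stray \r
            return b"stream\n" + zlib.decompressobj().decompress(m.group(1)) + b"\nendstream"
        except zlib.error:  # not Flate-compressed, or damaged: keep raw
            return m.group(0)
    return STREAM_RE.sub(repl, pdf)

def _unescape_names(data: bytes) -> bytes:
    """Resolve #xx escapes in name tokens (/Open#41ction -> /OpenAction)."""
    return ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def triage_pdf(pdf: bytes) -> dict:
    """Return {indicator: count} after inflating streams and un-escaping names.
    A name must end at a non-alphanumeric byte, so /Flash != /FlateDecode."""
    data = _unescape_names(_inflate_streams(pdf))
    counts = {n.decode(): len(re.findall(re.escape(n) + rb"(?![0-9A-Za-z])", data))
              for n in INDICATORS}
    return {k: v for k, v in counts.items() if v}

def build_sample_pdf() -> bytes:
    """Constructed sample, not an exploit: a RichMedia annotation wrapping a
    Flash asset inside a Flate stream, plus an escaped /OpenAction -> JavaScript."""
    annot = (b"<< /Type /Annot /Subtype /RichMedia /RichMediaContent << "
             b"/Configurations [ << /Instances [ << /Subtype /Flash >> ] >> ] >> >>")
    comp = zlib.compress(annot)
    objs = [
        b"%PDF-1.7",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /Open#41ction 4 0 R >> endobj",
        b"2 0 obj << /Type /Page /Annots [3 0 R] >> endobj",
        b"3 0 obj << /Length " + str(len(comp)).encode()
        + b" /Filter /FlateDecode >>\nstream\n" + comp + b"\nendstream\nendobj",
        b"4 0 obj << /S /JavaScript /JS (app.alert(1);) >> endobj",
        b"trailer << /Root 1 0 R >>\n%%EOF",
    ]
    return b"\n".join(objs) + b"\n"
```

Run `triage_pdf(build_sample_pdf())` to see the five indicators surface even though two sit inside a compressed object and one is escaped; a clean PDF returns an empty dict.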
Trojan.Hydraq itself is very much a standard backdoor Trojan. Considering the efforts that the attackers put into staging the attack as a whole, the end malware is not so sophisticated. It doesn't use any anti-debugging or anti-analysis tricks. It just uses some basic obfuscation in the form of spaghetti code on some of its components.