Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response

Trojan.Hydraq – Typhoon In A Teacup

Created: 29 Jan 2010 16:05:48 GMT • Updated: 23 Jan 2014 18:29:54 GMT
Patrick Fitzgerald's picture
+1 1 Vote
Login to vote

If you have been following this series on Trojan.Hydraq over the last week you may have noticed that the blog entries have been well, boring. Because of its profile in the media and varying assessments of the threat posed by and the complexity of Trojan.Hydraq we decided to present the facts of the threat.

Threats make their way into mainstream media for various reasons. Sometimes it’s the effectiveness of a threat or the elegance associated with a particular approach taken by a piece of malware. Some use near impenetrable packers to make analysis extremely difficult and some have novel approaches to make the malware more robust and harder to take down.

2010 saw Trojan.Hydraq hit the media. This incident was dubbed “Operation Aurora”. In case there is still any confusion at this stage, the malware used in the Aurora attack is Trojan.Hydraq.

Trojan.Hydraq has been hailed as unique and also as the most sophisticated malware ever seen in the commercial space. This is being a little economical with the truth. The previous entries in the series contrast the features of Hydraq against other more advanced malware that has been around for some time. The vector of delivery, method in which the threat stays resident, techniques used to prevent analysis, the payload, and the possible motivation are all things that have been seen and utilized in the past. In fact, parts of the code have clearly been copied from online sources, as well as simply taken wholesale, in the case of of VNC.

The most sophisticated part of this attack was the use of an unpatched vulnerability (0-day) in Microsoft’s Internet Explorer, which itself was likely discovered due to a previous vulnerability, as it is within the same class as another recent disclosure. Even the use of a 0-day vulnerability in a targeted attack is something that we have seen before. This single attack doesn’t suddenly change the face of Information Security, as has been claimed.


Looking at this threat in an appropriate context, it doesn’t seem fair to hail this threat as sophisticated or unique. The only sophisticated aspect of this threat is how the exploit obtains control on a targeted computer. Everything else about this incident is something that we see time after time and something that we as a community should work together to prevent.

We owe a debt of responsibility to the people who depend on us for balanced and accurate assessments of the threat posed by any malware or attack. Exaggerated reports of an incident and the promotion of fear, uncertainty and doubt does not benefit the community, it only serves the agenda of a few vested interests.

Previous: Trojan.Hydraq's Backdoor Capabilities