Video Screencast Help
Security Response

Trojan.Hydraq's Backdoor Capabilities

Created: 28 Jan 2010 21:25:51 GMT • Updated: 23 Jan 2014 18:29:57 GMT
Patrick Fitzgerald's picture
0 0 Votes
Login to vote

At this stage we’ve looked at several features of Hydraq, including its obfuscation techniques and how it remains on an infected system. So, what control does the attacker have over a compromised system?

Backdoor Functionality

The ThreatExpert blog on Hydraq provides a comprehensive list of the features of this backdoor. The full article can be found here. The following list summarizes what this backdoor is capable of:

•    Adjust token privileges.
•    Check status of, control, and end processes and services.
•    Download a remote file, save it as %Temp%\mdm.exe, and then execute it.
•    Create, modify, and delete registry subkeys.
•    Retrieve a list of logical drives.
•    Read, write, execute, copy, change attributes, and delete files.
•    Shut down and restart the computer.
•    Uninstall itself by deleting the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaS[FOUR RANDOM CHARACTERS] subkey.
•    Clear all system event logs.
•    Check if %System%\acelpvc.dll is present. If so, load it and call its EntryMain() export. This is used to provide VNC access.
•    Check if %System%\VedioDriver.dll is present. This is used to provide VNC access.
•    Open, read, and delete the %System%\drivers\etc\networks.ics file.
•    Retrieve the CPU speed by checking the HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\"~MHz" registry value.

As you can see, this amounts to near complete control. This is not something that anyone wants running on his or her system, but this level of control is not unusual in backdoors. Let’s look at how this compares with Zeus—another backdoor that featured widely in the press.

Hydraq vs. Zeus

Zeus has similar functionality to what is listed above for Hydraq, but in addition to the basic functionality it also has the ability to accept commands from a configuration file. This configuration file is updatable via a command and control server. These commands are also far more sophisticated than what is offered by Hydraq.

The functionality includes, but is not limited to, monitoring particular URLs, redirecting URLs, changing DNS entries, and injecting HTML into arbitrary websites. Zeus can also, for example, open a cmd.exe session and execute arbitrary commands, essentially giving complete control over a system. This makes Zeus a formidable backdoor that has been very effective in its goal of stealing banking credentials and ultimately money across the Web.

Another feature of Hydraq that doesn’t stand up well in comparison to Zeus is the encryption used to protect and hide the data sent over the network. Hydraq uses a basic XOR obfuscation technique; it is easy to strip away this obfuscation to get at the data underneath. Zeus, on the other hand, uses RC4 with an arbitrarily chosen symmetric key that is pre-embedded in the binary—a complex and cryptographically secure algorithm—in order to protect its network transmissions. This is essentially unbreakable without having access to the threat itself.

Remotely view the desktop

The most notable aspect of Hydraq’s backdoor is its ability to give the attacker a live view of the infected machine’s desktop using VNC technology. More information and a video showing this facility in action can be found in our earlier blog on the subject here.

The consequences of having a backdoor like this on your system could be quite severe, but hopefully it’s abundantly clear that the consequences could be much worse. Compared to more advanced backdoors like Zeus the functionality of Hydraq is relatively limited.
----------------
Thanks to Nicolas Falliere and Eric Chien for their contributions to this blog.

Previous: How Trojan.Hydraq Stays On Your Computer