Backdoor.Tidserv.K

Often when a Trojan arrives on a computer, it saves itself to a specific location. It can save itself on the C: drive, the D: drive, or even somewhere more unusual; for example, in a location with a folder name that it has created itself using random characters. It may then go on to create or modify certain registry entries. It can do this so that it can execute every time your computer starts. Threats may also modify existing registry entries in order to perform devious tasks, such as lowering security settings on the computer by disabling firewalls and antivirus software.

At any rate it is typical for a threat to leave some trace of itself on the computer, which makes it possible to identify that the threat exists. Having said that, some threats may use a rootkit to hide their presence on a computer, thus making them more difficult to locate.

Recently, however, we detected a threat (...

The use of search engines to deliver malware is well known. Previously we reported that attackers were using Google-sponsored search results to promote malicious websites. Instead of using techniques such as search engine optimization (SEO) poisoning to get the optimum listing in the search engine results, attackers recently managed to compromise well known site autonagar.com, which is promoted by Google’s sponsored links. Interestingly, up until late last week, autonagar.com was hosting malicious exploits and was blacklisted by Google SafeBrowse. However, at the time of posting this blog the malicious code has been removed from autonagar.com and Google is no longer blocking it.

In this specific example, users who rely on Google’s sponsored links run the risk of their computers being...

Yesterday’s blog spoke about the obfuscation techniques employed by Trojan.Hydraq.  As it turns out these techniques are not new, had been used by various malware in the past, and are not too tricky to get around.  This entry examines the techniques employed by this threat in order to stay active on a compromised computer and survive a restart.

Hydraq takes advantage of the Svchost.exe process in Windows.  When a Windows system starts up it checks the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Svchost

These entries are referred to as service groups.  The information under this key will have all the information required by the operating system in order to load the service group into memory.  The following screenshot shows the services loaded into a particular instance of svchost on a clean computer:

...

In our last Trojan.Hydraq (Aurora) blog, The Trojan.Hydraq Incident, we mentioned that one of the components of this Trojan is based on VNC code and has the ability to allow an attacker to control and stream a live video feed of a compromised computer’s desktop to a remote computer in real-time. In this blog we will look at these components in more detail and demonstrate them being used.

Once Trojan.Hydraq is installed by means of an exploit, it downloads additional files from a remote location to aid with the attack. Two of the additional files downloaded are named VedioDriver.dll and Acelpvc.dll. These files are placed into the %System% folder on the exploited computer. Analysis of the files and communication protocol suggests that...