Security Response
Showing posts for January of 2010
Éamonn Young | 29 Jan 2010 21:13:08 GMT

Often when a Trojan arrives on a computer, it saves itself to a specific location. It can save itself on the C: drive, the D: drive, or even somewhere more unusual; for example, in a folder it has created itself with a name made up of random characters. It may then create or modify certain registry entries so that it executes every time the computer starts. Threats may also modify existing registry entries in order to perform devious tasks, such as lowering security settings on the computer by disabling firewalls and antivirus software.

At any rate it is typical for a threat to leave some trace of itself on the computer, which makes it possible to identify that the threat exists. Having said that, some threats may use a rootkit to hide their presence on a computer, thus making them more difficult to locate.

Recently, however, we detected a threat (...

Patrick Fitzgerald | 29 Jan 2010 16:05:48 GMT

If you have been following this series on Trojan.Hydraq over the last week, you may have noticed that the blog entries have been, well, boring. Because of its profile in the media, and the varying assessments of the threat it poses and of its complexity, we decided to present the plain facts of the threat.

Threats make their way into mainstream media for various reasons. Sometimes it’s the effectiveness of a threat or the elegance associated with a particular approach taken by a piece of malware. Some use near impenetrable packers to make analysis extremely difficult and some have novel approaches to make the malware more robust and harder to take down.

2010 saw Trojan.Hydraq hit the media. This incident was dubbed “Operation Aurora”. In case there is still any confusion at this stage, the malware used in the Aurora attack is Trojan.Hydraq.


Parveen Vashishtha | 28 Jan 2010 22:31:48 GMT

The use of search engines to deliver malware is well known. Previously we reported that attackers were using Google-sponsored search results to promote malicious websites. Instead of using techniques such as search engine optimization (SEO) poisoning to get the optimum listing in the search engine results, attackers recently managed to compromise a well-known site that is promoted through Google's sponsored links. Interestingly, up until late last week, the site was hosting malicious exploits and was blacklisted by Google SafeBrowse. However, at the time of posting this blog the malicious code has been removed from the site and Google is no longer blocking it.

In this specific example, users who rely on Google’s sponsored links run the risk of their...

Patrick Fitzgerald | 28 Jan 2010 21:25:51 GMT

At this stage we’ve looked at several features of Hydraq, including its obfuscation techniques and how it remains on an infected system. So, what control does the attacker have over a compromised system?

Backdoor Functionality

The ThreatExpert blog on Hydraq provides a comprehensive list of the features of this backdoor. The full article can be found here. The following list summarizes what this backdoor is capable of:

•    Adjust token privileges.
•    Check status of, control, and end processes and services.
•    Download a remote file, save it as %Temp%\mdm.exe, and then execute it.
•    Create, modify, and delete registry subkeys.
•    Retrieve a list of logical drives.
•    Read, write, execute, copy, change...

Joji Hamada | 28 Jan 2010 11:19:45 GMT

Yesterday we saw SEO poisoning attacks when searching for keywords such as "Apple Tablet". Now, after the product announcement has been made, we are seeing the same attack with the actual name of the product included in the search term.

Search terms like "Apple Ipad rumor" or "Apple Ipad size" are likely to produce results from malicious sites, ultimately compromising your computer with rogue security software.

No worries for Symantec product users. Our HTTP FakeAV Redirect Request IPS signature will detect the attack. Our...

Dermot Harnett | 27 Jan 2010 20:13:05 GMT

With Valentine's Day a little over two weeks away, it is not surprising that spammers are already targeting this holiday. Valentine's Day is a common target for spammers, and in January 2009 the top five Valentine's Day-related spam subject lines were as follows:

1.    Increase your length, the best valentine’s gift
2.    Show off your length for valentine’s
3.    Get it before Valentine’s day and watch her smile
4.    You have been invited to partake in a shopping spree with [Removed] This Month for Valentines!
5.    Happy Early Valentines Day, You have been selected to go on a $1000 Shopping spree to [Removed]

From time to time the products that spammers offer are surprising. A recent spam sample offered the perfect engagement ring but you would have to wonder about their target audience; seriously, who would buy an engagement ring...

Patrick Fitzgerald | 26 Jan 2010 16:40:57 GMT

Yesterday's blog spoke about the obfuscation techniques employed by Trojan.Hydraq. As it turns out, these techniques are not new, have been used by various malware in the past, and are not too tricky to get around. This entry examines the techniques employed by this threat in order to stay active on a compromised computer and survive a restart.

Hydraq takes advantage of the Svchost.exe process in Windows. When a Windows system starts up it checks the following registry key:


These entries are referred to as service groups. The data under this key holds all the information the operating system requires in order to load a service group into memory. The following screenshot shows the services loaded into a particular instance of svchost on a clean computer:


Patrick Fitzgerald | 25 Jan 2010 17:17:17 GMT

While Trojan.Hydraq has been described as sophisticated, the methods used to obfuscate the code are relatively straightforward to deobfuscate. Trojan.Hydraq uses spaghetti code, a technique used to make analyzing the code of a program more difficult. The basic blocks of a function are identified and then completely rearranged so that one cannot easily follow the code in a linear fashion. The rearranged code blocks are connected by jump instructions that restore the proper order during execution.

However, spaghetti code has been used in the past and, due to the simple method of implementation by Hydraq, is easily reversed. We posted one of the first blogs about spaghetti code in malware back in 2006 in regards to LinkOptimizer. Most security companies have tools to simply reverse this type of obfuscation in an automated fashion and even off...

Andrea Lelli | 22 Jan 2010 04:12:37 GMT

You probably have heard the recent news about a widespread attack that was carried out using a 0-Day exploit for Internet Explorer as one of the vectors. This exploit is also known as the "Aurora Exploit". The code has recently gone public and it was also added to the Metasploit framework.

This exploit was used to deliver a malicious payload, known by the name of Trojan.Hydraq, the main purpose of which was to steal information from the compromised computer and report it back to the attackers.

The exploit code makes use of known techniques to exploit a vulnerability that exists in the way Internet Explorer handles a deleted object. The final purpose of the exploit itself is to access an object that was...

Peter Coogan | 21 Jan 2010 17:51:15 GMT

In our last Trojan.Hydraq (Aurora) blog, The Trojan.Hydraq Incident, we mentioned that one of the components of this Trojan is based on VNC code and has the ability to allow an attacker to control and stream a live video feed of a compromised computer’s desktop to a remote computer in real-time. In this blog we will look at these components in more detail and demonstrate them being used.

Once Trojan.Hydraq is installed by means of an exploit, it downloads additional files from a remote location to aid with the attack. Two of the additional files downloaded are named VedioDriver.dll and Acelpvc.dll. These files are placed into the %System% folder on the exploited computer. Analysis of the files and communication protocol suggests that...