How do I protect my organization against this threat?
- Verify that you have the latest Symantec antivirus definitions, dated January 14, 2010 or later. These will protect against all currently known Hydraq variations.
- Verify that you have the Symantec Intrusion Prevention System (IPS) signatures (found using Security Updates by Product on the page) dated January 15, 2010 or later. These include the definitions listed above. Symantec strongly recommends deploying an IPS (also called Network Threat Protection) if you are not already using one. An IPS is the best protection against future attempts to exploit known vulnerabilities.
- Be vigilant about applying software security patches. Specifically, make sure you have applied the Adobe patch and the Microsoft IE patch for the vulnerabilities identified as playing a part in this attack.
Details on the detection and prevention signatures available from Symantec can be found here:
What does Hydraq do?
Hydraq is a targeted attack that is also currently referred to as Aurora, Google Attacks, and the Microsoft IE Vulnerability (advisory number 979352). It installs itself on a user's computer or an organization's server. It then can be used to search an organization for private information. Hydraq can capture and forward all information from an infected computer, including a live feed of windows on a screen and all information typed on the keyboard. Hydraq can also be remotely updated to perform additional tasks, including attempting to compromise other machines.
How does Hydraq infect a computer?
Typically an email is sent to an individual or a small group of individuals within an organization. All efforts are made to make the email look legitimate; that is, it will appear as though it was sent by somebody the recipient trusts. The subject matter will often be related to the recipient's area of business. In order to install the malware, the user must be tricked into either clicking a malicious link or opening an attachment. Both methods then exploit a vulnerability to install the Trojan onto the machine.
What is the current state of Hydraq?
At this time, the command and control servers are no longer active, so any of the Trojans still remaining in the field are effectively non-functional. However, the primary concern to businesses is the risk of other cybercriminals using the same exploits. In light of this incident, beyond the protection steps stated above, customers are encouraged to follow best practices in general and review their overall security policies and procedures.
Information on Hydraq
The most recent information appears at the top of this list.
Symantec products that can strengthen your organization’s security
Multiple layers of defense bolster an organization's ability to defend against such attacks. Symantec Protection Suite users have a robust defense at the gateway with Brightmail for email security, along with Web Gateway for Web security, ensuring organizations can monitor all incoming and outgoing mail and Web traffic. Protection Suite also ensures endpoints are clean with its Endpoint Security product. Not only does Endpoint Protection detect and remove the specific malware distributed in the attack, but advanced intrusion prevention signatures also proactively protect vulnerable systems against future attacks that use the same exploits, until you are able to patch all vulnerable systems. Finally, Symantec Protection Suite offers rapid data and system recovery to help recover individual files and folders in seconds or complete Windows systems in minutes.
Symantec Security Information Manager can effectively collect and prioritize malware activity events as they occur across the layered security solutions needed to confront this broad variety of attack vectors. Early detection of single exploited attack vectors may provide preemptive visibility to attacks before they can fully execute.
Symantec has tracked the Hydraq threat and identified a number of IP addresses used by this Trojan and labeled them as malicious. Symantec Security Information Manager can automatically receive updates on malicious IPs such as these and can automatically prioritize IP event activity that is occurring. This, in turn, can result in remediation of potential attack vectors before they are exploited.
A variety of protection technologies will trigger alerts based on the multiple attack vectors this Trojan will execute. Symantec Security Information Manager rules can be updated to aggregate these alerts to identify priority areas of remediation.
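The prioritization described above, shown as an added example that is not Symantec's code or part of this FAQ: events from several layers (firewall, web proxy, IDS) are matched against a malicious-IP list and aggregated per internal host so the most urgent remediation targets surface first. The IP addresses, log lines, and source weights are all constructed placeholders, not Hydraq indicators.

```python
import re
from collections import defaultdict

# Constructed placeholder blocklist (documentation-range IPs, not real Hydraq IOCs).
MALICIOUS_IPS = {"203.0.113.10", "198.51.100.7"}

# Constructed sample events in a simplified key=value format from three layers.
SAMPLE_EVENTS = [
    "firewall src=10.0.0.5 dst=203.0.113.10 dport=443 action=allow",
    "proxy client=10.0.0.5 url=http://198.51.100.7/update.php status=200",
    "ids src=10.0.0.5 dst=10.0.0.9 sig=SMB-lateral-movement-attempt",
    "proxy client=10.0.0.8 url=http://example.org/index.html status=200",
    "firewall src=10.0.0.8 dst=203.0.113.10 dport=80 action=block",
]

# Assumed weights: higher-fidelity layers contribute more to a host's priority.
SOURCE_WEIGHT = {"firewall": 1, "proxy": 2, "ids": 3}
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def parse_event(line):
    """Split one log line into (source layer, originating host, remote IPs, fields)."""
    source, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    host = fields.get("src") or fields.get("client")
    # Every IP in the line other than the originating host is a candidate remote address.
    remotes = {ip for ip in IP_RE.findall(rest) if ip != host}
    return source, host, remotes, fields

def score_events(lines, blocklist=MALICIOUS_IPS):
    """Aggregate a priority score and the supporting reasons for each internal host."""
    scores = defaultdict(int)
    reasons = defaultdict(list)
    for line in lines:
        source, host, remotes, fields = parse_event(line)
        hits = remotes & blocklist
        if hits:
            # A blocked attempt still counts: the host tried to reach C&C, so it is likely infected.
            scores[host] += SOURCE_WEIGHT.get(source, 1) * 10
            reasons[host].append(f"{source}: contact with {','.join(sorted(hits))}")
        elif source == "ids":
            # IDS signatures without a blocklist hit still add lower-priority evidence.
            scores[host] += SOURCE_WEIGHT["ids"]
            reasons[host].append(f"ids: {fields.get('sig')}")
    return dict(scores), dict(reasons)

def prioritized_hosts(lines):
    """Return internal hosts ordered from highest to lowest remediation priority."""
    scores, _ = score_events(lines)
    return sorted(scores, key=lambda h: scores[h], reverse=True)
```

On the sample events, 10.0.0.5 is ranked first because it touched both listed IPs and tripped an IDS signature, while 10.0.0.8 only attempted a blocked connection.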
Symantec DeepSight Early Warning Services provides actionable intelligence covering the complete threat lifecycle, from initial vulnerability to active attack. On January 15 we published a journal about a new unpatched Microsoft Internet Explorer vulnerability, which is leveraged by malware identified by Symantec as Trojan.Hydraq. DeepSight Analysts continue to provide updates to this evolving threat as new information becomes available. DeepSight subscribers benefit from personalized notifications and expert analysis (including patches, countermeasures and workarounds) to better protect critical information assets against a potential attack.
Symantec Managed Security Services monitor over 800 customers (including 92 of the Fortune 500). Leveraging the Symantec Global Intelligence Network, Managed Security Services analysts are trained to spot the early warning signs of such attacks and can take immediate remedial actions. This monitoring includes customers' firewalls, intrusion detection sensors (IDS), web proxies and system logs. Our Security Operations Center analysts are available to work with customers to take proactive steps to mitigate the IE vulnerability within their enterprise as needed.
The focus of these attacks was to steal intellectual property. Symantec Critical System Protection plays a significant role in defending this data by placing constraints around which users and applications have access to sensitive data. Any unauthorized users or applications would have been denied access to the data and an alert would have been generated by making the attempt. Additionally, Symantec Critical System Protection provides out-of-the-box protection against both known and unknown remote code execution attempts.
Total Management Suite (TMS) helps customers gain complete visibility into their IT environment, helping software managers quickly prepare for software updates and patches. Customers can run accurate asset inventory reports of software versions, licenses, and usage so they can react quickly to threats and vulnerabilities and take the necessary steps to remediate. Total Management Suite can quickly find the necessary software updates and/or patches and then run automatic processes for all assets. For example, an administrator could quickly identify which machines need Adobe and Internet Explorer patches, quickly push the patches out, and verify that the patches were correctly installed.
Symantec Hosted Services help protect against converged threats that span email, Web, and instant messaging by employing multiple commercial engines and a proprietary scanning engine, Skeptic, which is able to identify previously unseen zero-hour threats. This information is shared across services for enhanced protection. Skeptic employs proprietary heuristics technologies to identify malicious threats. Heuristics technologies have been shown to identify and stop threats well before signature scanners are aware – and before threats are disclosed – providing an intelligent, extra line of defense to protect against threats that signature-based systems may miss. In fact, this extra line of defense detects up to 25% of all the malware stopped by Symantec Hosted Services.
Data Loss Prevention can detect confidential information being sent back to a command and control server and prevent that data from leaving the corporate network. It can also find where confidential data is stored and remove it from inappropriate or exposed locations, for example, confidential data sitting on a public file share where it should not be stored.