Hydraq Attack's Resiliency Uncovered

By Matthew Hines  |  Posted 2010-01-26 Print this article Print

Security researchers continue to peel back the layers on the Trojan.Hydraq aka Operation Aurora attacks first reported publicly earlier this month, and the techniques employed by the threat to stay alive on infected machines were apparently neither cutting-edge, nor particularly sophisticated.

According to researchers with Symantec -- who've published a series of blogs examining various technical elements of the Trojan.Hydraq campaign -- the attack used methods commonly observed in other malware programs to remain alive inside of the organizations it infiltrated, restart after systems restart.

The Trojan specifically takes advantage of the Svchost.exe process in Windows to stick around, according to a recent blog post on the topic authored by Symantec expert Patrick Fitzgerald.

Among the best known attacks to use the same approach was the W32.Downadup Trojan, aka Conficker, which had a fairly sizeable footprint, comparatively speaking.

As the Trojan.Hydraq is believed to have gone unnoticed in some cases for as long as several months, this would seem to further illustrate that straightforward attack methods still seem to work fine when aimed at a readily available zero day flaw.

"This is an effective technique which can be used to help malware persist on a compromised computer. However, while effective this technique is neither new, nor complex," Fitzgerald writes.

For technical details of the technique check here.

Symantec has also taken a closer look at Trojan.Hydraq's obfuscation techniques, as well as how the attack utilized modified VNC code.

There's also an in-depth post covering the zero day exploit involved.

Follow eWeek Security Watch on Twitter at: eWeekSecWatch.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.

del.icio.us | digg.com

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel