
Symantec Video Explains The Hydraq VNC Connection

Symantec has today revealed further details about how the much-publicised Trojan.Hydraq attack works, via a video recorded in a controlled lab environment.

One of the components of the Trojan is based on VNC code and allows an attacker to control a compromised computer and stream a live video feed of its desktop to a remote computer in real time.

Once Trojan.Hydraq is installed by means of an exploit, it downloads additional files from a remote location to aid with the attack. Two of the additional files downloaded are named VedioDriver.dll and Acelpvc.dll. These files are placed into the %System% folder on the exploited computer. Analysis of the files and communication protocol suggests that they were specifically written for use with Hydraq using modified VNC code.

In conjunction with Hydraq, these files allow a remote attacker to control and stream a live video feed from an exploited computer. When looking at the information stored in the files, one thing stands out. The file creation information states that the files were created back in 2006.

Other components of Hydraq have creation dates in 2009. This raises the possibility that the Hydraq samples seen today have been in development, or evolving, over several years. Another possibility, however, is that the time and date were set incorrectly on the computer used to compile the source files.
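The 2006-versus-2009 discrepancy above is the kind of thing a responder checks by reading the compile timestamp each PE image carries in its COFF header (IMAGE_FILE_HEADER.TimeDateStamp) and comparing it across the dropped set. The following Python is an added triage example written for this page; it is not Symantec's or BCW's code. It takes the two file names the article reports (VedioDriver.dll and Acelpvc.dll) as a watch list, builds constructed, non-executable PE stubs as sample input (the component_a/b/c names are hypothetical placeholders, not Hydraq components), and flags any file whose compile year disagrees with the majority of the set.

```python
"""Added triage example: read PE compile timestamps, flag the two Hydraq-associated
file names from the article, and mark files whose compile year is an outlier.
Not code from Symantec or BCW; sample PE headers are constructed inline."""
import datetime
import struct
from collections import Counter
from pathlib import Path
from typing import Dict, List, Optional

UTC = datetime.timezone.utc

# File names the article reports Hydraq drops into %System% (matched case-insensitively).
HYDRAQ_VNC_NAMES = {"vediodriver.dll", "acelpvc.dll"}


def pe_timestamp(data: bytes) -> Optional[datetime.datetime]:
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime, or None
    when the bytes do not carry a well-formed MZ/PE header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Need "PE\0\0" plus Machine (2), NumberOfSections (2) and TimeDateStamp (4).
    if e_lfanew + 12 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    ts = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.datetime.fromtimestamp(ts, tz=UTC)


def build_stub_pe(compiled: datetime.datetime) -> bytes:
    """Construct a minimal, non-executable PE header whose TimeDateStamp is
    `compiled`. Constructed sample input only; not a real Hydraq file."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, int(compiled.timestamp()), 0, 0, 0, 0x2102)
    return bytes(dos) + b"PE\0\0" + coff


def triage(files: Dict[str, bytes]) -> List[dict]:
    """Return one record per file: compile year, whether the name is on the
    Hydraq watch list, and whether its year differs from the majority year.
    A timestamp can be forged or come from a mis-set build clock (the article
    raises exactly that possibility), so the outlier flag is a lead, not proof."""
    years = {}
    for name, data in files.items():
        stamp = pe_timestamp(data)
        years[name] = stamp.year if stamp else None
    counted = Counter(y for y in years.values() if y is not None)
    majority_year = counted.most_common(1)[0][0] if counted else None
    records = []
    for name, year in years.items():
        records.append({
            "name": name,
            "compile_year": year,
            "hydraq_vnc_name": name.lower() in HYDRAQ_VNC_NAMES,
            "year_outlier": year is not None and year != majority_year,
        })
    return records


def triage_directory(folder: str) -> List[dict]:
    """Run triage over the DLLs in a real folder, e.g. the %System% folder of a
    suspect host mounted read-only. Nothing on disk is modified."""
    files = {p.name: p.read_bytes() for p in Path(folder).glob("*.dll")}
    return triage(files)


# Constructed sample set: the two article-named files stamped 2006, three
# hypothetical placeholder components stamped 2009, and one non-PE file.
SAMPLE_FILES = {
    "VedioDriver.dll": build_stub_pe(datetime.datetime(2006, 3, 15, tzinfo=UTC)),
    "Acelpvc.dll": build_stub_pe(datetime.datetime(2006, 3, 15, tzinfo=UTC)),
    "component_a.dll": build_stub_pe(datetime.datetime(2009, 7, 1, tzinfo=UTC)),
    "component_b.dll": build_stub_pe(datetime.datetime(2009, 7, 2, tzinfo=UTC)),
    "component_c.dll": build_stub_pe(datetime.datetime(2009, 7, 3, tzinfo=UTC)),
    "notes.txt": b"not a PE file",
}

if __name__ == "__main__":
    for rec in triage(SAMPLE_FILES):
        print(rec)
```

On the constructed set the two watch-list names come back with compile_year 2006 and year_outlier set, the 2009 placeholders do not, and the non-PE file reports no timestamp at all. Against a live image, `triage_directory` reads every DLL in the given folder and applies the same two checks; treat a name match as the stronger signal and the year outlier as a prompt to look closer, for the clock-skew reason the article gives.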




Christian Harris is editor and publisher of BCW. Christian has over 20 years’ publishing experience and in that time has contributed to most major IT magazines and Web sites in the UK. He launched BCW in 2009 as he felt there was a need for honest and personal commentary on a wide range of business computing issues. Christian has a BA (Hons) in Publishing from the London College of Communication.