Hydraq IE 0 Day Exploit (Symantec)
What does Hydraq do?
Hydraq is a targeted attack that installs itself on a user’s computer or an organization’s server. It then can be used to search an organization for private information. Hydra can capture and forward all information from an infected computer, including a live feed of windows on a screen and all information typed on the keyboard. Hydra can also be remotely updated to perform additional tasks, including attempting to compromise other machines.
How does Hydraq infect a computer?
- Through a vulnerability in the Internet Explorer web browser HTTP MSIE Memory Corruption Code Exec (BID 37815)
- As an attachment to an email using a pdf file read by Adobe Acrobat, Adobe Reader, and Adobe Flash Player Adobe APSB09-10
Typically an email is sent to an individual or small group of individuals, within an organization. All efforts are made to make the email look legitimate, that is, it will appear as though it was sent by somebody the recipient trusts . The subject matter will often be related to the recipient’s area of business. In order to install the malware, the user must be tricked into either clicking a malicious link or opening an attachment. Both methods then exploit a vulnerability to install the Trojan onto the machine.
What is the current state of Hydraq?
At this time, the command and control servers are no longer active so any of the Hydraq trojans still remaining in the field are effectively non-functional. Symantec has released definitions to detect and remove infections of the Hydraq trojan.
Customers are encouraged to follow best practices in general and specifically to update to the latest patches available for Adobe Acrobat, Adobe Reader, and Adobe Flash Player. See: Adobe APSB09-10. At this time a patch is not available for the Internet Explorer, but IPS signatures have been released by Symantec which block exploitation of both vulnerabilities.
Information on Hydraq
- Security Blog: The Trojan.Hydraq Incident
- Security Blog: Protect Yourself Against Exploit Targeting New IE Zero-Day Vulnerability
- Security Response Report: Trojan.Hydraq
Symantec customers are protected
Our product and services teams discuss how Symantec customers are effectively protected from this threat.
Symantec Protection Suite
The Hydraq attacks were targeted at the core security infrastructure of organizations. Multiple layers of defense bolster an organization’s ability to defend against such attacks. Symantec Protection Suite users have a robust defense at the gateway with Brightmail Gateway for SMTP email security, along with Web Gateway for Web traffic and usage, ensuring that an organization is able to monitor all incoming and outgoing mail and Web traffic – constantly monitoring for and stopping threats. The Protection Suite ensures endpoints are clean with its market-leading Endpoint Security product. Finally, by having access to Symantec’s Backup Exec for desktops and laptops, in the event an endpoint is infected, doing a complete re-image is quick and easy, ensuring up-time and employee productivity. Symantec’s security products are backed by our Global Intelligence Network, ensuring customers are protected and up-to-date on rules and signatures.
Symantec Security Information Manager
A number of these attacks were achieved using a combination of attack vectors, resulting in back door Trojans being installed. Security Information Manager can effectively collect and prioritize these events as they occur across the layered security solutions that need to be deployed to protect against a broad variety of these attack vectors. Security Information Manager can further contribute global intelligence to the correlation process to include malicious IP, Worm IP and Botnet IP lists that can be manually updated to automatically conclude incidents around this particular attack. Early detection of single exploited attack vectors may provide preemptive visibility to attacks before they can fully execute.
DeepSight Early Warning Services
Symantec DeepSight Early Warning Services provides actionable intelligence covering the complete threat lifecycle, from initial vulnerability to active attack. On January 15 we published a journal about a new unpatched Microsoft Internet Explorer vulnerability, which is leveraged by malware identified by Symantec as Trojan.Hydraq. DeepSight Analysts continue to provide updates to this evolving threat as new information becomes available. DeepSight subscribers benefit from personalized notifications and expert analysis (including patches, countermeasures and workarounds) to better protect critical information assets against a potential attack.
Symantec Managed Security Services
Symantec Managed Security Services monitors over 800 customers (including 92 of the Fortune 500). In response to this threat, Symantec MSS updated our detection capabilities for both the targeted Trojan.Hydraq as well as exploits against the recent IE vulnerability. This monitoring includes customers’ firewalls, intrusion detection sensors (IDS), web proxies and system logs. As this threat is primarily client side, any clients with our Managed Endpoint Security service also received updates to protect their endpoints from this attack. Our SOC Analysts are available to work with customers to take proactive steps to mitigate the IE vulnerability within their enterprise as needed.
Symantec Critical Systems Protection
The focus of these attacks was to steal intellectual property. Symantec Critical Systems Protection plays a significant role in defending this data by placing constraints around which users and applications have access to sensitive data. Any unauthorized users or applications would have been denied access to the data and an alert would have been generated by making the attempt. Additionally, Symantec Critical Systems Protection provides out-of-the-box protection against both known and unknown remote code execution attempts.
Altiris Total Management Suite
With this attack, Total Management Suite customers benefit from the ability to gain complete visibility into their IT environment. Users run accurate asset inventory reports to react quickly to threats and vulnerabilities and take the necessary steps to remediate. Total Management Suite will have quickly found the necessary software updates and/or patches then run automatic processes for all assets – like upgrading to IE 8 in this case. Total Management Suite also generates reports to ensure successful updates or migrations, and update asset inventory reports to prepare for ongoing management.
Symantec Hosted Services
Trojan.Hydraq spans multiple communication protocols and can evade signature-based detection. Symantec Hosted Services help protect against converged threats that span email, Web, and instant messaging. Our proprietary heuristic technology for malware and spam filtering, captures and shares threat intelligence across these protocols and provides identification of previously unseen threats. All managed via a single, integrated security management console that simplifies administration while increasing visibility and control.