Once the Hydraq trojan has been installed using the Internet Explorer vulnerability patched by Microsoft this week, it downloads additional files, Symantec reported.
"We know that one of the components of this trojan is based on the code of VNC (Virtual Network Computing, an open source remote desktop access application) and this component has the ability to stream a live feed of a desktop to a remote computer", the company blogged. This enables the attacker to watch what the user is doing.
The VNC files, VedioDriver.dll and Acelpvc.dll, were specifically written for Hydraq, and were created in 2006, the company said. This correlates with a recent report from Joe Stewart at SecureWorks that certain components in the trojan were four years old.
"Other components of Hydraq have creation dates in 2009," said Symantec. "This leads to the possibility that the Hydraq samples that we are seeing today may have been in development or evolved over time. However, another possibility is that the time and date were set wrong on the computer that was used when the source files were compiled."
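As an added defender-side illustration (not code from Symantec or the original report), the check below reads the COFF TimeDateStamp that the compile-date discussion above relies on and flags the two file names attributed to the VNC component; the PE blobs it scans are constructed in the block so it runs offline. The compile year is reported alongside the name match rather than treated as proof of age, since, as the article notes, the build machine's clock may simply have been wrong.

```python
import struct
from datetime import datetime, timezone
from typing import Optional

# File names the article attributes to the Hydraq VNC component.
HYDRAQ_VNC_FILES = {"vediodriver.dll", "acelpvc.dll"}


def pe_timestamp(data: bytes) -> Optional[int]:
    """Return the COFF header TimeDateStamp of a PE image, or None if not PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of "PE\0\0"
    if e_lfanew + 12 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return ts


def assess(name: str, data: bytes) -> dict:
    """Summarise what a responder would note about one file: name match and build year."""
    ts = pe_timestamp(data)
    year = datetime.fromtimestamp(ts, tz=timezone.utc).year if ts is not None else None
    return {
        "name": name,
        "known_hydraq_name": name.lower() in HYDRAQ_VNC_FILES,
        "compile_year": year,            # may be wrong if the build clock was wrong
    }


def build_fake_pe(ts: int) -> bytes:
    """Constructed minimal PE-like blob for the demo (not malware, not a real binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew -> right after DOS header
    coff = b"PE\0\0" + struct.pack("<HHI", 0x14C, 0, ts)  # i386, 0 sections, timestamp
    return bytes(dos) + coff


if __name__ == "__main__":
    # Constructed samples: 1150000000 is in 2006, 1250000000 is in 2009.
    for name, ts in (("VedioDriver.dll", 1150000000), ("notepad.exe", 1250000000)):
        print(assess(name, build_fake_pe(ts)))
```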
The trojan lets an attacker carry out a number of activities when it compromises a PC, including adjusting token privileges, manipulating files, restarting and shutting down the computer, and gathering information such as the client IP, computer name, and operating system version. It also lets the attacker download a remote file and execute it, which opens the door for malware updates and other exploits, Symantec explained.
The attack was extremely targeted, with very low numbers of exploited machines, according to Symantec. The command-and-control servers coded into the malware are no longer active, added Symantec, meaning that for the time being at least, trojans in the field are "effectively neutralised".