Update Protection against Hydraq Trojan/Aurora Attack (MS10-002)
| Check Point Reference: | CPAI-2010-100 |
| Date Published: | |
| Severity: | |
| Last Updated: | |
| Source: | Microsoft Security Bulletin MS10-002; ThreatExpert Blog |
| Industry Reference(s): | CVE-2010-0249 |
| Protection Provided by: | Security Gateway |

Who is Vulnerable?
Microsoft Internet Explorer 6
Microsoft Internet Explorer 7
Microsoft Internet Explorer 8

Vulnerability Description
The Hydraq Trojan (also known as Aurora) was used in the recent attack against Google and other large companies. A then-unpatched Internet Explorer vulnerability (CVE-2010-0249) was used as one of the propagation vectors for this Trojan. The intent of the Trojan is to open a back door on a compromised computer, allowing a remote attacker to monitor activity and steal information from it. Once installed inside a corporate network, the Trojan can also allow the attacker to use the initially compromised computer as a launching point into the rest of the infrastructure.

Vulnerability Status
The vulnerability is being actively exploited in the wild.

Update/Patch Available
Microsoft has released a cumulative security update for Internet Explorer: Microsoft Security Bulletin MS10-002

Vulnerability Details
Upon installation on a computer, Trojan.Hydraq attempts to contact a command and control server in order to receive instructions and to upload any information that it may have collected. The Trojan is then able to create, modify, and delete registry files, read and execute attributes of files, restart and shut down the computer, adjust token privileges and more.

Protection Overview
This protection detects and blocks connections over port 443 that appear to be running the Aurora/Hydraq protocol.
To configure the defense, select your product from the list below and follow the related protection steps.
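
The following is an added example, not Check Point's signature and not code from this advisory. The page does not describe the Aurora/Hydraq wire format, so the example assumes one general approach to this kind of protection: flag port-443 sessions whose first client bytes are not a well-formed TLS or SSLv2 ClientHello. The function names, the session record layout and the sample bytes are constructed for illustration.

```python
import struct

CONTENT_HANDSHAKE = 0x16       # TLS record content type: handshake
HS_CLIENT_HELLO = 0x01         # handshake message type: ClientHello
MAX_RECORD_LEN = 2**14 + 2048  # upper bound on a TLS record body


def classify_first_bytes(payload: bytes) -> str:
    """Classify the first client-to-server bytes of a TCP session.

    Returns 'tls', 'sslv2-hello', 'too-short' or 'non-tls'.
    """
    if len(payload) < 6:
        return "too-short"
    ctype, major, minor, rec_len = struct.unpack("!BBBH", payload[:5])
    if (ctype == CONTENT_HANDSHAKE and major == 3 and minor <= 4
            and 0 < rec_len <= MAX_RECORD_LEN
            and payload[5] == HS_CLIENT_HELLO):
        return "tls"
    # SSLv2-compatible ClientHello (still sent by older browsers):
    # 2-byte length with the high bit set, message type 1, then the version.
    if payload[0] & 0x80 and payload[2] == 0x01 and payload[3] in (0x00, 0x03):
        return "sslv2-hello"
    return "non-tls"


def flag_sessions(sessions):
    """Return (src, dst) for port-443 sessions that do not open with TLS/SSL."""
    return [(s["src"], s["dst"]) for s in sessions
            if s["dport"] == 443
            and classify_first_bytes(s["first_payload"]) == "non-tls"]


# Constructed sample sessions (documentation addresses, made-up payloads;
# the non-TLS bytes are arbitrary and are NOT the Hydraq wire format).
SAMPLE_SESSIONS = [
    {"src": "192.0.2.10", "dst": "198.51.100.5", "dport": 443,
     "first_payload": bytes.fromhex("16030100c8010000c40303") + bytes(32)},
    {"src": "192.0.2.11", "dst": "198.51.100.6", "dport": 443,
     "first_payload": bytes.fromhex("802e0100020015000000")},
    {"src": "192.0.2.12", "dst": "203.0.113.7", "dport": 443,
     "first_payload": bytes.fromhex("0102030405060708090a0b0c")},
    {"src": "192.0.2.13", "dst": "203.0.113.8", "dport": 80,
     "first_payload": b"GET / HTTP/1.1\r\n"},
]

if __name__ == "__main__":
    for src, dst in flag_sessions(SAMPLE_SESSIONS):
        print(f"non-TLS traffic on 443: {src} -> {dst}")
```

A hit from this check is a lead for investigation rather than a verdict, since other non-TLS applications are sometimes run over port 443.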