Mar 23 2010

Malware faking Adobe update

Published by at 3:10 pm under Security Research

Recently, attackers have been spreading large numbers of malware variants that carry the same icons and version details as the update programs of popular software, in order to evade antivirus software as well as system analysts. Once it has infected a victim’s computer, the malware overwrites those update programs. Because the icon and version information are faked, ordinary users, and sometimes even virus researchers, are easily fooled and skip over the malware without raising an eyebrow.

Figure 1: The malware’s run key and processes as shown by Autorun and ProcessXP; the malware is hard to detect.

From analysis, we found that the malware is written in Visual Basic and imitates popular programs such as Adobe, DeepFreeze, Java and Windows. In addition, upon execution it immediately starts the following services: DHCP client, DNS client and Network share, and opens a port to receive the attacker’s commands.

In this case, Acrobat Reader version 9 is imitated: the malware overwrites the file AdobeUpdater.exe in the folder Adobe/Reader 9.0/Reader. From our analysis, overwriting the update file of popular software is a new technique.
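As an added example (not part of the original post and not Bkav’s tooling), the following Python script shows one defender-side check against the technique described above: an updater binary that presents a vendor icon and version resource but carries no Authenticode certificate table, or whose hash is not in a known-good baseline, is flagged for review. It parses the PE headers directly so it runs offline without third-party modules. The PE images it checks are constructed in-memory toy headers, not real updater files, and the `baseline` hash set is assumed to be supplied by the operator from a clean install. Note that the presence of a certificate table only shows that the file was signed at some point; validating the signature chain is left to Windows tooling.

```python
import hashlib
import struct

# Index of the Certificate Table (Authenticode signature) in the PE data directory.
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def security_directory(data: bytes):
    """Return (file_offset, size) of the PE Certificate Table.

    Returns (0, 0) when the image has no certificate table and None when the
    bytes are not a well-formed PE header at all.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header: SizeOfOptionalHeader sits 20 bytes in; the optional header follows at +24.
    (size_opt,) = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24
    if size_opt < 2 or opt + size_opt > len(data):
        return None
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:        # PE32
        n_off, dd_off = 92, 96
    elif magic == 0x20B:      # PE32+
        n_off, dd_off = 108, 112
    else:
        return None
    if n_off + 4 > size_opt:
        return None
    (n_dirs,) = struct.unpack_from("<I", data, opt + n_off)
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return (0, 0)
    entry = dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if entry + 8 > size_opt:
        return None
    # For the security directory the first field is a raw file offset, not an RVA.
    return struct.unpack_from("<II", data, opt + entry)


def has_authenticode_signature(data: bytes) -> bool:
    """True if the image carries a certificate table that lies within the file."""
    sd = security_directory(data)
    if sd is None:
        return False
    offset, size = sd
    return size > 0 and offset + size <= len(data)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage_updater(data: bytes, baseline: set) -> str:
    """Classify an updater binary against an operator-supplied known-good hash set (assumed input)."""
    if sha256_hex(data) in baseline:
        return "known-good"
    if not has_authenticode_signature(data):
        return "suspicious: vendor updater without Authenticode signature"
    return "unknown: signed but not in baseline, verify the chain"


def build_sample_pe(with_cert_table: bool) -> bytes:
    """Constructed toy PE32 header (not a runnable program) used only to exercise the check."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)   # 64-byte DOS header
    size_opt = 224                                                    # standard PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, size_opt, 0x102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)            # Magic: PE32
    struct.pack_into("<I", opt, 92, 16)              # NumberOfRvaAndSizes
    header_len = len(dos) + 4 + len(coff) + size_opt  # 312 bytes of headers
    cert_blob = b""
    if with_cert_table:
        cert_blob = b"\0" * 16                        # stand-in for a WIN_CERTIFICATE blob
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         header_len, len(cert_blob))
    return dos + b"PE\0\0" + coff + bytes(opt) + cert_blob


if __name__ == "__main__":
    # The baseline would normally be recorded from a clean install of the real updater.
    baseline = {sha256_hex(build_sample_pe(True))}
    for label, image in (("clean", build_sample_pe(True)), ("overwritten", build_sample_pe(False))):
        print(f"{label:12s} {triage_updater(image, baseline)}")
```

In practice the baseline would be recorded from a clean install and the check run over the updater paths of the imitated products (for example the Adobe Reader folder named in the post), so that a silently replaced AdobeUpdater.exe shows up as a hash mismatch even when its icon and version strings look right.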

Figure 2: Fake AdobeUpdater

Figure 3: Fake Java’s update

In such cases, the best advice for users is to update their antivirus software regularly in order to get the best support and protection from specialists.

This malware is detected as W32.Fakeupver.trojan by Bkav. Bkav customers are protected against it by the latest version of our antivirus software.

Analyst: Nguyen Cong Cuong


10 Comments to “Malware faking Adobe update”

  1. [...] The malware, which infects Windows computers, masks itself as an updater for Adobe Systems’ products and other software such as Java, wrote Nguyen Cong Cuong, an analyst with Bach Khoa Internetwork Security (BKIS), a Vietnamese security company, on its blog. [...]

  2. Greg on 27 Mar 2010 at 12:03 am

    Hi can we get the md5 of the sample please?

  3. [...] This post was mentioned on Twitter by Niels Groeneveld and Sarin Kittisares, Mint H.. Mint H. said: Malware faking Adobe update http://blog.bkis.com/en/malware-faking-adobe-update/ [...]

  4. [...] : Nguyen Cong Cuong's blog (Security analyst) Share and [...]

  5. [...] an analyst with Bach Khoa Internetwork Security (BKIS), a Vietnamese security company, on its blog. BKIS showed screen shots of a variant of the malware that imitates Adobe Reader Version 9 and [...]

  6. [...] The malware, which infects Windows computers, masks itself as an updater for Adobe Systems’ products and other software such as Java, wrote Nguyen Cong Cuong, an analyst with Bach Khoa Internetwork Security (BKIS), a Vietnamese security company, on its blog. [...]

  7. Fake Updater | ESET ThreatBlog on 28 Mar 2010 at 8:52 pm

    [...] 28th March 2010: the Bkis blog link is now available again, with a little more [...]

  8. [...] This dangerous kind of malware, which affects computers running the Windows operating system, operates on the updates of various highly popular commercial software, most notably Java and Adobe, as security analysts at the company BKIS have detailed on their official blog. [...]

  9. [...] Source of the article: http://blog.bkis.com/en/malware-faking-adobe-update/ [...]

  10. Hazır Beton on 30 Jan 2011 at 4:45 am

    The malware, which infects Windows computers, masks itself as an updater for Adobe Systems’ products and other software such as Java, wrote Nguyen Cong Cuong, an analyst with Bach Khoa Internetwork Security (BKIS), a Vietnamese security company, on its blog.
