
MSUpdate Trojan injected: Defense Sector – Unseen for 2 years, maybe more

Unknown attackers have tried to use an invitation to a prestigious conference to inject a trojan into companies in the defence sector. The security firms Seculert and Zscaler report that opening an attached PDF flyer caused recipients’ computers to be infected with spyware via a previously undisclosed hole in Acrobat Reader.


According to the report, the attack mainly targeted government-related organizations, including military and aerospace contractors, in Europe and in the US. The security firms said that the attacks started back in 2009 and peaked in autumn 2010. Talking to The H’s associates at heise Security, Seculert CTO Aviv Raff added that compromised computers, some of which had been infected for two years, were only discovered a few weeks ago.

A zero-day hole in Adobe Reader was exploited to inject the msupdater.exe trojan into systems; once injected, the trojan did its best to look like a regular update process – for example, it used URLs in the http://domain.com/microsoftupdate/getupdate/default.aspx?ID=... format. The malware also contained a “remote administration toolkit” that allowed the attackers to remotely monitor and control victims’ computers.
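The disguise described above (Windows Update-style paths on a host that is not Microsoft's) is something a defender can hunt for in proxy logs. The following is an added example, not code from the article or from Seculert or Zscaler: it parses constructed squid-style access-log lines and flags requests whose path matches the /microsoftupdate/getupdate/default.aspx pattern quoted in the article but whose host is outside a small allow-list of update domains. The allow-list, the log format and the sample lines are assumptions for illustration.

```python
# Added example (not from the article): flag proxy-log requests whose URL path
# mimics Windows Update but whose host is not a Microsoft update domain, the
# disguise the article attributes to msupdater.exe. The allow-listed domains,
# the log format and the sample log lines are constructed assumptions.
import re
from urllib.parse import urlparse

# Path fragment quoted in the article; matched case-insensitively because the
# server side of such C2 is usually IIS, which ignores path case.
UPDATE_PATH_RE = re.compile(r"/microsoftupdate/getupdate/default\.aspx", re.IGNORECASE)

# Hosts where an update-looking path is expected (assumption: legitimate endpoints).
LEGIT_SUFFIXES = (".microsoft.com", ".windowsupdate.com")


def is_legit_host(host: str) -> bool:
    """True for the bare domain or any subdomain of an allow-listed suffix."""
    host = host.lower().rstrip(".")
    return any(host == s.lstrip(".") or host.endswith(s) for s in LEGIT_SUFFIXES)


def suspicious_update_url(url: str) -> bool:
    """True when the path looks like Windows Update traffic but the host does not."""
    parsed = urlparse(url)
    if not parsed.hostname:
        return False
    return bool(UPDATE_PATH_RE.search(parsed.path)) and not is_legit_host(parsed.hostname)


# Minimal access-log line: <timestamp> <client-ip> <method> <url>  (assumed format)
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")


def scan_proxy_log(lines):
    """Return (client, url) pairs for lines whose URL matches the disguise pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or non-matching lines rather than crash
        if suspicious_update_url(m.group("url")):
            hits.append((m.group("client"), m.group("url")))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2010-10-04T09:12:01Z 10.0.0.15 GET http://www.update.microsoft.com/microsoftupdate/v6/default.aspx",
    "2010-10-04T09:12:07Z 10.0.0.15 GET http://domain.com/microsoftupdate/getupdate/default.aspx?ID=1234",
    "2010-10-04T09:13:44Z 10.0.0.22 GET http://intranet.example.local/index.html",
    "2010-10-04T09:14:02Z 10.0.0.22 GET http://cdn.example.net/MicrosoftUpdate/GetUpdate/Default.aspx?ID=77",
]

if __name__ == "__main__":
    for client, url in scan_proxy_log(SAMPLE_LOG):
        print(f"ALERT {client} -> {url}")
```

The check deliberately keys on the combination of path and host rather than on the path alone: the genuine Windows Update endpoints use similar-looking paths, so a path-only rule would be noisy, while a host-only rule would miss a fresh C2 domain entirely.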

At the time of the attacks, these trojans went undetected by most AV products, although signatures for exploits and spyware programs such as msupdater.exe have since become available. However, whether AV products will detect current spyware tools is doubtful. 
