MSUpdate Trojan injected: Defense Sector
Unknown attackers have tried to use an invitation to a prestigious conference to inject a trojan into companies in the defence sector. The security firms Seculert and Zscaler report that opening an attached PDF flyer caused recipients’ computers to be infected with spyware via a previously undisclosed hole in Acrobat Reader.
According to the report, the attack mainly targeted government-related organizations, including military and aerospace contractors, in Europe and in the US. The security firms said that the attacks started back in 2009 and peaked in autumn 2010. Talking to The H’s associates at heise Security, Seculert CTO Aviv Raff added that compromised computers, some of which had been infected for two years, were only discovered a few weeks ago.
A zero day hole in Adobe Reader was exploited to inject the msupdater.exe trojan into systems; once injected, the trojan did its best to look like a regular update process – for example, it used URLs in the http://domain.com/microsoftupdate/getupdate/default.aspx?ID=... format. The malware also contained a “remote administration toolkit” that allowed the attackers to remotely monitor and control victims’ computers.
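The disguise described above only works if nobody checks where the “update” requests actually go. As an added illustration (not code from the article or from either security firm), the snippet below scans proxy log lines for requests whose path mimics the reported Windows Update URL shape but whose host is not a genuine Microsoft update host; the log lines, the `.example` hosts and the allowlist are constructed assumptions to be tuned to a real environment.

```python
import re
from urllib.parse import urlparse, parse_qs

# Hosts that legitimately serve Windows Update traffic (assumed allowlist;
# tune it to your environment, e.g. from your proxy's Microsoft category).
LEGIT_UPDATE_HOSTS = {
    "update.microsoft.com",
    "windowsupdate.microsoft.com",
    "download.windowsupdate.com",
}

# Path shape reported for msupdater.exe: /microsoftupdate/getupdate/default.aspx?ID=...
UPDATE_LOOKALIKE = re.compile(r"/microsoftupdate/getupdate/default\.aspx$", re.IGNORECASE)

# Constructed proxy log lines (not real traffic): "<timestamp> <client-ip> <method> <url>"
SAMPLE_LOG = """\
2010-10-04T08:12:01Z 10.1.2.3 GET http://update.microsoft.com/microsoftupdate/getupdate/default.aspx?ID=7
2010-10-04T08:12:05Z 10.1.2.3 GET http://cdn-updates.example/microsoftupdate/getupdate/default.aspx?ID=5519
2010-10-04T08:13:10Z 10.1.2.9 GET http://intranet.example/news/default.aspx?ID=3
2010-10-04T08:14:42Z 10.1.2.3 GET http://cdn-updates.example/MicrosoftUpdate/GetUpdate/Default.aspx?ID=5520
"""

def host_is_microsoft(host):
    """True if host is, or is a subdomain of, an allowlisted update host."""
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in LEGIT_UPDATE_HOSTS)

def find_update_lookalikes(log_text):
    """Return (timestamp, client, host, ID) for requests that imitate the
    Windows Update URL shape but are sent to a host outside the allowlist."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line, skip
        ts, client, _method, url = parts[:4]
        u = urlparse(url)
        if not u.hostname or not UPDATE_LOOKALIKE.search(u.path):
            continue  # not the update-like path shape
        if host_is_microsoft(u.hostname):
            continue  # genuine update host, nothing to flag
        victim_id = parse_qs(u.query).get("ID", [""])[0]  # per-victim ID the beacon carries
        hits.append((ts, client, u.hostname.lower(), victim_id))
    return hits

if __name__ == "__main__":
    for hit in find_update_lookalikes(SAMPLE_LOG):
        print("update-lookalike beacon:", hit)
```

The same check can be expressed as a proxy or SIEM rule: update-style paths are only expected towards the allowlisted hosts, so every other match is worth a closer look.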
At the time of the attacks, these trojans went undetected by most AV products, although signatures for exploits and spyware programs such as msupdater.exe have since become available. However, whether AV products will detect current spyware tools is doubtful.
- Fake Windows updater targets government contractors, stealing sensitive data (arstechnica.com)
- Trojan smuggles out nicked blueprints as Windows Update data (go.theregister.com)
- Fake Windows updater makes its way around (ubergizmo.com)