In association with heise online

03 February 2012, 10:34

MSUpdate trojan attacked companies in the defence sector

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit


Zoom The conference flyer turned out to be a trojan.

Source: Seculert

Unknown attackers have tried to use an invitation to a prestigious conference to inject a trojan into companies in the defence sector. The security firms Seculert and Zscaler report that opening an attached PDF flyer caused recipients' computers to be infected with spyware via a previously undisclosed hole in Acrobat Reader.

According to the report, the attack mainly targeted government-related organisations, including military and aerospace contractors, in Europe and in the US. The security firms said that the attacks started back in 2009 and peaked in autumn 2010. Talking to The H's associates at heise Security, Seculert CTO Aviv Raff added that compromised computers, some of which had been infected for two years, were only discovered a few weeks ago.

A zero day hole in Adobe Reader was exploited to inject the msupdater.exe trojan into systems; once injected, the trojan did its best to look like a regular update process – for example, it used URLs in the http://domain.com/microsoftupdate/getupdate/default.aspx?ID=... format. The malware also contained a "remote administration toolkit" that allowed the attackers to remotely monitor and control victims' computers.

At the time of the attacks, these trojans went undetected by most AV products, although signatures for exploits and spyware programs such as msupdater.exe have since become available. However, whether AV products will detect current spyware tools is doubtful.

(djwm)

Print Version | Send by email | Permalink: http://h-online.com/-1427605
 


  • July's Community Calendar





The H Open

The H Security

The H Developer

The H Internet Toolkit