A backdoor trojan that targets Windows users is employing a fake Adobe certificate to remain undetected, researchers have found.
The malicious file carries an Adobe icon and is named Word13.exe. Once on a victim's machine, the trojan injects itself into Internet Explorer or Notepad, Symantec researcher Hiroshi Shinotsuka said.
The malware is capable of stealing data and creating, downloading, moving or deleting files. It also captures screen shots of the compromised computer and steals information from Skype users.
Aside from using the Adobe icon to trick users into trusting the file's legitimacy, the malware authors also have used a fake digital signature and entered other bogus certificate information, Shinotsuka said.
“It's fake, as the ‘Issued By’ field says ‘Adobe Systems Incorporated’,” he said. “Adobe is a VeriSign customer. Also, in the certificate information, we see that the [certificate authority] root certificate is not trusted – another dead giveaway.”
Shinotsuka pointed out that the Issued By field names the certificate authority that signed the certificate, so a legitimate Adobe code-signing cert would be issued by VeriSign, not by Adobe itself.
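The two tells Shinotsuka describes (a publisher certificate whose Issued By field is not a certificate authority, and a chain that does not end in a root Windows trusts) can be checked from a PowerShell prompt. The script below is an added example, not code from Symantec or from the article; it reads the Authenticode signature on a file, prints the Subject and Issued By fields, and flags a self-signed leaf or a chain that fails to reach a trusted root. The sample path is a placeholder and the script does not assume anything about the trojan's certificate beyond what the article states.

```powershell
# Added example (not from the Symantec write-up): inspect the Authenticode
# signature on a Windows executable and flag the tells described above, a leaf
# certificate that was not issued by a CA and a chain that does not end in a
# root the local machine trusts.
param(
    [string]$Path = "C:\Samples\Word13.exe"   # assumed location, not from the article
)

$sig = Get-AuthenticodeSignature -FilePath $Path

if ($sig.Status -eq 'NotSigned' -or $null -eq $sig.SignerCertificate) {
    Write-Output "$Path : no Authenticode signature present"
    return
}

$cert = $sig.SignerCertificate
Write-Output ("Status     : {0} ({1})" -f $sig.Status, $sig.StatusMessage)
Write-Output ("Subject    : {0}" -f $cert.Subject)
Write-Output ("Issued By  : {0}" -f $cert.Issuer)
Write-Output ("Thumbprint : {0}" -f $cert.Thumbprint)

$findings = @()

# A publisher certificate is issued by a CA, so a leaf whose Issuer is
# identical to its Subject (self-signed) is the simplest forgery to spot.
if ($cert.Subject -eq $cert.Issuer) {
    $findings += "leaf certificate is self-signed (Issued By equals Subject)"
}

# Build the chain against the local trust stores. A chain ending in a root
# Windows does not trust reports UntrustedRoot or PartialChain here.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck  # offline check
$null = $chain.Build($cert)
foreach ($s in $chain.ChainStatus) {
    $findings += ("chain: {0} - {1}" -f $s.Status, $s.StatusInformation.Trim())
}

# Get-AuthenticodeSignature already folds the chain result into Status;
# anything other than Valid means Windows would not trust this signer.
if ($sig.Status -ne 'Valid') {
    $findings += ("Authenticode status is {0}, not Valid" -f $sig.Status)
}

if ($findings.Count -eq 0) {
    Write-Output "Signature chains to a trusted root; no anomalies found"
} else {
    Write-Output "Suspicious signature:"
    $findings | ForEach-Object { Write-Output ("  - {0}" -f $_) }
}
```

Run it as `.\Check-Signer.ps1 -Path <file>` on an isolated analysis machine. Revocation checking is disabled so the check works offline; re-enable it (`Online` mode) if the host may reach the CA's CRL/OCSP endpoints, since a revoked but otherwise well-formed certificate is the case this script would otherwise miss.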
The trojan could be delivered through phishing emails or via drive-by download, security response manager Satnam Narang said.
He said infection levels are currently low, as the threat only came to researchers' attention within the past couple of weeks.
“We don't necessarily have a specific number [of infections],” Narang said. “This is something we discovered in the wild. We don't have specific details on how many people, but it is pretty low at this point.”