Trojan used fake Adobe certificates

Backdoor steals data, captures screenshots.

A backdoor trojan that targets Windows users is employing a fake Adobe certificate to remain undetected, researchers have found.

The malicious file carries an Adobe icon and is named Word13.exe. Once on victims' machines, the trojan injects itself into Internet Explorer or the user's Notepad programs, Symantec researcher Hiroshi Shinotsuka said.

The malware is capable of stealing data and creating, downloading, moving or deleting files. It also captures screenshots from the compromised computer and steals information from Skype users.

Aside from using the Adobe icon to trick users into trusting the file's legitimacy, the malware authors also have used a fake digital signature and entered other bogus certificate information, Shinotsuka said.

“It's fake, as the ‘Issued By’ field says ‘Adobe Systems Incorporated,’” he said. “Adobe is a VeriSign customer. Also, in the certificate information, we see that the [certificate authority] root certificate is not trusted – another dead giveaway.”

Shinotsuka pointed out that a legitimate certificate would be issued by VeriSign, not Adobe.
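The two giveaways Shinotsuka describes (a signer that names Adobe as its own issuer, and a chain that does not end at a trusted root) can be checked on a Windows host with built-in tooling. This is an added example, not code from the article or from Symantec; the file path is a placeholder.

```powershell
# Added example: inspect a PE file's Authenticode signature and its certificate chain.
# $Path is an assumed placeholder; point it at the file under examination.
function Test-SignerChain {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Status is one of Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
    "Signature status : $($sig.Status)"
    "Status message   : $($sig.StatusMessage)"

    if (-not $sig.SignerCertificate) { return }
    $cert = $sig.SignerCertificate
    "Subject          : $($cert.Subject)"
    "Issuer           : $($cert.Issuer)"
    "Validity         : $($cert.NotBefore) to $($cert.NotAfter)"

    # Build the chain against the machine's trust stores; revocation is skipped
    # so the check works offline.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($cert)
    "Chain to trusted root: $trusted"
    foreach ($s in $chain.ChainStatus) {
        "  chain status: $($s.Status) - $($s.StatusInformation.Trim())"
    }

    # The red flags from the article: a certificate that names its own subject
    # as issuer (self-signed) and a root the OS does not trust.
    if ($cert.Issuer -eq $cert.Subject) {
        "WARNING: self-signed certificate (issuer equals subject)"
    }
    if (-not $trusted) {
        "WARNING: chain does not terminate at a trusted root"
    }
}

Test-SignerChain -Path 'C:\samples\Word13.exe'   # placeholder path
```

A genuine vendor binary returns `Valid` with a chain ending at a root in the Trusted Root Certification Authorities store; the file described here would show `NotTrusted` or `UnknownError` and an issuer string of the vendor's own name.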

The trojan could be delivered through phishing emails or via drive-by download, security response manager Satnam Narang said.

He said infection levels are currently low as this threat surfaced on researchers' radars as recently as the past couple of weeks.

“We don't necessarily have a specific number [of infections],” Narang said. “This is something we discovered in the wild. We don't have specific details on how many people, but it is pretty low at this point.”

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition