Trojan uses fake Adobe certificate to evade detection


A backdoor trojan that targets Windows users is employing a fake Adobe certificate to remain undetected, researchers have found.

The malicious file carries an Adobe icon, but is suspiciously named “Word13.exe,” said Hiroshi Shinotsuka, a Symantec researcher who blogged about the malware on Friday.

Once on a victim's machine, the trojan injects itself into the Internet Explorer or Notepad process. The malware is capable of stealing data and creating, downloading, moving or deleting files. It can also capture screen shots from the compromised computer and steal information from Skype users.

Aside from using the Adobe icon to trick users into trusting the file's legitimacy, the malware authors also have used a fake digital signature and entered other bogus certificate information (see screen shot), Shinotsuka said.

“It's fake, as the ‘Issued By’ field says ‘Adobe Systems Incorporated,’” he wrote. “Adobe is a VeriSign customer. Also, in the certificate information, we see that the [certificate authority] root certificate is not trusted – another dead giveaway.”

Because VeriSign issues the code-signing certificates for Adobe products, a legitimate certificate would be issued by the Reston, Va.-based security company, not by Adobe itself, Shinotsuka explained.
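One way to automate the two checks Shinotsuka describes on a Windows host, as an added example that is not code from Symantec or from this article: it reads the Authenticode signature with PowerShell's Get-AuthenticodeSignature and flags a chain that does not reach a trusted root and a signer whose "Issued By" is the vendor itself rather than its CA. The function name, the default 'VeriSign' issuer pattern and the Downloads folder sweep are assumptions.

```powershell
# Added example, not code from the Symantec post or from SC Magazine: triage the
# Authenticode signature on a Windows executable and flag the two giveaways the
# article names, an "Issued By" that is the vendor itself instead of its CA, and a
# root certificate Windows does not trust. Function name, CA pattern and paths are assumptions.
function Test-CodeSignerChain {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Regex the signer's Issuer DN should match; for Adobe at the time of the
        # article that was a VeriSign code-signing CA. Set per vendor you expect.
        [string] $ExpectedIssuerPattern = 'VeriSign'
    )
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    $findings = @()

    # Valid means the file hash matches and the chain builds to a trusted root;
    # NotTrusted / UnknownError are what an untrusted root produces.
    if ($sig.Status -ne 'Valid') {
        $findings += "status $($sig.Status): $($sig.StatusMessage)"
    }
    $subject = $null; $issuer = $null; $thumb = $null
    if ($null -eq $cert) {
        $findings += 'no signer certificate (file is unsigned)'
    } else {
        $subject = $cert.Subject; $issuer = $cert.Issuer; $thumb = $cert.Thumbprint
        # A self-issued certificate has Issuer equal to Subject, i.e. "Adobe
        # Systems Incorporated" vouching for itself rather than a CA doing so.
        if ($issuer -eq $subject) {
            $findings += "self-issued: Issuer equals Subject ($subject)"
        }
        if ($issuer -notmatch $ExpectedIssuerPattern) {
            $findings += "issuer '$issuer' does not match '$ExpectedIssuerPattern'"
        }
    }
    [pscustomobject]@{
        File       = Split-Path -Leaf $Path
        Status     = $sig.Status
        Subject    = $subject
        Issuer     = $issuer
        Thumbprint = $thumb
        Suspicious = ($findings.Count -gt 0)
        Findings   = ($findings -join '; ')
    }
}

# Usage: sweep a download folder and show only files whose chain does not check out.
Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Filter *.exe -File |
    ForEach-Object { Test-CodeSignerChain -Path $_.FullName } |
    Where-Object Suspicious |
    Format-Table File, Status, Issuer, Findings -AutoSize
```

A file that is unsigned, self-issued or chained to an untrusted root shows up with Suspicious set; a genuinely vendor-signed file with a trusted chain and a matching issuer pattern is filtered out.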

In a Monday interview, Satnam Narang, security response manager at Symantec, told SCMagazine.com that the trojan has not yet been assigned a name, and that it could have been delivered through phishing emails containing weaponized attachments or via drive-by download.

Narang added that infection levels are currently low, as this threat surfaced on researchers' radars as recently as the past couple of weeks.

“We don't necessarily have a specific number [of infections],” Narang said. “This is something we discovered in the wild. We don't have specific details on how many people, but it is pretty low at this point.”
