Trojan uses fake Adobe certificate to evade detection


A backdoor trojan that targets Windows users is employing a fake Adobe certificate to remain undetected, researchers have found.

The malicious file carries an Adobe icon, but is suspiciously named “Word13.exe,” said Hiroshi Shinotsuka, a Symantec researcher who blogged about the malware on Friday.

Once on a victim's machine, the trojan injects itself into the Internet Explorer or Notepad process. The malware is capable of stealing data and of creating, downloading, moving or deleting files. It can also capture screenshots of the compromised computer and steal information from Skype users.

Aside from using the Adobe icon to trick users into trusting the file's legitimacy, the malware authors also have used a fake digital signature and entered other bogus certificate information (see screen shot), Shinotsuka said.

“It's fake, as the ‘Issued By’ field says ‘Adobe Systems Incorporated,’” he wrote. “Adobe is a VeriSign customer. Also, in the certificate information, we see that the [certificate authority] root certificate is not trusted – another dead giveaway.”

Because VeriSign issues the code-signing certificates for Adobe products, a legitimate cert would be issued by the Reston, Va.-based security company, Shinotsuka explained, not by Adobe itself.
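As an added illustration (not code from the article or from Symantec), the following PowerShell check surfaces the two tells Shinotsuka describes on any Windows executable: a signer certificate whose issuer is the vendor rather than a CA, and a chain that does not end at a trusted root. The sample path is hypothetical.

```powershell
# Added example: inspect a PE file's Authenticode signature and flag the
# warning signs described in the article. Not part of the original report.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path   # e.g. .\Word13.exe (hypothetical sample path)
)

$sig = Get-AuthenticodeSignature -FilePath $Path
$result = [ordered]@{
    File   = $Path
    Status = $sig.Status      # Valid, NotSigned, NotTrusted, HashMismatch, ...
    Signer = $null
    Issuer = $null
    Flags  = @()
}

if ($sig.Status -eq 'NotSigned') {
    $result.Flags += 'no Authenticode signature present'
} else {
    $cert = $sig.SignerCertificate
    $result.Signer = $cert.Subject
    $result.Issuer = $cert.Issuer

    # Tell 1: a self-issued leaf, or an issuer naming the software vendor.
    # A genuine Adobe signing certificate is issued by a CA (VeriSign at the
    # time of the article), so "Adobe" in the Issuer field is a giveaway.
    if ($cert.Subject -eq $cert.Issuer) {
        $result.Flags += 'self-signed leaf certificate'
    }
    if ($cert.Issuer -match 'Adobe Systems Incorporated') {
        $result.Flags += 'issuer is the vendor, not a certificate authority'
    }

    # Tell 2: build the chain against the local trust stores. An untrusted
    # root appears both as Status = NotTrusted above and in the chain status.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline triage; use Online in production
    if (-not $chain.Build($cert)) {
        $result.Flags += ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

[pscustomobject]$result
```

Run it as `.\Check-Signer.ps1 -Path .\sample.exe` on an isolated analysis host; any entry in `Flags` is a reason to distrust the file regardless of its icon or name.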

In a Monday interview, Satnam Narang, security response manager at Symantec, told SCMagazine.com that the trojan has not yet been assigned a name, and that it could have been delivered through phishing emails containing weaponized attachments or via drive-by download.

Narang added that infection levels are currently low, as this threat surfaced on researchers' radars as recently as the past couple of weeks.

“We don't necessarily have a specific number [of infections],” Narang said. “This is something we discovered in the wild. We don't have specific details on how many people, but it is pretty low at this point.”
