Trojan uses fake Adobe certificate to evade detection


A backdoor trojan that targets Windows users is employing a fake Adobe certificate to remain undetected, researchers have found.

The malicious file carries an Adobe icon, but is suspiciously named “Word13.exe,” said Hiroshi Shinotsuka, a Symantec researcher who blogged about the malware on Friday.

Once on a victim's machine, the trojan injects itself into Internet Explorer or the Notepad process. The malware is capable of stealing data and creating, downloading, moving or deleting files. It also can capture screenshots from the compromised computer and steal information from Skype users.

Aside from using the Adobe icon to trick users into trusting the file's legitimacy, the malware authors also have used a fake digital signature and entered other bogus certificate information (see screen shot), Shinotsuka said.

“It's fake, as the ‘Issued By’ field says ‘Adobe Systems Incorporated,’” he wrote. “Adobe is a VeriSign customer. Also, in the certificate information, we see that the [certificate authority] root certificate is not trusted – another dead giveaway.”

Because VeriSign does the code signing for Adobe products, a legitimate cert would be issued by the Reston, Va.-based security company, Shinotsuka explained, not Adobe itself.
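The two giveaways Shinotsuka describes (an 'Issued By' field naming the publisher itself, and a chain that does not end in a trusted root) can be checked mechanically. The PowerShell function below is an added example, not code from the article or from Symantec; the publisher name and the file path are assumptions.

```powershell
# Added example: triage a Windows executable's Authenticode signature for
# the two giveaways described above. Uses only the built-in
# Get-AuthenticodeSignature cmdlet.
function Test-SuspiciousSignature {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Assumption: the publisher whose branding the file claims to carry.
        [string]$ClaimedPublisher = 'Adobe Systems Incorporated'
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $findings = @()

    # No usable signer certificate at all (unsigned or unsupported format).
    if ($null -eq $sig.SignerCertificate) {
        return [pscustomobject]@{
            Path = $Path; Subject = $null; Issuer = $null
            Suspicious = $true
            Findings   = @("No signer certificate (status '$($sig.Status)')")
        }
    }

    # Giveaway 1: the chain does not terminate in a trusted root, or the
    # signature is otherwise not valid for this file.
    if ($sig.Status -ne 'Valid') {
        $findings += "Signature status '$($sig.Status)': $($sig.StatusMessage)"
    }

    $subject = $sig.SignerCertificate.Subject
    $issuer  = $sig.SignerCertificate.Issuer

    # Giveaway 2: 'Issued By' names the publisher rather than a public CA,
    # i.e. the certificate was issued by whoever made the file.
    if ($issuer -match [regex]::Escape($ClaimedPublisher)) {
        $findings += "Issuer '$issuer' names the publisher, not a CA"
    }
    if ($subject -eq $issuer) {
        $findings += 'Certificate is self-signed (subject equals issuer)'
    }

    [pscustomobject]@{
        Path       = $Path
        Subject    = $subject
        Issuer     = $issuer
        Suspicious = ($findings.Count -gt 0)
        Findings   = $findings
    }
}

# Usage (placeholder path): Test-SuspiciousSignature -Path 'C:\Temp\Word13.exe'
```

A legitimately signed Adobe binary of that era would report Status 'Valid' and an Issuer containing the VeriSign CA name, so both checks stay quiet on it.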

In a Monday interview, Satnam Narang, security response manager at Symantec, told SCMagazine.com that the trojan has not yet been assigned a name, and that it could have been delivered through phishing emails containing weaponized attachments or via drive-by download.

Narang added that infection levels are currently low, as this threat surfaced on researchers' radars as recently as the past couple of weeks.

“We don't necessarily have a specific number [of infections],” Narang said. “This is something we discovered in the wild. We don't have specific details on how many people, but it is pretty low at this point.”
