
Trojan uses fake Adobe certificate to evade detection

A backdoor trojan that targets Windows users is employing a fake Adobe certificate to remain undetected, researchers have found.

The malicious file carries an Adobe icon, but is suspiciously named “Word13.exe,” said Hiroshi Shinotsuka, a Symantec researcher who blogged about the malware on Friday.

Once on a victim's machine, the trojan injects itself into Internet Explorer or Notepad. The malware can steal data and create, download, move or delete files. It can also capture screenshots from the compromised computer and steal information from Skype users.

Aside from using the Adobe icon to trick users into trusting the file's legitimacy, the malware authors also have used a fake digital signature and entered other bogus certificate information (see screen shot), Shinotsuka said.

“It's fake, as the ‘Issued By’ field says ‘Adobe Systems Incorporated,’” he wrote. “Adobe is a VeriSign customer. Also, in the certificate information, we see that the [certificate authority] root certificate is not trusted – another dead giveaway.”

Because VeriSign does the code signing for Adobe products, a legitimate cert would be issued by the Reston, Va.-based security company, Shinotsuka explained, not Adobe itself.
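The two giveaways Shinotsuka describes (an issuer that names the software vendor rather than a commercial CA, and a chain that ends in an untrusted root) can both be checked from the host. The script below is an added example, not code from Symantec or from the article; it scans a directory of executables with PowerShell's built-in Get-AuthenticodeSignature, reports files whose signature does not validate, and, going beyond the single sample in the post, also flags certificates whose issuer CN repeats the subject's organisation even when the chain validates (for instance because a bogus root was installed locally). The scan path and extension list are assumptions.

```powershell
# Added example (not from the Symantec post or the SC article).
# Flags executables whose Authenticode signature does not chain to a trusted
# root, or whose signer certificate claims an issuer that is simply the
# subject's own organisation instead of a commercial CA.
# $Path and $Extensions are assumed defaults; adjust for the host being triaged.
param(
    [string]$Path = "C:\Users\Public\Downloads",
    [string[]]$Extensions = @("*.exe", "*.dll")
)

Get-ChildItem -Path $Path -Include $Extensions -Recurse -File | ForEach-Object {
    $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
    $cert = $sig.SignerCertificate
    $verdict = $null

    if ($sig.Status -ne 'Valid') {
        # Unsigned files, hash mismatches, and chains terminating in an
        # untrusted root all land here; StatusMessage says which.
        $verdict = "NOT VALID: $($sig.Status) - $($sig.StatusMessage)"
    }
    elseif ($null -ne $cert) {
        # Pull the issuer CN and subject O out of the distinguished names.
        $issuerCN = ($cert.Issuer  -split ',\s*' | Where-Object { $_ -like 'CN=*' }) -replace '^CN=', ''
        $subjectO = ($cert.Subject -split ',\s*' | Where-Object { $_ -like 'O=*'  }) -replace '^O=',  ''

        # A certificate "issued by" the same organisation it certifies is
        # self-issued; a real vendor cert is issued by a CA such as VeriSign.
        if ($subjectO -and $issuerCN -like "*$subjectO*") {
            $verdict = "SELF-ISSUED: issuer '$issuerCN' repeats subject org '$subjectO'"
        }
    }

    if ($verdict) {
        [PSCustomObject]@{
            File    = $_.FullName
            Subject = $(if ($cert) { $cert.Subject } else { '' })
            Issuer  = $(if ($cert) { $cert.Issuer }  else { '' })
            Finding = $verdict
        }
    }
}
```

Run it as `.\Check-Signatures.ps1 -Path C:\Suspect` and pipe the output to `Format-List` or `Export-Csv` for the ticket. A file that passes both checks is not thereby clean (stolen legitimate certificates exist), but a failure on either check is exactly the "dead giveaway" the post describes and is cheap to collect across a fleet.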

In a Monday interview, Satnam Narang, security response manager at Symantec, told SCMagazine.com that the trojan has not yet been assigned a name, and that it could have been delivered through phishing emails containing weaponized attachments or via drive-by download.

Narang added that infection levels are currently low, as this threat surfaced on researchers' radars as recently as the past couple of weeks.

“We don't necessarily have a specific number [of infections],” Narang said. “This is something we discovered in the wild. We don't have specific details on how many people, but it is pretty low at this point.”
