Malware Takes Over Windows, Adobe Updaters

Latest variants overwrite updater programs and replace them with malicious versions that contain identical icons, version details

Dark Reading Staff, Dark Reading

March 30, 2010

2 Min Read
Dark Reading logo in a gray background | Dark Reading

New malware variants are spreading worldwide that wrest control of the updater function of several popular applications, including Windows Updater and Adobe Updater, security researchers say.

Security experts long have worried about potential abuse of application updaters -- earlier versions of this type of malware replaced Windows system files and startup programs. But the latest variants overwrite updater programs and replace them with malicious versions that contain identical icons and version details, and make them even more convincing.

Nguyen Minh Duc, director of Vietnamese security firm Bkis Security, says these malicious programs are able to fake out antivirus programs and even security experts. "Because the information about software icon or version is faked, ordinary users -- sometimes even virus researchers themselves -- are easily fooled," Duc says. "It's a new trend of file-replacing malware."

Bkis researchers have seen variants that overwrite not only updaters for Windows and Adobe, but also for Java and DeepFreeze. Unlike their predecessors, these new variants don't create backup versions of the files they replace. "They only attack the software updaters and thus do not affect the software operations. In addition, with icons and version information faked by the viruses, we cannot define whether or not the systems have been infected by using tools (such as Autoruns, Process Explorer, etc.)," said Nguyen Cong Cuong, senior malware researcher for Bkis in a blog post over the weekend.

Another increasingly popular form of phony application installers builds a botnet: it's a fake Adobe Installer that gets pushed via a rogue Website that appears to be legitimate. It pushes a pop-up to the user, such as an error message for Adobe Flash Player that requires the user download an update to the app. Researchers at Damballa say the link goes to a phony Adobe Website that then pushes the Trojan, which stays in the system disguised as the legit Adobe Update Manager. It basically keeps the newly infected machine as a bot in a botnet.

Researchers at Defcon last year demonstrated an attack that hijacks application update sessions over WiFi. Itzik Kotler, security operation center team leader for Radware and Tomer Bitton, security researcher for Radware, also released a tool called Ippon (Japanese for "game over"), that can inject a realistic-looking update alert or can hijack an ongoing application update session and fake the user into downloading malware posing as the update.

Ippon can also generate an attack where a victim's computer can attack other machines nearby on the WiFi network.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights