Slashdot Mirror


New Malware Overwrites Software Updaters

itwbennett writes "Researchers at Bach Khoa Internetwork Security (BKIS), a Vietnamese security company, have found a new type of malware that 'masks itself as an updater for Adobe Systems' products and other software such as Java,' wrote BKIS analyst Nguyen Cong Cuong in a post on the company's blog. BKIS showed screenshots of a variant of the malware that imitates Adobe Reader version 9 and overwrites the AdobeUpdater.exe, which regularly checks in with Adobe to see if a new version of the software is available."

6 of 78 comments

  1. Even TFA admits nothing new by Orga · Score: 4, Informative

    Malware that poses as an updater or installer for applications such as Adobe's Acrobat or Flash is nothing new, said Rik Ferguson, senior security advisor for Trend Micro.

  2. Re:I'm torned by idontgno · Score: 3, Informative

    This is slashdot*. "Reading" has absolutely nothing to do with any post, any comment, any moderation, or any action or decision here whatsoever.

    You must be new here.

    *Yes, I am kicking you into a pit as I yell that.

    --
    Welcome to the Panopticon. Used to be a prison, now it's your home.

  3. Re:i had a bout of paranoia where i imagined this by Kaboom13 · Score: 3, Informative

    By the way, that article title was bullshit. It was about a 3rd-party product that integrates with Microsoft's own WSUS server (used to distribute and control patching of Microsoft software) and uses its API to distribute third-party patches. It costs money, a decent amount of money. MS is not taking on the task of distributing 3rd-party patches. You can read my comment on that story if you want to learn more about Secunia's product; I beta tested it. It's bad enough the editors do their best to pass on ignorance and misinformation, please don't help them.

  4. Re:Oh, for the good old days... by Anonymous Coward · Score: 2, Informative

    Check the HPA (host protected area) of the drive. I'd wager it's hiding in there.

  5. Re:believe it or not by Spad · Score: 2, Informative

    Not to 90% of users there isn't.

  6. Re:I'm torned by plover · Score: 2, Informative

    I started by opening the Program Files\Adobe\Reader x.x\ folder. You'll see a folder called plug_ins. Make a new folder called "unwanted_plug_ins". Open the original plug_ins folder and you'll see a bunch of .API files (they're just renamed DLLs).

    I picked through them by name, and got rid of the obvious ones first: SendMail.API, ReadOutLoud.API, weblink.API, etc. I just dragged them to the "unwanted" folder. I then opened Adobe Reader and did some simple viewing tests with an existing PDF to make sure it still worked.

    Later, when I opened something from the web that didn't work right, it was pretty obvious that I had removed something it wanted. The error was something like "couldn't verify digital signature" so I restored the original DigSig.api file.

    It was just some basic crawling thru their junk and applying common sense, nothing spectacularly innovative.

    --
    John
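
One way to script the plug-in inventory and quarantine pass plover describes above, and at the same time check the signature on the AdobeUpdater.exe binary the story says the malware overwrites. This is an added PowerShell example, not code from the article, from BKIS, or from any commenter. It assumes the Reader install folder is passed in by the caller (the comment's `Reader x.x` path varies by version), that the `plug_ins` folder and `.API` extension are as the comment states, that the plug-in files and the updater are Authenticode-signed PE files, and it only moves files, never deletes them, so a wrong guess is reversed the same way the comment restores DigSig.api.

```powershell
<#
  Added example (not from the article or the comments): inventory Adobe Reader
  plug-ins, report their Authenticode status and SHA-256, move a caller-supplied
  list of unwanted plug-ins into unwanted_plug_ins, and check any AdobeUpdater.exe
  found under Program Files. Assumed: $ReaderDir layout, signed PE plug-ins.
#>
param(
    # Assumed layout: the folder that contains plug_ins, e.g. a "Reader <version>" folder.
    [Parameter(Mandatory = $true)]
    [string]$ReaderDir,
    # Names taken from the comment above; adjust to taste.
    [string[]]$Unwanted = @('SendMail.API', 'ReadOutLoud.API', 'weblink.API'),
    # Dry run: report and show what would move, but move nothing.
    [switch]$DryRun
)

function Get-SignatureReport {
    # Returns one object per file with signature status, signer subject and hash,
    # so a tampered or unsigned binary stands out in the table.
    param([string[]]$Path)
    foreach ($p in $Path) {
        $sig = Get-AuthenticodeSignature -FilePath $p
        [pscustomobject]@{
            File   = $p
            Status = $sig.Status            # Valid, NotSigned, HashMismatch, ...
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            SHA256 = (Get-FileHash -Path $p -Algorithm SHA256).Hash
        }
    }
}

$plugDir    = Join-Path $ReaderDir 'plug_ins'
$quarantine = Join-Path $ReaderDir 'unwanted_plug_ins'
if (-not (Test-Path $plugDir)) { throw "plug_ins folder not found under $ReaderDir" }
if (-not (Test-Path $quarantine)) { New-Item -ItemType Directory -Path $quarantine | Out-Null }

# 1. Inventory every plug-in and show the signature report.
$plugins = Get-ChildItem -Path $plugDir -Filter '*.api' -File
$report  = Get-SignatureReport -Path $plugins.FullName
$report | Format-Table -AutoSize

# 2. Anything not carrying a valid signature deserves a look before it is trusted.
$report | Where-Object { $_.Status -ne 'Valid' } |
    ForEach-Object { Write-Warning "Review: $($_.File) -> $($_.Status)" }

# 3. Move (never delete) the named unwanted plug-ins; moving back restores them.
foreach ($name in $Unwanted) {
    $src = Join-Path $plugDir $name
    if (Test-Path $src) {
        Move-Item -Path $src -Destination $quarantine -WhatIf:$DryRun
    }
}

# 4. The updater the story says gets overwritten: report its signature and hash.
$roots    = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$updaters = Get-ChildItem -Path $roots -Recurse -Filter 'AdobeUpdater.exe' -File -ErrorAction SilentlyContinue
if ($updaters) {
    Get-SignatureReport -Path $updaters.FullName | Format-Table -AutoSize
} else {
    Write-Warning 'No AdobeUpdater.exe found under Program Files'
}
```

Run it once with `-DryRun` to see the report and the planned moves, then without it to actually move the listed plug-ins. A `HashMismatch` or `NotSigned` status on a file that the vendor ships signed is the cheap signal worth keeping an eye on, which is exactly the property a malicious replacement of the updater would break.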