Slashdot Mirror


New Malware Overwrites Software Updaters

itwbennett writes "Researchers at Bach Khoa Internetwork Security (BKIS), a Vietnamese security company, have found a new type of malware that 'masks itself as an updater for Adobe Systems' products and other software such as Java,' wrote BKIS analyst Nguyen Cong Cuong in a post on the company's blog. BKIS showed screenshots of a variant of the malware that imitates Adobe Reader version 9 and overwrites the AdobeUpdater.exe, which regularly checks in with Adobe to see if a new version of the software is available."
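The story turns on one file, AdobeUpdater.exe, being overwritten in place. The following Python script is an added example (not code from BKIS, the article or Adobe) of the two checks a responder would run first on such a binary: parse the PE Certificate Table to see whether an Authenticode signature blob is embedded at all, and compare the file's SHA-256 against hashes taken from a clean install. The PE images, the placeholder PKCS#7 bytes and the baseline hash set are all constructed in memory so it runs offline; assess_file() is the hook you would point at the installed updater on a real host.

```python
"""Triage a possibly overwritten updater binary such as AdobeUpdater.exe.

Added example (not code from BKIS or the article). Two checks a responder
would run first: does the PE carry an embedded Authenticode signature blob
at all, and does its SHA-256 match a baseline taken from a clean install?
The PE images, the placeholder PKCS#7 bytes and the baseline hashes below
are all constructed in memory so the script runs offline.
"""
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # index of the Certificate Table data directory
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode PKCS#7 SignedData
WIN_CERT_REVISION_2_0 = 0x0200


def parse_certificate_table(data: bytes) -> dict:
    """Locate the WIN_CERTIFICATE entry; return {"signed": False} if there is none."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt = e_lfanew + 4 + 20                        # 20-byte COFF header precedes the optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                             # PE32
        nrva_off, dd_off = 92, 96
    elif magic == 0x20B:                           # PE32+
        nrva_off, dd_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    nrva = struct.unpack_from("<I", data, opt + nrva_off)[0]
    if nrva <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return {"signed": False}
    # Unlike every other data directory, the security entry holds a raw file offset, not an RVA.
    off, size = struct.unpack_from(
        "<II", data, opt + dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if off == 0 or size == 0:
        return {"signed": False}
    if size < 8 or off + size > len(data):
        raise ValueError("certificate table points outside the file")
    length, revision, cert_type = struct.unpack_from("<IHH", data, off)
    return {"signed": True, "revision": revision,
            "cert_type": cert_type, "pkcs7_len": length - 8}


def assess_updater(data: bytes, known_good_sha256: set) -> str:
    """Coarse verdict: 'unsigned', 'hash-mismatch' or 'ok'."""
    info = parse_certificate_table(data)
    if not info["signed"] or info["cert_type"] != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        return "unsigned"
    digest = hashlib.sha256(data).hexdigest()
    return "ok" if digest in known_good_sha256 else "hash-mismatch"


def assess_file(path: str, known_good_sha256: set) -> str:
    """Same verdict for a file on disk, e.g. the installed AdobeUpdater.exe."""
    with open(path, "rb") as fh:
        return assess_updater(fh.read(), known_good_sha256)


def build_pe(pe32plus: bool, signed: bool) -> bytes:
    """Construct a headers-only PE image for the demo. It is not a runnable executable."""
    opt_size = 240 if pe32plus else 224
    nrva_off, dd_off = (108, 112) if pe32plus else (92, 96)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)         # e_lfanew: PE header directly after the DOS header
    coff = bytearray(20)
    struct.pack_into("<H", coff, 16, opt_size)    # SizeOfOptionalHeader
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<I", opt, nrva_off, 16)     # NumberOfRvaAndSizes
    headers_len = 64 + 4 + 20 + opt_size
    cert = b""
    if signed:
        # Placeholder DER bytes standing in for the PKCS#7 blob; sized so dwLength is 8-byte aligned.
        pkcs7 = b"\x30\x82\x00\x14" + b"\x00" * 20
        cert = struct.pack("<IHH", 8 + len(pkcs7), WIN_CERT_REVISION_2_0,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + pkcs7
        struct.pack_into("<II", opt, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         headers_len, len(cert))
    return bytes(dos) + b"PE\0\0" + bytes(coff) + bytes(opt) + cert


# Constructed samples: two "known-good" signed images, one image with no Certificate Table,
# and one whose bytes no longer match the baseline (what an in-place overwrite looks like).
GOOD_PE32 = build_pe(pe32plus=False, signed=True)
GOOD_PE32PLUS = build_pe(pe32plus=True, signed=True)
KNOWN_GOOD = {hashlib.sha256(img).hexdigest() for img in (GOOD_PE32, GOOD_PE32PLUS)}
UNSIGNED = build_pe(pe32plus=False, signed=False)
TAMPERED = GOOD_PE32 + b"\x90" * 16

if __name__ == "__main__":
    for name, img in [("good PE32", GOOD_PE32), ("good PE32+", GOOD_PE32PLUS),
                      ("unsigned", UNSIGNED), ("tampered", TAMPERED)]:
        print(f"{name:11s} -> {assess_updater(img, KNOWN_GOOD)}")
```

Finding a signature blob is not the same as validating it: a fake updater can be unsigned, self-signed or signed with a stolen certificate, so an "ok" or "hash-mismatch" verdict from this triage should be confirmed on the host with a chain check (signtool verify /pa, or PowerShell's Get-AuthenticodeSignature). The whole-file baseline also has to be refreshed with every legitimate update, since each new version of the updater changes the hash.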

18 of 78 comments

  1. Irony: Adobe and Java updaters targeted by Metrathon · Score: 5, Insightful

    I've always filed the original forms of both these aggressive updaters under malware anyway...

    1. Re:Irony: Adobe and Java updaters targeted by spun · Score: 5, Funny

      Adobe installers are pernicious, sneaky, and they will attempt to install things you don't want. When an installer that acts like malware gets replaced with real malware, that could be classified as 'totally ironic' on the Morrisette Irony Scale.

      --
      - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
    2. Re:Irony: Adobe and Java updaters targeted by Ephemeriis · Score: 3, Insightful

      I've always filed the original forms of both these aggressive updaters under malware anyway...

      Agreed.

      I always disable automatic updating on everything I can... And then I'll manually check it once a month or so.

      I realize I'm probably missing some updates, and probably vulnerable to some threats... But I just hate logging in to my computer and getting bombarded with four or five different update notices.

      --
      "Work is the curse of the drinking classes." -Oscar Wilde
    3. Re:Irony: Adobe and Java updaters targeted by plover · Score: 3, Funny

      ... on the Morrisette Irony Scale.

      I've got one of those. Mine goes to 10.

      --
      John
  2. I'm torned by Yvan256 · Score: 5, Funny

    On the one hand, it's malware, on the other hand it replaces software from Adobe.

    I can't decide if it's an enhancement or not.

    1. Re:I'm torned by ByOhTek · Score: 3, Funny

      So... malware disguising itself as malware? Brilliant!

      --
      Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
    2. Re:I'm torned by rcuhljr · Score: 4, Funny

      I was going to mod this insightful until I saw the phrase "I'm torned"

    3. Re:I'm torned by plover · Score: 3, Interesting

      I completely neutered my copy of Adobe. I removed all the plug-in DLLs that did stuff I don't need or care about, or that were a security threat: accessibility, web linking, etc. I shut off Javascript execution in the preferences panel. And I disabled and removed everything related to Adobe Updater. If I feel like updating it, I will. (Hint: I don't.)

      I can still view ordinary documents without trouble. I can't "use" a form in the way that some companies have replaced their web browsers with Adobe front ends, but that's OK by me -- it's not required for my day job, and I certainly don't have to give fools like that my personal business.

      As a bonus, Adobe Reader launches much faster than before.

      --
      John
    4. Re:I'm torned by idontgno · Score: 3, Informative

      This is slashdot*. "Reading" has absolutely nothing to do with any post, any comment, any moderation, or any action or decision here whatsoever.

      You must be new here.

      *Yes, I am kicking you into a pit as I yell that.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
  3. Even TFA admits nothing new by Orga · Score: 4, Informative

    Malware that poses as an updater or installer for applications such as Adobe's Acrobat or Flash is nothing new, said Rik Ferguson, senior security advisor for Trend Micro.

  4. The only way you can tell if you are infected by Anonymous Coward · Score: 5, Funny

    If your copy of AdobeUpdater.exe runs reliably without unexplained crashing, you are probably running the malware version.

  5. i had a bout of paranoia where i imagined this by circletimessquare · Score: 5, Interesting

    about a month ago, while going through the motions of updating java one day (clicking on all those security warnings, running the little interface), i thought: to hack a system, why not just copy this stupid little interface and have the user gleefully click through all of the little security warnings?

    and now my fleeting paranoia is reality: you can't trust the updaters anymore

    which makes this news from two days ago all the more prescient:

    http://it.slashdot.org/article.pl?sid=10/03/24/189248

    "Microsoft To Distribute Third-Party Patches"

    furthermore, i despise the fact that just because i have quicktime and adobe and java installed, i have to always have these useless potentially bogus processes constantly running in the background doing nothing but waiting for their once monthly updates

    it makes much better sense to have ALL software updated through one repository which, obviously, has to be microsoft

    now microsoft is responsible for a secure update process, you don't have to worry about 9 different third party update mechanisms and have them constantly running, and finally, the big fat shiny nail in the coffin: you don't have to worry about this malware posing as an updater

    a negative being: now you're pretty much sending microsoft a manifest of all of your installed software every time you get an update, but i see no way around that without this new hack entering the picture

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    1. Re:i had a bout of paranoia where i imagined this by CranberryKing · Score: 3, Interesting

      It is surprising that MS hasn't done this yet. I don't think every app should be required to go through a package manager, but it just makes sense for the big ones. GNU/Linux has had this for years. And I've had it with Adobe.

    2. Re:i had a bout of paranoia where i imagined this by Kaboom13 · Score: 3, Informative

      By the way, that article title was bullshit. It was about a 3rd-party product that integrates with Microsoft's own WSUS server (used to distribute and control patching of Microsoft software) and uses its API to distribute third-party patches. It costs money, a decent amount of money. MS is not taking on the task of distributing 3rd-party patches. You can read my comment on that story if you want to learn more about Secunia's product; I beta-tested it. It's bad enough the editors do their best to pass on ignorance and misinformation; please don't help them.

  6. Oh, for the good old days... by DigitalSorceress · Score: 4, Interesting

    I used to sit there and think, "well, if I were a criminal, I'd do this, that and the other" (this that and the other being stuff like replacing updaters, faking out security software so it couldn't update, having multiple processes that "watchdogged" each other, yada yada). Nowadays, they're doing that shit and a whole lot more I never thought of.

    Once your system is compromised, it's pretty much never a good idea to trust it until it's been completely rebuilt from the ground up.

    I'm currently in the middle of doing this for a friend. Whatever the heck he had was so dug in that I had him replace the hard drive, reinstall a fresh OS, patch up, reinstall apps from disk, and now I'm restoring his user data from the original drive (carefully, with AutoRun disabled) mounted from a USB enclosure.

    --
    The Digital Sorceress
  7. Re:Adobe was removed 3 years ago by mandelbr0t · Score: 3, Funny

    Absolutely none, assuming you are still using Lynx :-D

    --
    "Please describe the scientific nature of the 'whammy'" - Agent Scully
  8. Adobe by dandart · Score: 4, Insightful

    Now if that's not an excuse to get away from Adobe Reader, what is? This?

  9. Re:Well that doesn't mean much by cbiltcliffe · Score: 3, Funny

    I'm surprised since I thought her songs had achieved higher popularity than that, considering how much I heard them played on the radio.

    Yes. Ironic, isn't it? :P

    --
    "City hall" in German is "Rathaus" Kinda explains a few things......