An article at Help Net Security by Zeljka Zorz describes malware written in Visual Basic which masquerades as legitimate updates for DeepFreeze, Java, Windows, Adobe Reader, and other applications.
"They have the same icon and version details, and can fool regular users and experts alike…it opens the DHCP client, the DNS client, Network share and open port for receiving commands….Even if the users notice and delete the malware, they are still in danger of getting infected again by this and other malware since the legitimate software has lost its ability to auto-update. The only solution is to deinstall the damaged version, download the software again and reinstall it."
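Because an icon and version string are trivially copied, the practical check is not the file's metadata but its content against a known-good baseline. The script below is an added illustration (not code from the post, BKIS, ESET, or any of the vendors mentioned): it records SHA-256 digests of updater binaries right after a clean install and later reports files that are modified, missing, or that appeared where nothing was recorded. The Windows paths in DEFAULT_TARGETS are assumptions, and demo() runs the same logic on constructed temporary files rather than real updaters.

```python
"""Baseline-and-verify check for updater executables.

Added example, not from the original post. Compares SHA-256 digests of
installed updater binaries against a manifest taken when the software was
known-good, so a same-named, same-icon, same-version replacement still
shows up as 'modified'.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Hypothetical updater locations; adjust for the real installation.
DEFAULT_TARGETS = [
    r"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe",
    r"C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe",
]


def sha256_of(path):
    """Stream the file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths):
    """Record digest and size per file; a path that does not exist is recorded as None."""
    manifest = {}
    for p in paths:
        if os.path.isfile(p):
            manifest[p] = {"sha256": sha256_of(p), "size": os.path.getsize(p)}
        else:
            manifest[p] = None
    return manifest


def verify(manifest):
    """Return a list of (path, status): 'ok', 'modified', 'missing' or 'appeared'."""
    findings = []
    for p, expected in manifest.items():
        exists = os.path.isfile(p)
        if expected is None:
            # Nothing was there at baseline; a new file under a trusted name is suspicious.
            findings.append((p, "appeared" if exists else "ok"))
        elif not exists:
            findings.append((p, "missing"))
        elif sha256_of(p) != expected["sha256"]:
            findings.append((p, "modified"))
        else:
            findings.append((p, "ok"))
    return findings


def save_manifest(manifest, path):
    Path(path).write_text(json.dumps(manifest, indent=2))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def demo():
    """Constructed demonstration on temporary files (not real updaters)."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "AdobeARM.exe")
        absent = os.path.join(d, "jusched.exe")
        Path(good).write_bytes(b"MZ" + b"\x00" * 64 + b"legitimate updater")
        manifest = build_manifest([good, absent])
        # Simulate a replacement of identical size and name but different bytes,
        # plus a file appearing at a path that was empty at baseline.
        Path(good).write_bytes(b"MZ" + b"\x00" * 64 + b"replaced   updater")
        Path(absent).write_bytes(b"MZ")
        return dict(verify(manifest))


if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:9} {path}")
```

In real use, run build_manifest() on DEFAULT_TARGETS once after a clean install, store the result with save_manifest() somewhere the malware cannot reach (removable media or a separate host), and re-run verify() on a schedule; a 'modified' finding is exactly the case the quoted article describes, where the remedy is to uninstall, re-download and reinstall rather than just delete the fake.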
The information originally derives from a company called BKIS in Vietnam, and their original blog is at http://blog.bkis.com/en/malware-faking-adobe-update/.
Damballa have posted some apparently related information about a fake Adobe updater at http://blog.damballa.com/?p=614. However Mary Landesman casts significant doubt upon some of the technical detail at http://blog.scansafe.com/journal/2010/3/29/adobe-update-trojan-claims-are-invalid.html. She says:
In short, there's currently no evidence that this malware is overwriting or even interfering with Adobe updates. It appears to be nothing more than the millions of run-of-the-mill trojans that try to disguise themselves by adopting the name of a valid program.
While it's difficult to come to any definitive conclusions without a reference sample, this seems more likely than the sophisticated malware described at Help Net Security. However, BKIS have responded to the ScanSafe post on their own blog at http://blog.bkis.com/en/additional-information-about-file-replacing-virus/. Since they say that the malware they're referring to is detected by other products, the controversy seems to be about the technical detail of implementation and payload. That may simply be because we're all talking about different samples. BKIS, though a strong player in its home market, is not yet a big name internationally. Perhaps as it gets better known globally, there'll be better communication between them and the rest of the AV research community.
The Register also has an article about this. Thanks to J.L. for the additional pointers!
David Harley CISSP FBCS CITP
Research Fellow & Director of Malware Intelligence
ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter:
ESET White Papers Page: http://www.eset.com/download/whitepapers.php
Securing Our eCity community initiative: http://www.securingourecity.org/