Forgot your password?
typodupeerror
Security Software IT

New Malware Overwrites Software Updaters 78

Posted by Soulskill
from the i'm-sure-the-updaters-don't-go-down-without-a-fight dept.
itwbennett writes "Researchers at Bach Khoa Internetwork Security (BKIS), a Vietnamese security company, have found a new type of malware that 'masks itself as an updater for Adobe Systems' products and other software such as Java,' wrote BKIS analyst Nguyen Cong Cuong in a post on the company's blog. BKIS showed screenshots of a variant of the malware that imitates Adobe Reader version 9 and overwrites the AdobeUpdater.exe, which regularly checks in with Adobe to see if a new version of the software is available."
This discussion has been archived. No new comments can be posted.

New Malware Overwrites Software Updaters

Comments Filter:
  • by Metrathon (311607) on Friday March 26, 2010 @02:34PM (#31630198)

    I've always filed the original forms of both these aggressive updaters under malware anyway...

  • That's a Good Idea (Score:3, Insightful)

    by Petersko (564140) on Friday March 26, 2010 @02:34PM (#31630208)
    Everybody I know would click through that bad boy without a moment's hesitation.
    • You do have to wonder why it would want to do this. If it already has the box rooted, why not just do what it wants? If it doesn't how did it overwrite an application? In OS X you have to type in an admin pw for it to update, but I don't think it could overwrite an application without being root, so I don't know why it would care.

      • by Talennor (612270)

        Because, instead of registering yourself to run by using the registry, you're substituting your payload for a program already set to run. It makes less noise and requires actually scanning the running processes instead of scanning the Windows registry and filenames of running processes. It's also easier for new virus writers to do.

        And to contradict this entire thread: GP is missing the point, too. The malware isn't looking for further user interaction. Just a hook on startup to get going and doing its

      • by Artifakt (700173)

        if a program can overwrite the updater in general, it could probably overwrite selectively, so it claims to be an already installed higher version number or newer patch than the what the real software is likely to produce in the next few months. Six months, a year or so later, the real updates overlap the malware and replace it, which effectively erases the malware, but it's usually had enough time to do whatever the designer wanted in the interm. The more the target software adheres to a predictable update

  • I'm torned (Score:5, Funny)

    by Yvan256 (722131) on Friday March 26, 2010 @02:34PM (#31630210) Homepage Journal

    On the one hand, it's malware, on the other hand it replaces software from Adobe.

    I can't decide if it's an enhancement or not.

    • by ByOhTek (1181381) on Friday March 26, 2010 @02:36PM (#31630252) Journal

      So... malware disguising itself as malware? Brilliant!

    • by rcuhljr (1132713) on Friday March 26, 2010 @02:37PM (#31630268)
      I was going to mod this insightful until I saw the phrase "I'm torned"
      • If you have an Adobe application, you must think having it is better than not (or else, what is it doing there). I keep the reader around because it can do the most complicated pdfs better than any other reader. Annoying that this is how the pdf standard is... I keep a copy of word around for the same reason.

        • Re: (Score:1, Interesting)

          by Anonymous Coward

          OSS Alts Exist for reading PDF's that don't have this pushy update system. That's the problem is that when you launch any adobe produce, it launches the updater, which is the problem(Executable redirect). ;

          • I don't deny that OSS alternatives exist. However, there are pdf documents that they don't layout correctly--so I need acrobat reader. Sometimes even LaTeX can break them and jstor is really likely to.

        • Re:I'm torned (Score:4, Interesting)

          by plover (150551) * on Friday March 26, 2010 @03:20PM (#31630868) Homepage Journal

          I completely neutered my copy of Adobe. I removed all the plug-in DLLs that did stuff I don't need or care about, or that were a security threat: accessibility, web linking, etc. I shut off Javascript execution in the preferences panel. And I disabled and removed everything related to Adobe Updater. If I feel like updating it, I will. (Hint: I don't.)

          I can still view ordinary documents without trouble. I can't "use" a form in the way that some companies have replaced their web browsers with Adobe front ends, but that's OK by me -- it's not required for my day job, and I certainly don't have to give fools like that my personal business.

          As a bonus, Adobe Reader launches much faster than before.

          • by psoriac (81188)

            Would you be willing to share the process you used to do that?

            • Re: (Score:3, Informative)

              by plover (150551) *

              I started by opening the Program Files\Adobe\Reader x.x\ folder. You'll see a folder called plug_ins. Make a new folder called "unwanted_plug_ins". Open the original plug_ins folder and you'll see a bunch of .API files (they're just renamed DLLs.)

              I picked through them by name, and got rid of the obvious ones first: SendMail.API, ReadOutLoud.API, weblink.API, etc. I just dragged them to the "unwanted" folder. I then opened Adobe Reader and did some simple viewing tests with an existing PDF to make sure

          • I completely neutered my copy of Adobe.

            Just curious, instead of going to all that trouble, why wouldn't something like Foxit be simpler and easier with similar results?

          • Or you could have simply installed another PDF reader!

            Did you buy an iPhone and jail-broke it, by any chance? ;)

      • Re: (Score:3, Insightful)

        In other words, you were going to mod a post insightful until you read the first two words of the post? Hm. ;)
  • by Orga (1720130) on Friday March 26, 2010 @02:34PM (#31630216)
    Malware that poses as an updater or installer for applications such as Adobe's Acrobat or Flash are nothing new, said Rik Ferguson, senior security advisor for Trend Micro.
  • by Anonymous Coward on Friday March 26, 2010 @02:37PM (#31630262)

    If your copy of AdobeUpdater.exe runs reliably without unexplained crashing, you are probably running the malware version.

  • by Finallyjoined!!! (1158431) on Friday March 26, 2010 @02:37PM (#31630264)
    On the strength of this, looks like Java will be following it.

    What difference will that make to my general new-fangled-interweb experience?

    Enquiring minds need to know...
    • by mandelbr0t (1015855) on Friday March 26, 2010 @02:54PM (#31630514) Journal
      Absolutely none, assuming you are still using Lynx :-D
    • Re: (Score:3, Insightful)

      by BitZtream (692029)

      You're going to stop using Java because you just heard about someone making malware that pretends to be the updater ...

      If you're going to stop using any software package that has been used as a facade for a malware infection that you probably just need to stop using your computer now, I don't know of an OS that hasn't been attacked with a fake dialog trying to trick a user.

      • Re: (Score:3, Funny)

        by Volante3192 (953645)

        I don't know of an OS that hasn't been attacked with a fake dialog trying to trick a user.

        From the comments I see here regularly, apparently Linux and OS X.

        • Re: (Score:3, Funny)

          by Chris Mattern (191822)

          I have never seen a fake Linux dialog. I've had my browser in Linux display fake *Windows* dialogs. They tend to be fairly...obvious.

      • You should get out more.......
      • I don't know of an OS that hasn't been attacked with a fake dialog trying to trick a user.

        Me neither, and sometimes I even fall prey to it.
        # sudo apt-get install malware
        Password:
        Reading package lists... Done
        Building dependency tree
        Reading state information... Done
        The following NEW packages will be installed:
        cool-benign-app-1.1
        After this operation, 1.6MB of additional disk space will be used.
        Do you want to continue? [Y/n]? y

        I did that and got infected. WTF?! I'll never use cool-benign-app ag

      • What dialogs? Real men don’t need no stinkin” GUIs!

        Yes, I’m posting this, by holding an acoustic coupler like a telephone and whistling. Now get off my line!

  • about a month ago, while going through the motions of updating java one day (clicking on all those security warnings, running the little interface), i thought: to hack a system, why not just copy this stupid little interface and have the user gleefully click through all of the little security warnings?

    and now my fleeting paranoia is reality: you can't trust the updaters anymore

    which makes this news from two days ago all the more prescient:

    http://it.slashdot.org/article.pl?sid=10/03/24/189248 [slashdot.org]

    "Microsoft To Distribute Third-Party Patches"

    furthermore, i despise the fact that just because i have quicktime and adobe and java installed, i have to always have these useless potentially bogus processes constantly running in the background doing nothing but waiting for their once monthly updates

    it makes much better sense to have ALL software updated through one repository which, obviously, has to be microsoft

    now microsoft is responsible for a secure update process, you don't have to worry about 9 different third party update mechanisms and have them constantly running, and finally, the big fat shiny nail in the coffin: you don't have to worry about this malware posing as an updater

    a negative being: now you're pretty much sending microsoft a manifest of all of your installed software every time you get an update, but i see no way around that without this new hack entering the picture

    • Re: (Score:2, Troll)

      by BitZtream (692029)

      You mean after at least 15 years of popup ups on web pages trying to appear to be desktop applications for 'cleaning your registry' or 'defragmenting your system' ... that you JUST NOW realized they might actually do it with real desktop apps ....

      Seriously? Is this your first day on the Internet?

      • there's a difference between a pop up in a browser frame and a modal dialog box from an application

        and, get this, you can actually see the difference

        and, i hope i'm not getting too far ahead of you here, it matters in terms of what kind of attack vector you are dealing with

        have i totally blown your mind yet? ;-P

    • s/microsoft/debian
    • Re: (Score:3, Interesting)

      by CranberryKing (776846)
      It is surprising that MS hasn't done this yet. I don't think every app should be required to go through through a package manager, but it just makes sense for the big ones. GNU/Linux has had this for years. And I've had it with Adobe.
      • Re: (Score:2, Insightful)

        by Anonymous Coward

        But then how would the apps use their fancy new updater with the "purchase premium version" and other nonsense advertisements for toolbars and other bullshit?

      • by thejynxed (831517)

        I think they should. They should also all require signing by Microsoft and the software vendor, which can be revoked by Microsoft and locally by system administrators.

        I for one, would welcome Steam as an integrated part of Windows 8.

        Wow, if they did that, I would have an actual use for that TPM chip that's sitting on my motherboard.

    • By the way, that article title was bullshit, it was about a 3rd party product that integrates with Microsoft's own WSUS server (used to distribute and control patching of Microsoft software) and uses it's api to distribute third party patches. It costs money, a decent amount of money. MS is not taking on the task of distributing 3rd party patches. You can read my comment on that story if you want to learn more about Secunia's product, I beta tested it. It's bad enough the editors do their best to pass on ignorance and misinformation, please don't help them.

    • by mcgrew (92797) *

      furthermore, i despise the fact that just because i have quicktime and adobe and java installed, i have to always have these useless potentially bogus processes constantly running in the background doing nothing but waiting for their once monthly updates

      it makes much better sense to have ALL software updated through one repository which, obviously, has to be microsoft

      I think it makes more sense for these apps to STFU and not run at all, unless another program calls them. THEN it can update, or better yet, j

      • by dissy (172727)

        I think it makes more sense for these apps to STFU and not run at all, unless another program calls them. THEN it can update, or better yet, just have an updater run on boot then shut itself the hell off until you need the app.

        Or someone should introduce their programmers to crontab and Scheduled Tasks, as those were invented to do exactly that while using the least resources as possible.

    • by Vexo (825223)

      it makes much better sense to have ALL software updated through one repository which, obviously, has to be microsoft

      Yes of course - why waste time finding exploits in individual update services when it's so much easier to just go ahead and infect everything at once.

    • by Talennor (612270)

      about a month ago, while going through the motions of updating java one day (clicking on all those security warnings, running the little interface), i thought: to hack a system, why not just copy this stupid little interface and have the user gleefully click through all of the little security warnings?

      Because by the time you've overwritten the updater software and you're displaying a UI you're already running code on the system. A prerequisite to your idea is that the system already be hacked. So no, it can't help you hack a system.

      Basically, a virus will not let you know what it's doing. And your autoupdate services are either already running malicious code or they won't go out and download bad stuff. You're perfectly safe going through dialogs and letting Java update itself.

    • by Bigjeff5 (1143585)

      Correctly written these updaters would use essentially no resources at all while loaded, unfortunately that is not the case.

      You could have 50 of them running and not doing anything, but no, can't do that can we?

  • Thiefs! (Score:1, Funny)

    by Anonymous Coward

    They have stolen my idea! Can I patent malware?

    • Re: (Score:3, Interesting)

      by Anachragnome (1008495)

      "Can I patent malware?"

      Interesting question.

      Maybe if all of this was patented, the person with the patents could then sue the snot out of all the people using this malware (the distributors of it) and ask for subpoenas to get them IDed so that they could be reported to the Feds for prosecution.

      Wait. Bad idea. Putting something like that in the hands of Patent Trolls would be the end of Civilization as we know it...and we all know the additional costs of Malware would simply be passed on to the customer.

  • by DigitalSorceress (156609) on Friday March 26, 2010 @02:51PM (#31630464)

    I used to sit there and think, "well, if I were a criminal, I'd do this, that and the other" (this that and the other being stuff like replacing updaters, faking out security software so it couldn't update, having multiple processes that "watchdogged" each other, yada yada). Nowadays, they're doing that shit and a whole lot more I never thought of.

    Once your system is comprised, it's pretty much never a good idea to trust it until its been completely rebuilt from the ground up.

    I'm currently in the middle of doing this for a friend. Whatever the heck he had was so dug in that I had him replace the hard drive, reinstall a fresh OS, patch up, reinstall apps from disk, and now I'm restoring his user data from the original drive (carefully with auto-run disabled) mounted from a USB enclosure.

    • by Anonymous Coward

      Yes. I think that the people who design modern malware need to burn in a special circle of hell. The persistence of a lot of this software is staggering to say the least...

    • by spedrosa (44674)

      You had him *replace* a harddrive because of malware?

    • Re: (Score:2, Informative)

      by Anonymous Coward

      Check the HPA (host protected area) of the drive. I'd wager it's hiding in there.

  • by WD (96061) on Friday March 26, 2010 @03:03PM (#31630634)

    I don't get it. If your system has had Administrator-owned files replaced with malicious versions, then your system has already been compromised! Game over. It's already too late.

  • Adobe (Score:4, Insightful)

    by dandart (1274360) on Friday March 26, 2010 @03:38PM (#31631150)
    Now if that's not an excuse to get away from Adobe Reader, what is? This [slashdot.org]?
  • One central updater.. for everything! Plus its Linux, so its not like there's malware there anyway.

    I did notice one time though that the Ubuntu updater did update Firefox and a bunch of things stopped working. I had to reboot to clear it. I tracked it down to a library that had been updated, that apparently was confusing ld or something. Would have been nice to have been warned...

    Anyway, the fact that there is only one updater is a win for Linux.

  • That is a really good strategy as lots corporate device control polices will have exceptions for those sorts of things. Now admins should be using hashes to check those but we all know they just trust the name because its a pain to update their policy evertime an updater gets updated.

  • When Microsoft introduced Windows Update there was a lot of speculation that it would be compromised and used as an infection vector. That threat never seemed to materialize. I always thought that the 3rd party apps like Adobe, Java, etc would be more vulnerable due to the fact that they run on the local machine.

    At the rate it takes Microsoft to adjust, we should have a centralized patch management system by 2020.

  • I'm tired of malware being differentiated just because it comes from a commercial entity. When you're replacing things that are practically system components (assuming most people have adobe pdf reader installed) then as far as I'm concerned this is a trojan, not some innocent advertising software.

    Companies that make this software are getting too easy a ride on this and should be taken to court the same way someone who writes an Internet Worm would.

10 to the 12th power microphones = 1 Megaphone

Working...