New Malware Overwrites Software Updaters 78
itwbennett writes "Researchers at Bach Khoa Internetwork Security (BKIS), a Vietnamese security company, have found a new type of malware that 'masks itself as an updater for Adobe Systems' products and other software such as Java,' wrote BKIS analyst Nguyen Cong Cuong in a post on the company's blog. BKIS showed screenshots of a variant of the malware that imitates Adobe Reader version 9 and overwrites the AdobeUpdater.exe, which regularly checks in with Adobe to see if a new version of the software is available."
Irony: Adobe and Java updaters targeted (Score:5, Insightful)
I've always filed the original forms of both these aggressive updaters under malware anyway...
Re: (Score:1, Insightful)
How is that ironic?
Re:Irony: Adobe and Java updaters targeted (Score:5, Funny)
Adobe installers are pernicious, sneaky, and they will attempt to install things you don't want. When an installer that acts like malware gets replaced with real malware, that could be classified as 'totally ironic' on the Morrisette Irony Scale.
Re:Irony: Adobe and Java updaters targeted (Score:4, Funny)
... on the Morrisette Irony Scale.
I've got one of those. Mine goes to 10.
Re: (Score:1)
Re: (Score:2)
See http://www.imdb.com/title/tt0088258/ [imdb.com] even.
Well that doesn't mean much (Score:2, Funny)
Seeing as how 'a black fly in your chardonnay' is classified as 'pretty darn ironic' on the Morrisette Scale, I think her scale might be broken.
Re: (Score:1)
Re: (Score:1)
I don't know why people keep saying "Ironic" is not ironic, so I went off to wikipedia:
(1) That song was released in 1996. 14 years ago! Man time flies by fast. I was still just a college kid.
(2) Wikipedia says, "Two situations that Morissette describes in the song are arguably examples of cosmic irony: events that, as the Oxford English Dictionary puts it, appear "as if in mockery of the fitness or rightness of things", such as "a death row pardon..... two minutes too late".
(3) I always figured Moriset
Re:Well that doesn't mean much (Score:4, Funny)
I'm surprised since I thought her songs had achieved higher popularity than that, considering how much I heard them played on the radio.
Yes. Ironic, isn't it? :P
Re: (Score:2)
You misspelled her name. How completely Morissette Ironic!
Re:Irony: Adobe and Java updaters targeted (Score:4, Insightful)
I've always filed the original forms of both these aggressive updaters under malware anyway...
Agreed.
I always disable automatic updating on everything I can... And then I'll manually check it once a month or so.
I realize I'm probably missing some updates, and probably vulnerable to some threats... But I just hate logging in to my computer and getting bombarded with four or five different update notices.
Re: (Score:1)
But I just hate logging in to my computer and getting bombarded with four or five different update notices.
If you actually perform the update, they go away. I've never encountered your "problem" and I've never seen any crapware installed by Adobe's updater set to automatic.
Re: (Score:2)
I dont have that installed but chances are it can be turned of in the services area for windows os. A reboot would probably be required.
That's a Good Idea (Score:3, Insightful)
Re: (Score:2)
You do have to wonder why it would want to do this. If it already has the box rooted, why not just do what it wants? If it doesn't how did it overwrite an application? In OS X you have to type in an admin pw for it to update, but I don't think it could overwrite an application without being root, so I don't know why it would care.
Re: (Score:2)
Because, instead of registering yourself to run by using the registry, you're substituting your payload for a program already set to run. It makes less noise and requires actually scanning the running processes instead of scanning the Windows registry and filenames of running processes. It's also easier for new virus writers to do.
And to contradict this entire thread: GP is missing the point, too. The malware isn't looking for further user interaction. Just a hook on startup to get going and doing its
Re: (Score:2)
if a program can overwrite the updater in general, it could probably overwrite selectively, so it claims to be an already installed higher version number or newer patch than the what the real software is likely to produce in the next few months. Six months, a year or so later, the real updates overlap the malware and replace it, which effectively erases the malware, but it's usually had enough time to do whatever the designer wanted in the interm. The more the target software adheres to a predictable update
I'm torned (Score:5, Funny)
On the one hand, it's malware, on the other hand it replaces software from Adobe.
I can't decide if it's an enhancement or not.
Re:I'm torned (Score:4, Funny)
So... malware disguising itself as malware? Brilliant!
Re:I'm torned (Score:4, Funny)
Re: (Score:2)
If you have an Adobe application, you must think having it is better than not (or else, what is it doing there). I keep the reader around because it can do the most complicated pdfs better than any other reader. Annoying that this is how the pdf standard is... I keep a copy of word around for the same reason.
Re: (Score:1, Interesting)
OSS Alts Exist for reading PDF's that don't have this pushy update system. That's the problem is that when you launch any adobe produce, it launches the updater, which is the problem(Executable redirect). ;
Re: (Score:2)
I don't deny that OSS alternatives exist. However, there are pdf documents that they don't layout correctly--so I need acrobat reader. Sometimes even LaTeX can break them and jstor is really likely to.
Re:I'm torned (Score:4, Interesting)
I completely neutered my copy of Adobe. I removed all the plug-in DLLs that did stuff I don't need or care about, or that were a security threat: accessibility, web linking, etc. I shut off Javascript execution in the preferences panel. And I disabled and removed everything related to Adobe Updater. If I feel like updating it, I will. (Hint: I don't.)
I can still view ordinary documents without trouble. I can't "use" a form in the way that some companies have replaced their web browsers with Adobe front ends, but that's OK by me -- it's not required for my day job, and I certainly don't have to give fools like that my personal business.
As a bonus, Adobe Reader launches much faster than before.
Re: (Score:2)
Would you be willing to share the process you used to do that?
Re: (Score:3, Informative)
I started by opening the Program Files\Adobe\Reader x.x\ folder. You'll see a folder called plug_ins. Make a new folder called "unwanted_plug_ins". Open the original plug_ins folder and you'll see a bunch of .API files (they're just renamed DLLs.)
I picked through them by name, and got rid of the obvious ones first: SendMail.API, ReadOutLoud.API, weblink.API, etc. I just dragged them to the "unwanted" folder. I then opened Adobe Reader and did some simple viewing tests with an existing PDF to make sure
Re:I'm torned - going offtopic (Score:2, Insightful)
I completely neutered my copy of Adobe.
Just curious, instead of going to all that trouble, why wouldn't something like Foxit be simpler and easier with similar results?
Re: (Score:2)
Or you could have simply installed another PDF reader!
Did you buy an iPhone and jail-broke it, by any chance? ;)
Re: (Score:3, Insightful)
Re:I'm torned (Score:4, Informative)
This is slashdot*. "Reading" has absolutely nothing to do with any post, any comment, any moderation, or any action or decision here whatsoever.
You must be new here.
*Yes, I am kicking you into a pit as I yell that.
Even TFA admits nothing new (Score:4, Informative)
The only way you can tell if you are infected (Score:5, Funny)
If your copy of AdobeUpdater.exe runs reliably without unexplained crashing, you are probably running the malware version.
Adobe was removed 3 years ago (Score:3, Interesting)
What difference will that make to my general new-fangled-interweb experience?
Enquiring minds need to know...
Re:Adobe was removed 3 years ago (Score:4, Funny)
Re: (Score:3, Insightful)
You're going to stop using Java because you just heard about someone making malware that pretends to be the updater ...
If you're going to stop using any software package that has been used as a facade for a malware infection that you probably just need to stop using your computer now, I don't know of an OS that hasn't been attacked with a fake dialog trying to trick a user.
Re: (Score:3, Funny)
I don't know of an OS that hasn't been attacked with a fake dialog trying to trick a user.
From the comments I see here regularly, apparently Linux and OS X.
Re: (Score:3, Funny)
I have never seen a fake Linux dialog. I've had my browser in Linux display fake *Windows* dialogs. They tend to be fairly...obvious.
Re: (Score:2)
It's still a fake dialog trying to trick the user. In your case, it just didn't succeed.
Re: (Score:2)
damn fake dialogs! (Score:2)
Me neither, and sometimes I even fall prey to it.
# sudo apt-get install malware
Password:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
cool-benign-app-1.1
After this operation, 1.6MB of additional disk space will be used.
Do you want to continue? [Y/n]? y
I did that and got infected. WTF?! I'll never use cool-benign-app ag
Re: (Score:2)
What dialogs? Real men don’t need no stinkin” GUIs!
Yes, I’m posting this, by holding an acoustic coupler like a telephone and whistling. Now get off my line!
i had a bout of paranoia where i imagined this (Score:5, Interesting)
about a month ago, while going through the motions of updating java one day (clicking on all those security warnings, running the little interface), i thought: to hack a system, why not just copy this stupid little interface and have the user gleefully click through all of the little security warnings?
and now my fleeting paranoia is reality: you can't trust the updaters anymore
which makes this news from two days ago all the more prescient:
http://it.slashdot.org/article.pl?sid=10/03/24/189248 [slashdot.org]
"Microsoft To Distribute Third-Party Patches"
furthermore, i despise the fact that just because i have quicktime and adobe and java installed, i have to always have these useless potentially bogus processes constantly running in the background doing nothing but waiting for their once monthly updates
it makes much better sense to have ALL software updated through one repository which, obviously, has to be microsoft
now microsoft is responsible for a secure update process, you don't have to worry about 9 different third party update mechanisms and have them constantly running, and finally, the big fat shiny nail in the coffin: you don't have to worry about this malware posing as an updater
a negative being: now you're pretty much sending microsoft a manifest of all of your installed software every time you get an update, but i see no way around that without this new hack entering the picture
Re: (Score:2, Troll)
You mean after at least 15 years of popup ups on web pages trying to appear to be desktop applications for 'cleaning your registry' or 'defragmenting your system' ... that you JUST NOW realized they might actually do it with real desktop apps ....
Seriously? Is this your first day on the Internet?
believe it or not (Score:1, Flamebait)
there's a difference between a pop up in a browser frame and a modal dialog box from an application
and, get this, you can actually see the difference
and, i hope i'm not getting too far ahead of you here, it matters in terms of what kind of attack vector you are dealing with
have i totally blown your mind yet? ;-P
Re: (Score:3, Informative)
Not to 90% of users there isn't.
Re: (Score:1)
Re: (Score:3, Interesting)
Re: (Score:2, Insightful)
But then how would the apps use their fancy new updater with the "purchase premium version" and other nonsense advertisements for toolbars and other bullshit?
Re: (Score:1)
I think they should. They should also all require signing by Microsoft and the software vendor, which can be revoked by Microsoft and locally by system administrators.
I for one, would welcome Steam as an integrated part of Windows 8.
Wow, if they did that, I would have an actual use for that TPM chip that's sitting on my motherboard.
Re:i had a bout of paranoia where i imagined this (Score:4, Informative)
By the way, that article title was bullshit, it was about a 3rd party product that integrates with Microsoft's own WSUS server (used to distribute and control patching of Microsoft software) and uses it's api to distribute third party patches. It costs money, a decent amount of money. MS is not taking on the task of distributing 3rd party patches. You can read my comment on that story if you want to learn more about Secunia's product, I beta tested it. It's bad enough the editors do their best to pass on ignorance and misinformation, please don't help them.
Re: (Score:2)
furthermore, i despise the fact that just because i have quicktime and adobe and java installed, i have to always have these useless potentially bogus processes constantly running in the background doing nothing but waiting for their once monthly updates
it makes much better sense to have ALL software updated through one repository which, obviously, has to be microsoft
I think it makes more sense for these apps to STFU and not run at all, unless another program calls them. THEN it can update, or better yet, j
Re: (Score:2)
I think it makes more sense for these apps to STFU and not run at all, unless another program calls them. THEN it can update, or better yet, just have an updater run on boot then shut itself the hell off until you need the app.
Or someone should introduce their programmers to crontab and Scheduled Tasks, as those were invented to do exactly that while using the least resources as possible.
Re: (Score:1)
it makes much better sense to have ALL software updated through one repository which, obviously, has to be microsoft
Yes of course - why waste time finding exploits in individual update services when it's so much easier to just go ahead and infect everything at once.
Re: (Score:2)
about a month ago, while going through the motions of updating java one day (clicking on all those security warnings, running the little interface), i thought: to hack a system, why not just copy this stupid little interface and have the user gleefully click through all of the little security warnings?
Because by the time you've overwritten the updater software and you're displaying a UI you're already running code on the system. A prerequisite to your idea is that the system already be hacked. So no, it can't help you hack a system.
Basically, a virus will not let you know what it's doing. And your autoupdate services are either already running malicious code or they won't go out and download bad stuff. You're perfectly safe going through dialogs and letting Java update itself.
Re: (Score:2)
Correctly written these updaters would use essentially no resources at all while loaded, unfortunately that is not the case.
You could have 50 of them running and not doing anything, but no, can't do that can we?
Thiefs! (Score:1, Funny)
They have stolen my idea! Can I patent malware?
Re: (Score:3, Interesting)
"Can I patent malware?"
Interesting question.
Maybe if all of this was patented, the person with the patents could then sue the snot out of all the people using this malware (the distributors of it) and ask for subpoenas to get them IDed so that they could be reported to the Feds for prosecution.
Wait. Bad idea. Putting something like that in the hands of Patent Trolls would be the end of Civilization as we know it...and we all know the additional costs of Malware would simply be passed on to the customer.
Oh, for the good old days... (Score:5, Interesting)
I used to sit there and think, "well, if I were a criminal, I'd do this, that and the other" (this that and the other being stuff like replacing updaters, faking out security software so it couldn't update, having multiple processes that "watchdogged" each other, yada yada). Nowadays, they're doing that shit and a whole lot more I never thought of.
Once your system is comprised, it's pretty much never a good idea to trust it until its been completely rebuilt from the ground up.
I'm currently in the middle of doing this for a friend. Whatever the heck he had was so dug in that I had him replace the hard drive, reinstall a fresh OS, patch up, reinstall apps from disk, and now I'm restoring his user data from the original drive (carefully with auto-run disabled) mounted from a USB enclosure.
Re: (Score:1)
Yes. I think that the people who design modern malware need to burn in a special circle of hell. The persistence of a lot of this software is staggering to say the least...
Re: (Score:1)
You had him *replace* a harddrive because of malware?
Re: (Score:2, Informative)
Check the HPA (host protected area) of the drive. I'd wager it's hiding in there.
Who cares? You're already compromised (Score:3, Interesting)
I don't get it. If your system has had Administrator-owned files replaced with malicious versions, then your system has already been compromised! Game over. It's already too late.
Adobe (Score:4, Insightful)
That's why I love Linux (Score:2)
One central updater.. for everything! Plus its Linux, so its not like there's malware there anyway.
I did notice one time though that the Ubuntu updater did update Firefox and a bunch of things stopped working. I had to reboot to clear it. I tracked it down to a library that had been updated, that apparently was confusing ld or something. Would have been nice to have been warned...
Anyway, the fact that there is only one updater is a win for Linux.
A really good strategy (Score:2)
That is a really good strategy as lots corporate device control polices will have exceptions for those sorts of things. Now admins should be using hashes to check those but we all know they just trust the name because its a pain to update their policy evertime an updater gets updated.
I'm surprised it took so long (Score:2)
When Microsoft introduced Windows Update there was a lot of speculation that it would be compromised and used as an infection vector. That threat never seemed to materialize. I always thought that the 3rd party apps like Adobe, Java, etc would be more vulnerable due to the fact that they run on the local machine.
At the rate it takes Microsoft to adjust, we should have a centralized patch management system by 2020.
Re: (Score:2)