Posted by: Robert Westervelt
malware, Rogue Antivirus, scareware
If victims are tricked, the Trojan downloads other malicious files designed to enable attackers to remotely steal data.
TrendLabs engineers have discovered a new trick that uses a phony Adobe update to install a Trojan on victims' machines.
An unsuspecting victim can fall prey to the trick simply by visiting a website hosting the malicious code. The engineers, part of Trend Micro's research team, discovered cybercriminals using the scheme to push a Trojan, Troj_Faykdobe, onto victims' machines.
“This malware bears identical icons and version details to an Adobe update, which enables it to bypass antivirus software and system analysts, and to trick users into believing that it is legitimate,” wrote Oscar Abendan of Trend’s technical communications team in the TrendLabs Malware Blog.
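The lesson a practitioner should take from that quote is that a file's icon and version resource are attacker-controlled and prove nothing; the only vendor claim worth trusting is a valid Authenticode signature chaining to that vendor. The PowerShell check below is an added example written for this page, not code from Trend Micro or the TrendLabs analysis. The function name, the sample download path and the use of "Adobe" as the vendor pattern are assumptions; the logic flags any executable whose version strings claim a vendor that its signature does not back up.

```powershell
# Added example (not from the TrendLabs write-up): compare what a PE file
# *claims* in its version resource with what its Authenticode signature
# actually proves. Troj_Faykdobe-style fakes copy the former; they cannot
# forge the latter without the vendor's signing key.
function Test-SpoofedVendorFile {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumed vendor pattern; a regex matched against version strings
        # and against the O= field of the signer certificate subject.
        [string] $ClaimedVendorPattern = 'Adobe'
    )

    $item = Get-Item -LiteralPath $Path
    $vi   = $item.VersionInfo                      # attacker-controlled metadata
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path

    # Does the version resource present the file as the vendor's?
    $claimsVendor = ($vi.CompanyName     -match $ClaimedVendorPattern) -or
                    ($vi.ProductName     -match $ClaimedVendorPattern) -or
                    ($vi.FileDescription -match $ClaimedVendorPattern)

    # Is that claim backed by a *valid* signature from that vendor?
    # Status other than Valid (NotSigned, HashMismatch, UnknownError, ...)
    # means the claim is unverified, whatever the icon looks like.
    $signer = $null
    $signedByVendor = $false
    if ($sig.SignerCertificate) {
        $signer = $sig.SignerCertificate.Subject
    }
    if ($sig.Status -eq 'Valid' -and $signer) {
        $signedByVendor = $signer -match "O=[^,]*$ClaimedVendorPattern"
    }

    [pscustomobject]@{
        Path            = $Path
        CompanyName     = $vi.CompanyName
        ProductName     = $vi.ProductName
        FileVersion     = $vi.FileVersion
        SignatureStatus = $sig.Status
        Signer          = $signer
        Suspicious      = ($claimsVendor -and -not $signedByVendor)
    }
}

# Usage (paths are assumptions): vet a single "update" before running it,
# or sweep the temp folder, where drive-by droppers commonly land.
Test-SpoofedVendorFile -Path "$env:USERPROFILE\Downloads\AdobeUpdate.exe"

Get-ChildItem -Path $env:TEMP -Filter *.exe -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Test-SpoofedVendorFile -Path $_.FullName } |
    Where-Object Suspicious |
    Format-Table Path, CompanyName, SignatureStatus, Signer -AutoSize
```

A file that claims Adobe in its version strings but comes back `NotSigned`, `HashMismatch`, or signed by some other organisation is exactly the case described above. The check is a necessary condition, not a sufficient one: a valid signature from the right vendor rules out this particular trick, but a genuinely signed binary can still be abused, so treat the result as one signal among several.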
Analysis of the Trojan was conducted by TrendLabs threat response engineer Jessa De La Torre. According to De La Torre, the Trojan drops other malware that terminates certain processes and contacts a remote server for orders. The cybercriminals can then control it remotely to steal account credentials and other data without the victim's knowledge.
The Trojan does not appear to affect users of Windows Vista or Windows 7. It runs on Windows 98, ME, NT, 2000, XP, and Server 2003.
Back in October, the notorious Koobface botnet spread on Facebook using a template that spoofed Adobe's Flash updater, embedded in a fake YouTube page. As in the attack described above, the cybercriminals used legitimate websites to host their malicious code.
Spoofing update utilities is a long-used technique that is growing in popularity as part of the rogue antivirus trend: the scareware is coded to look as if it is part of Windows' own malware detection.