'MiniDuke' malware takes aim at Euro governments via Adobe

CNET [27/02/13]

According to security firm Kaspersky Lab, the malware makes its way onto victims' computers through malicious PDFs.

Make sure you update your Adobe Reader.
(Credit: Screenshot by Lance Whitney/CNET) [SOURCE: http://news.cnet.com]
A new attack is targeting European governments through flaws exploited in Adobe's Reader software, according to security researchers.

Kaspersky Lab and CrySys Lab today detailed a new malicious program in the wild, called "MiniDuke," that has been attacking government entities and institutions across Europe. Government entities in Ukraine, Portugal, Romania, and other countries have been targeted, according to the researchers.

MiniDuke finds its way onto computers through PDFs. The hackers -- who Kaspersky believes might have been dormant for some time, because the technique resembles those used in the late 1990s -- have crafted highly convincing decoy PDFs. Once the file is opened on a computer, the exploit, which was written in assembly language and is only 20KB in size, takes advantage of unpatched flaws in Reader versions 9, 10, and 11.
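The article does not say what the MiniDuke PDFs contain beyond "flaws in Reader," so the following is a generic triage check rather than a signature for this campaign. It is an added example, not code from CNET, Kaspersky or CrySys: it looks for PDF names that indicate active content (OpenAction, JavaScript, Launch and so on), undoes the `#xx` hex escaping that PDF allows in names, and inflates Flate-compressed streams so that dictionaries hidden inside them are scanned too. Both sample documents are constructed for this example; the list of risky names and the "opaque stream" count are this example's own choices.

```python
import re
import zlib

# PDF name tokens that signal active content; a hit is a triage signal for an analyst, not proof of malice
RISKY_NAMES = {"JavaScript", "JS", "OpenAction", "AA", "Launch", "EmbeddedFile", "RichMedia", "XFA"}
NAME_TOKEN = re.compile(rb"/([A-Za-z0-9#]+)")
STREAM_BODY = re.compile(rb"\bstream\r?\n(.*?)endstream", re.S)


def decode_pdf_name(raw):
    """Undo #xx hex escapes in a PDF name, so /J#61vaScript is recognised as JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), raw)


def _count_risky_names(chunk, hits):
    for raw in NAME_TOKEN.findall(chunk):
        name = decode_pdf_name(raw).decode("latin-1")
        if name in RISKY_NAMES:
            hits[name] = hits.get(name, 0) + 1


def triage_pdf(data):
    """Report risky names visible in the file body and inside Flate-compressed streams."""
    report = {"is_pdf": data.startswith(b"%PDF-"), "hits": {}, "streams": 0,
              "opaque_streams": 0, "suspicious": False}
    if not report["is_pdf"]:
        return report
    bodies = []

    def _collect(m):
        bodies.append(m.group(1))
        return b"stream endstream"  # marker keeps the surrounding dictionaries scannable

    outside = STREAM_BODY.sub(_collect, data)
    _count_risky_names(outside, report["hits"])
    report["streams"] = len(bodies)
    for body in bodies:
        try:
            # decompressobj tolerates the newline that precedes 'endstream'
            inflated = zlib.decompressobj().decompress(body)
        except zlib.error:
            report["opaque_streams"] += 1  # not zlib: another filter or raw binary, needs manual review
            continue
        _count_risky_names(inflated, report["hits"])
    report["suspicious"] = bool(report["hits"])
    return report


# Constructed sample: a minimal benign PDF skeleton with no active content
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
              b"2 0 obj\n<< /Type /Pages /Count 0 /Kids [] >>\nendobj\n%%EOF\n")

# Constructed sample: the action dictionary is hidden in a Flate stream and its name is hex-escaped
_HIDDEN = zlib.compress(b"<< /S /J#61vaScript /JS (placeholder) >>")
SUSPICIOUS_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
    + b"2 0 obj\n<< /Length " + str(len(_HIDDEN)).encode() + b" /Filter /FlateDecode >>\nstream\n"
    + _HIDDEN + b"\nendstream\nendobj\n%%EOF\n"
)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        print(label, triage_pdf(blob))
```

A scanner like this is a first filter for a mail gateway or an analyst's inbox: documents with no hits and no opaque streams are low priority, documents with hits or with streams the scanner cannot inflate go to a sandbox or a manual look. It does not detect the memory-corruption bugs themselves; patching Reader does that.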

Once the downloaded program is running on the computer, it creates a unique identifier and encrypts its communication with its operators. It also has built-in mechanisms that attempt to fool antivirus software and security professionals into believing it is innocuous.

After all of the checks and safeguards are in place, the software connects to Twitter to look for tweets from premade accounts, according to Kaspersky. Those tweets contain tags with encrypted URLs pointing to backdoors that can send it commands and deliver further backdoors through GIF files.
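The article says further backdoors arrive "through GIF files" but not how the payload is carried, so the check below is generic: it walks the GIF block structure (header, colour tables, extension and image blocks) to the 0x3B trailer and reports anything that follows it, since a well-formed image has nothing after the trailer. This is an added example, not code from the article or from Kaspersky; the 43-byte sample image and the appended blob are constructed here, and the entropy threshold and the MZ check are this example's own heuristics for "appended data that looks like a packed or encrypted executable."

```python
import math
import struct
from collections import Counter

GIF_HEADERS = (b"GIF87a", b"GIF89a")
BLOCK_EXTENSION, BLOCK_IMAGE, BLOCK_TRAILER = 0x21, 0x2C, 0x3B
HIGH_ENTROPY = 7.0  # bits per byte; encrypted or compressed data sits near 8.0


def _color_table_size(packed):
    """Byte length of a colour table described by a packed flags byte (0 when bit 7 is clear)."""
    return 3 * (2 ** ((packed & 0x07) + 1)) if packed & 0x80 else 0


def _skip_sub_blocks(data, pos):
    """Advance past a chain of length-prefixed sub-blocks; return the offset after the 0x00 terminator."""
    while True:
        if pos >= len(data):
            raise ValueError("sub-block chain runs past end of file")
        size = data[pos]
        pos += 1 + size
        if size == 0:
            return pos
        if pos > len(data):
            raise ValueError("sub-block data runs past end of file")


def shannon_entropy(buf):
    """Shannon entropy in bits per byte."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def _walk(data, report):
    """Parse the block sequence up to the trailer; raises ValueError on malformed input."""
    _w, _h, packed = struct.unpack("<HHB", data[6:11])  # logical screen descriptor
    pos = 13 + _color_table_size(packed)                 # skip the global colour table if present
    while True:
        if pos >= len(data):
            raise ValueError("file ends before the 0x3B trailer")
        block = data[pos]
        pos += 1
        if block == BLOCK_TRAILER:
            report["trailer_offset"] = pos - 1
            return pos
        if block == BLOCK_EXTENSION:
            if pos >= len(data):
                raise ValueError("truncated extension block")
            pos = _skip_sub_blocks(data, pos + 1)  # +1 skips the extension label byte
        elif block == BLOCK_IMAGE:
            if pos + 10 > len(data):
                raise ValueError("truncated image descriptor")
            # 9 descriptor bytes, optional local colour table, then the LZW minimum code size byte
            pos += 9 + _color_table_size(data[pos + 8]) + 1
            pos = _skip_sub_blocks(data, pos)
        else:
            raise ValueError(f"unknown block id 0x{block:02x} at offset {pos - 1}")


def analyze_gif(data):
    """Walk the GIF structure and report any bytes that are not part of the image."""
    report = {"is_gif": False, "trailer_offset": None, "trailing_bytes": 0,
              "trailing_entropy": 0.0, "findings": [], "suspicious": False}
    if len(data) < 13 or data[:6] not in GIF_HEADERS:
        report["findings"].append("not a GIF: bad or missing header")
    else:
        report["is_gif"] = True
        try:
            end = _walk(data, report)
        except ValueError as err:
            report["findings"].append(f"malformed: {err}")
        else:
            trailing = data[end:]
            report["trailing_bytes"] = len(trailing)
            if trailing:
                ent = shannon_entropy(trailing)
                report["trailing_entropy"] = ent
                report["findings"].append(f"{len(trailing)} bytes appended after the GIF trailer")
                if trailing[:2] == b"MZ":
                    report["findings"].append("appended data starts with an MZ (DOS/PE) header")
                if ent > HIGH_ENTROPY:
                    report["findings"].append(f"appended data is high-entropy ({ent:.2f} bits/byte)")
    report["suspicious"] = bool(report["findings"])
    return report


# Constructed sample: a valid 1x1 GIF (43 bytes) assembled by hand for this example
CLEAN_GIF = (
    b"GIF89a"                                    # header
    b"\x01\x00\x01\x00\x80\x00\x00"              # logical screen: 1x1, global colour table with 2 entries
    b"\x00\x00\x00\xff\xff\xff"                  # global colour table: black, white
    b"\x21\xf9\x04\x01\x00\x00\x00\x00"          # graphic control extension
    b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"  # image descriptor, no local colour table
    b"\x02\x02\x44\x01\x00"                      # LZW min code size, one 2-byte sub-block, terminator
    b"\x3b"                                      # trailer
)
# Constructed sample: the same image with a fake high-entropy blob appended after the trailer
SUSPICIOUS_GIF = CLEAN_GIF + b"MZ" + bytes(range(256)) * 4

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_GIF), ("suspicious", SUSPICIOUS_GIF)):
        print(label, analyze_gif(blob))
```

Run over images fetched by a proxy or dropped in a user's profile, the check separates files that are only an image from files that are an image plus something else; a truncated or structurally broken file is reported as well, since a decoder would also choke on it. Payloads hidden inside legitimate pixel data would not be caught this way, so the trailer check complements rather than replaces inspection of the process that downloaded the file.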

The backdoors are especially dangerous. Once running on the computer, they let the hackers read, move, or delete files and create directories.

The hackers were exploiting bugs that Adobe patched in an update last week; the bugs could cause Adobe's programs to crash and allow an attacker to gain control of an infected computer. Adobe acknowledged a week before the update that the flaws were being exploited against its software, but it did not provide further details on the nature of those attacks.

However, according to Kaspersky, the attacks are still active, and the last MiniDuke update was pushed out on February 20, indicating that the hackers might have found a workaround for the patches.

It's not clear what the hackers are looking to steal, but the fact that they have targeted government entities provides some insight.

CNET has contacted Adobe for comment on the hack. We will update this story when we have more information.
