New malware overwrites software updaters

IDG News Service - For the first time security researchers have spotted a type of malicious software that overwrites update functions for other applications, which could pose additional long-term risks for users.

The malware, which infects Windows computers, masks itself as an updater for Adobe Systems' products and other software such as Java, wrote Nguyen Cong Cuong, an analyst with Bach Khoa Internetwork Security (BKIS), a Vietnamese security company, on its blog.

BKIS showed screen shots of a variant of the malware that imitates Adobe Reader version 9 and overwrites the AdobeUpdater.exe, which regularly checks in with Adobe to see if a new version of the software is available.

Users can inadvertently install malware on computers if they open malicious e-mail attachments or visit Web sites that target specific software vulnerabilities. Adobe's products are one of the most targeted by hackers due to their wide installation base.

After this particular kind of malware gets onto a machine, it opens a DHCP (Dynamic Host Configuration Protocol) client, a DNS (Domain Name System) client, a network share and a port in order to received commands, BKIS said.

Malware that poses as an updater or installer for applications such as Adobe's Acrobat or Flash are nothing new, said Rik Ferguson, senior security advisor for Trend Micro.

Decent security software should detect the malware, but those people who do become infected could be worse off even if the malware is removed, Ferguson said.

"They will lose the auto-updating functionality of whatever software is affected even after the malware is cleaned up," Ferguson said. "That could of course leave them open to exploitation further down the line if critical vulnerabilities don't get patched as a result."

That means that users would need to manually download the software again, which they may be unlikely to do if they don't know the effect of the malware.