Trojan masquerading as Windows updater targets defense contractors


Security researchers say they've uncovered a remote access Trojan that masquerades as a Microsoft (NASDAQ: MSFT) operating system updater and targets U.S. and foreign defense, aero- and geo-space contractors.

In a joint paper published Jan. 31, security firms Zscaler and Seculert say they both observed, in 2010, Internet traffic to malicious command and control servers that was made to look as though it were related to Microsoft's Windows Update.

In the paper, they dub the Trojan "MSUpdater," adding that its spread has been aided by phishing emails with infected .pdf attachments that take advantage of zero-day vulnerabilities in Adobe Reader. Infected emails have been sent since at least spring 2009, according to data in the paper.

Its operators have favored conference-related subjects as phishing lures. For example, one message used an attachment related to the International Conference on Intelligence Sensors, Sensors Networks and Information Processing. Other malicious attachments reference the IEEE Aerospace Conference and the International Conference and Communications System Software and Middleware.

The Trojan is virtual machine aware, meaning that it is coded to detect whether it is running in a virtualized environment. That makes its detection difficult, since malware analysis is typically done on virtual machines. Once downloaded onto a machine, using the file name msupdater.exe, the Trojan will run in the computer's memory as a common process, often svchost.exe, the paper says.

In a blog post, Zscaler researchers say the Trojan's file name and the HTTP paths used to reach the command and control server (often something like /microsoftupdate/getupdate/default.aspx) combine to keep the infection under the radar.
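The masquerade described above can be hunted in web proxy logs by flagging requests whose path looks like Windows Update but whose host is not a Microsoft update domain. The following is an added example, not code from the paper or from either vendor; the log layout, the trusted-suffix list and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts this organisation accepts as genuine Microsoft update endpoints.
TRUSTED_SUFFIXES = ("microsoft.com", "windowsupdate.com")

# Path shape reported in the article (/microsoftupdate/getupdate/default.aspx),
# generalised to any path segment that name-drops Microsoft/Windows Update.
UPDATE_PATH = re.compile(r"/(microsoft|windows)[-_]?update/", re.IGNORECASE)

def is_trusted(host):
    """True only for a trusted domain or a real subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def find_masquerading_requests(log_lines):
    """Return (client, host, path) for update-looking paths on untrusted hosts."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines
        client, url = fields[1], fields[3]
        parts = urlsplit(url)
        if not parts.hostname:
            continue
        if UPDATE_PATH.search(parts.path) and not is_trusted(parts.hostname):
            hits.append((client, parts.hostname, parts.path))
    return hits

# Constructed sample proxy log: timestamp client method url status
SAMPLE_LOG = [
    "2012-02-01T09:14:02Z 10.0.4.17 GET http://download.windowsupdate.com/msdownload/update/v3/static/a.cab 200",
    "2012-02-01T09:14:40Z 10.0.4.23 POST http://updates.example.net/microsoftupdate/getupdate/default.aspx 200",
    "2012-02-01T09:15:11Z 10.0.4.17 GET http://www.example.org/index.html 200",
    "2012-02-01T09:16:03Z 10.0.4.23 GET http://microsoft.com.example.net/MicrosoftUpdate/getupdate/default.aspx 200",
    "2012-02-01T09:16:30Z 10.0.4.9 GET http://update.microsoft.com/microsoftupdate/v6/default.aspx 200",
]

if __name__ == "__main__":
    for client, host, path in find_masquerading_requests(SAMPLE_LOG):
        print(f"{client} -> {host}{path}")
```

The suffix check compares whole domain labels, so a look-alike host such as microsoft.com.example.net is still flagged.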

For more:
- download the paper, "The 'MSUpdater' Trojan and Ongoing Targeted Attacks" (.pdf)
- go to the Zscaler blog post
- go to a Seculert blog post about the Trojan
