Adobe hacked, malware signed as Adobe

Fake Adobe utilities used to scoop Windows password hashes.
Liam Tung (CSO Online), 28 September 2012 08:09

Adobe says “advanced persistent” hackers broke into its software development servers and compromised its code signing certificate procedures to pass off Windows malware as trusted Adobe products.

“We have identified a compromised build server with access to the Adobe code signing infrastructure. We are proceeding with plans to revoke the certificate and publish updates for existing Adobe software signed using the impacted certificate,” Brad Arkin, senior director of security for Adobe products and services, said Thursday.

Adobe said two “malicious utilities” had been signed as coming from it. The first was “pwdump7 v7.1”, designed to extract password hashes from Windows machines, and the second was “myGeeksmail.dll”.

According to Arkin, the hackers did not lift the private key from Adobe's digital key management repository; instead, in early July they gained entry to servers that were trusted to request signatures from the signing infrastructure.

“Within minutes of the initial triage of the first sample, we decommissioned our signing infrastructure and began a clean-room implementation of an interim signing service for re-signing components that were signed with the impacted key after July 10, 2012 and to continue code signing for regularly scheduled releases.”

Arkin stressed the breach “only affects the Adobe software signed with the impacted certificate that runs on the Windows platform and three Adobe AIR applications* that run on both Windows and Macintosh”.

Adobe has published a long list of affected products for which it recommends applying the update, including Photoshop CS6 and Flash Player.

New certificates will be issued on October 4.
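The remediation described above follows the standard pattern for a code-signing compromise: revoke the impacted certificate from a cutoff date (here July 10, 2012), keep trusting signatures that a trusted timestamp proves were made before that date, and re-sign everything else with a fresh key. The following Python model is an added example and is not Adobe's code or tooling; it uses HMAC-SHA256 as a stand-in for the Authenticode/RSA signature, and the key ids, secrets, binaries and all dates other than the July 10 cutoff are constructed.

```python
"""Model of a 'revoke-from-a-date' code-signing policy.

Added example (not Adobe's implementation). HMAC-SHA256 stands in for the
real RSA/Authenticode signature; key ids, secrets and binaries are constructed.
"""
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed signing keys, indexed by an id that stands in for the certificate
# thumbprint. In a real deployment the private half would live in an HSM and
# only an authorised signing service could use it.
SIGNING_KEYS = {
    "impacted-cert": b"constructed-secret-A",   # key abused by the attackers
    "replacement-cert": b"constructed-secret-B",  # key issued after the breach
}

# Revocation list: key id -> instant from which the key is considered
# compromised. A signature whose trusted timestamp predates this instant stays
# valid; anything signed later with that key must be re-signed.
REVOCATIONS = {
    "impacted-cert": datetime(2012, 7, 10, tzinfo=timezone.utc),  # date from the article
}


def sign(binary: bytes, key_id: str, signed_at: datetime) -> dict:
    """Return a signature record binding the file digest, the signer and a
    countersignature-style timestamp. The timestamp is inside the signed data,
    so it cannot be backdated without invalidating the signature."""
    digest = hashlib.sha256(binary).hexdigest()
    signed_data = f"{digest}|{key_id}|{signed_at.isoformat()}".encode()
    mac = hmac.new(SIGNING_KEYS[key_id], signed_data, hashlib.sha256).hexdigest()
    return {"digest": digest, "key_id": key_id,
            "timestamp": signed_at.isoformat(), "mac": mac}


def verify(binary: bytes, sig: dict) -> tuple:
    """Check integrity, signer identity and revocation status.
    Returns (accepted, reason)."""
    key = SIGNING_KEYS.get(sig["key_id"])
    if key is None:
        return False, "unknown signer"
    digest = hashlib.sha256(binary).hexdigest()
    signed_data = f"{digest}|{sig['key_id']}|{sig['timestamp']}".encode()
    expected = hmac.new(key, signed_data, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig["mac"]):
        return False, "bad signature or tampered file"
    cutoff = REVOCATIONS.get(sig["key_id"])
    if cutoff is None:
        return True, "valid"
    if datetime.fromisoformat(sig["timestamp"]) < cutoff:
        return True, "valid: signed before revocation cutoff"
    return False, "signed with revoked key after cutoff; must be re-signed"


def demo() -> dict:
    """Run the scenarios from the incident against the policy."""
    utc = timezone.utc
    legit = b"constructed: legitimate product build"
    rogue = b"constructed: unauthorised utility signed via the build server"

    results = {}
    # A genuine release signed with the impacted key before the compromise.
    results["legit_before_cutoff"] = verify(
        legit, sign(legit, "impacted-cert", datetime(2012, 5, 1, tzinfo=utc)))
    # Something signed with the impacted key after the attackers got access.
    results["rogue_after_cutoff"] = verify(
        rogue, sign(rogue, "impacted-cert", datetime(2012, 7, 26, tzinfo=utc)))
    # A genuine release signed after the cutoff: also rejected until re-signed.
    results["legit_after_cutoff"] = verify(
        legit, sign(legit, "impacted-cert", datetime(2012, 8, 1, tzinfo=utc)))
    # The same release re-signed with the replacement key.
    results["legit_resigned"] = verify(
        legit, sign(legit, "replacement-cert", datetime(2012, 10, 4, tzinfo=utc)))
    # A valid signature record attached to a modified file.
    results["tampered"] = verify(
        legit + b"!", sign(legit, "replacement-cert", datetime(2012, 10, 4, tzinfo=utc)))
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:22s} {'ACCEPT' if ok else 'REJECT'}  {reason}")
```

The point the model makes is that revocation alone is a blunt tool: without a trusted timestamp bound into each signature, a verifier cannot distinguish a genuine pre-breach release from something the intruders signed later, and would have to distrust every artifact ever signed with that key.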

While attackers using fraudulently signed malware have a big advantage over potential victims, Adobe believes the threat “does not present a general security risk”, since the tools that were signed are of the kind typically used in targeted attacks, such as the one that compromised Adobe itself.

“Sophisticated threat actors use malicious utilities like the signed samples during highly targeted attacks for privilege escalation and lateral movement within an environment following an initial machine compromise,” said Arkin. 


I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.