If you live on this planet, you must have definitely have heard of the new malware that is making use of a zero-day vulnerability in Adobe Reader.
This malware is called MiniDuke, and it is slowly but surely becoming the nightmare of any company:
- it is polymorphic – there are thousands of variants in the wild.
- it is using an exploit in a highly popular software product – Adobe Reader.
- it starts its actions once the operating system is rebooted, so it cannot be easily associated with an action which the user did just before the infection.
- the malware copies itself multiple times on the computer, so the cleaning it is rather complex.
- it makes connections to various Comand and Control (C&C) servers around the world, so it can’t be easily stopped just by shutting down of few of these servers.
- it can dynamically find other C&C servers using simple Google searches.
- it uses Twitter to spread links to other C&C servers.
- it obfuscates the downloads of the real payload containing the malware by downloading first GIF files (small icons)
All Avira users are protected and the malicious files are detected as
- EXP/MiniDukeGif.A – exploited GIF samples
- EXP/MiniDuke.A – exploited PDF samples
- TR/MiniDuke.A – the payload binaries
We were able to detect components used in MiniDuke in other malware dating from 2010. Due to the high complexity, the analysis of the samples continues and an update will be posted here.
Because of the huge number of exploit samples currently we’re working on a generic exploit detection for the PDF and GIF files.
An engine update was released adding the generic detection of the payload as “TR/Crypt.XPack.gen” and “TR/Dropper.gen”.