Symantec Protects Against Files Misusing Adobe Code Signing Certificate

On September 27, Adobe posted a blog stating that the company is investigating the inappropriate use of an Adobe code signing certificate for the Windows operating system. Symantec is aware of this issue and has added protection to detect any unauthorized file signed by the Adobe certificate in question as Trojan.Abe. We are currently aware of two utilities, totaling three files, that are signed by this certificate and appear to come from one particular source. One is a publicly available password dump tool; the other is an ISAPI filter that redirects Internet traffic on a Web server and, to our knowledge, is not publicly available. Details of the files are listed below:

PwDump7.exe

MD5 hash: 130F7543D2360C40F8703D3898AFAC22

Signature timestamp: Thursday, July 26, 2012 8:44:40 PM PDT (GMT -7:00)

libeay32.dll

MD5 hash: 095AB1CCC827BE2F38620256A620F7A4

Signature timestamp: Thursday, July 26, 2012 8:44:13 PM PDT (GMT -7:00)

myGeeksmail.dll

MD5 hash: 46DB73375F05F09AC78EC3D940F3E61A

Signature timestamp: Wednesday, July 25, 2012 8:48:59 PM (GMT -7:00)

We believe these files are only used in highly targeted attacks and the number of users at risk is extremely small. As stated above, Symantec products protect against any type of file that may have been signed by the certificate. Symantec customers are advised to ensure that their file definitions are up to date.

More details about the incident can be found in Adobe’s security advisory.