Anti-Malware Research

How to Target a Collection Tool – MiniDuke

The 2012 sample of MiniDuke is now fully analyzed and the results are in, revealing a surprisingly simple and effective way to target a spy e-threat while avoiding “collateral damage” and thus premature detection.

Bitdefender anti-malware researcher Marius Tivadar has provided the details: the 2012 version of MiniDuke uses CVE-2011-2462, a vulnerability that was being exploited in the wild as early as December 2011. The sample is, as mentioned, from 2012-05-14.

It comes packaged as an invitation to a conference, in .pdf format. The conference was real and started about a month later; the people whose signatures and contact data appear in the invitation are real and can actually be reached at the specified addresses and phone numbers. However, the invitation as a whole is a hoax: it uses very domain-specific language, but also a photo lifted from a UN website that has nothing to do with the conference or its eventual attendees.

The trick used to prevent unwitting third parties from opening the malicious .pdf and becoming infected themselves is really quite simple – the file is password-protected. Presumably, instructions to retrieve the password were contained in the e-mail. Without the proper password, the file is perfectly innocuous, in that it can be passed around from system to system with no danger of infection.
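The password-protection trick described above also hides the malicious content from any scanner that lacks the password: the encrypted streams cannot be content-scanned, so a gateway that treats "no detection" as "clean" will wave the file through. As an added example, not code from the article or from Bitdefender, the following Python check flags PDF attachments that carry an `/Encrypt` dictionary so they can be held for review instead of passed as clean. The two sample PDFs are constructed for the example, and the `triage_attachment` policy strings are assumptions about how a gateway would act on the result.

```python
"""Mail-gateway triage check (added example): flag PDF attachments whose
trailer carries an /Encrypt dictionary, because a content scanner cannot
inspect the encrypted streams without the password."""
import re
from typing import Optional

# Constructed sample files (not real samples): a plain PDF and one whose
# trailer references an /Encrypt dictionary, as a password-protected PDF does.
PLAIN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R /Size 3 >>
%%EOF
"""

ENCRYPTED_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Filter /Standard /V 2 /R 3 /Length 128 /P -3904 /O <00> /U <00> >> endobj
trailer << /Root 1 0 R /Size 4 /Encrypt 3 0 R /ID [<01><02>] >>
%%EOF
"""

_ENCRYPT_REF = re.compile(rb"/Encrypt\s+(\d+)\s+(\d+)\s+R\b")   # /Encrypt 3 0 R
_ENCRYPT_INLINE = re.compile(rb"/Encrypt\s*<<")                 # /Encrypt << ... >>


def find_encryption(pdf: bytes) -> Optional[dict]:
    """Return the security handler's /Filter, /V and /R if the PDF is
    encrypted, or None if no /Encrypt entry is present."""
    body = None
    ref = _ENCRYPT_REF.search(pdf)
    if ref:
        num, gen = ref.group(1), ref.group(2)
        # Locate "num gen obj << ... >> endobj"; the (?<!\d) lookbehind keeps
        # "13 0 obj" from matching a search for object 3.
        obj = re.search(
            rb"(?<!\d)" + num + rb"\s+" + gen + rb"\s+obj\s*<<(.*?)>>\s*endobj",
            pdf, re.S)
        body = obj.group(1) if obj else b""
    else:
        inline = _ENCRYPT_INLINE.search(pdf)
        if inline:
            body = pdf[inline.end():inline.end() + 512]
    if body is None:
        return None

    def field(name: bytes) -> Optional[str]:
        # "/Filter /Standard" -> "Standard", "/V 2" -> "2"
        m = re.search(rb"/" + name + rb"(?![A-Za-z])\s*/?(\w+)", body)
        return m.group(1).decode() if m else None

    return {"filter": field(b"Filter"), "version": field(b"V"), "revision": field(b"R")}


def triage_attachment(filename: str, data: bytes) -> str:
    """Gateway decision (assumed policy): plain PDFs go to the content
    scanner; encrypted ones are held, because 'no detection' on an
    encrypted file is not the same as 'clean'."""
    is_pdf_name = filename.lower().endswith(".pdf")
    has_header = data.startswith(b"%PDF")
    if not is_pdf_name and not has_header:
        return "pass"                      # not a PDF; other scanners apply
    if is_pdf_name and not has_header:
        return "hold: .pdf extension without a PDF header"
    enc = find_encryption(data)
    if enc is None:
        return "scan"                      # plain PDF, feed to the content scanner
    return (f"hold: encrypted PDF ({enc['filter']} v{enc['version']} "
            f"r{enc['revision']}), manual review")


if __name__ == "__main__":
    for name, blob in (("plain.pdf", PLAIN_PDF), ("invitation.pdf", ENCRYPTED_PDF)):
        print(name, "->", triage_attachment(name, blob))
```

The check is deliberately a trailer-level parse rather than a full PDF parser: it only needs to answer "can the scanner see inside this file?", and any `/Encrypt` entry, whether an indirect reference or an inline dictionary, means it cannot. A gateway using it would quarantine or route such attachments for manual inspection rather than report them as scanned clean.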

“There was much research and thought which went into creating this fake. Even just getting the contact details of the people involved can’t have been an easy task. As to how the attackers managed to convincingly impersonate or indeed compromise the purported senders’ e-mail server, we are not sure yet. We have contacted the affected organization though and are trying to track down an e-mail sample,” explained Mr. Tivadar.

About the author

Razvan STOICA


Razvan Stoica is a journalist turned teacher turned publicist and technology evangelist. When Bitdefender isn't paying him to bring complex subjects to wide audiences, he enjoys writing fiction, skiing and biking. Razvan Stoica started off writing for a science monthly and was the chief editor of a science fiction magazine for a short while before moving on to the University of Medicine in Bucharest where he lectured on the English language. Recruited by Bitdefender in 2004 to add zest to the company's online presence, he has fulfilled a bevy of roles within the company since. In his current position, he is primarily responsible for the communications and community-building efforts of the Bitdefender research and technology development arm.

2 Comments

  • I've got to hand it to you guys, that took some “stinkin' thinkin'” to come up with that, and from what you just told me, that form of APT is widespread and is in use in as many forms as well, com APTs. I'd like more info on how to guard my computers from this latest hazard. I will keep an open eye for anything that resembles this, and if I find a fake or think it may be, I'll submit the e-mail… Donald J

  • Lol? LimeWire is kinda safe if you look to torrent sites and stuff. I got my PC crashed 2 times, 2 times 100 EUR paid to reinstall Windows… Seriously, if you see a title like: FREE ANTIVIRUS FREE 100% SAFE FREE NO VIRUS, that's a virus, dude. And if you download on torrent sites, always check how big it is; if like 80% of all titles are like 1.3-1.4GB and 2 of them are 100MB or different from 1.3-1.4GB, that's also a virus. So, be careful.