Two security companies today released a joint report describing an ongoing series of attacks against government contractors that have been occurring since at least early 2009. According to the vendors Seculert and Zscaler, attackers are sending firms phishing e-mails with fake invitations to conferences, often in the form of PDF files that exploit flaws in Adobe Reader. The file installs what the vendors call an "MSUpdater" Trojan that poses as a legitimate Windows Update process. In reality, the Trojan is a remote access tool that can steal information from a company's network for as long as the breach remains undiscovered.

"Foreign and domestic (United States) companies with intellectual property dealing in aero/geospace and defense seem to be some of the recent industries targeted in these attacks," the report states, without identifying specific attack targets.

The vendors believe the attacks are either state-sponsored or perpetrated by a high-profile group of attackers, but haven't yet been able to determine their identities, Seculert CTO Aviv Raff tells Ars.

One spear-phishing attack using the method described was launched against a US-based defense technology company in September 2010, with an e-mail containing a PDF invitation to the International Conference Series on Intelligent Sensors, Sensor Networks, and Information Processing. "Clearly, it is a highly targeted attack on that global defense technology company," Seculert and Zscaler write. "The attachment allegedly exploited Adobe Reader vulnerabilities and dropped a few executable files, among which is 'msupdater.exe'."

A zero-day vulnerability within Adobe Reader at that time allowed the attack, and was patched by Adobe in October 2010. But the MSUpdater attackers simply latch on to new zero-day vulnerabilities as they occur and exploit them until they are closed and newer ones come along, Raff says. Some cases have involved Microsoft Excel files, but Raff says the attacks mainly use PDFs and exploit Adobe vulnerabilities.

Both Seculert and Zscaler say they have observed these attacks recently targeting their own customers. Zscaler writes in its own analysis that the attacks are sophisticated and can go undetected for long periods of time. Once a Trojan is installed, the target machines begin communicating with the attackers' command and control server. Despite the presence of a centralized command and control server, creating a botnet does not appear to be the attackers' goal. Instead, they are stealing information and controlling specific targets.

"The malware dropped and launched from the PDF exploit has been seen to be virtual machine (VM) aware in order to prevent analysis within a sandbox," Zscaler writes. "The Trojan functionality is decrypted at run-time, and includes expected functionality, such as downloading, uploading, and executing files driven by commands from the C&C. Communication with the C&C is over HTTP but is encoded to evade detection."
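The description above gives a defender two concrete handles: the dropped file borrows a Windows Update style name ('msupdater.exe') and is launched out of a document reader's exploit, not out of the operating system's own update machinery. The following script is an added illustration, not code from the report or from either vendor; it applies a masquerade-triage heuristic to a constructed process inventory, flagging update-lookalike images that run outside the Windows system directories or were spawned by a document reader. The lookalike name tokens other than 'msupdater', the trusted directories and the reader process names are assumptions made for the example.

```python
"""Masquerade triage over a process inventory (added example, not the
Seculert/Zscaler report's own tooling).

Flags processes whose image name imitates a Windows Update component but
which either run from a location where the real component never lives or
were launched by a document reader such as Adobe Reader."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Name fragments a Trojan might borrow to look like Windows Update. The
# report only mentions 'msupdater.exe'; the other tokens are assumptions.
UPDATE_LOOKALIKE_TOKENS = ("msupdate", "wuauclt", "windowsupdate")

# Directories where Microsoft's own update components are expected to live
# (assumed for the example; coarse on purpose, a production rule would be
# narrower and would also check the Authenticode signature).
TRUSTED_DIRS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
    PureWindowsPath(r"C:\Windows"),
)

# Document readers that exploit documents commonly run inside; a genuine
# update component is never a child of one of these (assumed list).
DOCUMENT_READERS = ("acrord32.exe", "acrobat.exe", "excel.exe", "winword.exe")


@dataclass(frozen=True)
class Process:
    pid: int
    image_path: str    # full path of the running executable
    parent_image: str  # full path of the process that launched it


def _under(path: PureWindowsPath, base: PureWindowsPath) -> bool:
    """True when `path` lies beneath `base` (PureWindowsPath folds case)."""
    try:
        path.relative_to(base)
        return True
    except ValueError:
        return False


def looks_like_update_component(image_path: str) -> bool:
    """Does the file name imitate a Windows Update binary?"""
    name = PureWindowsPath(image_path).name.lower()
    return any(tok in name for tok in UPDATE_LOOKALIKE_TOKENS)


def runs_from_trusted_dir(image_path: str) -> bool:
    """Is the executable located where the real update components live?"""
    return any(_under(PureWindowsPath(image_path), d) for d in TRUSTED_DIRS)


def launched_by_document_reader(parent_image: str) -> bool:
    return PureWindowsPath(parent_image).name.lower() in DOCUMENT_READERS


def triage(processes):
    """Return (pid, image_path, reasons) for every suspicious lookalike."""
    findings = []
    for proc in processes:
        if not looks_like_update_component(proc.image_path):
            continue
        reasons = []
        if not runs_from_trusted_dir(proc.image_path):
            reasons.append("runs outside the Windows system directories")
        if launched_by_document_reader(proc.parent_image):
            parent = PureWindowsPath(proc.parent_image).name
            reasons.append(f"spawned by document reader {parent}")
        if reasons:
            findings.append((proc.pid, proc.image_path, reasons))
    return findings


# Constructed sample inventory: one genuine update client, one Trojan dropped
# into a temp directory by Adobe Reader, and the reader itself.
SAMPLE_PROCESSES = [
    Process(1200, r"C:\Windows\System32\wuauclt.exe",
            r"C:\Windows\System32\svchost.exe"),
    Process(3412, r"C:\Users\alice\AppData\Local\Temp\msupdater.exe",
            r"C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe"),
    Process(800, r"C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe",
            r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for pid, image, reasons in triage(SAMPLE_PROCESSES):
        print(f"pid {pid}: {image}")
        for r in reasons:
            print(f"    - {r}")
```

Run against the constructed inventory, only the temp-directory 'msupdater.exe' is reported, with both reasons attached; the real update client in System32 is silent because it satisfies every check. Name-and-location heuristics like this are a cheap first pass, not a verdict: a file in the system directory can still be malicious, which is why a real hunt pairs this with signature verification and the outbound-HTTP review the quoted C&C behaviour calls for.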

To be clear, one reason Seculert is reporting on the attack is to publicize its own FogSense service, which is designed to run long-term analytics to identify threats such as these. Seculert says that "if your organization encounters this type of advanced threat, it will most likely be persistent and bound to exist undetected for a long period of time in your network, as well as most probable to happen again in the future."