According to the report, the attack mainly targeted government-related organizations, including military and aerospace contractors, in Europe and in the US. The security firms said that the attacks started back in 2009 and peaked in autumn 2010. Talking to The H’s associates at heise Security, Seculert CTO Aviv Raff added that compromised computers, some of which had been infected for two years, were only discovered a few weeks ago.
A zero-day hole in Adobe Reader was exploited to inject the msupdater.exe Trojan into systems; once injected, the Trojan did its best to look like a regular update process – for example, it used URLs in the http://domain.com/microsoftupdate/getupdate/default.aspx?ID=... format. The malware also contained a “remote administration toolkit” that allowed the attackers to remotely monitor and control victims’ computers.
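The update-lookalike URL format quoted above is the kind of detail a defender can turn into a proxy-log check: a request whose path imitates Microsoft Update but whose host is not a Microsoft update host. The script below is an added example written for this article, not code from the report or from Seculert or Zscaler. The squid-style log lines are constructed sample data, and the allowlist of legitimate update hosts is an assumption that a real deployment would take from its own proxy policy.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: hosts that legitimately serve Windows Update traffic. A real
# allowlist should come from the organisation's proxy policy, not from here.
LEGITIMATE_UPDATE_HOSTS = (
    "windowsupdate.com",
    "update.microsoft.com",
    "windowsupdate.microsoft.com",
)

# Path shape quoted in the report; matched case-insensitively because the
# value after "ID=" is whatever the malware appends and is not matched here.
UPDATE_LOOKALIKE_PATH = re.compile(r"^/microsoftupdate/getupdate/default\.aspx$", re.IGNORECASE)


def is_legitimate_update_host(host):
    """True if host is one of the allowlisted update hosts or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in LEGITIMATE_UPDATE_HOSTS)


def parse_proxy_line(line):
    """Parse a squid native access.log line:
    timestamp elapsed client code/status bytes method URL ident hierarchy/peer type
    Returns None for lines that do not have enough fields."""
    parts = line.split()
    if len(parts) < 7:
        return None
    return {"ts": parts[0], "client": parts[2], "method": parts[5], "url": parts[6]}


def flag_update_lookalikes(lines):
    """Return (client, host, query) for requests that use the update-style path
    with an ID parameter but go to a host that is not a legitimate update host."""
    hits = []
    for line in lines:
        rec = parse_proxy_line(line)
        if rec is None:
            continue
        u = urlsplit(rec["url"])
        if not UPDATE_LOOKALIKE_PATH.match(u.path):
            continue
        params = {k.lower() for k in parse_qs(u.query)}
        if "id" not in params:
            continue
        if not is_legitimate_update_host(u.hostname or ""):
            hits.append((rec["client"], u.hostname, u.query))
    return hits


# Constructed sample log lines (not real traffic); example.net/.org/.com are
# reserved documentation domains, 10.0.0.x and 203.0.113.x are reserved ranges.
SAMPLE_LOG = [
    "1327900001.123 210 10.0.0.15 TCP_MISS/200 1421 GET http://update.microsoft.com/windowsupdate/v6/default.aspx - DIRECT/203.0.113.1 text/html",
    "1327900002.456 180 10.0.0.15 TCP_MISS/200 512 GET http://cdn.example.net/microsoftupdate/getupdate/default.aspx?ID=4f2a - DIRECT/203.0.113.7 text/html",
    "1327900003.789 95 10.0.0.23 TCP_MISS/200 800 GET http://www.example.org/index.html - DIRECT/203.0.113.9 text/html",
    "1327900004.012 150 10.0.0.42 TCP_MISS/200 600 GET http://files.example.com/MicrosoftUpdate/GetUpdate/Default.aspx?ID=99 - DIRECT/203.0.113.11 text/html",
    "malformed line",
]

if __name__ == "__main__":
    for client, host, query in flag_update_lookalikes(SAMPLE_LOG):
        print(f"suspect update-lookalike request from {client} to {host} ({query})")
```

The check keys on the path shape rather than on any single domain, since the report gives only the URL format, and the allowlist keeps genuine Windows Update traffic out of the alert stream.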
At the time of the attacks, these Trojans went undetected by most AV products, although signatures for exploits and spyware programs such as msupdater.exe have since become available. However, whether AV products will detect current spyware tools is doubtful.