
Cosmu

Posted: April 20, 2010

Threat Metric

Threat Level: 8/10
Infected PCs: 1,670
First Seen: April 20, 2010
Last Seen: March 10, 2025
OS(es) Affected: Windows

Cosmu is a spyware program that uses any of several methods to infiltrate a PC and then targets passwords and other potentially profitable data for theft. While Cosmu is hardly a new threat, the appearance of new versions such as CosmicDuke makes it an ongoing hazard for anyone interested in keeping their information private, particularly in eastern Europe. Finding Cosmu, let alone removing it, is a task best left to anti-malware products.

The Cosmology of another Trojan Fusion

Cosmu is a large family of spyware programs that has received various updates over time; some of the newest versions share a loader component with MiniDuke (a backdoor Trojan that has been distributed through exploits in Adobe PDF documents). Cosmu was the original user of this Trojan-installing component, and its shared use with MiniDuke may indicate that the same group controls both Trojan families. Like MiniDuke, new Cosmu versions may be installed via PDF exploits that also open a legitimate-looking document, which lends the attack an appearance of harmlessness. Decoy documents carried by these droppers have included Ukrainian gas reports and even photographs of Russian receipts.

Once Cosmu is aboard, it offers more than a few functions for collecting information, as malware experts quickly discovered:

  • Cosmu may monitor the system clipboard for any copied, pasted and cut data.
  • Cosmu may use a 'keylogger' component to record all keyboard input.
  • Cosmu may take screenshots either at random or in response to specific triggers (such as a browser loading a bank website).
  • Specialized spyware components of Cosmu may even target specific applications for account compromise, including instant messengers, e-mail clients and most Web browsers.

Other general system information, up to and including cryptography-protected data, may also be stolen by Cosmu and uploaded to a server under the attackers' control. Even this does not fully describe Cosmu's attack options: Cosmu may also install other threats whose payloads and functions are not described in this article.

Backing Down from a Cosmic Trojan's Ride

European nations, particularly those neighboring Russia, are at the highest risk of Cosmu attacks, although Cosmu has also been seen using distribution methods aimed at Polish and Turkish PC users. In any case, scanning files dutifully, using strong browser settings and keeping anti-malware software active remain the most reliable defenses against Cosmu infections. Because Cosmu, like MiniDuke, favors PDF exploits, it is also important to keep Adobe software updated, lest known vulnerabilities be abused to your disadvantage.

After the anti-malware product of your choice has removed Cosmu, malware researchers also recommend attending to personal information that may have been compromised. With broad spyware like Cosmu, this means changing passwords and security questions that Cosmu's operators could use to take over your accounts. However, PC users who practice good security habits are unlikely to be troubled by Cosmu, which does not use the highly creative techniques that other threats have pioneered to thwart typical security solutions (as seen with the Havex RAT, for example).

Aliases

  • Mal/Generic-L [Sophos]
  • Trj/Spammer.AOK [Panda]
  • Trojan.Cosmu.obd [McAfee-GW-Edition]
  • Artemis!DEE64AB7FA00 [McAfee+Artemis]
  • Trojan.Win32.Cosmu.obd [Kaspersky]
  • Cryptic.AP [AVG]
  • TR/Cosmu.obd [AntiVir]

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created on the system:

%SystemDrive%\Program File\Microsoft\MicrosoftSafety.exe
File name: MicrosoftSafety.exe
Size: 172.03 KB (172032 bytes)
MD5: 504073a8f6acfa496db99da57cc27708
Detection count: 115
File type: Executable File
Mime Type: unknown/exe
Path: %SystemDrive%\Program File\Microsoft
Group: Malware file
Last Updated: March 22, 2017

%APPDATA%\WinDefender.exe
File name: WinDefender.exe
Size: 150.01 KB (150016 bytes)
MD5: a9e1d2da0568d028dba7de3c78becb08
Detection count: 89
File type: Executable File
Mime Type: unknown/exe
Path: %APPDATA%
Group: Malware file
Last Updated: November 23, 2010

%LOCALAPPDATA%\Microsoft\Windows\Explorer\0FILIM.exe
File name: 0FILIM.exe
Size: 495.61 KB (495616 bytes)
MD5: a9c5a072eb3aea020d66af5d858306fd
Detection count: 89
File type: Executable File
Mime Type: unknown/exe
Path: %LOCALAPPDATA%\Microsoft\Windows\Explorer
Group: Malware file
Last Updated: September 21, 2017

yvvumsp.exe
File name: yvvumsp.exe
Size: 59.9 KB (59904 bytes)
MD5: dee64ab7fa00ee9d2315798aba8a98f3
Detection count: 53
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: April 20, 2010

%LOCALAPPDATA%\Microsoft\Windows\Explorer\0.exe
File name: 0.exe
Size: 543.15 KB (543157 bytes)
MD5: b709362becd2b2c14300a7356471767d
Detection count: 12
File type: Executable File
Mime Type: unknown/exe
Path: %LOCALAPPDATA%\Microsoft\Windows\Explorer
Group: Malware file
Last Updated: September 21, 2017

file.exe
File name: file.exe
Size: 294.91 KB (294912 bytes)
MD5: 2b98b32c40e3f1b05ef0963b217e366b
Detection count: 6
File type: Executable File
Mime Type: unknown/exe
Group: Malware file

%LOCALAPPDATA%\Microsoft\Windows\Explorer\FILIM.exe
File name: FILIM.exe
Size: 526.33 KB (526336 bytes)
MD5: 7f6d6e8c226bb5f4366edea6672bc0a7
Detection count: 5
File type: Executable File
Mime Type: unknown/exe
Path: %LOCALAPPDATA%\Microsoft\Windows\Explorer
Group: Malware file
Last Updated: September 21, 2017
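As an added example (this is not tooling from the page's author or from any vendor named above), the following Python script sweeps a Windows host for the file indicators listed above. It expands the %VAR% tokens from an explicit mapping rather than only the live environment, so the logic can be exercised off-host, and it distinguishes an exact size-and-MD5 match from a file that merely sits at a listed path: the latter may be a newer variant or a legitimate file, since the listed names (MicrosoftSafety.exe, WinDefender.exe) mimic Microsoft components and the listed "Program File" directory is not the real "Program Files". MD5 is used only because those are the hashes the page provides. The two entries without a path (yvvumsp.exe, file.exe) are omitted, since they would need a disk-wide name search. The function names and the "exact"/"name-only" verdict labels are my own.

```python
"""IOC sweep for the Cosmu file indicators listed on this page.

Added example, not code from the page. Checks whether any listed path exists
on the host and whether the file there matches the listed sample exactly
(size and MD5) or only by location ("name-only").
"""
import hashlib
import os
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class FileIoc:
    path: str   # as listed on the page; may contain %VAR% tokens
    md5: str
    size: int


# Indicators copied from the "File System Modifications" list above
# (entries without a directory are left out).
COSMU_FILE_IOCS = [
    FileIoc(r"%SystemDrive%\Program File\Microsoft\MicrosoftSafety.exe",
            "504073a8f6acfa496db99da57cc27708", 172032),
    FileIoc(r"%APPDATA%\WinDefender.exe",
            "a9e1d2da0568d028dba7de3c78becb08", 150016),
    FileIoc(r"%LOCALAPPDATA%\Microsoft\Windows\Explorer\0FILIM.exe",
            "a9c5a072eb3aea020d66af5d858306fd", 495616),
    FileIoc(r"%LOCALAPPDATA%\Microsoft\Windows\Explorer\0.exe",
            "b709362becd2b2c14300a7356471767d", 543157),
    FileIoc(r"%LOCALAPPDATA%\Microsoft\Windows\Explorer\FILIM.exe",
            "7f6d6e8c226bb5f4366edea6672bc0a7", 526336),
]

_TOKEN = re.compile(r"%([^%]+)%")


def expand_windows_path(path: str, env: dict) -> str:
    """Expand %VAR% tokens case-insensitively from the given mapping.

    Unknown tokens are left intact so they show up in the report instead of
    silently collapsing the indicator into a relative path.
    """
    upper = {k.upper(): v for k, v in env.items()}
    return _TOKEN.sub(lambda m: upper.get(m.group(1).upper(), m.group(0)), path)


def md5_of_file(path: str) -> str:
    """Hex MD5 of a file, read in chunks so large files don't load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(iocs, env) -> list:
    """Return (expanded_path, verdict) for every listed path that exists.

    verdict is "exact" when size and MD5 match the listed sample, otherwise
    "name-only": same location, different bytes, which needs a second look.
    Backslashes are mapped to os.sep so the function also runs on POSIX
    test hosts (hypothetical convenience; on Windows it is a no-op).
    """
    findings = []
    for ioc in iocs:
        candidate = expand_windows_path(ioc.path, env).replace("\\", os.sep)
        if not os.path.isfile(candidate):
            continue
        size_ok = os.stat(candidate).st_size == ioc.size
        if size_ok and md5_of_file(candidate) == ioc.md5.lower():
            findings.append((candidate, "exact"))
        else:
            findings.append((candidate, "name-only"))
    return findings


if __name__ == "__main__":
    # On a real host the live environment supplies %APPDATA%, %LOCALAPPDATA%
    # and %SystemDrive%.
    for found_path, verdict in sweep(COSMU_FILE_IOCS, dict(os.environ)):
        print(f"{verdict:9} {found_path}")
```

Run it as the affected user, since %APPDATA% and %LOCALAPPDATA% resolve per profile; a "name-only" hit still warrants pulling the file for analysis, because a repacked variant keeps the drop location while changing the hash.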


Registry Modifications

The following Registry values were created:

Regexp file mask: %WINDIR%\SysWOW64\themeuichk.dll
