The company has issued instructions on how IT administrators can update affected products.
Adobe said a build server used to make legitimate software was not configured up to Adobe standards and was compromised. It had access to the Adobe code signing service, so the criminals could put in requests to have their malware certified as legitimate.
"We believe the threat actors established a foothold on a different Adobe machine and then leveraged standard advanced persistent threat (APT) tactics to gain access to the build server and request signatures for the malicious utilities from the code signing service via the standard protocol used for valid Adobe software," the blog post says.
This is reminiscent of how Microsoft certificate signing was compromised as part of the Flame malware attack. That resulted in Microsoft revamping its certificate service and requiring an encryption upgrade that takes effect Oct. 9.
The malware samples discovered are known as pwdump7v7.1 and myGeeksmail.dll.
The first extracts password hashes from Windows operating systems. The second is a malicious ISAPI filter. An ISAPI filter is a file that can enhance the functionality of Microsoft's Internet Information Services (IIS). These filters can examine and modify data coming into and going out of IIS servers. Details about the two malicious utilities are available in the official Adobe security advisory.
A spokesperson for Adobe says in an email that it came across the samples from a single source that the company would not name.