
>The hijacked tool was discovered in January by Kaspersky Lab
Does this imply that US-based "state-sponsored" hackers were behind the creation of the backdoor...
Asus has released an update for its software update utility to rid about a million of its notebooks of a spyware-laden software update pushed to victims by its software update system. And breathe in. The Taiwanese PC giant on Tuesday published a fresh clean version of Live Update, which is a tool that keeps firmware driver …
I'm not sure what you're driving at here.
they had a pre-known list of MACs that were being purchased or had been purchased by their target.
The hack was how they got whatever they wanted. They weren't interested in Joe Public who'd got an ASUS. They had specific targets, the method they used just happened to be a bit of a sledgehammer/crack a nut type thing.
That said it's about the only way to just about guarantee that the machines in question shipped with the relevant malware installed. This way they knew they had them, and weren't dependent on a hack of somewhere obviously more secure than ASUS, or dependent on someone opening a hooky email etc.
The units shipped pre-compromised. Job done.
How did they know the 600 MAC addresses in the first place? Somewhere along the supply chain someone must have obtained them and knew in advance what they were planning. Question is, what country did it and who has a history of doing things like this? My money is on Angola, the sweaters are just an elaborate cover for their nefarious activities.
...would be great if it worked. But it doesn't, for me at least. The fix is to install the latest version of ASUS LiveUpdate (v3.6.8), but you don't seem to be able to download that version directly, only install an older version (3.4.3) and have it update itself, which fails. I'll probably settle for uninstalling everything ASUS.
At least my MAC isn't on the list, which would be WAY more worrying!
It still amazes me that, in order to increase security, no one implements a system of auto-checking the timestamps on server files, as even a signed hacked file with the same MD5 will acquire a new timestamp once uploaded. It is a simple enough idea, yet here we are decades later and no one uses it.
I'm not sure. The article mentions:
"When about a million Asus laptops checked in automatically for software updates, they downloaded from Asus's systems the dodgy copy of Live Update, which was cryptographically signed using Asus's security certificate, and had the same file length as a previous legit version, so everything looked above board, and then installed it."
(emphasis mine)
If the source file was compromised I would think that there wouldn't have been a "previous legit version", as it would have been compromised from the very beginning.
Timestamps (mtime/ctime) are trivial to manipulate. Easier even than manipulating the file length. On a *nix box, run `man touch` for a start (I know it sounds like a googlewhack, but it definitely isn't!)
Even without things like the touch utility, someone with enough access to sign their own executable with the legit certificate and host it on the genuine server could probably adjust the system time of the target before planting the file and change it back after.
Basically, do not trust timestamps.
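An added illustration of the point made in these replies (example code written here, not from the thread or from Asus): a forgery of equal length that has been given the legitimate file's mtime with os.utime passes a size-plus-timestamp comparison but fails a comparison against a SHA-256 digest pinned out of band, which is what an update client should check. The file names, contents and the assumed signed manifest holding the pinned digest are constructed for the demo.

```python
import hashlib
import os
import tempfile


def sha256_of(path: str) -> str:
    """Hash file content in chunks so large updater binaries are fine too."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def naive_metadata_check(known_good: str, candidate: str) -> bool:
    """The thread's idea: compare size and modification time only."""
    a, b = os.stat(known_good), os.stat(candidate)
    return a.st_size == b.st_size and a.st_mtime_ns == b.st_mtime_ns


def content_check(pinned_digest: str, candidate: str) -> bool:
    """Compare against a digest pinned out of band (assumed: a signed manifest)."""
    return sha256_of(candidate) == pinned_digest


def demo() -> dict:
    """Forge a file matching a legit one in length and mtime; return both verdicts."""
    with tempfile.TemporaryDirectory() as d:
        legit = os.path.join(d, "updater_legit.bin")    # constructed names
        forged = os.path.join(d, "updater_forged.bin")
        # Constructed payloads: identical byte length, one byte differs.
        with open(legit, "wb") as f:
            f.write(b"updater-v1" + b"\x00" * 4086)
        with open(forged, "wb") as f:
            f.write(b"updater-v1" + b"\x00" * 4085 + b"\x01")
        # Copy the legit file's timestamps onto the forgery (what `touch -r` does).
        st = os.stat(legit)
        os.utime(forged, ns=(st.st_atime_ns, st.st_mtime_ns))
        pinned = sha256_of(legit)
        return {
            "metadata_check_passed": naive_metadata_check(legit, forged),
            "content_check_passed": content_check(pinned, forged),
        }


if __name__ == "__main__":
    print(demo())  # metadata check passes, content check does not
```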
I'm not suggesting that it is a perfect solution, but it's better than what they have now, that being close to nothing. I know the touch command but that assumes user command access, and this article does nothing to forward that agenda as HTTP injection or cracked FTP read/write access could have performed the same violations.
Is it just me or does the fact that it was possible to hide nearly 4kB of target addresses, let alone software to do something with the addresses, suggest that the updater is *awfully* bloaty for something punters are presumably expected to have running 24/7?
Pre-installed software?! Bloaty!
Next you'll be saying that the Pope's Catholic!!
Presumably it should be fairly simple for ASUS to track the MAC addresses through the supply chain to identify who bought them? That might give a big clue as to who the culprits are. Must be pretty important to justify this amount of work. And which direction did they work from? Target has bought 600 ASUS machines - now - can we bribe someone to give us the MAC addresses? Now, can we infiltrate ASUS and hack their update server, on the off-chance it's vulnerable? This does not sound convincing.
Or, are we dealing with a large/state player who has similar backdoors into everyone's update servers? Has anyone checked recently?
Maybe I'm just jaded but I assume ASUS had no option and the software was planted by a nation state using laws that force them to comply (and ban them from admitting or reporting it).
The most likely scenario is an embargoed nation who aren't allowed to buy the laptops, or software supplied with them.
The nation state then sets up a company and sells the embargoed goods to the embargoed state.
This company makes a show about wiping them and proving they are not compromised.
Laptops delivered then download the spyware.
Alternatively it could be that the 600 had spyware on them but were cleaned (sometimes those you spy on find out) and this is an attempt to re-implement the spyware.
Either way we are unlikely to find out.
Biting the hand that feeds IT © 1998–2022