Asus: Yo dawg, we hear a million of you got pwned by a software update. So we got you an update for the update

Asus has released an update for its software update utility to rid about a million of its notebooks of a spyware-laden software update pushed to victims by its software update system. And breathe in. The Taiwanese PC giant on Tuesday published a fresh clean version of Live Update, which is a tool that keeps firmware driver …

  1. Roland6 Silver badge

    >The hijacked tool was discovered in January by Kaspersky Lab

    Does this imply that US-based "state-sponsored" hackers were behind the creation of the backdoor...

    1. Anonymous Coward

      600

      Who wants only a specific MAC address, narrowed down to 600 likely computers?

      A crazy mad ex/revenge or a state sponsor.

      Anon because the fun is in the chase.

      1. rmason

        Re: 600

        I'm not sure what you're driving at here.

        They had a pre-known list of MACs that were being purchased or had been purchased by their target.

        The hack was how they got whatever they wanted. They weren't interested in Joe Public who'd got an ASUS. They had specific targets, the method they used just happened to be a bit of a sledgehammer/crack a nut type thing.

        That said, it's about the only way to just about guarantee that the machines in question shipped with the relevant malware installed. This way they knew they had them, and weren't dependent on a hack of somewhere obviously more secure than ASUS, or dependent on someone opening a hooky email etc.

        The units shipped pre compromised. Job done.

    2. rmason

      No, it implies ASUS ignored them for quite a long period of time.

      Kaspersky even offered to go visit and demo what they'd found, because they didn't believe them.

      It'll be interesting to see who else was nobbled, they won't be alone.

      1. Roland6 Silver badge

        >No, it implies ASUS ignored them for quite a long period of time.

        That is a different issue; my point was being mischievous. Kaspersky have form in detecting US state-sponsored spyware.

  2. Anonymous Coward

    How did they know the 600 mac addresses in the first place? Somewhere along the supply chain someone must have obtained them and knew in advance what they were planning. Question is, what country did it and who has a history of doing things like this? My money is on Angola, the sweaters are just an elaborate cover for their nefarious activities.

    1. Magani

      My money is on Angola, the sweaters are just an elaborate cover for their nefarious activities.

      No way. They'd only make a goat of themselves.

    2. paulll

      Oompa oompa, stick it up your jump-ah?

    3. This post has been deleted by its author

  3. Anonymous Coward

    Updating the updater..

    ...would be great if it worked. But it doesn't, for me at least. The fix is to install the latest version of ASUS LiveUpdate (v3.6.8), but you don't seem to be able to download that version directly, only install an older version (3.4.3) and have it update itself, which fails. I'll probably settle for uninstalling everything ASUS.

    At least my MAC isn't on the list, which would be WAY more worrying!

  4. Snake Silver badge

    File dates

    It still amazes me that, in order to increase security, no one implements a system of auto-checking the timestamps on server files, as even a signed hacked file with the same MD5 will acquire a new timestamp once uploaded. It is a simple enough idea, yet here we are decades later and no one uses it.

    1. Wexford

      Re: File dates

      While agreeing with everything you've pointed out, this doesn't solve the problem if the source itself has been compromised, as appears to have been the case for ASUS.

      1. Snake Silver badge

        Re: File dates

        I'm not sure. The article mentions:

        "When about a million Asus laptops checked in automatically for software updates, they downloaded from Asus's systems the dodgy copy of Live Update, which was cryptographically signed using Asus's security certificate, and had the same file length as a previous legit version, so everything looked above board, and then installed it."

        (emphasis mine)

        If the source file was compromised I would think that there wouldn't have been a "previous legit version", as it would have been compromised from the very beginning.

    2. Anonymous Coward Silver badge

      Re: File dates

      Timestamps (mtime/ctime) are trivial to manipulate. Easier even than manipulating the file length. On a *nix box, run `man touch` for a start (I know it sounds like a googlewhack, but it definitely isn't!)

      Even without things like the touch utility, someone with enough access to sign their own executable with the legit certificate and host it on the genuine server could probably adjust the system time of the target before planting the file and change it back after.

      Basically, do not trust timestamps.

      1. Snake Silver badge

        Re: File dates

        I'm not suggesting that it is a perfect solution, but it's better than what they have now, that being close to nothing. I know the touch command, but that assumes user command access, and this article does nothing to forward that agenda, as HTTP injection or cracked FTP read/write access could have performed the same violations.
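To make the point of this thread concrete (Snake's proposal to compare server file timestamps, and the reply that mtime and file length are trivially preserved, as the Asus payload's matching file length illustrates), here is an added Python example that is not from the article or any commenter. It constructs a stand-in "known good" build, swaps in same-length different bytes with the mtime reset via `os.utime`, and shows that a metadata check still passes while a pinned SHA-256 catches the change. All file names and byte contents are constructed for the demo.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for a build a defender has pinned as known good.
LEGIT = b"LiveUpdate build 3.4.3 (constructed sample) " + b"\x00" * 16
# Same length, different content: stands in for a tampered build.
TAMPERED = b"LiveUpdate build 3.4.3 (constructed sample) " + b"\x90" * 16
assert len(LEGIT) == len(TAMPERED)


def metadata_fingerprint(path):
    """What a timestamp/size check sees: (mtime in whole seconds, size in bytes)."""
    st = os.stat(path)
    return (int(st.st_mtime), st.st_size)


def sha256_of(path):
    """Content hash: changes if a single byte of the file changes."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def replace_and_backdate(path, new_bytes, original_mtime):
    """Overwrite the file, then set atime/mtime back (what `touch -d` does)."""
    with open(path, "wb") as f:
        f.write(new_bytes)
    os.utime(path, (original_mtime, original_mtime))


def run_demo():
    """Return whether each check still passes after a same-size, back-dated swap."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "LiveUpdate.exe")  # constructed file name
        with open(path, "wb") as f:
            f.write(LEGIT)
        pinned_meta = metadata_fingerprint(path)  # the "check timestamps" baseline
        pinned_hash = sha256_of(path)             # the baseline a hash manifest keeps
        replace_and_backdate(path, TAMPERED, pinned_meta[0])
        return {
            "metadata_check_passes": metadata_fingerprint(path) == pinned_meta,
            "hash_check_passes": sha256_of(path) == pinned_hash,
        }


if __name__ == "__main__":
    print(run_demo())
```

Note that ctime cannot be reset with `os.utime`, but as the reply above says, an attacker with enough access to sign and host the file can usually adjust the clock instead, so the defensive takeaway is the same: compare content hashes against an out-of-band manifest, not metadata.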

  5. paulll

    Is it just me or does the fact that it was possible to hide nearly 4kB of target addresses, let alone software to do something with the addresses, suggest that the updater is *awfully* bloaty for something punters are presumably expected to have running 24/7?

    1. Mongrel

      Is it just me or does the fact that it was possible to hide nearly 4kB of target addresses, let alone software to do something with the addresses, suggest that the updater is *awfully* bloaty for something punters are presumably expected to have running 24/7?

      Pre-installed software?! Bloaty!

      Next you'll be saying that the Pope's Catholic!!

    2. Halfmad Silver badge

      ASUS software has always been terrible, almost certainly outsourced as it receives infrequent updates at the best of times and stops supporting products fairly quickly (even top of the range mobos).

      I doubt any third party has ever really dug deep on it other than this attacker.

  6. Pen-y-gors Silver badge

    600 MAC addresses

    Presumably it should be fairly simple for ASUS to track the MAC addresses through the supply chain to identify who bought them? That might give a big clue as to who the culprits are. Must be pretty important to justify this amount of work. And which direction did they work from? Target has bought 600 ASUS machines - now - can we bribe someone to give us the MAC addresses? Now, can we infiltrate ASUS and hack their update server, on the off-chance it's vulnerable? This does not sound convincing.

    Or, are we dealing with a large/state player who has similar backdoors into everyone's update servers? Has anyone checked recently?

    1. Kurgan

      Re: 600 MAC addresses

      It should be quite simple, but I doubt they will do it, or tell the public. They don't want to upset a government agency and, for example, just for example... be banned from USA. Or China, maybe?

  7. Anonymous Coward

    Maybe I'm just jaded but I assume ASUS had no option and the software was planted by a nation state using laws that force them to comply (and ban them from admitting or reporting it).

    The most likely scenario is an embargoed nation who aren't allowed to buy the laptops, or software supplied with them.

    The nation state then sets up a company and sells the embargoed goods to the embargoed state.

    This company makes a show about wiping them and proving they are not compromised.

    Laptops delivered then download the spyware.

    Alternatively it could be that the 600 had spyware on them but were cleaned (sometimes those you spy on find out) and this is an attempt to re-implement the spyware.

    Either way we are unlikely to find out.

    1. Anonymous Coward

      So Australia then?

      Sorry, Joke icon is neither available nor relevant.

  8. Captain Scarlet Silver badge

    small number of devices

    How is more than a million devices suddenly a "small number of devices"?

  9. DJSpuddyLizard

    "Now Asus has emitted a non-spyware-riddled version of Live Update for people to install on its notebooks, which includes extra security features "

    What, like a checksum?

  10. Conundrum1885 Bronze badge

    How specific is this thing?

    I have two Asus machines here, both running 7.

    This sounds a lot like the problem I once had with a BIOS upgrade, which for no apparent reason stopped the sound working.

    Everything else worked fine though.
