Spyware sneaks into 'million-ish' Asus PCs via poisoned software updates, says Kaspersky A million or so Asus personal computers may have downloaded spyware from the computer maker's update servers and installed it, Kaspersky Lab claims. Someone was able to modify a copy of the Asus Live Update Utility, hosted on the Taiwanese manufacturer's backend systems, and sign it using the company's security certificate, …
My solution is quite simple: before the new computer is connected to net I just plug-in install image, do an upgrade with option "do not preserve anything" - or at least "do not preserve applications". And voila, no preinstalled crapware present.
Asus, Acer or Lenovo, all the same, HP is not much better.
"Did you try repainting it ? This offers increased protection since most of the computers are grey, silver or black."
I'm sure those targetted by this are now kicking themselves for leaving their computers the standard colour.
MAC addresses are potentially traceable, in case you didn't know.
In a way, it reminds me of Stuxnet: a sophisticated attack, capable of breaching almost any Siemens PLC system in the world...but which only activated on a specific target.
This isn't exactly the same, of course; but why would a criminal hacker infect millions of computers with a powerful backdoor that can compromise the system at the firmware level, but which only triggered against 600 specific users? Plus, it chose targets by MAC address, so the attacker needed to know in advance the MAC addresses of its targets.
As Rain Man might say, "Definitely nation-state. Definitely. Definitely."
This would certainly help explain ASUS' complacency in providing notification of this issue so that owners of ASUS computers/motherboards could take steps to remove this.
As a long-time user of ASUS motherboards, I'm a little more than disturbed by their behavior after being notified by Kaspersky. Even though I don't use any of their auto-update tools, I will think twice before buying another motherboard from them.
Kaspersky, who got into a fight with a certain nation-state because, at least IMO, their tools discovered its attack code, when no others did. Thus banned from that state, with bad vibes spread as widely as possible. Yet it picks up on this. As Spock would say "Interesting".
And now this.
I find it most informative that NO AV suite seems to pick up on any state actor's malware anymore.
And we all know that any nation worth the name is creating and distributing it, no exceptions. You can't blame just one - it's a big club.
Telling that kind of truth to power seems rather dangerous to a business these days.
"Not at all surprised about Asus total lack of reaction to this. All you need to do is go to their forums (if you can even sign in or create an account there, such is the mess) to fully understand how unresponsive to issues they are."
They've been shit at support, as of late. My ASUS ROG Z97 mobo still lacks a Spectre non-beta fix as of today.
For a 150 bucks mobo, it's really bad ...
If you have ever bought an ASUS motherboard you know how terrible their software is and how quickly they dump it and move on to the next model irrespective of whether the motherboard is still compatible with modern OS.
ASUS are about sell, up-sell and forget. They have no interest in supporting or securing customer hardware. It's always been this way.
Why not just publish a list of affected macs/ first few bits of the mac addresses
The first three bytes identify the manufacturer of the interface. In this case, they might be the same for all targets.
Publishing the whole list would announce to the world that those interfaces belong to a high-value target -- or, at least, that they did at one time. One would expect that such targets have security people who've "retired" all their Asus machines by now; but have some pity for the poor sods who buy them used on eBay or Craigslist...
... or go Penguin powered.
Penguin supporters should buy hardware from companies that don't pre-install windows or machines that don't have windows installed as that counts as a sale for Microsoft.
Never going to get more attention from manufacturers if Linux users keep buying machines with windows installed.
"It's not that difficult to buy a machine without an OS on it."
Really? I have not seen many machines not sold with an OS installed. Of course, when buying second-hand, there are many more options. However, for virtually all new machines, I see the following categories:
1. Pre-installed with Windows
2. Macs
3. Your choice of Windows or Ubuntu (not many of these, but they're nice even when you are just going to delete the Ubuntu)
4. Specifically built for Linux (they are usually great machines with a high price tag)
5. Machines without an OS because they're ridiculously underpowered and the company wants to get them sold off fast to the anything-for-cheap crowd before people realize that. Running Linux on these is usually acceptable, but Windows won't like it and power users of Linux won't be that happy either.
6. Machines without an OS because it is only part of a machine and they expect you to populate your own storage.
I have rarely seen machines sold from their manufacturers without an operating system already installed, and that operating system is rarely Linux. I'm going to install whatever I want on it anyway, so I pretty much ignore what it already has unless I am buying it for a person who wants Windows.
Penguin supporters should buy hardware from companies that don't pre-install windows or machines that don't have windows installed as that counts as a sale for Microsoft. Never going to get more attention from manufacturers if Linux users keep buying machines with windows installed.
While I'd love to support the cause of free/libre software by preferentially buying from companies that don't preload Windows, I'm not willing to take it so far as to limit my own choices to that tiny subset. I'm talking about laptops here, as I've always built my own desktops and supplied my own OS for those. If a laptop with Windows on it is a better deal than one with Linux, for whatever reasons, I'll buy the Windows unit and put Linux on it. If it doesn't work (which has as yet never happened), I will return it to the store and get my money back, which is part of why I only buy from places with generous return policies.
I'm not trying to stick it to Microsoft or be a part of a movement when I wipe Windows and install Linux. I'm looking for the best deal for myself, and since I am not Microsoft, that means no Windows 10, and along with that, no Windows 10 telemetry, no Windows 10 beta testing for free, and no Microsoft monetization. I won't be part of the 800 million or whatever claim MS makes (assuming it has any basis in reality) for the active number of Windows 10 devices, which is easy to count when you have telemetry that can't be turned fully off, even in enterprise editions.
I won't be counted as one of the Windows users who visits any of the various pages whose analytics are tabulated to determine the share of the desktop market MS still holds. I'll continue to provide technical help and assistance to new Linux users the best I can (I've really only been using it for a couple of years myself). I'll keep poking holes in the claims of Linux haters when they haul out their tired, hasn't-been-true-in-years tropes about endless recompiling (I've never done this, not even once) and frustration and having to be a wizard with the command line, or when they say that Linux users never want to pay for anything. I'll continue to bash Windows 10 as long as it remains something that deserves bashing. I'll keep reporting bugs to Linux-related projects when I find them. Sadly, my coding skills have rusted to the point of uselessness, so I can't contribute in that way, but I do what I can. It will have to suffice.
The article did say why. That the binary was legitimiately signed and has been downloaded from a whitelisted location.
Reading between the lines I think you can say that it probably wasn't until one of the 600 MAC address affected PC's was installed with Kaspersky's software that the gig was up, because once the software activated, then anti-virus would quickly pick up on it - when it's dormant, there isn't any nefarious activity to detect...
Prior to signing my software, I'd find that every time I submitted a new exe to Virustotal, typically a half dozen of the shitty AV makers would flag it in some way. It was usually either the obscure AV or the "AI" AV that would false positive and not have mechanisms for reporting the false positive & submitting the file for their inspection (with the "AI" AV always claiming they have no false positives - which of course they "don't" because they don't allow anyone to report them to them.) Once I started code signing my binaries, magically all the false positives on Virustotal stopped and I've never had one since. That suggests to me that most AV makers automatically flag signed binaries as OK regardless of what it might have been flagged if it have been unsigned.
"If you have to suffer a Lenovo by corporate dictum, wipe the damn thing first."
Corporate ones don't have any "fishy" consumer stuff on them and will have the corporate Windows image installed anyway. If corporates are handing out consumer grade kit with the default OEM install, then you probably don't really want to to be working for them. They are either incompetent or so short of cash they'll be bust soon anyway.
LOADS of freeee software and automatic updates. Slothful performance and reduced security are a small price to pay rather than to perform a clean install of Windows. Heavens, you might have to install some drivers to get those custom buttons to work. Too difficult! Besides, the vendor always has your best interests at heart, because the customer always comes first, just check on their web page.
"If you patch, there's a small chance you'll fall prey to a malicious update injected through the vendor. But if you don't patch, there's a close to 100% chance you'll be attacked over time."
Wise words, but only for certain values of "over time", and operating system. I have a machine running here which has been connected to the internet 24/7 for about 10 years, and running an operating system that hasn't had any updates for (what in 2 months will be) 25 years. I'll leave it to the reader to guess the OS, but ... just sayin'.
I have a machine running here which has been connected to the internet 24/7 for about 10 years, and running an operating system that hasn't had any updates for (what in 2 months will be) 25 years.
I'm guessing you work for either Equifax or the US Office of Personnel Management.
top-of-the-line Powermac
Nah, I reckon it's a RiscPC running RiscOS, though RO did have some updates after that.
I have an RPC vintage about 1994. It's not connected to the internet 24/7 and pretty much only does email these days, but it does that remarkably well so long as I'm not sent something with a 20MB attachment :-(
I believe Paul Vigay used to run his website from a RiscPC. While vigay.com is still up and running, I doubt it's still on the same hardware.
M.
I have a machine running here which has been connected to the internet 24/7 for about 10 years, and running an operating system that hasn't had any updates for (what in 2 months will be) 25 years.
A sample size of one is statistically, and practically, meaningless.
I've never been in a situation where I've needed a seatbelt.
Does that mean no-one needs to wear seatbelts and that a seatbelt has never saved anyone's life?
And a sample of machines running things that are so outdated that practically no malware exists that could run on them let alone is being spread is also a poor sample. Machines running any number of operating systems are ridiculously vulnerable. Windows XP, for example, but you couldn't use the fact that it's old to exonerate it. You've found that niche where security through obscurity is working, and as long as whatever thing this is continues to work for you, you'll be fine. Unfortunately, there are many people, myself included, who need some of the things that were released in the past 25 years.
The claim was that an unpatched system will have nearly 100% chance of being attacked in time, and an example was provided to the contrary.
Most people don't have their computers "get" infected with malware. They infect them themselves, by their own actions, and they probably never know they did so.
The idea that security is a passive thing, a quality that a given piece of software either has or does not have is not reality, and it doesn't help people to understand the real situation. The way that pundits like the 100% guy talk, you'd think that if you stay patched up, you can do anything you want, downloading "warez" from any shady source imaginable, and still be safe... or that if you missed last week's patch, you probably already have ten different kinds of malware, even if you have employed good security practices, never opening unknown email attachments, never downloaded from unverified sources, that kind of thing.
Keeping patched is one thing that helps, but it's far from the only thing, or even the most important thing. The most important thing is not doing dumb stuff to get yourself infected!
The seatbelt analogy is a good one, because it only makes riding in a car safer, not "safe." There is no such thing as "safe" in moving vehicles. Some cars protect their occupants better than others, but the biggest variable is the loose nut behind the wheel. Security fixes, like seat belts, only help once an accident (or attack) actually begins. It's better to not be in an accident than to survive one, and that's where the behaviour of the user comes into play, whether driving or computing. Not all accidents can be avoided (since the other drivers may not be as careful as you are), but a lot can, and that is a lot more effective than seat belts.
The constant focus on security updates as the be-all and end-all of security tends to obscure this, and suggests that if you're fully patched, you're essentially immune to all malware. Those of us who know computers understand that this is not the case, but regular users, the ones the talking heads are preaching to with the advice to update early and often, don't always get it.
Look how many people who didn't know about cars thought that having thrown a bottle of Slick 50 into their crankcase at some point means they no longer need oil! I actually met one such person in college, an otherwise intelligent hard science major who presumably should have recognized the farcical nature of the belief right off the bat, but she didn't.
The "test" in the commercial (if it meant anything at all, which is highly questionable) only showed that the treated engine won't seize as quickly as the untreated engine when both were run without oil (with an impossibly tiny sample size of one test engine and one control engine), but people saw the Slick 50 engine not seizing and thought that meant it could keep running like that forever, oil free. Like my aforementioned acquaintance, many such people disregarded low oil levels or the oil pressure light, thinking that didn't apply to them anymore. Fortunately, the woman in my example was set straight before it got to a low oil pressure situation, but others were less lucky.
"Someone was able to modify a copy of the Asus Live Update Utility, hosted on the Taiwanese manufacturer's backend systems, and sign it using the company's security certificate, even keeping the file length the same as the legit version"
Who cares if the file length is the same?
What is the shasum?
They altered the official hashes at the same time because it was posted as an actual update, when the hash is expected to be changed.
Basically, this is a Perfect Imposter situation where the rogue software went through every hoop the official software does, making it impossible to spot until after the fact. All this smacks of an insider. Who else would have access to the signing key?
”All this smacks of an insider. Who else would have access to the signing key?"
Indeed. Smart money says you are looking for the recently separated employee who has an extremely nice house, hot car, good liquor and no debt... Along with no visible means of support.
One alternative explanation is that Asus' development environment has been pwned and modified for 'remote access'. If you're Asus' that is a pretty terrifying thought.
is this crucial piece:
"I should add that @kaspersky Lab researchers contacted ASUS Jan 31 and met w/ ASUS in person Feb 14. The company insisted the hack didn’t happen. When Kaspersky offered to help them with forensic to show it did, ASUS wanted them to sign NDA. The company went silent after that"
— Kim Zetter (@KimZetter) March 25, 2019
#source:
https://www.bleepingcomputer.com/news/security/asus-live-update-infected-with-backdoor-in-supply-chain-attack/
Thank you - that's a helpful link, at least for these reasons:
1) ASUS have a 'Security Diagnostic Tool' available on that page which can test if your machine is infected (I didn't fancy sending my mac address to Kaspersky)
2) It points out that only the version of Live Update used for notebooks was affected
So I'm wondering about how the bad actor here identified the MAC addresses it wanted to target. Sounds like the attack wasn't just limited to ASUS PCs, just that ASUS are the first to be publicly identified. Was this done entirely remotely, or was there some actual physical proximity to devices? Did they e.g. compromise a router which a target(s) had used and extract MAC addresses of users, or e.g. just place a WAP close to a target location and log the MAC addresses of devices than handshaked with it? Or was there some kind of a compromise in the supply chain of targeted devices? Confirmation of all the affected manufacturers would be very interesting.
The use of the update server could indicate that the specific identity of targeted users might not have been known, so spear phishing etc. might not have been possible. Does this indicate a big fishing operation for a target/targets that are otherwise difficult to identify?
Questions, questions, questions...
Well, the same person(group) that infected the BIOS also infected the server. It's very easy to assume that they also may have had access to the shipping process to make sure that such MAC would go to such country/region.
However it was, without the list of victims we will never know the assailants, and how they did it. AFAIK, they could have a specific robot just manufacturing trojan mobos. AT&T did the same with their internet traffic.
Six hundred devices is a rather small sample. It's unlikely that they had any desire or need to compromise the manufacturing situation. While it's theoretically possible that the machines were intercepted in shipping as you describe, the malware could just have been installed on them directly at that point. It could be placed at the BIOS level and made almost completely undetectable. The effort to break ASUS's update system and signing keys and the possibility that it would be revealed as it was makes it unlikely that there was any tampering with client hardware. My guess would be that the target's infrastructure was compromised and MAC addresses accessed from that. With the scale, and assuming that these devices were all one target, it is possible that whoever it is bought a bunch of machines at the same time. If that's the case, only ASUS would need to be compromised to access the target. The other possibility is that there are multiple targets here or one really big target, both of which would make the possibility of multiple compromise of manufacturers plausible.
No idea about how soon a machine spews its MAC to a Wifi access point (assume this are wireless MACs) but it mightn't be supply chain if it's possible to get near the target (including local coffee shops, hotels etc) and harvest MAC addresses either passively or actively. To attackers this would be a numbers game because they'd only need to compromise one device (more is better but not tooo many) to get the access to the target environment. The attackers will have known 1) the target(s) use ASUS gear with LiveBollocks enabled and 2) they had access to the update servers for ASUS prior to kicking this off. However what is suprising is most corporates worth their salt wouldn't use consumer-focused vendor crapware to manage their infrastructure.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
