• ASUS Live Update utility cracked – sophisticated backdoor installed on a million machines, but you don’t need to worry about it

    Home » Forums » Newsletter and Homepage topics » ASUS Live Update utility cracked – sophisticated backdoor installed on a million machines, but you don’t need to worry about it


    Kaspersky just released an announcement about Operation ShadowHammer, a truly spectacular hack of ASUS’s update servers that, ultimately, only affects
    [See the full post at: ASUS Live Update utility cracked – sophisticated backdoor installed on a million machines, but you don’t need to worry about it]

    7 users thanked author for this post.
    Viewing 10 reply threads
    • #345111

      I see the report on motherboard is suggesting this was likely delivered using the ccleaner Trojan as Asus were one of the targets.


      1 user thanked author for this post.
    • #345110

      Ah, that’s the famous update utility that never managed to update anything anywhere I tried… Similar useless junk is one of the reasons why to wipe and reinstall any OEM-preinstalled computer right after purchase.

      • #345148

        But.. but.. but.. one MEEEEELION machines.

        The Windows news cycle is so easily captured.

        2 users thanked author for this post.
      • #345493

        I kept it on one of my main stations to let it try and update once in a while.  I feel bad for the lil beggar.  Might be time to put it out of its misery.

    • #345144

      Is there a list of the MAC addresses being targeted? Would like to know if any of my clients were being targeted. Several of them have ASUS and never let me remove the update feature, which I considered useless bloatware c**p ware that does nothing but eats up your resources and network bandwidth.

    • #345158

      Once you locate MAC (physical) addresses for your Ethernet, Wireless LAN & Wireless Wi-Fi devices (in a cmd.exe window, enter ipconfig /all), enter the connected ones here: https://shadowhammer.kaspersky.com/. I’m okay & the other 999,599 machines probably are, too. Woody’s right… once you get “Your device has not been targeted by ShadowHammer attack”, you basically get an ad for Kaspersky products. 3 out of 4 scams isn’t bad…

      Bought a refurbished Windows 10 64-bit, currently updated to 22H2. Have broke the AC adapter cord going to the 8.1 machine, but before that, coaxed it into charging. Need to buy new adapter if wish to continue using it.
      Wild Bill Rides Again...

      • #345238


        I do not trust websites that ask for MAC address. There are too many tools that can be used to exploit it once it gets a users’  MAC address. This is why I asked for list.

      • #345562

        You could have also just scrolled down the Kaspersky blog post up to where it reads:

        “Download an archive with the tool (.exe)”
        (linking to https://kas.pr/shadowhammer)

        By clicking that sentence you would have downloaded a .zip file containing a tiny (74kb) shadowhammer.exe binary: that standalone tool may be executed offline to quickly and easily check all your local MAC addresses at once and either give you some piece of mind

        Your machine is not affected

        or give you reasons to be worried and ask for help, if the output is:

        It appears you have been targeted! Please send us an email to shadowhammer[at]kaspersky[dot]com

        No need to type in your MAC addresses online. And no ads. 😉

        • #345672

          For that, you need to trust the exe given from the infecting entity…

          Food for thought!

          • #346155

            Fair enough. You do not seem to trust Kaspersky. What about VirusTotal?


            (URLs shortened for the sake of legibility: append a ‘+’ sign at the end of each link to preview it. Assuming you trust bit.ly for that. 🙂)

            You’re right, it is always a matter of trust(ing something). I simply pointed out that the AV vendor also mentioned their own tiny standalone tool as an alternative way to check (if anyone’s interested).

            Offline binary execution – which can be monitored and analyzed in a controlled environment (with security safeguards in place) – might be a better choice (if not safer, at least a little less risky) than putting real data into a website.

            1 user thanked author for this post.
            • #346195

              I really don’t distrust Kaspersky for my personal use. But they won’t be my first choice.

              I was only pointing the irony of trusting those who created the infection.

              Of course, they are not blackhats, but the method used cannot be considered ethical. They DID breach Asus’s infrastructure and altered systems of non-consenting parties! I believe it’s against the law in many countries? So I now consider them greyhats.

              My humble opinion,


            • #346244

              BARIUM (the APT actor) created the infection and breached Asus’s infrastructure, not Kaspersky.
              Kaspersky detected the attack pattern on their customers, from telemetry (KSN cloud protection) collected by their AV product – just like many other AV vendors (including US competitors) do. That’s just how cloud protection works – and you may not use it at all (in fact, to protect corporate secrets from industrial espionage many conscious sysadmins turn it off and/or redirect/restrict that kind of functionality/features to work with proprietary repositories behind DMZ isolated from external network connectivity and/or blocking all outbound traffic).

            • #346297

              Oh, I mis-read it then. I stand corrected.


    • #345264

      Kaspersky found the exploit. Mr. Woody, you are profiting each day by making fun of Microsoft’s problems. Irony…

    • #345236

      Is that a site that lists the MAC address? I do not want to give my MAC address to anyone. I might better change it just to be safe.

    • #345311

      ..only affects 600 machines with specific hardcoded MAC addresses..Mostly it’s a publicity stunt for Kaspersky’s Security Analysts Summit in Singapore..

      Kaspersky has already found 57,000 PCs infected, Symantec has found 13,000 infected PCs.. (Microsoft Defender has found none 🙁

      So, it is not just 600 MAC addresses.

      • #345409

        (Microsoft Defender has found none 🙂

        How do you know that?

        Windows Defender Antivirus detects and removes this threat.

        Windows 11 Pro version 22H2 build 22621.2361 + Microsoft 365 + Edge

        • #345436


          It was just recently add by MS defender. MS waited hours and hours before release it. Other Anti viruses had added it sooner once it was published

          • #345439

            How do you know that?

            Symantec added detection late yesterday:

            Trojan.Susafone Also Known As: ShadowHammer [Kaspersky]

            So did Microsoft:

            Change log for definition version 1.291.346.0

            Windows 11 Pro version 22H2 build 22621.2361 + Microsoft 365 + Edge

            • #345460

              It was mentioned online that:
              Symantec added in March 25
              MS Defender added in March 26.

              You can see that from your links as well.

            • #345465

              It was mentioned online that:
              Symantec added in March 25

              Updated: March 25, 2019 6:28:22 PM Pacific Daylight Time ‎(UTC-7)

              MS Defender added in March 26.

              You can see that from your links as well.

              Definition available date: Mar 26, 2019 01:08 AM UTC

              Microsoft updated 20 minutes earlier than Symantec (who had been fully aware three days earlier).

              Windows 11 Pro version 22H2 build 22621.2361 + Microsoft 365 + Edge

              1 user thanked author for this post.
            • #345536

              Isn’t the Asus Update service capable of updating UEFI itself? If so, of what use are any of the virus detection tools? Don’t those only check signatures of data in files? How do we know if shadowhammer has not modified UEFI? From what I read, UEFI on Asus motherboards writes specific executable code stored in UEFI as executable files in System32. Virus detection may remove these files from system32 but they would just be rewritten during the next boot.

            • #345538

              It does no good for me to have any Symantec product(Provided by my Cable providor) because the Cable providor did not provide instructions or an Image of Norton that I could install on all my machines. So I had to go and install 4 different Images which Symantec/Norton promptly uinstalled itself from 3 out of 4 of my laptops. If only My cable providor could have provided the proper Instructions to Install one image across all 4 of my laptops. Microsoft Security Essentials has got that check also, for the sophisticated backdoor.  So  I’ll run a SE scan next time I dust my ASUS laptop off to install security updates(April), once a month for years now as the laptop is at least 8 years old and of the Sandy Bridge generation.

    • #345367

      Having built a few Asus motherboard based PC’s since the millennium, I’ve never used any of their software that came with the Mobo CD-ROM. Instead, I opted to download everything NEEDED from their FTP site at the time. Bios/ chipset/ drivers etc.. with no need for any of their utilities, have always done it that way.
      My Win7 Asus laptop however, came with Asus stuff installed and was promptly removed on first or second usage. IIRC my thoughts were ‘I don’t need this junkware’ on my device.
      Gut instinct or obsessive compulsive PC clean-up?
      Habits eh..

      No problem can be solved from the same level of consciousness that created IT- AE
      1 user thanked author for this post.
    • #345458

      ASUS Releases Security Update for Live Update Software

      ASUS has released Live Update version 3.6.8. This version addresses vulnerabilities that a remote attacker could exploit to take control of an affected system. These vulnerabilities were detected in exploits in the wild.

      The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the ASUS article for more information. The article includes a security diagnostic tool that users can run on their device to determine whether it is affected. CISA also encourages users and administrators to review the ASUS FAQ page to confirm that their device has received the upgrade to version 3.6.8 of Live Update.


      Windows 11 Pro version 22H2 build 22621.2361 + Microsoft 365 + Edge

    • #345511

      Like @Microfix, I’ve built many machines with Asus boards.  The hardware products are solid, and I have no issues with them or Asus as a company.  However, I banned AI suite and its related software utilities (which the insecure updating tool in question is part of) long ago when I realized how amateurish, buggy and generally ill conceived they were.  I realized early on that the update tool was using an insecure connection, and that was just one sticking point for me.  I immediately went back to doing my BIOS updates with a verified download and thumb drive.

      Additionally, nothing says quality like an installation that breaks pretty much the moment after you install it, to the point where you have to manually clean it from your system to get rid of it, because it’s so screwed up that the uninstaller crashes when attempting an uninstall.  This was my experience with the AI Suite editions (II and III) that I tried.

      Additionally, one of the Asus staff members had to post a link to a tool on the ROG forums to clean up after the uninstaller.  Because, even if you did manage to get it run, it left things behind (like service entries in the registry).  Additionally, that tool was put up on a google drive account, not on an official Asus site.  Nice of him to do that to help people, but at first glance, it just looks kind of janky.  The link in the post is still active by the way.


      For me the solution wasn’t to update the tools, it was to eradicate them and never install them again.  I stand by that recommendation for others.

    • #345535

      I generally liked Asus hardware quite a lot. Every Asus thingie I’ve ever owned has been perfectly stable and performs exactly as expected, but their software and firmware is terrible. So terrible, in fact, I doubt I’ll buy another Asus product that requires drivers or firmware until they fix their software.

      • #345677

        I used to like Asus hardware. But once you get the box, your experience is unclear. The support policy is unclear regarding length of firmware and driver support (at least that’s my experience from past purchases).

        I once bought a great (in spec) Wi-Fi adapter that had two driver updates and became unusable. Had to use RaLink drivers that had less features.

        When I think Asus, I now think “Two years and you are on your own“.


        1 user thanked author for this post.
        • #346301

          So Martin,

          What brand do you favor now?

          • #346309

            That’s not a simple question. I’ve been out of the system builder loop for too long to favor one brand above another on a part level. I’m open to Asus, but my key requirement is 5+ years of support as well as quality. I can often find better support with business-level machines.

            However, on a machine level, I like Lenovo (Chinese? Built in Mexico) from recent experiences. I heard Dell has good long term support too, but I haven’t checked yet. As Windows 7 EOL nears, my shopping will speed up!

            I have 3 new machines lining up so far, maybe more to come. Life as the Family Permanent Support Technician…

            1 user thanked author for this post.
    Viewing 10 reply threads
    Reply To: ASUS Live Update utility cracked – sophisticated backdoor installed on a million machines, but you don’t need to worry about it

    You can use BBCodes to format your content.
    Your account can't use all available BBCodes, they will be stripped before saving.

    Your information: