  • ASUS Live Update utility cracked – sophisticated backdoor installed on a million machines, but you don’t need to worry about it


    This topic contains 31 replies, has 11 voices, and was last updated by  ve2mrx 4 months, 3 weeks ago.

    • Author
      Posts
    • #345094 Reply

      woody
      Da Boss

      Kaspersky just released an announcement about Operation ShadowHammer, a truly spectacular hack of ASUS’s update servers that, ultimately, only affects
      [See the full post at: ASUS Live Update utility cracked – sophisticated backdoor installed on a million machines, but you don’t need to worry about it]

      7 users thanked author for this post.
    • #345111 Reply

      T
      AskWoody Plus

      I see the report on motherboard is suggesting this was likely delivered using the ccleaner Trojan as Asus were one of the targets.

      https://motherboard.vice.com/en_us/article/pan9wn/hackers-hijacked-asus-software-updates-to-install-backdoors-on-thousands-of-computers

      1 user thanked author for this post.
    • #345110 Reply

      anonymous

      Ah, that’s the famous update utility that never managed to update anything anywhere I tried… Similar useless junk is one of the reasons why to wipe and reinstall any OEM-preinstalled computer right after purchase.

      • #345148 Reply

        woody
        Da Boss

        But.. but.. but.. one MEEEEELION machines.

        The Windows news cycle is so easily captured.

        2 users thanked author for this post.
      • #345493 Reply

        anonymous

        I kept it on one of my main stations to let it try and update once in a while.  I feel bad for the lil beggar.  Might be time to put it out of its misery.

    • #345144 Reply

      anonymous

      Is there a list of the MAC addresses being targeted? Would like to know if any of my clients were being targeted. Several of them have ASUS and never let me remove the update feature, which I considered useless bloatware c**p ware that does nothing but eats up your resources and network bandwidth.

    • #345158 Reply

      WildBill
      AskWoody Plus

      Once you locate MAC (physical) addresses for your Ethernet, Wireless LAN & Wireless Wi-Fi devices (in a cmd.exe window, enter ipconfig /all), enter the connected ones here: https://shadowhammer.kaspersky.com/. I’m okay & the other 999,599 machines probably are, too. Woody’s right… once you get “Your device has not been targeted by ShadowHammer attack”, you basically get an ad for Kaspersky products. 3 out of 4 scams isn’t bad…

      Windows 8.1, 64-bit, now in Group B!
      Wild Bill Rides Again...

      • #345238 Reply

        anonymous

        @wildbill

I do not trust websites that ask for MAC address. There are too many tools that can be used to exploit it once it gets a user’s MAC address. This is why I asked for list.

        • #345495 Reply

          anonymous

          Out of curiosity, how can they be exploited?

      • #345562 Reply

        Speccy
        AskWoody Lounger

        @wildbill:
        You could have also just scrolled down the Kaspersky blog post up to where it reads:

        “Download an archive with the tool (.exe)”
        (linking to https://kas.pr/shadowhammer)

By clicking that sentence you would have downloaded a .zip file containing a tiny (74kb) shadowhammer.exe binary: that standalone tool may be executed offline to quickly and easily check all your local MAC addresses at once and either give you some peace of mind

        GOOD
        Your machine is not affected

        or give you reasons to be worried and ask for help, if the output is:

        IMPORTANT
        It appears you have been targeted! Please send us an email to shadowhammer[at]kaspersky[dot]com

        No need to type in your MAC addresses online. And no ads. 😉
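The two posts above describe the same defensive check from different angles: WildBill's (collect the physical addresses that `ipconfig /all` prints and compare them with the targeted list) and Speccy's (do the comparison offline so no real MAC address leaves the machine). The script below is an added example written for this thread; it is not Kaspersky's tool, not ASUS's diagnostic, and not code from any poster. It parses `ipconfig /all` output, normalises each MAC to twelve lowercase hex digits, and checks it against a local indicator list. The indicator values in `PLAIN_IOCS` and `MD5_IOCS` are constructed placeholders for the demonstration, not real ShadowHammer indicators; the `ipconfig` text is likewise constructed. The hashed-list path assumes the list publisher hashed the same twelve-hex-digit string form (an assumption: match it to whatever convention the list you actually use documents).

```python
"""Offline check of local MAC addresses against an indicator list (added example)."""
import hashlib
import re
import subprocess
from typing import Iterable, List

# Constructed sample of `ipconfig /all` output; not captured from a real machine.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : DESKTOP-EXAMPLE

Ethernet adapter Ethernet:

   Media State . . . . . . . . . . . : Media disconnected
   Description . . . . . . . . . . . : Example GbE Controller
   Physical Address. . . . . . . . . : 00-1A-2B-3C-4D-5E
   DHCP Enabled. . . . . . . . . . . : Yes

Wireless LAN adapter Wi-Fi:

   Description . . . . . . . . . . . : Example Wireless-AC
   Physical Address. . . . . . . . . : AA-BB-CC-DD-EE-FF
   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)

Ethernet adapter Bluetooth Network Connection:

   Physical Address. . . . . . . . . : 11-22-33-44-55-66
"""

# Placeholder indicators (constructed for this example, NOT real ShadowHammer values).
# A real list would be loaded from a file you obtained and verified yourself.
PLAIN_IOCS = ["AA:BB:CC:DD:EE:FF"]                       # plaintext MAC entries
MD5_IOCS = [hashlib.md5(b"112233445566").hexdigest()]    # hashed entries, same string form

# Windows prints "Physical Address. . . . : 00-1A-2B-3C-4D-5E"; accept ':' separators too.
MAC_RE = re.compile(r"Physical Address[ .]*: ([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})")


def normalize_mac(mac: str) -> str:
    """Canonical form: twelve lowercase hex digits, no separators."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def parse_ipconfig(text: str) -> List[str]:
    """Return every physical address found in `ipconfig /all` output, normalised."""
    return [normalize_mac(m) for m in MAC_RE.findall(text)]


def local_macs() -> List[str]:
    """Run ipconfig on this Windows host and parse its output (nothing is sent anywhere)."""
    out = subprocess.run(["ipconfig", "/all"], capture_output=True, text=True, check=True).stdout
    return parse_ipconfig(out)


def check_macs(macs: Iterable[str], plain_iocs: Iterable[str], md5_iocs: Iterable[str]) -> List[str]:
    """Return the local MACs that appear in either indicator list, in input order."""
    plain = {normalize_mac(m) for m in plain_iocs}
    hashed = {h.lower() for h in md5_iocs}
    hits = []
    for mac in macs:
        digest = hashlib.md5(mac.encode("ascii")).hexdigest()  # assumed hashing convention
        if mac in plain or digest in hashed:
            hits.append(mac)
    return hits


if __name__ == "__main__":
    try:
        macs = local_macs()
    except (OSError, subprocess.CalledProcessError):
        # Not on Windows (or ipconfig unavailable): fall back to the constructed sample.
        macs = parse_ipconfig(SAMPLE_IPCONFIG)
    matches = check_macs(macs, PLAIN_IOCS, MD5_IOCS)
    print("checked", len(macs), "adapter(s);", "no match" if not matches else f"MATCH: {matches}")
```

Because everything runs locally, the script answers the "is there a list I can check against myself?" question asked earlier in the thread without submitting any address to a web form; swap the placeholder lists for an indicator file from a source you trust and the same code applies unchanged.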

        • #345672 Reply

          ve2mrx
          AskWoody Plus

          For that, you need to trust the exe given from the infecting entity…

          Food for thought!

          • #346155 Reply

            Speccy
            AskWoody Lounger

            Fair enough. You do not seem to trust Kaspersky. What about VirusTotal?

            https://bit.ly/2CIAaL3
            https://bit.ly/2uxfX6z
            https://bit.ly/2HWyz80

            (URLs shortened for the sake of legibility: append a ‘+’ sign at the end of each link to preview it. Assuming you trust bit.ly for that. 🙂)

            You’re right, it is always a matter of trust(ing something). I simply pointed out that the AV vendor also mentioned their own tiny standalone tool as an alternative way to check (if anyone’s interested).

            Offline binary execution – which can be monitored and analyzed in a controlled environment (with security safeguards in place) – might be a better choice (if not safer, at least a little less risky) than putting real data into a website.

            1 user thanked author for this post.
            • #346195 Reply

              ve2mrx
              AskWoody Plus

              I really don’t distrust Kaspersky for my personal use. But they won’t be my first choice.

              I was only pointing the irony of trusting those who created the infection.

              Of course, they are not blackhats, but the method used cannot be considered ethical. They DID breach Asus’s infrastructure and altered systems of non-consenting parties! I believe it’s against the law in many countries? So I now consider them greyhats.

              My humble opinion,

              Martin

            • #346244 Reply

              Speccy

              BARIUM (the APT actor) created the infection and breached Asus’s infrastructure, not Kaspersky.
              Kaspersky detected the attack pattern on their customers, from telemetry (KSN cloud protection) collected by their AV product – just like many other AV vendors (including US competitors) do. That’s just how cloud protection works – and you may not use it at all (in fact, to protect corporate secrets from industrial espionage many conscious sysadmins turn it off and/or redirect/restrict that kind of functionality/features to work with proprietary repositories behind DMZ isolated from external network connectivity and/or blocking all outbound traffic).

            • #346297 Reply

              ve2mrx
              AskWoody Plus

              Oh, I mis-read it then. I stand corrected.

              Thanks!

    • #345264 Reply

      anonymous

      Kaspersky found the exploit. Mr. Woody, you are profiting each day by making fun of Microsoft’s problems. Irony…

    • #345236 Reply

      anonymous

      Is that a site that lists the MAC address? I do not want to give my MAC address to anyone. I might better change it just to be safe.

    • #345311 Reply

      Alex5723
      AskWoody Plus

      ..only affects 600 machines with specific hardcoded MAC addresses..Mostly it’s a publicity stunt for Kaspersky’s Security Analysts Summit in Singapore..

      Kaspersky has already found 57,000 PCs infected, Symantec has found 13,000 infected PCs.. (Microsoft Defender has found none 🙁

      So, it is not just 600 MAC addresses.

      • #345409 Reply

        b
        AskWoody Plus

        (Microsoft Defender has found none 🙂

        How do you know that?

        Windows Defender Antivirus detects and removes this threat.
        Backdoor:Win32/ShadowHammer!dha

        Knuckle dragger Cannon fodder Chump Daft glutton Idiot Crazy/Ignorant Toxic drinker Blockhead Unwashed mass Seeker/Sucker "Ancient/Obsolete" (Group ASAP) Win10 v.1903

        • #345436 Reply

          anonymous

          @b

It was just recently added by MS Defender. MS waited hours and hours before releasing it. Other anti-viruses had added it sooner once it was published.

          • #345439 Reply

            b
            AskWoody Plus

            How do you know that?

            Symantec added detection late yesterday:

            Trojan.Susafone Also Known As: ShadowHammer [Kaspersky]

            So did Microsoft:

            Change log for definition version 1.291.346.0


            • #345460 Reply

              anonymous

              @b
              It was mentioned online that:
              Symantec added in March 25
              MS Defender added in March 26.

              You can see that from your links as well.

            • #345465 Reply

              b
              AskWoody Plus

              @b
              It was mentioned online that:
              Symantec added in March 25

Updated: March 25, 2019 6:28:22 PM Pacific Daylight Time (UTC-7)

              MS Defender added in March 26.

              You can see that from your links as well.

              Definition available date: Mar 26, 2019 01:08 AM UTC

              Microsoft updated 20 minutes earlier than Symantec (who had been fully aware three days earlier).


              1 user thanked author for this post.
            • #345536 Reply

              anonymous

              Isn’t the Asus Update service capable of updating UEFI itself? If so, of what use are any of the virus detection tools? Don’t those only check signatures of data in files? How do we know if shadowhammer has not modified UEFI? From what I read, UEFI on Asus motherboards writes specific executable code stored in UEFI as executable files in System32. Virus detection may remove these files from system32 but they would just be rewritten during the next boot.

            • #345538 Reply

              anonymous

It does no good for me to have any Symantec product (provided by my cable provider) because the cable provider did not provide instructions or an image of Norton that I could install on all my machines. So I had to go and install 4 different images, which Symantec/Norton promptly uninstalled itself from 3 out of 4 of my laptops. If only my cable provider could have provided the proper instructions to install one image across all 4 of my laptops. Microsoft Security Essentials has got that check also, for the sophisticated backdoor. So I’ll run a SE scan next time I dust my ASUS laptop off to install security updates (April), once a month for years now as the laptop is at least 8 years old and of the Sandy Bridge generation.

    • #345367 Reply

      Microfix
      Da Boss

Having built a few Asus motherboard based PCs since the millennium, I’ve never used any of their software that came with the Mobo CD-ROM. Instead, I opted to download everything NEEDED from their FTP site at the time. Bios/ chipset/ drivers etc.. with no need for any of their utilities, have always done it that way.
      My Win7 Asus laptop however, came with Asus stuff installed and was promptly removed on first or second usage. IIRC my thoughts were ‘I don’t need this junkware’ on my device.
      Gut instinct or obsessive compulsive PC clean-up?
      Habits eh..

      ********** Win7 x64/x86 | Win8.1 x64 | Linux Hybrids x64 **********

      1 user thanked author for this post.
    • #345458 Reply

      b
      AskWoody Plus

      ASUS Releases Security Update for Live Update Software

      ASUS has released Live Update version 3.6.8. This version addresses vulnerabilities that a remote attacker could exploit to take control of an affected system. These vulnerabilities were detected in exploits in the wild.

      The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the ASUS article for more information. The article includes a security diagnostic tool that users can run on their device to determine whether it is affected. CISA also encourages users and administrators to review the ASUS FAQ page to confirm that their device has received the upgrade to version 3.6.8 of Live Update.

      https://www.us-cert.gov/ncas/current-activity/2019/03/26/ASUS-Releases-Security-Update-Live-Update-Software


    • #345511 Reply

      Anonymous

      Like @microfix, I’ve built many machines with Asus boards.  The hardware products are solid, and I have no issues with them or Asus as a company.  However, I banned AI suite and its related software utilities (which the insecure updating tool in question is part of) long ago when I realized how amateurish, buggy and generally ill conceived they were.  I realized early on that the update tool was using an insecure connection, and that was just one sticking point for me.  I immediately went back to doing my BIOS updates with a verified download and thumb drive.

      Additionally, nothing says quality like an installation that breaks pretty much the moment after you install it, to the point where you have to manually clean it from your system to get rid of it, because it’s so screwed up that the uninstaller crashes when attempting an uninstall.  This was my experience with the AI Suite editions (II and III) that I tried.

      Additionally, one of the Asus staff members had to post a link to a tool on the ROG forums to clean up after the uninstaller.  Because, even if you did manage to get it run, it left things behind (like service entries in the registry).  Additionally, that tool was put up on a google drive account, not on an official Asus site.  Nice of him to do that to help people, but at first glance, it just looks kind of janky.  The link in the post is still active by the way.

      https://rog.asus.com/forum/showthread.php?95038-AI-Suite-3-cleaner

      For me the solution wasn’t to update the tools, it was to eradicate them and never install them again.  I stand by that recommendation for others.

    • #345535 Reply

      anonymous

      I generally liked Asus hardware quite a lot. Every Asus thingie I’ve ever owned has been perfectly stable and performs exactly as expected, but their software and firmware is terrible. So terrible, in fact, I doubt I’ll buy another Asus product that requires drivers or firmware until they fix their software.

      • #345677 Reply

        ve2mrx
        AskWoody Plus

        I used to like Asus hardware. But once you get the box, your experience is unclear. The support policy is unclear regarding length of firmware and driver support (at least that’s my experience from past purchases).

        I once bought a great (in spec) Wi-Fi adapter that had two driver updates and became unusable. Had to use RaLink drivers that had less features.

When I think Asus, I now think “Two years and you are on your own”.

        Martin

        1 user thanked author for this post.
        • #346301 Reply

          AlexEiffel
          AskWoody_MVP

          So Martin,

          What brand do you favor now?

          • #346309 Reply

            ve2mrx
            AskWoody Plus

            That’s not a simple question. I’ve been out of the system builder loop for too long to favor one brand above another on a part level. I’m open to Asus, but my key requirement is 5+ years of support as well as quality. I can often find better support with business-level machines.

            However, on a machine level, I like Lenovo (Chinese? Built in Mexico) from recent experiences. I heard Dell has good long term support too, but I haven’t checked yet. As Windows 7 EOL nears, my shopping will speed up!

            I have 3 new machines lining up so far, maybe more to come. Life as the Family Permanent Support Technician…

            1 user thanked author for this post.
