Kaspersky just released an announcement about Operation ShadowHammer, a truly spectacular hack of ASUS’s update servers that, ultimately, only affects
[See the full post at: ASUS Live Update utility cracked – sophisticated backdoor installed on a million machines, but you don’t need to worry about it]
ASUS Live Update utility cracked – sophisticated backdoor installed on a million machines, but you don’t need to worry about it
This topic has 31 replies, 11 voices, and was last updated 4 years, 6 months ago.
Topic author: woody (Manager)
T (AskWoody Plus):
I see the report on Motherboard is suggesting this was likely delivered using the CCleaner Trojan, as Asus were one of the targets.
anonymous (Guest):
Is there a list of the MAC addresses being targeted? Would like to know if any of my clients were being targeted. Several of them have ASUS and never let me remove the update feature, which I considered useless bloatware c**p ware that does nothing but eat up your resources and network bandwidth.
WildBill (AskWoody Plus):
Once you locate MAC (physical) addresses for your Ethernet, Wireless LAN & Wireless Wi-Fi devices (in a cmd.exe window, enter ipconfig /all), enter the connected ones here: https://shadowhammer.kaspersky.com/. I’m okay & the other 999,599 machines probably are, too. Woody’s right… once you get “Your device has not been targeted by ShadowHammer attack”, you basically get an ad for Kaspersky products. 3 out of 4 scams isn’t bad…
Speccy (AskWoody Lounger):
@WildBill:
You could have also just scrolled down the Kaspersky blog post to where it reads: “Download an archive with the tool (.exe)” (linking to https://kas.pr/shadowhammer). By clicking that sentence you would have downloaded a .zip file containing a tiny (74kb) shadowhammer.exe binary: that standalone tool may be executed offline to quickly and easily check all your local MAC addresses at once and either give you some peace of mind
GOOD Your machine is not affected
or give you reasons to be worried and ask for help, if the output is:
IMPORTANT It appears you have been targeted! Please send us an email to shadowhammer[at]kaspersky[dot]com
No need to type in your MAC addresses online. And no ads. 😉
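An added example (not code from this thread and not Kaspersky's shadowhammer.exe): a small offline checker in the spirit of what WildBill and Speccy describe. It parses the output of `ipconfig /all` for every Physical Address, normalises dash and colon notation, and compares the result with a target list; the target list and the sample `ipconfig /all` output are constructed placeholders, since the real targeted addresses are not on this page.

```python
"""Offline MAC check in the spirit of the shadowhammer.exe tool described above.
Added example, not code from the thread or from Kaspersky; the target list and
the sample `ipconfig /all` output are constructed placeholders."""
import re
import subprocess
import sys

# Constructed placeholder; the real ShadowHammer target list is not on this page.
TARGETED_MACS = {"02-00-5E-00-53-01"}

# English-locale label "Physical Address. . . : xx-xx-xx-xx-xx-xx"; the lookahead
# skips 8-group tunnel-adapter identifiers such as 00-00-00-00-00-00-00-E0.
PHYS_RE = re.compile(
    r"Physical Address[ .]*:\s*"
    r"([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})(?![-:][0-9A-Fa-f])"
)

def normalize_mac(mac):
    """Upper-case, dash-separated form so 'aa:bb:..' and 'AA-BB-..' compare equal."""
    return "-".join(part.upper() for part in re.split(r"[-:]", mac.strip()))

def parse_ipconfig(text):
    """Return every adapter MAC found in `ipconfig /all` output, normalised."""
    return [normalize_mac(m) for m in PHYS_RE.findall(text)]

def check_macs(macs, targets=TARGETED_MACS):
    """Mirror the tool's two verdicts: ('GOOD', []) or ('IMPORTANT', [matching MACs])."""
    hits = sorted({normalize_mac(m) for m in macs} & {normalize_mac(t) for t in targets})
    return ("IMPORTANT", hits) if hits else ("GOOD", [])

# Constructed sample of `ipconfig /all` output: two real adapters plus a tunnel.
SAMPLE_IPCONFIG = """\
Ethernet adapter Ethernet:
   Physical Address. . . . . . . . . : 00-11-22-33-44-55
Wireless LAN adapter Wi-Fi:
   Physical Address. . . . . . . . . : aa:bb:cc:dd:ee:ff
Tunnel adapter Teredo Tunneling Pseudo-Interface:
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
"""

if __name__ == "__main__":
    if sys.platform == "win32":  # live check on a Windows host
        text = subprocess.run(["ipconfig", "/all"], capture_output=True, text=True).stdout
    else:  # offline demo elsewhere
        text = SAMPLE_IPCONFIG
    print(*check_macs(parse_ipconfig(text)))
```

On a non-English Windows the "Physical Address" label is localised, so the regex would need the local label.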
Speccy (AskWoody Lounger):
Fair enough. You do not seem to trust Kaspersky. What about VirusTotal?
https://bit.ly/2CIAaL3
https://bit.ly/2uxfX6z
https://bit.ly/2HWyz80
(URLs shortened for the sake of legibility: append a ‘+’ sign at the end of each link to preview it. Assuming you trust bit.ly for that. 🙂)
You’re right, it is always a matter of trust(ing something). I simply pointed out that the AV vendor also mentioned their own tiny standalone tool as an alternative way to check (if anyone’s interested).
Offline binary execution – which can be monitored and analyzed in a controlled environment (with security safeguards in place) – might be a better choice (if not safer, at least a little less risky) than putting real data into a website.
ve2mrx (AskWoody Plus):
I really don’t distrust Kaspersky for my personal use. But they won’t be my first choice.
I was only pointing out the irony of trusting those who created the infection.
Of course, they are not blackhats, but the method used cannot be considered ethical. They DID breach Asus’s infrastructure and altered systems of non-consenting parties! I believe it’s against the law in many countries? So I now consider them greyhats.
My humble opinion,
Martin
Speccy (Guest):
BARIUM (the APT actor) created the infection and breached Asus’s infrastructure, not Kaspersky.
Kaspersky detected the attack pattern on their customers, from telemetry (KSN cloud protection) collected by their AV product – just like many other AV vendors (including US competitors) do. That’s just how cloud protection works – and you may not use it at all (in fact, to protect corporate secrets from industrial espionage many conscious sysadmins turn it off and/or redirect/restrict that kind of functionality/features to work with proprietary repositories behind DMZ isolated from external network connectivity and/or blocking all outbound traffic).
Alex5723 (AskWoody Plus):
..only affects 600 machines with specific hardcoded MAC addresses.. Mostly it’s a publicity stunt for Kaspersky’s Security Analysts Summit in Singapore..
Kaspersky has already found 57,000 PCs infected, Symantec has found 13,000 infected PCs.. (Microsoft Defender has found none 🙁)
So, it is not just 600 MAC addresses.
b (Manager):
(Microsoft Defender has found none 🙂)
How do you know that?
Windows Defender Antivirus detects and removes this threat.
Backdoor:Win32/ShadowHammer!dha
b (Manager):
How do you know that?
Symantec added detection late yesterday:
Trojan.Susafone Also Known As: ShadowHammer [Kaspersky]
So did Microsoft:
b (Manager):
@b
It was mentioned online that:
Symantec added in March 25
Updated: March 25, 2019 6:28:22 PM Pacific Daylight Time (UTC-7)
MS Defender added in March 26.
You can see that from your links as well.
Definition available date: Mar 26, 2019 01:08 AM UTC
Microsoft updated 20 minutes earlier than Symantec (who had been fully aware three days earlier).
anonymous (Guest):
Isn’t the Asus Update service capable of updating UEFI itself? If so, of what use are any of the virus detection tools? Don’t those only check signatures of data in files? How do we know if ShadowHammer has not modified UEFI? From what I read, UEFI on Asus motherboards writes specific executable code stored in UEFI as executable files in System32. Virus detection may remove these files from System32 but they would just be rewritten during the next boot.
anonymous (Guest):
It does no good for me to have any Symantec product (provided by my cable provider) because the cable provider did not provide instructions or an image of Norton that I could install on all my machines. So I had to go and install 4 different images, which Symantec/Norton promptly uninstalled itself from 3 out of 4 of my laptops. If only my cable provider could have provided the proper instructions to install one image across all 4 of my laptops. Microsoft Security Essentials has got that check also, for the sophisticated backdoor. So I’ll run a SE scan next time I dust my ASUS laptop off to install security updates (April), once a month for years now as the laptop is at least 8 years old and of the Sandy Bridge generation.
Microfix (AskWoody MVP):
Having built a few Asus motherboard based PCs since the millennium, I’ve never used any of their software that came with the Mobo CD-ROM. Instead, I opted to download everything NEEDED from their FTP site at the time: BIOS, chipset, drivers etc. With no need for any of their utilities, I have always done it that way.
My Win7 Asus laptop however, came with Asus stuff installed and was promptly removed on first or second usage. IIRC my thoughts were ‘I don’t need this junkware’ on my device.
Gut instinct or obsessive compulsive PC clean-up?
Habits eh..
b (Manager):
ASUS Releases Security Update for Live Update Software
ASUS has released Live Update version 3.6.8. This version addresses vulnerabilities that a remote attacker could exploit to take control of an affected system. These vulnerabilities were detected in exploits in the wild.
The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the ASUS article for more information. The article includes a security diagnostic tool that users can run on their device to determine whether it is affected. CISA also encourages users and administrators to review the ASUS FAQ page to confirm that their device has received the upgrade to version 3.6.8 of Live Update.
Anonymous (Inactive):
Like @Microfix, I’ve built many machines with Asus boards. The hardware products are solid, and I have no issues with them or Asus as a company. However, I banned AI Suite and its related software utilities (which the insecure updating tool in question is part of) long ago when I realized how amateurish, buggy and generally ill conceived they were. I realized early on that the update tool was using an insecure connection, and that was just one sticking point for me. I immediately went back to doing my BIOS updates with a verified download and thumb drive.
Additionally, nothing says quality like an installation that breaks pretty much the moment after you install it, to the point where you have to manually clean it from your system to get rid of it, because it’s so screwed up that the uninstaller crashes when attempting an uninstall. This was my experience with the AI Suite editions (II and III) that I tried.
Additionally, one of the Asus staff members had to post a link to a tool on the ROG forums to clean up after the uninstaller. Because, even if you did manage to get it run, it left things behind (like service entries in the registry). Additionally, that tool was put up on a google drive account, not on an official Asus site. Nice of him to do that to help people, but at first glance, it just looks kind of janky. The link in the post is still active by the way.
https://rog.asus.com/forum/showthread/?95038-AI-Suite-3-cleaner
For me the solution wasn’t to update the tools, it was to eradicate them and never install them again. I stand by that recommendation for others.
anonymous (Guest):
I generally liked Asus hardware quite a lot. Every Asus thingie I’ve ever owned has been perfectly stable and performs exactly as expected, but their software and firmware is terrible. So terrible, in fact, I doubt I’ll buy another Asus product that requires drivers or firmware until they fix their software.
ve2mrx (AskWoody Plus):
I used to like Asus hardware. But once you get the box, your experience is unclear. The support policy is unclear regarding length of firmware and driver support (at least that’s my experience from past purchases).
I once bought a great (in spec) Wi-Fi adapter that had two driver updates and became unusable. Had to use RaLink drivers that had fewer features.
When I think Asus, I now think “Two years and you are on your own”.
Martin
ve2mrx (AskWoody Plus):
That’s not a simple question. I’ve been out of the system builder loop for too long to favor one brand above another on a part level. I’m open to Asus, but my key requirement is 5+ years of support as well as quality. I can often find better support with business-level machines.
However, on a machine level, I like Lenovo (Chinese? Built in Mexico) from recent experiences. I heard Dell has good long term support too, but I haven’t checked yet. As Windows 7 EOL nears, my shopping will speed up!
I have 3 new machines lining up so far, maybe more to come. Life as the Family Permanent Support Technician…
Copyright ©2004-2023 by AskWoody Tech LLC. All Rights Reserved.