ASUS Live Update utility cracked – sophisticated backdoor installed on a million machines, but you don’t need to worry about it

Topic

New Reply

Kaspersky just released an announcement about Operation ShadowHammer, a truly spectacular hack of ASUS’s update servers that, ultimately, only affects
[See the full post at: ASUS Live Update utility cracked – sophisticated backdoor installed on a million machines, but you don’t need to worry about it]

7 users thanked author for this post.

Microfix, abbodi86, lurks about, wdburt1, PhotM, Fritz

Reply | Quote

Replies

I see the report on motherboard is suggesting this was likely delivered using the ccleaner Trojan as Asus were one of the targets.

https://motherboard.vice.com/en_us/article/pan9wn/hackers-hijacked-asus-software-updates-to-install-backdoors-on-thousands-of-computers

1 user thanked author for this post.

WildBill

Reply | Quote

Ah, that’s the famous update utility that never managed to update anything anywhere I tried… Similar useless junk is one of the reasons why to wipe and reinstall any OEM-preinstalled computer right after purchase.

Reply | Quote

But.. but.. but.. one MEEEEELION machines.

The Windows news cycle is so easily captured.

2 users thanked author for this post.

JCCWsusser, WildBill

Reply | Quote

I kept it on one of my main stations to let it try and update once in a while.  I feel bad for the lil beggar.  Might be time to put it out of its misery.

Reply | Quote

Is there a list of the MAC addresses being targeted? Would like to know if any of my clients were being targeted. Several of them have ASUS and never let me remove the update feature, which I considered useless bloatware c**p ware that does nothing but eats up your resources and network bandwidth.

Reply | Quote

Once you locate MAC (physical) addresses for your Ethernet, Wireless LAN & Wireless Wi-Fi devices (in a cmd.exe window, enter ipconfig /all), enter the connected ones here: https://shadowhammer.kaspersky.com/. I’m okay & the other 999,599 machines probably are, too. Woody’s right… once you get “Your device has not been targeted by ShadowHammer attack”, you basically get an ad for Kaspersky products. 3 out of 4 scams isn’t bad…

Bought a refurbished Windows 10 64-bit, currently updated to 22H2. Have broke the AC adapter cord going to the 8.1 machine, but before that, coaxed it into charging. Need to buy new adapter if wish to continue using it.
Wild Bill Rides Again...

Reply | Quote

@WildBill

I do not trust websites that ask for MAC address. There are too many tools that can be used to exploit it once it gets a users’  MAC address. This is why I asked for list.

Reply | Quote

Out of curiosity, how can they be exploited?

Reply | Quote

@WildBill:
You could have also just scrolled down the Kaspersky blog post up to where it reads:

“Download an archive with the tool (.exe)”
(linking to https://kas.pr/shadowhammer)

By clicking that sentence you would have downloaded a .zip file containing a tiny (74kb) shadowhammer.exe binary: that standalone tool may be executed offline to quickly and easily check all your local MAC addresses at once and either give you some piece of mind

GOOD
Your machine is not affected

or give you reasons to be worried and ask for help, if the output is:

IMPORTANT
It appears you have been targeted! Please send us an email to shadowhammer[at]kaspersky[dot]com

No need to type in your MAC addresses online. And no ads. 😉

Reply | Quote

For that, you need to trust the exe given from the infecting entity…

Food for thought!

Reply | Quote

Fair enough. You do not seem to trust Kaspersky. What about VirusTotal?

https://bit.ly/2CIAaL3
https://bit.ly/2uxfX6z
https://bit.ly/2HWyz80

(URLs shortened for the sake of legibility: append a ‘+’ sign at the end of each link to preview it. Assuming you trust bit.ly for that. 🙂)

You’re right, it is always a matter of trust(ing something). I simply pointed out that the AV vendor also mentioned their own tiny standalone tool as an alternative way to check (if anyone’s interested).

Offline binary execution – which can be monitored and analyzed in a controlled environment (with security safeguards in place) – might be a better choice (if not safer, at least a little less risky) than putting real data into a website.

1 user thanked author for this post.

ve2mrx

Reply | Quote

I really don’t distrust Kaspersky for my personal use. But they won’t be my first choice.

I was only pointing the irony of trusting those who created the infection.

Of course, they are not blackhats, but the method used cannot be considered ethical. They DID breach Asus’s infrastructure and altered systems of non-consenting parties! I believe it’s against the law in many countries? So I now consider them greyhats.

My humble opinion,

Martin

Reply | Quote

BARIUM (the APT actor) created the infection and breached Asus’s infrastructure, not Kaspersky.
Kaspersky detected the attack pattern on their customers, from telemetry (KSN cloud protection) collected by their AV product – just like many other AV vendors (including US competitors) do. That’s just how cloud protection works – and you may not use it at all (in fact, to protect corporate secrets from industrial espionage many conscious sysadmins turn it off and/or redirect/restrict that kind of functionality/features to work with proprietary repositories behind DMZ isolated from external network connectivity and/or blocking all outbound traffic).

Reply | Quote

Oh, I mis-read it then. I stand corrected.

Thanks!

Reply | Quote

Kaspersky found the exploit. Mr. Woody, you are profiting each day by making fun of Microsoft’s problems. Irony…

Reply | Quote

Is that a site that lists the MAC address? I do not want to give my MAC address to anyone. I might better change it just to be safe.

Reply | Quote

..only affects 600 machines with specific hardcoded MAC addresses..Mostly it’s a publicity stunt for Kaspersky’s Security Analysts Summit in Singapore..

Kaspersky has already found 57,000 PCs infected, Symantec has found 13,000 infected PCs.. (Microsoft Defender has found none 🙁

So, it is not just 600 MAC addresses.

Reply | Quote

Alex5723 wrote:

(Microsoft Defender has found none 🙂

How do you know that?

Windows Defender Antivirus detects and removes this threat.
Backdoor:Win32/ShadowHammer!dha

Reply | Quote

@b

It was just recently add by MS defender. MS waited hours and hours before release it. Other Anti viruses had added it sooner once it was published

Reply | Quote

How do you know that?

Symantec added detection late yesterday:

Trojan.Susafone Also Known As: ShadowHammer [Kaspersky]

So did Microsoft:

Change log for definition version 1.291.346.0

Reply | Quote

@b
It was mentioned online that:
Symantec added in March 25
MS Defender added in March 26.

You can see that from your links as well.

Reply | Quote

anonymous wrote:

@b
It was mentioned online that:
Symantec added in March 25

Updated: March 25, 2019 6:28:22 PM Pacific Daylight Time ‎(UTC-7)‎

anonymous wrote:

MS Defender added in March 26.

You can see that from your links as well.

Definition available date: Mar 26, 2019 01:08 AM UTC

Microsoft updated 20 minutes earlier than Symantec (who had been fully aware three days earlier).

1 user thanked author for this post.

warrenrumak

Reply | Quote

Isn’t the Asus Update service capable of updating UEFI itself? If so, of what use are any of the virus detection tools? Don’t those only check signatures of data in files? How do we know if shadowhammer has not modified UEFI? From what I read, UEFI on Asus motherboards writes specific executable code stored in UEFI as executable files in System32. Virus detection may remove these files from system32 but they would just be rewritten during the next boot.

Reply | Quote

It does no good for me to have any Symantec product(Provided by my Cable providor) because the Cable providor did not provide instructions or an Image of Norton that I could install on all my machines. So I had to go and install 4 different Images which Symantec/Norton promptly uinstalled itself from 3 out of 4 of my laptops. If only My cable providor could have provided the proper Instructions to Install one image across all 4 of my laptops. Microsoft Security Essentials has got that check also, for the sophisticated backdoor.  So  I’ll run a SE scan next time I dust my ASUS laptop off to install security updates(April), once a month for years now as the laptop is at least 8 years old and of the Sandy Bridge generation.

Reply | Quote

Having built a few Asus motherboard based PC’s since the millennium, I’ve never used any of their software that came with the Mobo CD-ROM. Instead, I opted to download everything NEEDED from their FTP site at the time. Bios/ chipset/ drivers etc.. with no need for any of their utilities, have always done it that way.
My Win7 Asus laptop however, came with Asus stuff installed and was promptly removed on first or second usage. IIRC my thoughts were ‘I don’t need this junkware’ on my device.
Gut instinct or obsessive compulsive PC clean-up?
Habits eh..

Windows - commercial by definition and now function...

1 user thanked author for this post.

Reply | Quote

ASUS Releases Security Update for Live Update Software

ASUS has released Live Update version 3.6.8. This version addresses vulnerabilities that a remote attacker could exploit to take control of an affected system. These vulnerabilities were detected in exploits in the wild.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the ASUS article for more information. The article includes a security diagnostic tool that users can run on their device to determine whether it is affected. CISA also encourages users and administrators to review the ASUS FAQ page to confirm that their device has received the upgrade to version 3.6.8 of Live Update.

https://www.us-cert.gov/ncas/current-activity/2019/03/26/ASUS-Releases-Security-Update-Live-Update-Software

Reply | Quote

Like @Microfix, I’ve built many machines with Asus boards.  The hardware products are solid, and I have no issues with them or Asus as a company.  However, I banned AI suite and its related software utilities (which the insecure updating tool in question is part of) long ago when I realized how amateurish, buggy and generally ill conceived they were.  I realized early on that the update tool was using an insecure connection, and that was just one sticking point for me.  I immediately went back to doing my BIOS updates with a verified download and thumb drive.

Additionally, nothing says quality like an installation that breaks pretty much the moment after you install it, to the point where you have to manually clean it from your system to get rid of it, because it’s so screwed up that the uninstaller crashes when attempting an uninstall.  This was my experience with the AI Suite editions (II and III) that I tried.

Additionally, one of the Asus staff members had to post a link to a tool on the ROG forums to clean up after the uninstaller.  Because, even if you did manage to get it run, it left things behind (like service entries in the registry).  Additionally, that tool was put up on a google drive account, not on an official Asus site.  Nice of him to do that to help people, but at first glance, it just looks kind of janky.  The link in the post is still active by the way.

https://rog.asus.com/forum/showthread/?95038-AI-Suite-3-cleaner

For me the solution wasn’t to update the tools, it was to eradicate them and never install them again.  I stand by that recommendation for others.

Reply | Quote

I generally liked Asus hardware quite a lot. Every Asus thingie I’ve ever owned has been perfectly stable and performs exactly as expected, but their software and firmware is terrible. So terrible, in fact, I doubt I’ll buy another Asus product that requires drivers or firmware until they fix their software.

Reply | Quote

I used to like Asus hardware. But once you get the box, your experience is unclear. The support policy is unclear regarding length of firmware and driver support (at least that’s my experience from past purchases).

I once bought a great (in spec) Wi-Fi adapter that had two driver updates and became unusable. Had to use RaLink drivers that had less features.

When I think Asus, I now think “Two years and you are on your own“.

Martin

1 user thanked author for this post.

AlexEiffel

Reply | Quote

So Martin,

What brand do you favor now?

Reply | Quote

That’s not a simple question. I’ve been out of the system builder loop for too long to favor one brand above another on a part level. I’m open to Asus, but my key requirement is 5+ years of support as well as quality. I can often find better support with business-level machines.

However, on a machine level, I like Lenovo (Chinese? Built in Mexico) from recent experiences. I heard Dell has good long term support too, but I haven’t checked yet. As Windows 7 EOL nears, my shopping will speed up!

I have 3 new machines lining up so far, maybe more to come. Life as the Family Permanent Support Technician…

1 user thanked author for this post.

AlexEiffel

Reply | Quote