Do you have an ASUS? Your device may have been infected! – Niebezpiecznik.pl


For several months, users of ASUS-branded equipment received malicious updates, straight from the manufacturer! But it was not ASUS that infected its customers: it was criminals who took control of ASUS's official update server and silently modified the new software versions that ASUS automatically pushes to the equipment its customers bought, including laptops.

The attack was discovered by Kaspersky, which had not detected the attack

The malicious software, which the researchers named ShadowHammer, reached ASUS customers' equipment through the ASUS Live Update Utility application, which the manufacturer installs by default. In other words, if you bought an ASUS laptop, this application is probably running in its background. It connects to the Internet regularly and downloads and installs updates on the user's computer: new software versions, drivers, or BIOS/UEFI.

On January 29, Kaspersky employees realized that updates downloaded by ASUS hardware, although signed with the company's legitimate certificate, were malicious. Analysis showed that infected updates had been delivered to ASUS customers' devices from June to November 2018, directly from the manufacturer's official servers: liveupdate01s.asus[.]com and liveupdate01.asus[.]com.

Kaspersky's antivirus (like the other antivirus products) initially did not detect this malicious code (that is how effective antivirus is …), but once the company realized what it had missed, it queried its customers with the appropriate signature and found that as many as 57,000 of Kaspersky's own customers had installed the malware on ASUS equipment. This means that the real number of victims is much, much higher.

Kaspersky prepared this chart (based only on data from its own, "protected", customers).

Russia ranks high because Kaspersky is popular there. This does not mean the proportions would stay the same once the remaining victims, who are not Kaspersky customers, were added.

Symantec, which confirmed the attack when asked by a journalist, reported 13,000 victims among its own customers. The same article links to a Reddit thread where, 9 months earlier, ASUS laptop owners suspected that something was wrong with ASUSFourceUpdater.exe. But since neither VirusTotal nor Malwarebytes raised objections, the topic "died a natural death".

How could the antivirus programs miss ShadowHammer?

We always say that antivirus products respond to known threats and are rather weak at detecting malicious software that someone has cleverly prepared (which is not hard). In this attack, the malicious code attached to genuine updates was fairly quiet, and the main reason it went undetected for so long is that it almost never connected to the network. Although it infected hundreds of thousands of victims, it did anything bad only to the chosen ones, and it identified the chosen ones from a hard-coded list of MAC addresses.

Check whether you were a target!

Kaspersky analyzed 200 samples (they carried different target lists) and compiled a list of 600 MAC addresses of devices the attacker was after. The researchers have set up a website where you can enter your MAC address and see whether it is on the list – just click here.
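To show what such a MAC-based target check looks like on the defender's side, here is an added example (written for this article, not Kaspersky's checker or anything from ASUS). It normalizes MAC addresses written in the usual formats and compares their MD5 hashes against a target list. The two hashes in the list are constructed for the example and are not the real ShadowHammer list; the normalization (lower-case, colon-separated) and the choice of MD5 are assumptions of this example, so to compare against a real list you must match the exact encoding that list uses.

```python
import hashlib
import re
import sys
import uuid


def _h(mac: str) -> str:
    return hashlib.md5(mac.encode("ascii")).hexdigest()


# Constructed target list for this example: MD5 hashes of canonical MAC strings.
# These two entries are made up here; they are NOT the real ShadowHammer list.
EXAMPLE_TARGET_HASHES = {_h("00:11:22:33:44:55"), _h("aa:bb:cc:dd:ee:ff")}


def normalize_mac(raw: str) -> str:
    """Accept AA:BB:CC:DD:EE:FF, AA-BB-CC-DD-EE-FF, AABB.CCDD.EEFF or AABBCCDDEEFF
    and return the canonical lower-case colon form. Raises ValueError on junk."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def mac_hash(raw: str) -> str:
    """Hash of the canonical form, so 'AA-BB-..' and 'aa:bb:..' hash identically."""
    return _h(normalize_mac(raw))


def check_macs(macs, target_hashes=EXAMPLE_TARGET_HASHES):
    """Return the canonical MACs whose hash appears in the target list.
    Unparseable entries (empty lines, labels) are skipped, not treated as hits."""
    hits = []
    for raw in macs:
        try:
            canon = normalize_mac(raw)
        except ValueError:
            continue
        if _h(canon) in target_hashes:
            hits.append(canon)
    return hits


def local_mac_guess() -> str:
    """Best effort: uuid.getnode() returns ONE hardware address as a 48-bit int.
    If none is found it returns a random value with the multicast bit set, so
    check the output against 'ipconfig /all' or 'ip link' for all adapters."""
    node = uuid.getnode()
    return ":".join(f"{(node >> shift) & 0xff:02x}" for shift in range(40, -1, -8))


if __name__ == "__main__":
    # Usage: python mac_check.py [MAC ...]; with no arguments the local guess is used.
    macs = sys.argv[1:] or [local_mac_guess()]
    hits = check_macs(macs)
    print("ON THE TARGET LIST:" if hits else "not on the list:", hits or macs)
```

Because the targeting key is the hardware address, a machine that was never on the list still ran the trojanized updater; the hash comparison only tells you whether the second stage would have been fetched, not whether the first stage is present.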

If a machine was on this list, the ShadowHammer backdoor connected to the domain:

asushotfix.com (registered: May 3, 2018)
IP: 141.105.71[.]116

and fetched a further variant of the malicious code. Unfortunately, at least several Poles were infected with this second stage of the attack. Courtesy of Cisco, whose solutions are used in some Polish networks, we can show the number of DNS queries for the domain above over the last 30 days. Not many, but Cisco devices do not see all the DNS traffic in Poland, we are only talking about the last 30 days, and the peak of the attack was in June-November 2018.

How the criminals determined their victims' MAC addresses remains a mystery. Did they obtain them through moles? Or perhaps the targeted ASUS customers had other spyware on their networks?

If you do not find connections to the domain above in your logs, this does not mean that you are not infected. Here are the checksums of the malicious installer. Check which one you have:
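The two checks the article recommends, looking for the domain and IP in DNS logs and comparing the installer's checksum, as one added example (written for this article; not ASUS, Kaspersky or Cisco code). The DNS log lines are constructed in a simple one-query-per-line format; adapt the regular expression to your resolver's format. The installer hash list is a placeholder, because the article's checksum list did not survive extraction: put the published hashes in IOC_SHA256. Note that a matching domain is decided by exact or subdomain match, so the legitimate liveupdate01s.asus.com and a look-alike such as notasushotfix.com are not flagged.

```python
import hashlib
import re
import sys

# Indicators quoted in the article.
IOC_DOMAINS = {"asushotfix.com"}
IOC_IPS = {"141.105.71.116"}
# PLACEHOLDER: replace with the published SHA-256 checksums of the trojanized installers.
IOC_SHA256 = {"0" * 64}

# Constructed sample log: "timestamp client qtype name [answer]" per line.
SAMPLE_DNS_LOG = """\
2019-03-01T08:00:01Z 10.0.0.12 A www.example.org 93.184.216.34
2019-03-01T08:00:05Z 10.0.0.17 A asushotfix.com 141.105.71.116
2019-03-01T08:01:10Z 10.0.0.17 A liveupdate01s.asus.com 203.0.113.5
2019-03-01T08:02:44Z 10.0.0.23 A cdn.asushotfix.com 141.105.71.116
2019-03-01T08:03:00Z 10.0.0.31 A notasushotfix.com 198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>\S+)\s+(?P<name>\S+)"
    r"(?:\s+(?P<answer>\S+))?\s*$"
)


def domain_matches(name: str, ioc_domains=IOC_DOMAINS) -> bool:
    """True for the indicator itself or any subdomain of it; a plain substring
    test would also flag unrelated names that merely end in the same letters."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in ioc_domains)


def scan_dns_log(text: str, ioc_domains=IOC_DOMAINS, ioc_ips=IOC_IPS):
    """Return (timestamp, client, queried name, reason) for every matching query.
    A query is flagged by name first, then by the resolved address, so the C2
    IP is still caught if it is reached through a domain not on the list."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip, do not crash the sweep
        reason = None
        if domain_matches(m["name"], ioc_domains):
            reason = "domain"
        elif m["answer"] and m["answer"] in ioc_ips:
            reason = "ip"
        if reason:
            hits.append((m["ts"], m["client"], m["name"], reason))
    return hits


def sha256_file(path: str) -> str:
    """Stream the file in 1 MiB chunks so large installers do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def installer_is_known_bad(path: str, bad_hashes=IOC_SHA256) -> bool:
    """Compare the installer's checksum against the published list. The Authenticode
    signature cannot be used for this: the trojanized files carried ASUS's valid signature."""
    return sha256_file(path).lower() in {h.lower() for h in bad_hashes}


if __name__ == "__main__":
    # Usage: python ioc_sweep.py [installer.exe ...]
    for ts, client, name, why in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{ts} {client} -> {name} (matched by {why})")
    for path in sys.argv[1:]:
        verdict = "KNOWN BAD" if installer_is_known_bad(path) else "not in IoC list"
        print(f"{path}: {verdict} ({sha256_file(path)})")
```

On the sample log the sweep reports the two clients that asked for asushotfix.com or a subdomain of it and stays silent on the legitimate ASUS update server.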


ASUS is silent

Although ASUS was tipped off by Kaspersky on January 31, 2019, it has still not informed its customers, and worse, it has not revoked the certificates with which the criminals' software was signed. What's more, ASUS continues to use them …

A continuation of the CCleaner attack?

Two years ago, here on Niebezpiecznik, we wrote about the attack on CCleaner, which was very similar to what happened at ASUS. What's more, ASUS itself was a victim of the CCleaner attack! Is this the same group? Kaspersky thinks so, and points out that the methods of the people behind ShadowHammer are very similar to those of the group described by ESET (which attacked "gamers") and of the group that Microsoft dubbed Barium.

If you own ASUS laptops (or other ASUS devices), you have our sympathy. It is some consolation that not everyone infected was an active target. If you do not own ASUS laptops or devices, you have little reason to celebrate. The fact that no antivirus is currently screaming, as you can see above, does not mean that someone else has not hacked you ;)

We would give you advice along the lines of "it's best not to keep important things on computers connected to the Internet", but … every Niebezpiecznik editor who tried to write that sentence here died laughing …
