Researchers hijack computer during software update
Buried in those malicious samples were hard-coded MD5 hash values that turned out to be hashes of unique MAC addresses for network adapter cards. MD5 is an algorithm that produces a fixed-size cryptographic digest of any data run through it. Every network card has a unique ID, or MAC address, assigned by the card's manufacturer, and the attackers hashed each MAC address they were seeking before hard-coding those hashes into their malicious file, making it harder to see what the malware was doing.
The malware carried a list of unique MAC addresses it was seeking, though the actual number of targeted customers may be larger than this. The Kaspersky researchers were able to crack most of the hashes they found and recover the MAC addresses, which told them what network cards the victims had installed in their machines, but not who the victims were.
If it found a match to any of the targeted addresses, the malware reached out to asushotfix. Because only a small number of machines contacted the command-and-control server, this helped the malware stay under the radar. The command-and-control server that delivered the second-stage backdoor was registered May 3 last year but was shut down in November before Kaspersky discovered the attack. Because of this, the researchers were unable to obtain a copy of the second-stage backdoor pushed out to victims or identify victim machines that had contacted that server.
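The MAC-hash lookup described above, written out as an added example that is not part of the original article or of Kaspersky's tooling: it assumes the digests were computed over the MAC's textual form (the exact rendering is not stated here, so several common ones are tried), takes the list of local adapter addresses from the reader, and uses constructed sample values rather than the real ShadowHammer hashes. From a defender's side the same routine answers the question "is one of my adapters on the target list?"

```python
import hashlib
import re


def normalize_mac(mac):
    """Canonical form: 12 uppercase hex digits, colon-separated."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).upper()


def mac_renderings(mac):
    """Textual forms a MAC is commonly written in (assumption: the attackers
    hashed one of these; the article does not say which)."""
    canon = normalize_mac(mac)
    yield canon                    # "AA:BB:CC:DD:EE:FF"
    yield canon.lower()            # "aa:bb:cc:dd:ee:ff"
    yield canon.replace(":", "-")  # "AA-BB-CC-DD-EE-FF"
    yield canon.replace(":", "")   # "AABBCCDDEEFF"


def md5_hex(text):
    return hashlib.md5(text.encode("ascii")).hexdigest()


def find_targeted(local_macs, target_hashes):
    """Return {canonical MAC: matching digest} for every local adapter whose
    MAC, in any rendering, hashes to one of the hard-coded target digests."""
    targets = {h.lower() for h in target_hashes}
    hits = {}
    for mac in local_macs:
        canon = normalize_mac(mac)
        for rendering in mac_renderings(mac):
            digest = md5_hex(rendering)
            if digest in targets:
                hits[canon] = digest
                break
    return hits


# Constructed demo data (NOT the real ShadowHammer indicators): the target
# list is derived here from one made-up MAC so the example runs offline.
CONSTRUCTED_TARGET_MAC = "00:1A:2B:3C:4D:5E"
CONSTRUCTED_TARGET_HASHES = [md5_hex(CONSTRUCTED_TARGET_MAC)]
CONSTRUCTED_LOCAL_MACS = ["00-1a-2b-3c-4d-5e", "AA:BB:CC:DD:EE:FF"]

if __name__ == "__main__":
    print(find_targeted(CONSTRUCTED_LOCAL_MACS, CONSTRUCTED_TARGET_HASHES))
```

In practice the local MAC list comes from the host (for example `ip link` or `getmac` output) and the target list from the published hash set; a hit means the host matched the attackers' selection criteria, not that the second stage was necessarily delivered.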
When he and other users clicked on their ASUS updater tool to get information about the update, the tool showed no recent updates had been issued from ASUS.
But because the file was digitally signed with an ASUS certificate, and because scans of the file on the VirusTotal web site indicated it was not malicious, many accepted the update as legitimate and downloaded it to their machines. VirusTotal is a site that aggregates dozens of antivirus engines; users can upload suspicious files to see whether any of the engines flag them as malicious. Kamluk and Raiu said this may not be the first time the ShadowHammer attackers have struck.
ShadowPad targeted a Korean company that makes enterprise software for administering servers; the same group was also linked to the CCleaner attack. Although millions of machines were infected with the malicious CCleaner software update, only a subset of these were targeted with a second-stage backdoor, similar to the ASUS victims.

Ippon customizes messages for the particular application and sends a message indicating that there is an update available even when the system already has the most recent legitimate update, he said.
A malicious file is then downloaded from the attacker's server onto the victim's computer. The researchers said they had not tested whether Firefox or other major browsers are vulnerable. Microsoft software is not vulnerable because it uses digital signatures in its update process, which all software updates should, Kotler said. Written by Elinor Mills, Contributor. Two researchers from Israeli security firm Radware have worked out a way to trick computers into downloading malware, or to take over a computer outright, by hijacking the communications during the update process for Skype and other applications.
A software update has been provided for Minecraft after the Log4Shell hack was used on a player in the game.
In other news, Apple will scan iPhone messages for nudity in an attempt to crack down on child abuse. Android users have been warned about a dangerous scam that could see their bank accounts drained by hackers.
And, we revealed some of the strangest sights on Google Earth.