August 1, 2009 4:17 PM PDT

Using software updates to spread malware

by Elinor Mills

Itzik Kotler and Tomer Bitton of Radware

(Credit: Elinor Mills/CNET News)

LAS VEGAS--Two researchers from Israeli security firm Radware have figured out a way to trick computers into downloading malware, or to take over a computer outright, by hijacking the communications during the update process for Skype and other applications.

About 100 applications, many among the most popular on CNET's Download.com, can be targeted, said Itzik Kotler, team leader of Radware's security operations center, before his presentation here at the Defcon conference.

Kotler and colleague Tomer Bitton are releasing a tool called Ippon (which means "game over" in Judo) that enables the attack and offers a 3D view of potential victims on a network.

With the tool, an attacker can scan a Wi-Fi network for computers checking for new updates via HTTP (Hypertext Transfer Protocol). If the tool detects a computer sending a software update request, it replies before the application's update server can respond, Kotler said.

Ippon customizes messages for the particular application and sends a message indicating that there is an update available even when the system already has the most recent legitimate update, he said. A malicious file is then downloaded from the attacker's server onto the victim's computer.

The researchers said they had not tested whether Firefox or other major browsers are vulnerable. Microsoft software is not vulnerable because it uses digital signatures in its update process, which all software updates should, Kotler said. People should be careful when using public Wi-Fi networks and avoid doing software updates on them, he said.

"You have to assume when on a public infrastructure that the infrastructure can be attacked," he added.

There is also the possibility that someone could spread an "airborne virus" via software updates that uses victim machines to attack and infect other machines on a network, according to Kotler.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
by rewanman August 1, 2009 5:14 PM PDT
"People should be careful when using public Wi-Fi networks and avoid doing software updates on them, he said." Why on earth would anyone use the wifi to update anything. It's amazing the level of trust people have in the system. But let's face it, most people are clueless in that manner.
by monkeyfun14 August 1, 2009 5:41 PM PDT
95% of the population who isn't a security nut.
by dennisheadley August 1, 2009 5:48 PM PDT
I think that it's more to the point that they are saying that you should be careful to not let your computer update when on a public wifi network, as in turn off automatic updates and only do them when you know you are on a trusted network. I am not sure as I haven't used it much, but do browsers like Chrome even let you turn it off? I thought I read where Google decided that they didn't need to let people decide if they wanted to update or not and it does so at any time you are connected to the internet. I am sure that a lot of other programs also automatically check when connected and also that people choose the setting that says something like "check for updates, download and install without asking me" so they don't get annoying pop-ups.
by timber2005 August 1, 2009 6:08 PM PDT
So what about a university wireless network? You think people should just not update anything when that might be their only dorm or classroom connection? Some don't have wired connections. It's public... it's secure... but there isn't an alternative.

Why would people have assumed it was bad before now? At least I hadn't heard of it.
by play7 August 1, 2009 9:38 PM PDT
YES. Too many times people don't understand, it's like running in public naked...
by sargess25 August 2, 2009 4:38 AM PDT
by monkeyfun14 August 1, 2009 5:41 PM PDT
95% of the population who isn't a security nut.


....or still using Windows ME, just like yourself
by Mindstrike August 2, 2009 6:46 AM PDT
I am in an area just barely ahead of the stone age and my only other option is dial up. What solution is there?
by monkeyfun14 August 2, 2009 8:00 AM PDT
@sargess25


If you can't stay relevant and stop trolling for one comment, don't post at all.
by Lerianis3 August 2, 2009 11:05 AM PDT
Easy answer to this problem: AUTHENTICATION! Too many of these things have NO authentication to make sure that the updates are coming from a 'trusted source'.
by pentest August 2, 2009 1:57 PM PDT
"95% of the population who isn't a security nut."

So Windows users?
by SwissJay August 1, 2009 6:35 PM PDT
Duh! Anything that involves downloading data (whether executable or not) to a PC should be protected by digital signatures. Anything else is half-a$$, sorry to say!
by 01Phyxius August 1, 2009 6:48 PM PDT
Solution: Encrypted proxy. Done.
by mbenedict August 1, 2009 8:24 PM PDT
No, an encrypted proxy doesn't secure communications "end-to-end" (only to the proxy), and doesn't validate the update payload. You're still subject to man-in-the-middle attack upstream of the proxy.

Only digital signatures can reliably validate the payload*, assuming the keys have not been compromised.

* well manually verifying a secure hash could work too, but very few people actually check hashes on programs they download.
by play7 August 1, 2009 9:40 PM PDT
Also, if you allow others to view you on the Skype network (other than friends) this will expose you. Just turn it off... I'm glad I don't use Skype these days.
by PhoneJam August 1, 2009 10:46 PM PDT
The hackers go a step further by using the remote management feature to deface the root certificate folder on a compromised computer so that the machine cannot detect signed certificates from the phished versions. The choice is left to the user to determine what certificates are good or not based on the alert action buttons that an anti-virus or anti-malware software issues in real time.
by AppleSuxLeo August 1, 2009 11:42 PM PDT
Well gee willikers... you mean to tell me that hotel WIFI ain't secure, Earl???
by Hokulea August 2, 2009 12:49 AM PDT
What a can of worms. There are some apps, like Flash for instance, where the user has little or no control over the update process. There are also apps that "phone home" as soon as they are launched.

Just one more reason to stay away from public WiFi networks.
by Lerianis3 August 2, 2009 11:07 AM PDT
Bull. In every single case on my computers, I have had to update the Flash thing MANUALLY. It has never 'auto-updated' itself and I have never seen a computer where it has done that.
by pentest August 2, 2009 2:05 PM PDT
Yeah, connect through Ethernet on a campus network, then you will be safe.

/sarcasm
by marswat August 2, 2009 1:56 AM PDT
" Kotler and colleague Tomer Bitton are releasing a tool called Ippon (which means "game over" in Judo) that enables the attack and offers a 3D view of potential victims on a network. "

Excuse me for asking this, but why are they releasing a tool that ENABLES the attack? Isn't that like giving your car keys to the thief? Should they not be locking it away in a safe and releasing a fix?
by mbenedict August 2, 2009 3:20 AM PDT
Google "full disclosure"... endless debate about this already.
by pentest August 2, 2009 2:06 PM PDT
No, it is like making a slim jim, or lock picks. Both have legitimate and illegitimate uses. Just like security audit software.
by sargess25 August 2, 2009 4:46 AM PDT
It's plain and simple: quit using Windows and any M$ product/services and all these problems will disappear at once. It'll improve your computing experience immeasurably, try it and see.
by Otto Holland August 2, 2009 6:55 AM PDT
No, ignorant, this is not the case, as I see you can't read. Why do you use a computer if your understanding is so far-fetched? The article clearly states Microsoft Internet Explorer is NOT affected. HERE is the part you were dumb enough to overlook: "The researchers said they had not tested whether Firefox or other major browsers are vulnerable. Microsoft software is not vulnerable because it uses digital signatures in its update process, which all software updates should, Kotler said. People should be careful when using public Wi-Fi networks and avoid doing software updates on them, he said."

Get back to your kiddy games and leave articles like these alone. Persons like you are the first ones to get hacked because you are simply dumb.
by monkeyfun14 August 2, 2009 8:02 AM PDT
Hey genius...

Vista and Win 7 are immune to viruses and drivebys as is OSX.

Any OS can be attacked with malware if an idiot is using it. Open your damn eyes and you will realize that there are about 6 or 7 malware programs for OSX and more are being developed.
by sargess25 August 2, 2009 8:48 AM PDT
by monkeyfun14 August 2, 2009 8:02 AM PDT
Hey genius...

Vista and Win 7 are immune to viruses and drivebys as is OSX.

lol, thus speaketh the CNET über troll. Hey, you may want to repost that when you're not stoned, lol priceless!
by monkeyfun14 August 2, 2009 9:03 AM PDT
@sargess

Find me a Vista virus that gets through UAC
by sargess25 August 2, 2009 12:04 PM PDT
by UBER TROLL monkeyfun14 August 2, 2009 9:03 AM PDT
@sargess

"Find me a Vista virus that gets through UAC"

lol, you mentioned UAC? Man, you really are out of your depth; as they say, if you're in a hole stop digging (or trolling in your case). Pity you can't afford a Mac, but then again ....
by monkeyfun14 August 2, 2009 12:26 PM PDT
@sargess25


Apparently you couldn't find one; this is shown by you resorting to insults instead of answering my question.

You've failed.
by monkeyfun14 August 2, 2009 12:27 PM PDT
@sargess

Also don't judge my financial status based on me not wanting a Mac.

I think I can well enough afford a Mac considering I have a loaded 2010 Mustang sitting in my driveway..
by pentest August 2, 2009 2:08 PM PDT
"Vista and Win 7 are immune to viruses and drivebys"


Really? I guess that demo given by a friend at a local security con last week didn't really show a drive by on Vista?

You are a total moron if you think that Vista or 7 are immune to drive-bys. The vast majority of the Fista exploits require NO user intervention.
by monkeyfun14 August 2, 2009 2:10 PM PDT
@pentest

Then put your money where your mouth is and show me one.
by pentest August 2, 2009 2:14 PM PDT
Monkeyfun, MS doesn't pay its shills well enough to have a new Mustang, let alone a driveway.

Go look on CERT for the many examples of Vista malware that require no user intervention. As for 7, read this and cry:

http://netsecurity.about.com/b/2009/02/04/modified-uac-in-windows-7-exposes-potential-security-issues.htm
http://www.osnews.com/story/21085/Editorial_Windows_7_s_UAC_Is_Broken_and_Insecure

The whitelisting makes elevation of privileges trivial, thus drive-bys will increase even more than they did with Vista, whose memory protections were completely broken 2 years ago and are not fixable by a patch because it is an architectural flaw.

Windows 7 is better than, say, 98, but Windows remains a security nightmare.
by stufried August 2, 2009 8:10 AM PDT
I wish Windows or a third party vendor created a program which allowed us to choose what connections we should allow automatic updates on. I sometimes have to tether my notebook when roaming outside the US and have to remember to set all my update settings to manual for fear that someone will push a 100 meg update and use my monthly outside the US data quota on one update.
by Lerianis3 August 2, 2009 11:08 AM PDT
Never going to happen, I am sorry to say. The best thing to do would be for these companies to STOP trying to put that limitation on the amount that you can use for data.
by hansschmucker2 August 2, 2009 8:28 AM PDT
The kind of attack described in the article won't work for Firefox, as it checks for updates using SSL and demands a valid certificate (look at https://aus2.mozilla.org/update/3/Firefox/3.6a1pre/20090729045158/WINNT_x86-msvc/en-US/nightly/Windows_NT%206.1/default/default/update.xml?force=1 for an example of such update data).

While the actual update data is pushed unencrypted, the signed update description includes a hash value that the update data is checked against, so in order to get another binary to install, you'd need it to have the same hash value, which is at best as likely as somebody guessing the certificate itself.
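As an added example (not code from the article, from Radware's tool, or from Mozilla), here is the countermeasure Kotler recommends and hansschmucker2 describes for Firefox, written in Go with a constructed manifest format: the update description is signed by a key pinned in the client and carries the installer's hash, so a faster-than-the-server reply to the update check, or an installer swapped on the plain-HTTP download, is rejected. The key pair, manifest fields, URLs and installer bytes are all assumptions made for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is a hypothetical signed update description (constructed format, not any
// vendor's). The installer may travel over plain HTTP; only the manifest is trusted.
type Manifest struct {
	Version string `json:"version"`
	SHA256  string `json:"sha256"`
	URL     string `json:"url"`
}

func hashHex(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// SignManifest is the publisher side: sign the serialized manifest with the pinned key.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (body, sig []byte, err error) {
	if body, err = json.Marshal(m); err != nil {
		return nil, nil, err
	}
	return body, ed25519.Sign(priv, body), nil
}

// VerifyManifest is the client side: an "update available" reply not signed by the
// pinned key is ignored, no matter who answered the update check first.
func VerifyManifest(pub ed25519.PublicKey, body, sig []byte) (Manifest, error) {
	if !ed25519.Verify(pub, body, sig) {
		return Manifest{}, errors.New("manifest signature invalid: ignoring update")
	}
	var m Manifest
	err := json.Unmarshal(body, &m)
	return m, err
}

// VerifyPayload checks the downloaded installer against the hash from the verified
// manifest, so a download swapped in transit is refused before it is installed.
func VerifyPayload(m Manifest, payload []byte) error {
	if hashHex(payload) != m.SHA256 {
		return errors.New("payload hash mismatch: refusing to install")
	}
	return nil
}

// Demo runs three constructed cases and reports which would install: the genuine update,
// a rogue manifest that reuses the real signature, and a genuine manifest with a swapped file.
func Demo() (genuineOK, forgedManifestOK, swappedPayloadOK bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := []byte("constructed genuine installer bytes")
	evil := []byte("constructed malicious installer bytes")
	body, sig, _ := SignManifest(priv, Manifest{"2.0", hashHex(genuine), "http://updates.example/app-2.0.exe"})
	vm, err := VerifyManifest(pub, body, sig)
	genuineOK = err == nil && VerifyPayload(vm, genuine) == nil
	forged, _ := json.Marshal(Manifest{"9.9", hashHex(evil), "http://attacker.example/x.exe"})
	_, err = VerifyManifest(pub, forged, sig)
	forgedManifestOK = err == nil
	swappedPayloadOK = VerifyPayload(vm, evil) == nil
	return
}

func main() { fmt.Println(Demo()) }
```

Only the first case installs; the other two are the "answer before the real server" and "swap the unencrypted download" paths the article and the comment above describe.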
by pentest August 2, 2009 2:15 PM PDT
It is not impossible, just difficult.
by hansschmucker2 August 2, 2009 2:45 PM PDT
Well, nothing is impossible given enough time and money, but it would involve cracking the hash algorithm and that's about as difficult (and time-consuming) as it gets.
by hansschmucker2 August 2, 2009 9:11 AM PDT
Concerning Chrome: Found a document about how the Google Updater implements encryption: http://omaha.googlecode.com/svn/wiki/cup.html . I haven't worked through it and looked at how everything works, but at least we know that it uses SSL, which at least tells us they thought about the problem, even if we don't know how successful they were at solving it.

(Hopefully somebody with a better knowledge of encryption can give us a summary)
by plamormick August 2, 2009 9:12 AM PDT
Pardon my ignorance, but wouldn't a better solution be for platform or OS companies to prohibit the use of HTTP-based update routines?
by hansschmucker2 August 2, 2009 9:19 AM PDT
Not that simple. Since there's no universal update mechanism on most operating systems, application developers have developed their own programs and the OS is not really intelligent enough to tell an updater from a normal application. Besides, there are good reasons to use http for some of the data (speed, easier to use mirrors, ...), or even custom schemes like P2P and if the updater is intelligent enough to verify the data it gets through such untrusted channels, there's not really a problem. What we're talking about here are "bad apples". Applications that were not developed with enough care.
by Mindstrike August 2, 2009 12:40 PM PDT
If a couple of you guys put your heads together maybe a creative solution could be found. Unfortunately you are all so busy playing "poser" and "look at me" you waste everyone's time and the rest of us have to wade through your garbage to get to anything meaningful. ...And I am sure someone will have to comment on how stupid this post is! I already know. For a bunch of computer geeks you all seem childish to me: What good are brains if you are too stupid to use them? Somebody throw out a practical, adaptable-by-everyone solution and let's all talk about why it will or why it won't work.
Stop worrying about what you think everyone else thinks about you. Have a drink and solve the problem.
by hansschmucker2 August 2, 2009 2:44 PM PDT
There's really a pretty bad signal-to-noise ratio here.

Truth is, we don't know how to deal with it. Creating a solution is by far harder than talking about how much smarter you are than everybody else.

The problem is that we have to deal with thousands of legacy applications. Even if we introduced a centralized update facility à la Linux, then those applications would still behave like they always did. There's no way to force an application to use a provided update facility.

Then there's the problem of applications actually needing their own system. A centralized update facility could not possibly support everything that application developers want and since their old update programs would continue to work, why would those developers want to use it? Maybe the developer has his own routines for load balancing which the standard update system doesn't support? And suddenly we're back at square one: People still writing their own flawed update systems.
by crazykevin70 August 2, 2009 1:42 PM PDT
It's plain and simple: do not use Wi-Fi to do any updates. The men said it above in simple English.

DO NOT USE WI-FI FOR UPDATES, WAIT UNTIL YOU'RE HOME AND SECURE.

Duh!!!!!
by hansschmucker2 August 2, 2009 2:31 PM PDT
Auto-update is the magic word ;) . There may be applications on your system that you're not even aware of (or at least you're not aware that they do auto-updates). Forget to turn off one (assuming that all of them even allow you to do that) and that's it. One fake update is pushed automatically, altering your certificates, and as those guys put it: "GAME OVER".
by Mindstrike August 2, 2009 2:41 PM PDT
I live in an area that only has the option of Wi-Fi or dial-up. And dial-up is worthless and impossible to use for downloads. Now what? I know... I'm screwed.
by hansschmucker2 August 2, 2009 2:53 PM PDT
Currently you pretty much are, Mindstrike. The sad truth is that there's little you can do, other than disabling autoupdate (assuming that's even possible) for applications with a flawed update system (assuming there's even a way for you to find out) and manually downloading from a secure source (assuming the developer offers secure downloads).

You see the problem: assuming, assuming, assuming.
by monkeyfun14 August 2, 2009 3:22 PM PDT
@Mindstrike

Chances are not many are going to exploit this and a firewall will quickly protect you.
by pentest August 2, 2009 2:02 PM PDT
This sort of attack can be pulled off on a wired network. It is not difficult to pull off ARP poisoning. Whether or not SSL is used to transmit updates is irrelevant, as the vast majority of people just accept any and all certificate warnings anyway. All this amounts to is a very specific use for a man-in-the-middle attack.

The difference in difficulty level between attacking via wired and wireless is so small as to be non-existent.
by hansschmucker2 August 2, 2009 2:28 PM PDT
People do, update mechanisms don't (or at least they shouldn't).
by clbod August 3, 2009 1:09 AM PDT
Someone help me here please. These guys are "releasing" a tool to deliberately infiltrate internet communications? Does this mean that it is being made available to the wider population for anybody's use?
by faizfaidzin August 3, 2009 2:31 AM PDT
How to know if my blog is protected? My blog: http://teknik-baru.blogspot.com
by Vegaman_Dan August 3, 2009 1:09 PM PDT
It's easy. Just go to CNET's main page, click on the contact us option, and then choose advertising. Then you can pay to advertise your offerings on CNET instead of spamming the comments section.
by Garken August 3, 2009 9:11 AM PDT
Some of you are missing the point. This is not a drive-by, it's an interception. Almost all software gives you the option to turn off auto-updates. Chrome I'm not sure about, but I don't trust Google anyway. The simple fact is to just not let your computer auto-update anything; set it to ask permission first and then you have control when you are out of your network.