⚠ ASUS Update Server was spreading malware

That’s as bad as it can get. Hackers gained access to update server and could sign their malware with ASUS signature key. Two things that should never happen. :man_facepalming:

Some people on reddit spotted that suspicious update, but could not tell what it was doing. It was signed by ASUS, so most decided it should be fine.

only happened to ASUS laptops with Windows? not my business then…

All my ASUS runs Linux.

1 Like

Yes only Windows and if you kept preinstalled ASUS Live Update.

Is there a way to check if a laptop has that malware? I bought mine in the middle of 2018 and can’t remember any dodgy looking ASUS update.

Trojan was targeting specific MAC addresses. Not everyone was infected who installed the update.

You can check if you were a target by entering the MAC address manually:

Or use Kaspersky tool to check it for you:
https://kas.pr/shadowhammer

2 Likes

Thanks, when I get home I’ll do the manual check thingy.

cmd then getmac /v /fo list

MAC Address = Physical Address

1553580744723

ASUS response:

https://www.asus.com/News/hqfgVUyZ6uyAyJe1

Additionally, we have created an online security diagnostic tool to check for affected systems, and we encourage users who are still concerned to run it as a precaution. The tool can be found here: https://dlcdnets.asus.com/pub/ASUS/nb/Apps_for_Win10/ASUSDiagnosticTool/ASDT_v1.0.1.0.zip

1 Like

What if the diagnostic tool is infected also?

This thing sounded like a government operation or something

Chinese government?

Don’t assume that because a government launches cyberattack that it must be the Chinese. The US government does that too… just ask Snowden.

ASUS routers hacked to spread malware through man-in-the-middle attacks.

Wow, did I read that correctly? ASUS Web Storage.exe, as part of its self-upgrade process, downloads over http(!) a json file containing a link to an arbitrary binary, and executes it, no questions asked on your PC…

yes :rofl:

The ASUS WebStorage software is vulnerable to a man-in-the-middle attack (MitM). Namely, the software update is requested and transferred using HTTP; once an update is downloaded and ready to execute, the software doesn’t validate its authenticity before execution. Thus, if the update process is intercepted by attackers, they are able to push a malicious update.

1 Like