⚠ ASUS Update Server was spreading malware

slawa · March 26, 2019, 2:28am

That’s as bad as it can get. Hackers gained access to update server and could sign their malware with ASUS signature key. Two things that should never happen.

Some people on reddit spotted that suspicious update, but could not tell what it was doing. It was signed by ASUS, so most decided it should be fine.

hansioux · March 26, 2019, 5:26am

only happened to ASUS laptops with Windows? not my business then…

All my ASUS runs Linux.

slawa · March 26, 2019, 5:29am

Yes only Windows and if you kept preinstalled ASUS Live Update.

IbisWtf · March 26, 2019, 5:40am

Is there a way to check if a laptop has that malware? I bought mine in the middle of 2018 and can’t remember any dodgy looking ASUS update.

slawa · March 26, 2019, 6:05am

Trojan was targeting specific MAC addresses. Not everyone was infected who installed the update.

You can check if you were a target by entering the MAC address manually:

Or use Kaspersky tool to check it for you:
https://kas.pr/shadowhammer

IbisWtf · March 26, 2019, 6:05am

Thanks, when I get home I’ll do the manual check thingy.

slawa · March 26, 2019, 6:10am

cmd then getmac /v /fo list

MAC Address = Physical Address

1553580744723

slawa · March 27, 2019, 12:15am

ASUS response:

Additionally, we have created an online security diagnostic tool to check for affected systems, and we encourage users who are still concerned to run it as a precaution. The tool can be found here: https://dlcdnets.asus.com/pub/ASUS/nb/Apps_for_Win10/ASUSDiagnosticTool/ASDT_v1.0.1.0.zip

bdog · March 27, 2019, 1:40am

What if the diagnostic tool is infected also?

Taiwan_Luthiers · March 27, 2019, 1:47am

This thing sounded like a government operation or something

urodacus · March 27, 2019, 1:52am

Chinese government?

Taiwan_Luthiers · March 27, 2019, 2:11am

Don’t assume that because a government launches cyberattack that it must be the Chinese. The US government does that too… just ask Snowden.

slawa · May 20, 2019, 12:33am

ASUS routers hacked to spread malware through man-in-the-middle attacks.

bdog · May 20, 2019, 1:22am

Wow, did I read that correctly? ASUS Web Storage.exe, as part of its self-upgrade process, downloads over http(!) a json file containing a link to an arbitrary binary, and executes it, no questions asked on your PC…

slawa · May 20, 2019, 1:32am

yes

The ASUS WebStorage software is vulnerable to a man-in-the-middle attack (MitM). Namely, the software update is requested and transferred using HTTP; once an update is downloaded and ready to execute, the software doesn’t validate its authenticity before execution. Thus, if the update process is intercepted by attackers, they are able to push a malicious update.