Spyware sneaks into 'million-ish' Asus PCs via poisoned software updates, says Kaspersky

A million or so Asus personal computers may have downloaded spyware from the computer maker's update servers and installed it, Kaspersky Lab claims. Someone was able to modify a copy of the Asus Live Update Utility, hosted on the Taiwanese manufacturer's backend systems, and sign it using the company's security certificate, …

  1. livin' thing
    WTF?

    Telemetry to a level Microsoft can only dream of.

    1. Wine of Katzrin

      My solution is quite simple: before the new computer is connected to net I just plug-in install image, do an upgrade with option "do not preserve anything" - or at least "do not preserve applications". And voila, no preinstalled crapware present.

      Asus, Acer or Lenovo, all the same, HP is not much better.

  2. Jack of Shadows Silver badge

    I had to go back and revert my MAC addresses in order to check. It's one of the first things I change on a machine, along with anything else I can forge. Not on the list, apparently.

    1. Anonymous Coward

      @Jack

      Did you try repainting it ? This offers increased protection since most of the computers are grey, silver or black.

      1. HieronymusBloggs Silver badge

        Re: @Jack

        "Did you try repainting it ? This offers increased protection since most of the computers are grey, silver or black."

        I'm sure those targeted by this are now kicking themselves for leaving their computers the standard colour.

        MAC addresses are potentially traceable, in case you didn't know.

        1. Anomalous Cowturd
          Stop

          Re: @Jack

          > MAC addresses are potentially traceable, in case you didn't know.

          They are also incredibly easy to spoof. See Macchanger software, for one.

          1. fidodogbreath Silver badge

            Re: @Jack

            [MAC addresses] are also incredibly easy to spoof.

            They're easy to spoof to other devices on the network. Not sure they're as easy to hide from the machine itself (or privileged software running on it).

        2. Mpeler
          Coat

          Re: @Jack

          Repaint, and thin no more..

          1. TimMaher
            Pint

            Re: @Jack

            Yeth mathter.

            Get your crate of beer for that one @Mpeler team.

    2. Cynic_999 Silver badge

      The default MAC address is stored in ROM. If you change it to a locally-administered MAC it will affect what's sent on the packets on the wire, but will not stop malware running on your machine from reading the original factory-set MAC.

  3. fidodogbreath Silver badge

    Nation-state operation

    In a way, it reminds me of Stuxnet: a sophisticated attack, capable of breaching almost any Siemens PLC system in the world...but which only activated on a specific target.

    This isn't exactly the same, of course; but why would a criminal hacker infect millions of computers with a powerful backdoor that can compromise the system at the firmware level, but which only triggered against 600 specific users? Plus, it chose targets by MAC address, so the attacker needed to know in advance the MAC addresses of its targets.

    As Rain Man might say, "Definitely nation-state. Definitely. Definitely."

    1. DougS Silver badge

      Re: Nation-state operation

      We could probably figure out which nation state if we knew the location/ownership of those 600 MAC addresses. I'll take location = Iran and nation state = Israel at 3/1.

      1. Anonymous Coward

        Re: Nation-state operation

        The bookies won't accept those odds.

      2. Sir Runcible Spoon Silver badge
        Facepalm

        Re: Nation-state operation

        This was almost certainly done with the co-operation (willingly or not) of the manufacturers involved.

        This points to one very particular nation state as the culprit.

    2. The Man Who Fell To Earth Silver badge
      Black Helicopters

      Re: Nation-state operation

      Maybe, maybe not. But if I were Asus, I'd be looking at it as an inside job. Even if Asus is pretty careless with who has access with their signing keys, the easiest path to those keys is through an employee.

      1. Orv Silver badge

        Re: Nation-state operation

        If it really is a nation-state attack, we have to consider that ASUS might have been in on it from the start.

        1. Patched Out

          Re: Nation-state operation

          This would certainly help explain ASUS' complacency in providing notification of this issue so that owners of ASUS computers/motherboards could take steps to remove this.

          As a long-time user of ASUS motherboards, I'm a little more than disturbed by their behavior after being notified by Kaspersky. Even though I don't use any of their auto-update tools, I will think twice before buying another motherboard from them.

    3. DCFusor Silver badge

      Re: Nation-state operation

      Kaspersky, who got into a fight with a certain nation-state because, at least IMO, their tools discovered its attack code, when no others did. Thus banned from that state, with bad vibes spread as widely as possible. Yet it picks up on this. As Spock would say "Interesting".

      And now this.

      I find it most informative that NO AV suite seems to pick up on any state actor's malware anymore.

      And we all know that any nation worth the name is creating and distributing it, no exceptions. You can't blame just one - it's a big club.

      Telling that kind of truth to power seems rather dangerous to a business these days.

      1. Sir Runcible Spoon Silver badge

        Re: Nation-state operation

        My thoughts exactly. Kind of narrows down the list somewhat doesn't it?

  4. JcRabbit

    Not at all surprised about Asus total lack of reaction to this. All you need to do is go to their forums (if you can even sign in or create an account there, such is the mess) to fully understand how unresponsive to issues they are.

    1. Anonymous Coward

      "Not at all surprised about Asus total lack of reaction to this. All you need to do is go to their forums (if you can even sign in or create an account there, such is the mess) to fully understand how unresponsive to issues they are."

      They've been shit at support, as of late. My ASUS ROG Z97 mobo still lacks a Spectre non-beta fix as of today.

      For a 150 bucks mobo, it's really bad ...

      1. Wade Burchette
        Facepalm

        They have updated their old motherboards to support AMD's new Zen 2 CPU's coming out. Priorities, priorities.

      2. Halfmad

        They've never had any interest in support of released hardware, if it's not the current product on offer they quickly forget about it and cut it from support in later versions of software; which in hindsight may actually be a blessing..

      3. Anonymous Coward

        150 bucks?

        You can spend 6 times more on a Samsung and still not get many / any updates and crap support.

        Or spend that amount and get an iPhone and receive lots of updates for a few years and pretty good online support.

    2. Halfmad

      If you have ever bought an ASUS motherboard you know how terrible their software is and how quickly they dump it and move on to the next model irrespective of whether the motherboard is still compatible with modern OS.

      ASUS are about sell, up-sell and forget. They have no interest in supporting or securing customer hardware. It's always been this way.

  5. Dr U Mour

    ?

    Why not just publish a list of affected macs/ first few bits of the mac addresses. Why do you need to tender yours to find out?

    1. fidodogbreath Silver badge

      Re: ?

      Why not just publish a list of affected macs/ first few bits of the mac addresses

      The first three bytes identify the manufacturer of the interface. In this case, they might be the same for all targets.

      Publishing the whole list would announce to the world that those interfaces belong to a high-value target -- or, at least, that they did at one time. One would expect that such targets have security people who've "retired" all their Asus machines by now; but have some pity for the poor sods who buy them used on eBay or Craigslist...
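The MAC-address points raised in this thread (the OUI being the first three bytes, spoofed addresses differing from the burned-in one, and an implant gating on the factory MAC) in working form, as an added example that is neither the article's nor any commenter's code. All addresses are constructed; the hashed target list, the claim that spoofing tools set the locally-administered bit, and the `implant_would_activate` model are assumptions made here, not facts from the page.

```python
"""Added example, not code from the article or from any commenter above.

It models the MAC-address points made in this thread:
  * the first three bytes are the vendor prefix (OUI), so they are shared by
    every interface from the same batch and identify nobody in particular;
  * a spoofed address normally has the locally-administered (U/L) bit set,
    which is what tools such as macchanger do when they generate random
    addresses (an assumption about tool behaviour, not something the page states);
  * an implant that gates on the factory MAC compares it against an embedded
    list.  Storing that list as hashes is assumed here (the page only says
    targets were chosen by MAC); if so, publishing the list as-is would not
    directly reveal who was targeted.
All addresses below are constructed for illustration.
"""
import hashlib
import os
import re


def normalize_mac(mac: str) -> bytes:
    """Accept 'aa:bb:cc:dd:ee:ff', 'AA-BB-CC-DD-EE-FF' or 'aabbccddeeff'; return 6 raw bytes."""
    hexstr = re.sub(r"[:\-.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", hexstr):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(hexstr)


def format_mac(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)


def oui(mac: str) -> str:
    """Vendor prefix: the first three bytes of the address."""
    return format_mac(normalize_mac(mac)[:3])


def is_locally_administered(mac: str) -> bool:
    """U/L bit (bit 1 of the first byte) set means the address is not a burned-in one."""
    return bool(normalize_mac(mac)[0] & 0x02)


def random_mac(burned_in_style: bool = False) -> str:
    """Generate a spoofed address (hypothetical helper, assumed behaviour).

    burned_in_style=False: set the U/L bit, like a random locally-administered address.
    burned_in_style=True: clear it, so the address looks like a factory one
    (a real tool would also pick a known vendor OUI; omitted here).
    The multicast bit (bit 0) is always cleared: a unicast source address needs it clear.
    """
    raw = bytearray(os.urandom(6))
    raw[0] &= 0xFC                      # clear multicast and U/L bits
    if not burned_in_style:
        raw[0] |= 0x02
    return format_mac(bytes(raw))


def mac_digest(mac: str) -> str:
    """What an embedded target list could hold instead of plaintext MACs (assumption)."""
    return hashlib.sha256(normalize_mac(mac)).hexdigest()


# Constructed target list: two machines from the same vendor batch.
TARGET_MACS = ("00:1A:2B:3C:4D:5E", "00:1A:2B:AA:BB:CC")
EMBEDDED_TARGET_DIGESTS = frozenset(mac_digest(m) for m in TARGET_MACS)


def implant_would_activate(factory_mac: str) -> bool:
    """Model of the gate a MAC-targeted implant applies.  It reads the factory MAC
    from the adapter, so a spoofed address configured on the interface does not
    change the answer; only the burned-in value is compared."""
    return mac_digest(factory_mac) in EMBEDDED_TARGET_DIGESTS


def ouis_of(macs) -> set:
    """Publishing only the targets' OUIs says little if they all share one."""
    return {oui(m) for m in macs}


if __name__ == "__main__":
    factory = TARGET_MACS[0]
    spoofed = random_mac()
    print("OUIs in target list:", ouis_of(TARGET_MACS))
    print("factory", factory, "activates:", implant_would_activate(factory))
    print("spoofed", spoofed, "locally administered:", is_locally_administered(spoofed),
          "activates:", implant_would_activate(spoofed))
```

Running it shows the two target addresses collapsing to a single OUI, the factory address passing the gate, and a freshly generated spoofed address (with the U/L bit set) failing it; feeding the spoofed address to `implant_would_activate` stands in for what the OS reports, not for what the ROM still holds.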

  6. Jay Lenovo Silver badge
    Black Helicopters

    Laptop Measles

    ASUS.. WSUS... still generally better to accept the vaccinations than risk doing nothing.

    ...but like an Apple iOS update, you probably should go first and let me know how it went.

    1. gerdesj Silver badge
      Linux

      Re: Laptop Measles

      ... or go Penguin powered.

      1. Teiwaz Silver badge

        Re: Laptop Measles

        ... or go Penguin powered.

        Penguin supporters should buy hardware from companies that don't pre-install windows or machines that don't have windows installed as that counts as a sale for Microsoft.

        Never going to get more attention from manufacturers if Linux users keep buying machines with windows installed.

        1. The Central Scrutinizer

          Re: Laptop Measles

          It's not that difficult to buy a machine without an OS on it.

          1. Yet Another Anonymous coward Silver badge

            Re: Laptop Measles

            >It's not that difficult to buy a machine without an OS on it.

            Well it did take 2 decades of justice department investigations in 30 countries to enable it - but not difficult really

          2. Anonymous Coward

            Re: Laptop Measles

            I bought a nice little Asus VivoPC without an OS. Great little machine, not quite sure the reason for all the ASUS haters here, they make some decent hardware, not the best, but better than Acer and some other marques that seem to fall apart quickly.

          3. doublelayer Silver badge

            Re: Laptop Measles

            "It's not that difficult to buy a machine without an OS on it."

            Really? I have not seen many machines not sold with an OS installed. Of course, when buying second-hand, there are many more options. However, for virtually all new machines, I see the following categories:

            1. Pre-installed with Windows

            2. Macs

            3. Your choice of Windows or Ubuntu (not many of these, but they're nice even when you are just going to delete the Ubuntu)

            4. Specifically built for Linux (they are usually great machines with a high price tag)

            5. Machines without an OS because they're ridiculously underpowered and the company wants to get them sold off fast to the anything-for-cheap crowd before people realize that. Running Linux on these is usually acceptable, but Windows won't like it and power users of Linux won't be that happy either.

            6. Machines without an OS because it is only part of a machine and they expect you to populate your own storage.

            I have rarely seen machines sold from their manufacturers without an operating system already installed, and that operating system is rarely Linux. I'm going to install whatever I want on it anyway, so I pretty much ignore what it already has unless I am buying it for a person who wants Windows.

            1. The Central Scrutinizer

              Re: Laptop Measles

              They're available, maybe not absolutely top end, but hardly cheap and nasty either. Depends what you need to do with it.

              Or you can just roll your own, as I'm sure many Reg readers would be capable of doing.

              1. fidodogbreath Silver badge

                Re: Laptop Measles

                Buying an OS-free machine won't help you if the firmware / PBE is compromised.

        2. Updraft102 Silver badge

          Re: Laptop Measles

          Penguin supporters should buy hardware from companies that don't pre-install windows or machines that don't have windows installed as that counts as a sale for Microsoft. Never going to get more attention from manufacturers if Linux users keep buying machines with windows installed.

          While I'd love to support the cause of free/libre software by preferentially buying from companies that don't preload Windows, I'm not willing to take it so far as to limit my own choices to that tiny subset. I'm talking about laptops here, as I've always built my own desktops and supplied my own OS for those. If a laptop with Windows on it is a better deal than one with Linux, for whatever reasons, I'll buy the Windows unit and put Linux on it. If it doesn't work (which has as yet never happened), I will return it to the store and get my money back, which is part of why I only buy from places with generous return policies.

          I'm not trying to stick it to Microsoft or be a part of a movement when I wipe Windows and install Linux. I'm looking for the best deal for myself, and since I am not Microsoft, that means no Windows 10, and along with that, no Windows 10 telemetry, no Windows 10 beta testing for free, and no Microsoft monetization. I won't be part of the 800 million or whatever claim MS makes (assuming it has any basis in reality) for the active number of Windows 10 devices, which is easy to count when you have telemetry that can't be turned fully off, even in enterprise editions.

          I won't be counted as one of the Windows users who visits any of the various pages whose analytics are tabulated to determine the share of the desktop market MS still holds. I'll continue to provide technical help and assistance to new Linux users the best I can (I've really only been using it for a couple of years myself). I'll keep poking holes in the claims of Linux haters when they haul out their tired, hasn't-been-true-in-years tropes about endless recompiling (I've never done this, not even once) and frustration and having to be a wizard with the command line, or when they say that Linux users never want to pay for anything. I'll continue to bash Windows 10 as long as it remains something that deserves bashing. I'll keep reporting bugs to Linux-related projects when I find them. Sadly, my coding skills have rusted to the point of uselessness, so I can't contribute in that way, but I do what I can. It will have to suffice.

  7. Anonymous Coward

    There's a computer that's been on my mind

    All the time, aSu-Su-Sussudio, oh, oh

    Now she don't even know my MAC-address

    But I think she likes me just the same, aSu-Su-Sussudio, oh, oh

    1. Alister Silver badge

      Thanks Phil...

  8. Blockchain commentard Silver badge

    How come Kaspersky took 6 months to find the problem? Great saying they found it now, but if it's been active since June, were they told to ignore it as well?

    1. Nick Kew Silver badge

      Something about responsible disclosure?

    2. aaaa
      Big Brother

      6 months to find...

      The article did say why. That the binary was legitimately signed and had been downloaded from a whitelisted location.

      Reading between the lines, I think you can say that it probably wasn't until one of the 600 MAC-address-affected PCs was installed with Kaspersky's software that the gig was up, because once the software activated, then anti-virus would quickly pick up on it - when it's dormant, there isn't any nefarious activity to detect...

    3. The Man Who Fell To Earth Silver badge
      Boffin

      delay

      Prior to signing my software, I'd find that every time I submitted a new exe to Virustotal, typically a half dozen of the shitty AV makers would flag it in some way. It was usually either the obscure AV or the "AI" AV that would false positive and not have mechanisms for reporting the false positive & submitting the file for their inspection (with the "AI" AV always claiming they have no false positives - which of course they "don't" because they don't allow anyone to report them to them.) Once I started code signing my binaries, magically all the false positives on Virustotal stopped and I've never had one since. That suggests to me that most AV makers automatically flag signed binaries as OK regardless of what might have been flagged if it had been unsigned.

      1. Mahhn

        Re: delay

        Or the lazy ones auto-flag everything unsigned, while the others detonate it to test.

  9. Ian Emery Silver badge

    I'd like to know

    Who else they say they have found running similar code.

    I have a Lenovo that is acting weird.

    Nothing important on there - and it is getting a full wipe and install ASAP, but it would be nice to know who else is screwed.

    1. Tom 64
      Coffee/keyboard

      Re: I'd like to know

      You can pretty much guarantee Lenovo are on that list. They even have a history of backdooring their customers themselves. If you have to suffer a Lenovo by corporate dictum, wipe the damn thing first.

      1. John Brown (no body) Silver badge

        Re: I'd like to know

        "If you have to suffer a Lenovo by corporate dictum, wipe the damn thing first."

        Corporate ones don't have any "fishy" consumer stuff on them and will have the corporate Windows image installed anyway. If corporates are handing out consumer grade kit with the default OEM install, then you probably don't really want to be working for them. They are either incompetent or so short of cash they'll be bust soon anyway.

    2. don't you hate it when you lose your account
      Terminator

      A full wipe may not be enough

      If this puppy also updated the bios? Now that's not a pretty thought

      1. rmason Silver badge

        Re: A full wipe may not be enough

        That's exactly what it was. It's the ASUS application that deals with things like firmware, chipset and BIOS upgrades.

        If Lenovo has been nobbled then their equivalent is "Lenovo Vantage".

  10. redpawn Silver badge

    We know you want it,

    LOADS of freeee software and automatic updates. Slothful performance and reduced security are a small price to pay rather than to perform a clean install of Windows. Heavens, you might have to install some drivers to get those custom buttons to work. Too difficult! Besides, the vendor always has your best interests at heart, because the customer always comes first, just check on their web page.

  11. Ole Juul Silver badge

    Modern times

    "If you patch, there's a small chance you'll fall prey to a malicious update injected through the vendor. But if you don't patch, there's a close to 100% chance you'll be attacked over time."

    Wise words, but only for certain values of "over time", and operating system. I have a machine running here which has been connected to the internet 24/7 for about 10 years, and running an operating system that hasn't had any updates for (what in 2 months will be) 25 years. I'll leave it to the reader to guess the OS, but ... just sayin'.

    1. fidodogbreath Silver badge

      Re: Modern times

      I have a machine running here which has been connected to the internet 24/7 for about 10 years, and running an operating system that hasn't had any updates for (what in 2 months will be) 25 years.

      I'm guessing you work for either Equifax or the US Office of Personnel Management.

      1. deadlockvictim Silver badge

        Re: Modern times

        Let me guess, 25 years ago was 1994, you have a top-of-the-line Powermac 8100/80 running System 7.1.2?

        1. Martin an gof Silver badge

          Re: Modern times

          top-of-the-line Powermac

          Nah, I reckon it's a RiscPC running RiscOS, though RO did have some updates after that.

          I have an RPC vintage about 1994. It's not connected to the internet 24/7 and pretty much only does email these days, but it does that remarkably well so long as I'm not sent something with a 20MB attachment :-(

          I believe Paul Vigay used to run his website from a RiscPC. While vigay.com is still up and running, I doubt it's still on the same hardware.

          M.

          1. skswales

            Re: Modern times

            #MeToo

            Though I did upgrade the OS ROMs in 1999. Still going...

      2. Hopalong

        Re: Modern times

        AIX 3 or even AIX PS/2 v1.3?

    2. aaaa
      Happy

      Re: Modern times

      But I don't think you'll be able to say that in 25 years time, about a PC you buy today.

    3. Waseem Alkurdi Silver badge

      Re: Modern times

      OS/2.

      1. Zippy´s Sausage Factory

        Re: Modern times

        OS/2, did you say?

        Excuse me while I get all nostalgic; I'm off to fire up my VM and play solitaire...

        1. Waseem Alkurdi Silver badge
          Joke

          Re: Modern times

          Hope it doesn't crash mid-game!

    4. Daddy Raccoon

      Re: Modern times

      Windows 95?

    5. jeffdyer

      Re: Modern times

      OpenVMS

      1. Yet Another Anonymous coward Silver badge

        Re: Modern times

        >OpenVMS

        There is stuff running on OpenVMS, with PDP11 emulation cards, running half the world

    6. eldakka Silver badge

      Re: Modern times

      I have a machine running here which has been connected to the internet 24/7 for about 10 years, and running an operating system that hasn't had any updates for (what in 2 months will be) 25 years.

      A sample size of one is statistically, and practically, meaningless.

      I've never been in a situation where I've needed a seatbelt.

      Does that mean no-one needs to wear seatbelts and that a seatbelt has never saved anyone's life?

      1. doublelayer Silver badge

        Re: Modern times

        And a sample of machines running things that are so outdated that practically no malware exists that could run on them let alone is being spread is also a poor sample. Machines running any number of operating systems are ridiculously vulnerable. Windows XP, for example, but you couldn't use the fact that it's old to exonerate it. You've found that niche where security through obscurity is working, and as long as whatever thing this is continues to work for you, you'll be fine. Unfortunately, there are many people, myself included, who need some of the things that were released in the past 25 years.

      2. Updraft102 Silver badge

        Re: Modern times

        The claim was that an unpatched system will have nearly 100% chance of being attacked in time, and an example was provided to the contrary.

        Most people don't have their computers "get" infected with malware. They infect them themselves, by their own actions, and they probably never know they did so.

        The idea that security is a passive thing, a quality that a given piece of software either has or does not have is not reality, and it doesn't help people to understand the real situation. The way that pundits like the 100% guy talk, you'd think that if you stay patched up, you can do anything you want, downloading "warez" from any shady source imaginable, and still be safe... or that if you missed last week's patch, you probably already have ten different kinds of malware, even if you have employed good security practices, never opening unknown email attachments, never downloaded from unverified sources, that kind of thing.

        Keeping patched is one thing that helps, but it's far from the only thing, or even the most important thing. The most important thing is not doing dumb stuff to get yourself infected!

        The seatbelt analogy is a good one, because it only makes riding in a car safer, not "safe." There is no such thing as "safe" in moving vehicles. Some cars protect their occupants better than others, but the biggest variable is the loose nut behind the wheel. Security fixes, like seat belts, only help once an accident (or attack) actually begins. It's better to not be in an accident than to survive one, and that's where the behaviour of the user comes into play, whether driving or computing. Not all accidents can be avoided (since the other drivers may not be as careful as you are), but a lot can, and that is a lot more effective than seat belts.

        The constant focus on security updates as the be-all and end-all of security tends to obscure this, and suggests that if you're fully patched, you're essentially immune to all malware. Those of us who know computers understand that this is not the case, but regular users, the ones the talking heads are preaching to with the advice to update early and often, don't always get it.

        Look how many people who didn't know about cars thought that having thrown a bottle of Slick 50 into their crankcase at some point means they no longer need oil! I actually met one such person in college, an otherwise intelligent hard science major who presumably should have recognized the farcical nature of the belief right off the bat, but she didn't.

        The "test" in the commercial (if it meant anything at all, which is highly questionable) only showed that the treated engine won't seize as quickly as the untreated engine when both were run without oil (with an impossibly tiny sample size of one test engine and one control engine), but people saw the Slick 50 engine not seizing and thought that meant it could keep running like that forever, oil free. Like my aforementioned acquaintance, many such people disregarded low oil levels or the oil pressure light, thinking that didn't apply to them anymore. Fortunately, the woman in my example was set straight before it got to a low oil pressure situation, but others were less lucky.

    7. eldakka Silver badge

      Re: Modern times

      Plan 9?

    8. Orv Silver badge

      Re: Modern times

      On the other hand I remember when it was impossible to install Windows 2000 and download the patches before it got infected by Code Red, unless you used an external firewall. ;)

  12. Anonymous Coward

    Same file length?

    "Someone was able to modify a copy of the Asus Live Update Utility, hosted on the Taiwanese manufacturer's backend systems, and sign it using the company's security certificate, even keeping the file length the same as the legit version"

    Who cares if the file length is the same?

    What is the shasum?

    1. Charles 9 Silver badge

      Re: Same file length?

      They altered the official hashes at the same time because it was posted as an actual update, when the hash is expected to be changed.

      Basically, this is a Perfect Imposter situation where the rogue software went through every hoop the official software does, making it impossible to spot until after the fact. All this smacks of an insider. Who else would have access to the signing key?

      1. Chairman of the Bored Silver badge

        Re: Same file length?

        ”All this smacks of an insider. Who else would have access to the signing key?"

        Indeed. Smart money says you are looking for the recently separated employee who has an extremely nice house, hot car, good liquor and no debt... Along with no visible means of support.

        One alternative explanation is that Asus' development environment has been pwned and modified for 'remote access'. If you're Asus, that is a pretty terrifying thought.

        1. Rich 11 Silver badge

          Re: Same file length?

          Smart money says you are looking for the recently separated employee who has an extremely nice house, hot car, good liquor and no debt...

          Or who shagged the wrong Natasha on a drunken weekend in Macau and doesn't want the photos sent to his family.

  13. Anonymous Coward

    Very prophetic

    Take a look at the very last comment on the ShadowPad reg link by commentard: "razorfishsl"

    Last we hear of this indeed!

  14. Anonymous Coward

    Missing from this article...

    is this crucial piece:

    "I should add that @kaspersky Lab researchers contacted ASUS Jan 31 and met w/ ASUS in person Feb 14. The company insisted the hack didn’t happen. When Kaspersky offered to help them with forensic to show it did, ASUS wanted them to sign NDA. The company went silent after that"

    — Kim Zetter (@KimZetter) March 25, 2019

    #source:

    https://www.bleepingcomputer.com/news/security/asus-live-update-infected-with-backdoor-in-supply-chain-attack/

    1. Aitor 1 Silver badge

      Re: Missing from this article...

      So maybe not a hack.

      I mean, they did it on purpose maybe?

  15. Zonker Zoggs

    All your Asus are belong to us

    1. TVU Silver badge

      "All your Asus are belong to us"

      ...says the People's Republic of China and NetSarang.

    2. Zippy´s Sausage Factory

      But what can we launch for great justice?

  16. Will Godfrey Silver badge
    Black Helicopters

    Hmmm

    I wonder if anyone has been trying to blackball Kaspersky in recent times.

  17. Anonymous South African Coward Silver badge
    Trollface

    ass-us?

  18. Anonymous South African Coward Silver badge

    How long before the ne'er-do-wells will manage to do the same to WSUS?

  19. Anonymous Coward

    Got cleaning to do when I get home tonight

    Dammit, I put in a new card and updated my asus software in December.

    Will be cleaning it out and running scans tonight :/

    Asus must be following the Googs lead, never notify after distributing malware......

  20. Anomalous Cowturd
    Black Helicopters

    Asus have coughed, at last.

    https://www.asus.com/News/hqfgVUyZ6uyAyJe1

    No mention of Kaspersky's involvement, or thanks.

    Tossers!

    1. Panjo

      Re: Asus have coughed, at last.

      Thank you - that's a helpful link, at least for these reasons:

      1) ASUS have a 'Security Diagnostic Tool' available on that page which can test if your machine is infected (I didn't fancy sending my mac address to Kaspersky)

      2) It points out that only the version of Live Update used for notebooks was affected

  21. andrew8665

    This is not the first time.

    I remember in the past ASUS being accused of doing this before.

    1. Anonymous Coward

      Re: This is not the first time.

      Well, it would be much harder to remember something they were accused of doing in the future.

      :)

  22. Anonymous Coward

    How did the bad actor identify the MAC addresses?

    So I'm wondering about how the bad actor here identified the MAC addresses it wanted to target. Sounds like the attack wasn't just limited to ASUS PCs, just that ASUS are the first to be publicly identified. Was this done entirely remotely, or was there some actual physical proximity to devices? Did they e.g. compromise a router which a target(s) had used and extract MAC addresses of users, or e.g. just place a WAP close to a target location and log the MAC addresses of devices that handshaked with it? Or was there some kind of a compromise in the supply chain of targeted devices? Confirmation of all the affected manufacturers would be very interesting.

    The use of the update server could indicate that the specific identity of targeted users might not have been known, so spear phishing etc. might not have been possible. Does this indicate a big fishing operation for a target/targets that are otherwise difficult to identify?

    Questions, questions, questions...

    1. anoco

      Re: How did the bad actor identify the MAC addresses?

      Well, the same person(group) that infected the BIOS also infected the server. It's very easy to assume that they also may have had access to the shipping process to make sure that such MAC would go to such country/region.

      However it was, without the list of victims we will never know the assailants, and how they did it. AFAIK, they could have a specific robot just manufacturing trojan mobos. AT&T did the same with their internet traffic.

      1. doublelayer Silver badge

        Re: How did the bad actor identify the MAC addresses?

        Six hundred devices is a rather small sample. It's unlikely that they had any desire or need to compromise the manufacturing situation. While it's theoretically possible that the machines were intercepted in shipping as you describe, the malware could just have been installed on them directly at that point. It could be placed at the BIOS level and made almost completely undetectable. The effort to break ASUS's update system and signing keys and the possibility that it would be revealed as it was makes it unlikely that there was any tampering with client hardware. My guess would be that the target's infrastructure was compromised and MAC addresses accessed from that. With the scale, and assuming that these devices were all one target, it is possible that whoever it is bought a bunch of machines at the same time. If that's the case, only ASUS would need to be compromised to access the target. The other possibility is that there are multiple targets here or one really big target, both of which would make the possibility of multiple compromise of manufacturers plausible.

    2. fidodogbreath Silver badge

      Re: How did the bad actor identify the MAC addresses?

      I'm wondering about how the bad actor here identified the MAC addresses it wanted to target

      Supply chain. MAC addresses are often printed and/or bar-coded on the outside of the computer box.

    3. Mystery Machine

      Re: How did the bad actor identify the MAC addresses?

      No idea about how soon a machine spews its MAC to a Wifi access point (assume these are wireless MACs) but it mightn't be supply chain if it's possible to get near the target (including local coffee shops, hotels etc) and harvest MAC addresses either passively or actively. To attackers this would be a numbers game because they'd only need to compromise one device (more is better but not too many) to get the access to the target environment. The attackers will have known 1) the target(s) use ASUS gear with LiveBollocks enabled and 2) they had access to the update servers for ASUS prior to kicking this off. However what is surprising is most corporates worth their salt wouldn't use consumer-focused vendor crapware to manage their infrastructure.
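On the question above of how early a machine reveals its MAC to nearby Wi-Fi gear: before any association, a client transmits 802.11 probe requests whose source-address field carries its MAC in the clear, often with the name of a network it is looking for. The parser below, an added example that is not from the article, the commenters or the Kaspersky report, pulls those two fields out of raw management frames, which is all a passive harvester needs. The frames are constructed for the example (radiotap headers assumed already stripped), and the "randomized" flag relies on the locally-administered bit, which is how modern operating systems mark the random addresses they use while probing.

```python
"""Added example, not code from the article or from any commenter above.

Parses 802.11 probe requests and collects (source MAC, requested SSID) pairs,
the data a passive harvester near a target would gather.  The frames at the
bottom are constructed for this example, not captured traffic; the 'randomized'
check assumes probing clients use locally-administered addresses (U/L bit set),
which is the convention modern OSes follow when they randomize.
"""

FC_TYPE_MGMT = 0
FC_SUBTYPE_PROBE_REQ = 4
MAC_HEADER_LEN = 24          # FC(2) Duration(2) Addr1(6) Addr2(6) Addr3(6) SeqCtrl(2)
EID_SSID = 0                 # element ID of the SSID tagged parameter


def format_mac(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)


def parse_probe_request(frame: bytes):
    """Return (source_mac, ssid) for a probe request, or None for any other frame.

    ssid is '' for a broadcast probe and None if the SSID element is missing or truncated.
    """
    if len(frame) < MAC_HEADER_LEN:
        return None                              # too short to carry a full header
    fc0 = frame[0]
    version, ftype, subtype = fc0 & 0x03, (fc0 >> 2) & 0x03, fc0 >> 4
    if version != 0 or ftype != FC_TYPE_MGMT or subtype != FC_SUBTYPE_PROBE_REQ:
        return None
    source = frame[10:16]                        # Addr2 = transmitter (source) address
    body = frame[MAC_HEADER_LEN:]
    ssid = None
    pos = 0
    while pos + 2 <= len(body):                  # walk the tagged-parameter list
        eid, elen = body[pos], body[pos + 1]
        if pos + 2 + elen > len(body):
            break                                # truncated element: stop, never over-read
        if eid == EID_SSID:
            ssid = body[pos + 2:pos + 2 + elen].decode("utf-8", "replace")
            break
        pos += 2 + elen
    return format_mac(source), ssid


def is_randomized(mac: str) -> bool:
    """Locally-administered bit set: a per-scan random address, not the factory one."""
    return bool(int(mac[:2], 16) & 0x02)


def harvest(frames):
    """Map each probing source MAC to the set of SSIDs it asked for."""
    seen = {}
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed is None:
            continue
        mac, ssid = parsed
        seen.setdefault(mac, set())
        if ssid is not None:
            seen[mac].add(ssid)
    return seen


def randomized_sources(seen) -> set:
    """Addresses a harvester cannot use to target a factory MAC."""
    return {mac for mac in seen if is_randomized(mac)}


def build_probe_request(source: bytes, ssid: bytes) -> bytes:
    """Constructed test input: a minimal probe request (not captured traffic)."""
    header = (bytes([0x40, 0x00])                # frame control: mgmt / probe request
              + b"\x00\x00"                      # duration
              + b"\xff" * 6 + source + b"\xff" * 6   # Addr1=broadcast, Addr2=source, Addr3=BSSID
              + b"\x00\x00")                     # sequence control
    rates = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])    # Supported Rates element
    return header + bytes([EID_SSID, len(ssid)]) + ssid + rates


FACTORY = bytes.fromhex("001A2B3C4D5E")          # constructed burned-in address
RANDOMIZED = bytes.fromhex("DA1A2B3C4D5E")       # 0xDA has the U/L bit set
SAMPLE_FRAMES = [
    build_probe_request(FACTORY, b"CorpWiFi"),   # directed probe: leaks a network name too
    build_probe_request(FACTORY, b""),           # broadcast probe
    build_probe_request(RANDOMIZED, b"HotelGuest"),
    bytes([0x08, 0x00]) + b"\x00" * 22 + b"payload",   # a data frame: ignored
    build_probe_request(FACTORY, b"CorpWiFi")[:30],    # truncated SSID: MAC kept, SSID dropped
]

if __name__ == "__main__":
    seen = harvest(SAMPLE_FRAMES)
    for mac, ssids in seen.items():
        print(mac, "randomized" if is_randomized(mac) else "factory", sorted(ssids))
```

The caveat the scenario depends on is visible in the output: a client that randomizes its probing address hands the harvester a MAC that is not the one burned into the adapter, so it would never match a list keyed on factory addresses; only the unrandomized source (here `00:1A:2B:3C:4D:5E`) is usable that way.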

  23. Anonymous Coward

    Funny that - Kaspersky again

    This looks so focused, it appears a state activity, so Kaspersky did what it always does: detect, document and publish it.

    No wonder the US wants them gone - they're too good.

  24. Anonymous Coward

    for this: I'm not even mad, it was a beautiful piece of work.
