November 3, 2010

“Evilgrade,” a toolkit that makes it simple for attackers to install malicious software by exploiting weaknesses in the auto-update feature of many popular software titles, recently received an upgrade of its own and is now capable of hijacking the update process of more than 60 legitimate programs.

Evilgrade’s creator, Francisco Amato of InfoByte Security Research, says that by targeting widely deployed programs that don’t properly implement digital signatures on their product updates, attackers can impersonate those companies and trick users into believing they are updating their software, when in reality the users may be downloading a package designed to compromise the security of their computer.

Software companies should include these signatures in all of their updates, so that a user’s computer can validate that the update was indeed sent by the vendor. For example, Microsoft signs all of its updates with a cryptographic key that only it knows, and Windows machines are configured to ignore any incoming software update alerts that are not signed with that key. But for whatever reason, many software vendors have overlooked this important security precaution, and have chosen not to sign their updates — or have implemented the signing verification process in a way that can be circumvented.

Among the software products that Amato says EvilGrade can compromise are iTunes, Java, Skype, Winamp — even security applications like Superantispyware, Sunbelt, and Panda Antirootkit (a longer list of vulnerable apps is available in the documentation).

The video above shows how Evilgrade works against even the latest version of Java — Java 6 Update 22.

As the release notes state, this tool is a cross-platform attack suite, meaning that it can be used to attack not only Windows systems, but any vulnerable update mechanism: The attacker need only supply platform-specific payloads designed to run on the targeted user’s operating system.

According to Amato, the only things an attacker needs to hijack the update process on a targeted computer is control over the network, and for the victim system to be running one of the 60+ applications targeted by Evilgrade. And as I noted in a blog post last week, there are several easy-to-use, open source tools that allow attackers to hijack wired and wireless networks and trick all of the systems on a local network into routing their traffic through the assailant’s computer.

As Evilgrade makes painfully clear, it’s generally a good idea to delay installing updates until you’re using a network you know, trust and hopefully control (such as your home network). Many more programs these days have auto-updaters built-in, and these features can help users stay up to date with the most recent and secure versions of these products. But when you’re computing on-the-go, it’s probably best to delay responding to an auto-update prompt. At the very least, make sure you initiated the process, to ensure that you are not simply responding to a bogus update prompt sent to you by an attacker who’s using the same network.


14 thoughts on “‘Evilgrade’ Gets an Upgrade

  1. Nathan

    Actually according to the docs you linked to; it apparently spoofs IE 6,7 & 8 updates, so even ms update must be messing up some where…

    Its also has a boatload of apps I use regularly; man that is scary to think how easily this can be subverted.

    Nathan

    1. BrianKrebs Post author

      Yeah. I’ve been trying to get in touch with Amato since he pinged me about this last week, but no dice. It looks like, however, that it’s only specific versions of IE (this goes for a few other apps specified on that list).

      1. Moike

        I’ve always been bothered by the initial WindowsUpdate steps by IE6 – connecting to a trusted zone without SSL, and executing who-knows-what? I’ve never traced it down to see the first time signatures are verified.

    2. Francisco Amato

      Hello all!
      The module winupdate.pm implement a fake webpage of windowsupdate.microsoft.com
      This was the webpage that it’s redirect on ” windows update.

      It isn’t a problem in the windows update process they sign all the binaries.
      In the last version of ie the directly open the windows update process.

      Thanks Brian for your post!

      1. Nathan

        Ah, that explains how it works; it subverts the process before you get to microsoft. It sees the request for winupdate; and passes you its page (which looks like MS’s) which then basically allows you to subvert the whole process. Nice.

        For pen-testing with a Nokia n900 you could walk into a office and take over their wireless network and publish all sorts of updates while talking to the receptionist about the weather…

        Nathan

  2. Maureen

    Once more: I love this blog.

    So, the lesson I’m getting from this is to not have any updates installed automatically… I use filehippo to alert me to updates and then I go download them from the websites I trust. Is that okay, or do you suggest something else or something more?

    I hope none of you gasped when you read “filehippo”. If so, tell me of a better way.

    Thanks.

    1. Tommy

      Hi Maureen,
      Been using both filehippo & majorgeeks RSS feed in firefox a long time and just have a quick look every few hours or so for any new updates. I never respond to update bubbles that pop up on screen and tend to remove any named update startups via ccleaner, also run secunia psi once a week just to be sure.

  3. Brian Fiori (AKA The Dean)

    Am I missing something here? Is Francisco Amato involved with a legit security research operation? He is the creator of this malicious program?

    I understand (but don’t always agree with) the practice of making exploits public to put pressure on the legit software makers to fix issues. Creating a program that actively compromises users’ machines…and then updating it, seem a bit outside of that arguably legitimate purpose.

    If Amato is legit, what are his reasons for creating this vile program?

    1. BrianKrebs Post author

      Hi Brian, thanks for reading, and for your provocative comment/question. I believe Amato is coming at this from the perspective of the penetration tester, as this tool and others like it can be used by those who get paid to break into networks to test their security.

      That said, almost all tools in network security can be used for good or bad purposes. Metasploit is a ready example, but there are countless others.

      The rationale for writing about and calling attention to these tools is to give readers a sense of the possible, and of the tools/weapons that the bad guys have at their disposal. If you do not know, for example, that updating your Java on an open wireless network or other network could open you up to attacks, then you would probably be unlikely to avoid doing so. Chances are, the update would be legit, but then again knowledge is half the battle.

      1. Brian Fiori (AKA The Dean)

        Thanks, Brian.

        I wasn’t questioning your rationale for writing about this. I completely get that.

        So, you are telling me Amato’s tool is meant for security researchers/network security testers? OK.

        Maybe I’m naive, but I think I would make the distribution of a tool like that very selective. Or devise another way to make sure it is deployed for the use intended. I understand no security is perfect, but it has to be better than none at all.

        1. Nikhil Mittal

          Hi Fiori,

          Yes you are talking naive here..do you _really_ think that you can make distribution of a tool selective ? (although such tools should not be distributed selectively IMHO)

          Also, what is the intended usage of such tool and how to ensure that?

          As Brian pointed out most of the security tools can be used both ways…There really is no solution to “ensure intended usage”.

  4. Simon

    This is rather innovative! Such a threat wasn’t well used until recently.

    I am impressed with this tool, and if had time I would find it interesting to see how it shows up in system logs.
    Anyhow widely accessible exploit that can exploit superantispyware without having anything else on the system first?

    (maybe anybody have a link to view the code of such an exploit?)

    Sounds pretty intense.

    Brian Fiori (AKA The Dean), the whole idea of publishing such a tool would be under full disclosure policy many security researchers adopt. Such a publishing while it could be used for malicious purposes is a must. Imagine if you had a city wall and you found a hole in the wall, If you told everybody maybe some 1 will try to smuggle goods using the hole but if nobody says anything the bad guys will keep a small circle of people knowing the secret and benefiting from it a lot more before it is found out. If this wasn’t being published this would be much worse as this is a new method of attack not used before by the mainstream malware creators, or it may have been used but it wasn’t popular.

  5. Thugs-chen

    One of the things I like about my O/S, Linux Mint, is that updates come through a single process via Mint’s Update Manager, which I initiate at my convenience, usually once every few days when I am not doing anything computationally intensive. Mozilla, Adobe, Oracle, as well as hundreds of other O/S and third party apps all come through this single updating process. Updates do not come at me at random from software vendors directly like they do on Windows. A key benefit is that the updates appear to have been vetted by at least one set of third-party eyes before they reach me. A negative, however, is that critical updates take longer to get to me; though I notice that the lagtime is getting shorter.

Comments are closed.