
Malware poses as software updates: Why the FBI is warning travelers

Those "critical update" notices you get, especially while traveling, may not be what you think. Michael Kassner gets the low-down on this serious threat as well as the Evilgrade platform.

As someone who writes about IT security, I like to think I can recognize digital trouble when I see it. Recent events suggest that's not the case.

Case in point

Last week, I received a call from a company vice president traveling in Sweden. "Yes sir, how can I help?" I asked after mandatory discussion on the likelihood of a new football stadium for the Vikings. "Just wanted to check," he replied. Bless him. "TeamViewer is asking to update. Should I allow it?"

I was about to say sure. But, I stopped short. Why hadn't my computer mentioned anything about updating? I've been using TeamViewer all day. In what some would call a "CYA" move -- I prefer "discretion is the better part of valor" -- I told the vice president to wait until he got back; something seemed wrong.

What's up?

After I got off the phone, I tried to update TeamViewer on several notebooks that haven't been used recently -- all were up-to-date.

Okay, something's funky.

None of my IT cohorts were aware of any issues. Fortunately, friend and fellow journalist Brian Krebs was. His post, FBI: Updates Over Public 'Net Access = Bad Idea, pointed me in the right direction. In it, Brian referred to this FBI E-Scam and Warning newsletter:

"Recently, there have been instances of travelers' laptops being infected with malicious software while using hotel Internet connections. In these instances, the traveler was attempting to set up the hotel room Internet connection and was presented with a pop-up window notifying the user to update a widely used software product."

My gamble to have the vice president wait was fortunate indeed. The FBI alert continues:

"If the user clicked to accept and install the update, malicious software was installed on the laptop. The pop-up window appeared to be offering a routine update to a legitimate software product for which updates are frequently available."

Sure sounds like what happened to the vice president. If that's not bad enough, Brian mentioned something equally troubling in his post:

"Bear in mind that false update prompts don't have to involve pop-ups. I've written about Evilgrade, a toolkit that makes it simple for attackers to install malicious software by exploiting weaknesses in the auto-update feature of many popular software titles."

Evilgrade

Evilgrade takes it a step further. If applications have permission to auto-update, Evilgrade can hijack the auto-update feature and install malware in place of the official update, with the user none the wiser.

Francisco Amato, the creator of Evilgrade mentions how the attack starts:

"This framework comes into play when the attacker is able to redirect traffic in one of the following ways: DNS tampering, DNS Cache Poisoning, ARP spoofing, Wi-Fi Access Point impersonation, or DHCP hijacking."

Remember the FBI alert referring to hotel Internet connections? Attack tools like Evilgrade are the reason. Unlike company networks, public networks at hotels and cafes -- particularly open-access ones -- aren't secure, which makes them ideal places to stage one of the above attacks.

Vulnerable applications

Surprisingly, a way to defeat attacks like Evilgrade already exists -- digital signatures. And some companies already use them extensively. For example, if a Microsoft-based computer receives an update that does not carry the correct digital signature, a window similar to the following slide will pop up.

Unfortunately, not all app developers integrate digital signatures. And just our luck, the bad guys know which they are. Notice that TeamViewer is on the list:

  • iTunes
  • Java
  • Opera
  • Quicktime
  • Safari
  • Skype
  • Teamviewer
  • Vmware
  • Winamp

If you're curious, the Readme.txt for Evilgrade has a more comprehensive list of vulnerable applications. Amato also created a YouTube video demonstrating how Evilgrade works.
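As an added illustration (not code from the article, from Evilgrade, or from any vendor named above), here is what the signed-update check the article credits with defeating Evilgrade looks like, in Go: a hypothetical vendor signs an update manifest with Ed25519, the client pins the vendor's public key, and both an installer swapped in transit and a manifest rewritten by a man-in-the-middle are refused. The manifest format, the key handling and the sample installer bytes are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
)

// UpdateManifest is the hypothetical document an auto-updater fetches:
// current version, download URL and SHA-256 of the installer bytes.
type UpdateManifest struct {
	Product string `json:"product"`
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"`
}

// SignManifest runs on the vendor side with the private signing key.
func SignManifest(priv ed25519.PrivateKey, m UpdateManifest) (raw, sig []byte, err error) {
	if raw, err = json.Marshal(m); err != nil {
		return nil, nil, err
	}
	return raw, ed25519.Sign(priv, raw), nil
}

// VerifyUpdate is the client-side check. vendorPub is pinned inside the installed app,
// so whoever rewrites the manifest or swaps the installer in transit cannot sign it.
func VerifyUpdate(vendorPub ed25519.PublicKey, raw, sig, installer []byte) (UpdateManifest, error) {
	var m UpdateManifest
	if !ed25519.Verify(vendorPub, raw, sig) {
		return m, errors.New("manifest signature invalid: refusing update")
	}
	if err := json.Unmarshal(raw, &m); err != nil {
		return m, err
	}
	sum := sha256.Sum256(installer)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return m, errors.New("installer hash does not match signed manifest")
	}
	return m, nil
}

// Scenario builds a vendor key pair and a genuine update, then replays two
// Evilgrade-style substitutions. It returns whether each case verified.
func Scenario() (genuineOK, swappedInstallerOK, forgedManifestOK bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	installer := []byte("constructed sample: genuine installer bytes")
	malware := []byte("constructed sample: malicious payload")
	sum := sha256.Sum256(installer)
	m := UpdateManifest{Product: "ExampleApp", Version: "2.0.1",
		URL: "https://updates.example.invalid/ExampleApp-2.0.1.exe", SHA256: hex.EncodeToString(sum[:])}
	raw, sig, _ := SignManifest(priv, m)
	_, err := VerifyUpdate(pub, raw, sig, installer)
	genuineOK = err == nil
	// Attack 1: genuine manifest arrives, but the download is redirected to malware.
	_, err = VerifyUpdate(pub, raw, sig, malware)
	swappedInstallerOK = err == nil
	// Attack 2: manifest rewritten to carry the malware hash; the reused signature no longer covers it.
	evil := m
	evilSum := sha256.Sum256(malware)
	evil.SHA256 = hex.EncodeToString(evilSum[:])
	evilRaw, _ := json.Marshal(evil)
	_, err = VerifyUpdate(pub, evilRaw, sig, malware)
	forgedManifestOK = err == nil
	return
}
```

Only the genuine case passes; the two substitutions fail at the hash check and the signature check respectively, which is the behaviour an updater needs before it ever shows an "update available" prompt.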

What to do?

About a year ago, Brian came up with his "Three Basic Rules for Online Safety." It might be a good time to review the first rule: If you didn't go looking for it, don't install it! Brian explains:

"If you must update while on the road, make sure that you initiate the update process. Avoid clicking pop-up prompts or anything that looks like it was launched from an auto-updater. When in doubt, always update from the vendor's website."

Final thoughts

I got lucky this time. I still need to thoroughly scan the vice president's notebook -- even though he didn't allow the update. The notebook was under attack, and the second wave might have been Evilgrade.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

59 comments
Ocie3

It seems odd that Skype is on the list since it became a Microsoft subsidiary late last year.

Gisabun

Noticed on the list that one of the biggest culprits is Apple. I guess it adds to the notion that Apple products aren't so secure. I use TeamViewer. It will tell you when there is an update [as far as I know the only way] with a message to the right of the Help menu.

Who Am I Really

Or do these just pop up before any browser is even opened? E.g. where I am located, when you go to certain fast food joints that offer free Wi-Fi, you have to open your browser first, then attempt to make the connection, which then opens a new tab in the browser window to the "Terms of Service" page where you click OK to agree to the ToS before you can get on the network to access the web. If these pop-ups do come through the browser, would A) disabling the browser's plug-ins help lower the chance of seeing one of these pop-ups (e.g. disabling the Reader, QuickTime, etc. plug-ins), and B) would using Firefox with NoScript help as well?

RipVan

By the way, do you know that the "update" button at the top of the article doesn't work? I clicked it many times, but all it did was load a picture... On a serious note, the last few articles were very technical. I like ones like this that I can forward to my kids to let them know the many surreptitious ways people are going after them. As much as I try to tell them, it is always better when they get it from someone else. I have suspected activity like this in the past, and your advice was great. "Just wait until you are in your own familiar surroundings."

lassiter12

BTW, this happens both at home and at my son's house, both on wi-fis with security.

lassiter12

I've lately been getting blitz attacks on my Gateway with XP. Windows pop up as fast as I can close them. They all are wanting to upgrade or add-on for Windows. My anti-malware keeps popping up to question them. They seem related to this discussion. About half the time if I x them out or deny them about a dozen times they quit, but I have had to force shutdown to stop them. Fortunately, when the computer comes back up no harm has been done.

dblethen

When automatic updates were first used, I always wondered - what would stop someone from mimicking a legitimate automatic update request? It took me a long time to trust automatic updates. It is an odd question, but why is this only coming up now, and why mostly with just unsecured public wireless (besides the obvious nature of public wireless)?

wyattharris

I haven't seen it in the wild yet, but I sent out alerts to my flock of users. Thanks for the heads up.

ezrydr84

I click on the link to read "Three Basic Rules for Online Safety" - Krebs' web site is throwing security certificate errors in IE. Oh the irony.... Great info though! :)

mfa

I see that Windows Update is on Evilgrade's list, suggesting that Patch Tuesday would be a dandy time to try an attack.

jkameleon

Well, that's irresponsible to say the least. It speaks volumes about the vendors of the above software.

Michael Kassner

Which surprised me. I'm trying to find out what that's all about.

JCitizen

they download with web pages, and reside in the temp folders until the unsuspecting click on the pop-up and eventually compromise the system using social engineering. Of course some of these don't even wait for that if you have a vulnerable flash or PDF reader version. Also of course, it isn't unusual for a temp file to simply ask for help from the evil doers, and download attacks from bad IPs independent of browser downloads. (edited) Yes NoScript should go a long way toward mitigating this. I'm not sure if loading a page can result in stealth files that are not blocked by No Script.

Michael Kassner

Yep, researching the previous two articles made my head hurt. But we got through it. My hope was to make everyone more aware of those issues.

Gisabun

Pop-ups and Wi-Fi security have no direct relation. You just click on a bad link and malware is on your system. You need something like OpenDNS, which will block sites that contain malware when reported and verified.

JCitizen

ever - this will help 85% of the problem. I know it is difficult to tell if you are not paranoid or well experienced. But the harmless way to end those is to use task manager; then immediately run CCleaner to dump the temp file it is coming from.

ultimitloozer

You should make sure after these events to do a full scan on the affected system with at least 2 scanners. Frequently clicking on anything - including the little x in the corner - will cause the package to be installed on the machine. I've had to clean up client machines after these events in the past and I would assume that it is still popular.

Michael Kassner

You ask a great question. I suspect now, because the bad guys have developed that right set of tools -- Evilgrade -- to pull it off. Also, Wi-Fi is the easiest way to jump in the middle and capture all of the victim's traffic.

Michael Kassner

It is a clever idea. I have asked my Android partner, William Francis, about how this would affect mobile devices. We are looking into it.

NickNielsen

I am getting warnings that "some data on this page has not been encrypted", though.

Michael Kassner

I mentioned it to Brian and passed your comment along as well.

Michael Kassner

That part confuses me. Supposedly MS uses digital certificates, but various MS products are on the list. If you know of any more details, I would be appreciative to learn them.

JCitizen

that Microsoft's poor relationship with vendors may have something to do with it.

Michael Kassner

I am looking into which developers indeed use digital signatures -- as well as how much effort is required to implement them.

Who Am I Really

wondering about the "stealth files" you mention: is it possible for "these files" to get out of the browser's cache / temp folders etc.? If it's not possible (yet), then it shouldn't be a problem, as I've always configured Firefox to trash everything on exit, so they should hopefully disappear on browser close. I also configure it so everything is trashed when using "clear recent history".

Michael Kassner

I linked the source code for Evilgrade in hope that someone would be able to tell us how it works.

seanferd

It's fine if you are using it for pure DNS, but you have no way to be sure that you will actually use the servers of your choice in foreign networks without testing. Further, only Enterprise class OpenDNS service blocks anything but Conficker and IR zero-day exploits - which OpenDNS does in fact block by default without signing up and configuring a Dashboard. The point about WiFi is that the WiFi network is easily abused by the person controlling it, and mobile users willy-nilly accept any connection they are offered.

Michael Kassner

Blocking the site is reactive, and Evilgrade uses the genuine auto-updater, so I'm not sure OpenDNS would help. It might.

Michael Kassner

Evilgrade uses the app's auto-updater, so the popup will not be suspicious.

wyattharris

Update: After sending the word out, I get a response from the CEO who is out of town today. "Are you talking about this pop-up I keep getting for updates?" I remoted in and sure enough he is getting prompted for Quicktime updates that don't exist. Pretty aggressive too, he said it's been pinging a few times every hour. I'll get more info when he's back home.

Michael Kassner

In Chrome the HTTPS is red and crossed out. I asked Brian, but he is one busy guy.

doug.cronshaw@baesystems

.. for some time. I am still supporting Windows XP Pro SP3, and one of the systems with that on did not signal that the May 2012 SB updates were available until 24 hours after they had been released to the general public (despite connection to the internet during that time). Worse still, Windows Update on the same (and other Windows XP) systems continues to nag that some SB patches need to be applied after the patches have been performed. That nag will persist even after one or more explicit executions of Windows Update or Microsoft Update. [This malfunction has been present on all the Windows XP Pro SP3 systems that I support for the better part of a year. It is suspected to have been introduced by some other SB patch performed during that time, or because the Windows XP version of the Windows Update and Microsoft Update products haven't been properly updated to take account of other SB patches since the malfunction started.] As for MS's use of digital certificates for SB patches, I haven't seen any evidence of that use on fully up-to-date versions of Windows XP Pro SP3. (That may, of course, be because all the patches that I apply do have suitable digital certificates.)

JCitizen

whose symptoms suggested that the PC was redirected to a fake Microsoft update site. There were two incidents on this same machine. One used a window that was not obviously Internet Explorer; this one looked just like the built-in updater for Windows 7. The other one was an obvious fake, as it used IE9, and the update page looked like an XP update cycle. The convincing update was concerning, because it downloaded what looked like a lot of legitimate updates, but one of them marked 1033 was suspicious, and trouble soon followed. Maybe this was just a typical DNS cache attack, but I still felt like MS had some compromised certificates in the deal. I'm not sure if MS ever admitted to this, but I see many suggestive comments on the problem on several forums. Needless to say, a lot of updates were reported as failed on the legitimate updater. It wouldn't be the first time a major root certificate was kifed.

Gisabun

More like lazy assed developers who don't give a crap about security. You can't blame Microsoft for everything!

jkameleon

Everybody can do that, with Microsoft's permission or without it. A couple of calls to Crypto API, and that's it.

Who Am I Really

"Those files wait until a reboot or shutdown to inject into the startup folder so they can survive to the next session." On my systems, "Those files ..." would have to survive a browser close, or a "clear recent history" in the current session. I set up Firefox to store absolutely nothing at close and/or clear recent history, thus I have no cookies, cache, LSO, DOM storage, DL history, site history, etc. that can survive beyond the current session, which is why I asked previously if "Those files ..." were capable of being downloaded to anywhere outside of the standard cache locations.

JCitizen

Unless using the application update is more efficient. With the exception of my browsers and my AV/AM, I don't let a lot update automatically either. However - this is a honey pot, so I can't find out how good my defenses are if I don't take a chance on those factors you relate. My clients won't do what you do, so I run the minefield in anticipation of what they will do. So far, with extensive blended defenses, I've been pretty successful. Michael has been a big help with the solutions that run best even in an infected environment. With the right tools, even the "stealth" attacks can be monitored. In the case of NoScript, I'm not sure if it can always tell if everything that downloads with a page is a script, especially with the new Zeus variants. I hope I'm wrong. Those files wait until a reboot or shutdown to inject into the startup folder so they can survive to the next session. They can be active during the session in man-in-the-middle attempts, keylogging, screen capture, etc. I would think that would be detected as a script, but then I'm no expert on code. Of course running CCleaner can dump temp files so they have no ability to install, if that is the word to be used. I find CCleaner is way more thorough than using the system cleaner. Also, of course, that won't help with what is already running in session, which could manipulate files and do everything previously mentioned in the session. Since running a task manager or a Sysinternals type program is not practical, I prefer pure behavioral heuristics to detect them. The free ones (some that are kernel based) are Comodo Firewall's Defense+, WinPatrol, or ThreatFire. I haven't tested the PCTools product yet. I've tried Online Armor Premium and the Emsisoft Anti-Malware suite without success - it ripped the guts out of IE9 on my machine. However, the paid solution of Emsisoft's Mamutu is God's gift to computing as far as I'm concerned! Even the government and DRM spies can't get past it!! :O The problem is that you eventually have to allow some scripts to use a site, and no site is invulnerable to infection. So really you are back to square one. Avast scans everything on the page to see if it is a dangerous script - everything else it allows. It has been 100% reliable so far, and amazingly it hasn't slowed down my site usability. Only once in a blue moon do I get an inactive page control, so I reload the page to activate it. I suspect this is because of momentary SQL injection, or other similar attack, which only loads a bad control every five or so page loads. These are the things that drive web-masters and managers crazy. This, from what I read about the problem, that is. It can be difficult to catch the culprits in the server database operations.

dblethen

You have raised some helpful points. You are obviously in a Windows environment (no complaints, just observation). Any experience with Linux (Fedora)? yum -update requires a lot of trust for installing updates, but the alternatives seem quite time consuming.

Who Am I Really

Everything is set to manual or disabled. I don't allow updates of anything automatically. Flash, Acrobat Reader, etc. don't get any permissions to do anything update related. When it's time to update Flash I remove it first, then get the offline installer to install the newer version. Every other app I install, I disable the check for updates if it has the capability to check for updates. Even the add-ons for Firefox are set to be checked manually, and only while on a trusted network (namely: home, or office, never on "public networks") do I check. Firefox itself is also set to not look for updates automatically. Windows Update is set to DL & notify only; then I check the KB numbers first thing after I get the notification balloon (and I get a little grumpy when I get the balloon for out of band updates; good thing those are rare though). It looks like a lot of work but it really isn't; it's actually less work than letting everything go automatic and having things foisted upon me while in the middle of doing something else. It stinks to have a bunch of things open and be forced to close the browser or windows or both etc., especially the junk Windows Update pulls if the group policies aren't changed to disable the "install updates and shut down" from the shutdown menu. No security model is perfect, and I can see how maybe the "Possible exception(s)" could catch someone off guard though. So we do our best, and I have yet to get a system infected through my own web activities. Have had many infected systems handed to me, from DOS to Win7, but never any of my own. One day it could happen, never say never, and in that case my tool of first choice would be last month's Backup Exec full system drive image.

Michael Kassner

What if Evilgrade takes over one of your app's auto-updater and it's one you let bypass NoScript?

NickNielsen

My home wireless is running a NAT. I wouldn't be a bit surprised to find that the others are also. I hadn't even thought of that...but I hadn't taken the time, either.

Michael Kassner

I'm trying to piece together why that was happening. Were the Wi-Fi devices also DHCP servers?

NickNielsen

Shortly after I started using OpenDNS on my work laptop, I noticed I was unable to access the web from several wifi networks I had been using with no problems before (including my home wifi :0 ). Others gave me no problem. Resetting my DNS settings to automatic fixed the problem. So much for that idea...

JCitizen

convincing enough to goad me to already obey other posters advice here, by updating independently of the popup. However, I violated my rule the other day when QuickTime popped up on the standard account to offer updating. I was surprised, as that one doesn't usually work on restricted accounts. I used to be able to beat the auto-updaters by using File Hippo update checker. But it stopped working on limited accounts in the pro versions of Vista. Thanks for the rep - that is some scary sh*t!

Michael Kassner

I would appreciate any information that you would want to pass along.

JCitizen

bugging him. I don't email him very often though. [_]3

doug.cronshaw@baesystems

... you'll probably recall that Microsoft's security patches are covered by security bulletin notifications with designations like MS12-035.

Gisabun

Have you ever thought that some of these issues are from the computer themselves? I have 2 XP systems. No complaints. Updates are generally installed on the same day. SB? Soundblaster? Spock's Beard? San Bernadino? St. Bernard?

Michael Kassner

I am trying to figure out what SB stands for. Please help.

jkameleon

My point was that users don't need to understand digital signatures in order to make upgrades safely. That's software vendor's job. You don't need to understand how ABS works in order to push the brake pedal either.

Michael Kassner

You referred to everyone, making it seem that everyone should understand digital signing and ABS. To me that is completely different from using equipment with the aforementioned technology built into it.

jkameleon

.. but that doesn't mean that car vendors can put unreliable brakes into their cars.

Michael Kassner

I'm betting that many of us would consider it rocket science. I always think of how my dad would try and figure it out. That puts a whole different perspective on it.
