As someone who writes about IT security, I like to think I can recognize digital trouble when I see it. Recent events suggest that’s not the case.

Case in point

Last week, I received a call from a company vice president traveling in Sweden. “Yes sir, how can I help?” I asked after mandatory discussion on the likelihood of a new football stadium for the Vikings. “Just wanted to check,” he replied. Bless him. “TeamViewer is asking to update. Should I allow it?”

I was about to say sure. But, I stopped short. Why hadn’t my computer mentioned anything about updating? I’ve been using TeamViewer all day. In what some would call a “CYA” move — I prefer “discretion is the better part of valor” — I told the vice president to wait until he got back; something seemed wrong.

What’s up?

After I got off the phone, I tried to update TeamViewer on several notebooks that haven’t been used recently — all were up-to-date.

Okay, something’s funky.

None of my IT cohorts were aware of any issues. Fortunately, friend and fellow journalist Brian Krebs was. His post, FBI: Updates Over Public ‘Net Access = Bad Idea, pointed me in the right direction. In it, Brian referred to this FBI E-Scam and Warning newsletter:

“Recently, there have been instances of travelers’ laptops being infected with malicious software while using hotel Internet connections. In these instances, the traveler was attempting to set up the hotel room Internet connection and was presented with a pop-up window notifying the user to update a widely used software product.”

My gamble to have the vice president wait was fortunate indeed. The FBI alert continues:

“If the user clicked to accept and install the update, malicious software was installed on the laptop. The pop-up window appeared to be offering a routine update to a legitimate software product for which updates are frequently available.”

Sure sounds like what happened to the vice president. If that’s not bad enough, Brian mentioned something equally troubling in his post:

“Bear in mind that false update prompts don’t have to involve pop-ups. I’ve written about Evilgrade, a toolkit that makes it simple for attackers to install malicious software by exploiting weaknesses in the auto-update feature of many popular software titles.”


Evilgrade takes it a step further. If an application is allowed to auto-update, Evilgrade can hijack that update check and deliver malware in place of the official update, and the user is none the wiser.

Francisco Amato, the creator of Evilgrade mentions how the attack starts:

“This framework comes into play when the attacker is able to redirect traffic in one of the following ways: DNS tampering, DNS Cache Poisoning, ARP spoofing, Wi-Fi Access Point impersonation, or DHCP hijacking.”

Remember the FBI alert referring to hotel Internet connections? Attack tools like Evilgrade are the reason. Unlike company networks, public networks at hotels and cafes — particularly open-access ones — aren’t secure, which makes them perfect for setting up any of the above attacks.

Vulnerable applications

Surprisingly, a way to defeat attacks like Evilgrade’s already exists: digital signatures. Because the updater checks the vendor’s signature before installing anything, a redirected download carrying an attacker’s payload is rejected. Some companies already use signatures extensively. For example, if a Microsoft-based computer does not receive the correct digital signature with an update, a window similar to the following slide will pop up.
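As an added illustration (not code from this post, from Microsoft, or from Evilgrade), here is the check a signature-aware updater makes, written in Go with its standard-library Ed25519: the vendor’s public key is pinned in the installed program, and the update is verified before anything runs. The Update struct, the key names and the installer bytes are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Update is what an auto-updater fetches from what it believes is the vendor; on hotel Wi-Fi an
// attacker who redirects traffic (DNS, ARP, DHCP) controls every byte of it.
type Update struct {
	Version   string
	Payload   []byte // installer bytes
	Signature []byte // vendor signature over digest(Version, Payload)
}

// digest binds the version string to the installer so neither can be swapped independently.
func digest(version string, payload []byte) []byte {
	h := sha256.New()
	h.Write([]byte(version))
	h.Write([]byte{0}) // separator so "1"+"0abc" and "10"+"abc" hash differently
	h.Write(payload)
	return h.Sum(nil)
}

// VerifyUpdate is the check a signature-aware updater runs before installing anything.
// vendorKey is pinned in the installed program; a redirected download cannot supply its own.
func VerifyUpdate(vendorKey ed25519.PublicKey, u Update) bool {
	return ed25519.Verify(vendorKey, digest(u.Version, u.Payload), u.Signature)
}

// SignUpdate stands in for the vendor's release pipeline (constructed for this demo).
func SignUpdate(vendorPriv ed25519.PrivateKey, version string, payload []byte) Update {
	return Update{version, payload, ed25519.Sign(vendorPriv, digest(version, payload))}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := SignUpdate(priv, "7.0.1", []byte("constructed vendor installer bytes"))
	fmt.Println("genuine:", VerifyUpdate(pub, genuine)) // true

	// Evilgrade-style substitution: vendor's version and signature, attacker's installer.
	tampered := genuine
	tampered.Payload = []byte("constructed attacker installer bytes")
	fmt.Println("tampered:", VerifyUpdate(pub, tampered)) // false

	// Attacker signs with a key of their own; rejected because the client trusts only pub.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("forged:", VerifyUpdate(pub, SignUpdate(attackerPriv, "7.0.1", tampered.Payload))) // false
}
```

An updater without such a check, which simply downloads and runs whatever the "update server" returns, is exactly what the applications listed below have in common.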

Unfortunately, not all app developers integrate digital signatures. And just our luck, the bad guys know which they are. Notice that TeamViewer is on the list:

  • iTunes
  • Java
  • Opera
  • QuickTime
  • Safari
  • Skype
  • TeamViewer
  • VMware
  • Winamp

If curious, the Readme.txt for Evilgrade has a more comprehensive list of vulnerable applications. Amato also created a YouTube video demonstrating how Evilgrade works.

What to do?

About a year ago, Brian came up with his “Three Basic Rules for Online Safety.” It might be a good time to review the first rule: if you didn’t go looking for it, don’t install it! Brian explains:

“If you must update while on the road, make sure that you initiate the update process. Avoid clicking pop-up prompts or anything that looks like it was launched from an auto-updater. When in doubt, always update from the vendor’s website.”

Final thoughts

I got lucky this time. I still need to thoroughly scan the vice president’s notebook — even though he didn’t allow the update. The notebook was under attack, and the second wave might have been Evilgrade.