Hackers used ASUS update software to add back doors to PCs worldwide (Updated)

Updated March 26, 2019: ASUS has now released an updated version of the Live Update tool that patches the ShadowHammer vulnerability. The company also says it has "introduced multiple security verification mechanisms to prevent any malicious manipulation in the form of software updates or other means." The company has also released a tool that can diagnose whether your PC is affected.

ASUS's Live Update utility was compromised by hackers to install malware on PCs, according to a new report from security firm Kaspersky Labs (via Motherboard). The attack, which has been given the name "ShadowHammer," created a back door in the update software, allowing hackers to install malware on machines that had downloaded the compromised utility.

According to Kaspersky Labs, the attack targeted around 600 systems, with the devices' MAC addresses being hardcoded into the malware. That said, Kaspersky has identified 57,000 of its own customers who have installed the compromised ASUS Live Update utility, and the total number of people who have downloaded it could be upwards of one million, according to the firm's estimates.

"The trojanized utility was signed with a legitimate certificate and was hosted on the official ASUS server dedicated to updates, and that allowed it to stay undetected for a long time," Kaspersky Labs said in a blog post. "The criminals even made sure the file size of the malicious utility stayed the same as that of the original one."

If installed on one of the presently identified 600 target machines, the back door is then used to install malware on the affected device. If a machine is not among the targets, the back door simply does nothing, but it remains in place, potentially allowing attackers to compromise PCs further.

Kaspersky Labs says it has found that the same techniques were used "against software from three other vendors." The firm says that it has notified ASUS and the other unnamed companies about the attack, but investigations are still ongoing.

Symantec also confirmed the attack to Motherboard, noting that it identified 13,000 of its own customers who had been affected.

ASUS Live Update is used by the company to ensure users receive BIOS and driver updates, among other things. Though ASUS was alerted to the compromised software in January, a Kaspersky employee who met with ASUS in February told Motherboard that the company has been "largely unresponsive since then and has not notified ASUS customers about the issue."

Dan Thorp-Lancaster

Dan Thorp-Lancaster is the former Editor-in-Chief of Windows Central. He began working with Windows Central, Android Central, and iMore as a news writer in 2014 and is obsessed with tech of all sorts. You can follow Dan on Twitter @DthorpL and Instagram @heyitsdtl