Fake windows update

19

1

I heard that hackers can make you download their malicious software by telling you that they are an update of the operating system through Windows Update. Is it true? If yes, how can I protect myself?

user3787755

Posted 2014-08-15T10:18:12.327

Reputation: 229

9 You heard wrong; Windows updates are signed. – Ramhound – 2014-08-15T10:34:05.757

5 If you're really paranoid you can change your settings so that updates are not automatically downloaded (set to either "notify only" or "do nothing"), then manually go to "Windows Update" to load/install the changes. This assures that they come from Microsoft. – Daniel R Hicks – 2014-08-15T11:52:35.517

1 On a related note, malware has been known to hide behind trusted software to get past UAC prompts. For example, ZeroAccess would attach itself to an Adobe Flash Player installer so that the UAC prompt would look legitimate and you'd be like, "Oh it's just Flash updating again..." and click through. – indiv – 2014-08-15T23:23:37.627

Anecdotal, but didn't Barnaby Jack demonstrate this some years ago? It was mentioned by Mudge in his Defcon talk last year - https://www.youtube.com/watch?v=TSR-b9y (starting around the 35 minute mark) – JMK – 2014-08-16T07:16:44.107

Answers

31

It is nearly impossible for an ordinary hacker to send you something through the Windows Update system.

What you heard is different though. It's spyware that looks like it's Windows Update and tells you to install it. If you then click install, a UAC prompt pops up asking for administrative privileges. If you accept that, it can install spyware. Do note that Windows Update will NEVER require you to pass a UAC elevation test. This is not required as the Windows Update service runs as SYSTEM, which has the highest privileges. The only prompt you'll get during Windows Update installations is approving a license agreement.

EDIT: made changes to the post because the government may be able to pull this off, but I doubt that, as a normal citizen, you can protect yourself against the government anyway.

LPChip

Posted 2014-08-15T10:18:12.327

Reputation: 42 190

50 Really, "impossible"? Can we instead go with something more along the lines of "highly-highly unlikely/improbable"? – root – 2014-08-15T11:23:05.927

11 @root I suppose if they faked WSUS and altered Windows Update in such a way (which of course DOES require administrative privileges, which they want to get anyway) Windows Update could get a Windows update that is malicious. I haven't heard of any infection spread through this method though, and I doubt they would go this way, because if they get administrative privileges they can just infect the machine with spyware the way they intend to do. – LPChip – 2014-08-15T13:00:12.757

7 They used to do this all the time in XP. All you really have to do is modify the hosts file to redirect a request to a malicious website. – ps2goat – 2014-08-15T15:16:32.933

3 Isn't that what Flame did? – sch – 2014-08-15T21:31:45.343

3 Yes, the updates are signed, but collisions have been found and used in the wild. But unless your adversary is a nation state, you don't have anything to worry about. – toasted_flakes – 2014-08-15T22:05:59.763

9 -1 because this answer is untrue. Even though it's very, very unlikely and @LPChip himself can't imagine it ever happening, it has happened in real life. – slebetman – 2014-08-16T03:41:30.327

It may be very hard, but certainly not impossible. It could even be easy for a hacker inside Microsoft. – Volker Siegel – 2014-08-16T13:49:37.267

There's no historical evidence yet as far as I know, but from what was leaked about the capabilities of various three-letter agencies, we should expect that they are able to distribute backdoors/rootkits that are signed with the appropriate Windows Update keys obtained directly from Microsoft. This would pass all the checks in the same way as the ordinary Windows updates. – Peteris – 2014-08-16T15:03:33.407

3 Based on all comments, I've adjusted the post. Hope you all can sleep well again. – LPChip – 2014-08-16T15:17:09.263

8

Yes, it's true.

The Flame malware attacked users via a flaw in the Windows updating process. Its creators found a security hole in the Windows updating system that allowed them to fool victims into thinking that their patch, which contains malware, is an authentic Windows update.

What could the targets of the malware do to defend themselves? Not much. Flame went years being undetected.

However, Microsoft has now patched the security hole that allowed Flame to hide itself as a Windows update. That means hackers have either to find a new security hole, bribe Microsoft to give them the ability to sign updates, or simply steal the signing key from Microsoft.

An attacker additionally has to be in a position in the network to run a man-in-the-middle attack.

That means in practice this is only an issue that you have to worry about if you think about defending against nation state attackers like the NSA.

Christian

Posted 2014-08-15T10:18:12.327

Reputation: 1 750

This answer has not been proven. It was NOT signed by Microsoft; it was signed by a certificate, because the certificate that was used had the same signature. – Ramhound – 2014-08-16T17:11:00.090

1 @Ramhound: I don't claim in this answer that it was signed by Microsoft. I claim that it got a signature that made it look like it was signed by Microsoft due to a security hole. They had a 0-day that Microsoft later patched. – Christian – 2014-08-16T17:21:29.827

2 It was never distributed by Windows Update though. – Ramhound – 2014-08-16T18:28:26.697

@Ramhound: I changed that sentence; are you happy with the new version? – Christian – 2014-08-16T20:17:36.527

2

Only ever use the Windows Update control panel to update Windows software. Never click through on any site you cannot fully trust.

Tetsujin

Posted 2014-08-15T10:18:12.327

Reputation: 22 456

Thanks for your suggestion. I heard that it is possible for hackers to mask their malicious software as an official update of Windows and make Windows Update tell you that you have to download it. Is it true? – user3787755 – 2014-08-15T10:27:56.997

3 Sounds like FUD to me - they'd not only have to get that malicious software onto Microsoft's servers, they'd have to manage to construct a KB article describing it... all without MS noticing. – Tetsujin – 2014-08-15T10:36:37.617

4 IF they stole the keys, then hijacked your DNS servers... then it could be done. Still very unlikely. – D Schlachter – 2014-08-15T14:22:01.230

2 @DSchlachter that is well within the capabilities of most industrialized nations' spy corps. – Snowbody – 2014-08-16T05:22:21.117

2

Many of the answers have correctly pointed out that a flaw in the Windows Update process was used by the Flame malware, but some of the important details have been generalized.

This post on the Microsoft TechNet 'Security Research and Defense Blog', titled 'Flame malware collision attack explained', says:

... by default the attacker’s certificate would not work on Windows Vista or more recent versions of Windows. They had to perform a collision attack to forge a certificate that would be valid for code signing on Windows Vista or more recent versions of Windows. On systems that pre-date Windows Vista, an attack is possible without an MD5 hash collision.

"MD5 Collision Attack" = Highly technical cryptographic wizardry - that I certainly don't pretend to understand.

When Flame was discovered and publicly disclosed by Kaspersky on May 28th, 2012, researchers found that it had been operating in the wild since at least March 2010, with the code base under development from 2007. Although Flame had several other vectors of infection, the bottom line is that this one vulnerability existed for several years before being discovered and patched.

But Flame was a "Nation State" level operation, and as already pointed out - there is very little an ordinary user can do to protect themselves from three letter agencies.

Evilgrade

Evilgrade is a modular framework that allows the user to take advantage of poor upgrade implementations by injecting fake updates. It comes with pre-made binaries (agents), a working default configuration for fast pentests, and has its own WebServer and DNSServer modules. It is easy to set up new settings, and it has an autoconfiguration when new binary agents are set.

The project is hosted on Github. It is free and open source.

To quote the intended usage:

This framework comes into play when the attacker is able to make hostname redirections (manipulation of victim's dns traffic)...

Translation: potentially anyone on the same (LAN) network as you or someone who can manipulate your DNS... still using the default user name and pass on your linksys router...?

Currently it has 63 different "modules" or potential software updates it attacks, with names like itunes, vmware, virtualbox, skype, notepad++, ccleaner, Teamviewer, etc. I should add that all of these vulns were patched by their respective vendors and none are for "current" versions, but hey - who does updates anyway...

Demonstration in this video

bob

Posted 2014-08-15T10:18:12.327

Reputation: 171
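As an added example, not taken from any of the answers above: a PowerShell check a defender can run on a file that claims to be a Windows update, tying together LPChip's point that genuine updates are signed and bob's point about the MD5-signed certificate chain that Flame's collision attack relied on. The file path is a placeholder, and the subject-name match on the root CA is an assumption used as a coarse stand-in for pinning a known root thumbprint.

```powershell
# Added example (not from the original answers): check whether a downloaded file
# that claims to be a Windows update carries a valid Authenticode signature that
# chains to a Microsoft root, and refuse any chain that contains an MD5-signed
# certificate, the weakness Flame's collision attack relied on.
function Test-UpdateSignature {
    param([Parameter(Mandatory)][string]$Path)

    function Result([bool]$Trusted, [string]$Reason) {
        [pscustomobject]@{ Path = $Path; Trusted = $Trusted; Reason = $Reason }
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        return (Result $false "Signature status $($sig.Status): $($sig.StatusMessage)")
    }

    # Rebuild the chain ourselves so every certificate in it can be inspected,
    # with online revocation checking enabled.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    if (-not $chain.Build($sig.SignerCertificate)) {
        $why = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        return (Result $false "Chain did not build: $why")
    }

    # Reject any certificate whose own signature uses MD5 (FriendlyName such as md5RSA).
    foreach ($el in $chain.ChainElements) {
        if ($el.Certificate.SignatureAlgorithm.FriendlyName -match 'md5') {
            return (Result $false "MD5-signed certificate in chain: $($el.Certificate.Subject)")
        }
    }

    # Assumption: a subject-name match on the root is a coarse check; pinning the
    # thumbprint of the expected Microsoft root (not included here) is stronger.
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($root.Subject -notmatch 'Microsoft') {
        return (Result $false "Root CA is not a Microsoft root: $($root.Subject)")
    }

    Result $true "Signed by $($sig.SignerCertificate.Subject); root $($root.Subject)"
}

# Placeholder path: point this at the file you actually downloaded.
Test-UpdateSignature -Path 'C:\Downloads\claimed-windows-update.msu' | Format-List
```

A file that fails this check, or that raises a UAC elevation prompt when run, is not a Windows update whatever its name says.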