Monday, March 25th 2019

Hackers Get to ASUS Live Update Servers, Plant Malware in Thousands of Computers

In a chilling reminder of just why system software should always be updated manually and never automatically, Vice Motherboard, citing Kaspersky Labs, reports that hackers have compromised the ASUS Live Update servers, making them push malware to thousands of computers configured to fetch and install updates automatically. These include not just PC motherboards, but also ASUS pre-builts such as notebooks and desktops. Smartphones and IoT devices by ASUS are also affected. The hackers used valid ASUS digital certificates to pass their malware off as legitimate software updates from ASUS.

Kaspersky Labs says that as many as half a million devices have fallen prey to malware pushed to them by ASUS. The cybersecurity firm says it discovered the malware in January 2019 while implementing a new supply-chain detection technology, and informed ASUS by late January. Kaspersky even sent a technically sound representative to meet with ASUS in February. Kaspersky claims that ASUS has been "largely unresponsive since then and has not notified ASUS customers about the issue." ASUS is already drowning in bad rep from the PC enthusiast community for its Armoury Crate feature, which lets the motherboard BIOS push software to a Windows installation through an ACPI table dubbed "the vendor's rootkit," and which ASUS enabled by default on new motherboards. Who knows what recent motherboard BIOS updates have pushed into your PC through this method.
Source: Vice Motherboard

43 Comments on Hackers Get to ASUS Live Update Servers, Plant Malware in Thousands of Computers

#2
eidairaman1
The Exiled Airman
Exact reason Auto updates are atrocious

I never used such software and never will
Posted on Reply
#3
Super XP
eidairaman1 said:
Exact reason Auto updates are atrocious

I never used such software and never will
People rely on auto updates or they would never update anything on their PC. lol
Posted on Reply
#4
Crackong
Hope they fix this issue before x570 motherboards, otherwise I might have to consider other brands.
Posted on Reply
#5
eidairaman1
The Exiled Airman
Crackong said:
Hope they fix this issue before x570 motherboards, otherwise I might have to consider other brands.
Others can be affected...

Simple, don't use that crap.
Posted on Reply
#6
FreedomEclipse
~Technological Technocrat~
eidairaman1 said:
Exact reason Auto updates are atrocious

I never used such software and never will
But how about operating systems?
Posted on Reply
#7
moproblems99
The real disgusting part of this is that they continued to use the compromised signing cert for at least a month after being notified. Not only that, the other certs haven't been revoked yet...

This one was also part of a broader attack which is quite interesting because they already knew the MAC addresses for their targets and had a second stage that was triggered if you were one of their targets. Also not the first time ASUS was popped and didn't tell anyone. They were sued by the FTC for having crap software riddled with vulnerabilities that they knew about for over a year before doing anything.
Posted on Reply
#8
Apocalypsee
eidairaman1 said:
Exact reason Auto updates are atrocious

I never used such software and never will
Same here. Never believed in such things ESPECIALLY BIOS updates. And I haven't used ASUS hardware since 2014 (last was Maximus VII Ranger)
Posted on Reply
#9
TesterAnon
And this is why you don't use OEM bloatware in your PC.
Posted on Reply
#10
R-T-B
eidairaman1 said:
Exact reason Auto updates are atrocious

I never used such software and never will
Auto updates are actually a pretty good idea and CAN be made to be safe. Issues like we see here can be rectified by signing updates, usually. And actually controlling access to the private keys, naturally.

I'm guessing ASUS had an unsigned distribution server. Incredibly negligent. And why opaque systems like this are bad.

My earlier comments trying to exonerate ASUS here did not fully comprehend the situation. This is downright stupid but then that's kind of what I expect from ASUS when it comes to mobo drivers/software.

EDIT:

moproblems99 said:
The real disgusting part of this is that they continued to use the compromised signing cert for at least a month after being notified. Not only that, the other certs haven't been revoked yet...
Oh good god. It's not even unsigned, but they were notified and just did nothing to prevent imminent catastrophe?

Even when it was as simple as revoking a cert DIGITALLY? LIKE THEY DID NOT EVEN HAVE TO LEAVE THE OFFICE?

That's even worse than being stupid. That's like being smart enough to know better, but too lazy to care and don't want to type the command to fix everything because you just ate 20 king size butterfinger candy bars and are in a food coma and then when you wake up a month later still doing nothing because you don't want to stain the neato custom ivory keyboard something-or-another you spent all your customers' cash on with your lazyass chocolate stained fingers.

For god sakes ASUS, WTF!
Posted on Reply
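The point argued in comments #7 and #10, that signing only protects an update channel while the signing key is controlled and a compromised key is revoked, shown as an added example that is not part of any post and is not ASUS code. It assumes Ed25519 keys and a fingerprint deny-list standing in for X.509 code-signing certificates and their revocation lists; every name and the payload are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// keyID is the hex SHA-256 fingerprint of a signing key (hypothetical helper).
func keyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// VerifyUpdate accepts an update only if the signer is trusted, is not on the
// revocation list, and the signature over the payload is valid.
func VerifyUpdate(pub ed25519.PublicKey, payload, sig []byte, trusted, revoked map[string]bool) error {
	id := keyID(pub)
	if !trusted[id] {
		return errors.New("signer not trusted")
	}
	if revoked[id] {
		return errors.New("signer key revoked")
	}
	if !ed25519.Verify(pub, payload, sig) {
		return errors.New("bad signature")
	}
	return nil
}

// Demo signs a constructed payload with a vendor key that an intruder has
// copied, and returns the verdict before and after the vendor revokes it.
func Demo() (before, after error) {
	pub, stolenPriv, _ := ed25519.GenerateKey(nil)
	payload := []byte("constructed trojanized update")
	sig := ed25519.Sign(stolenPriv, payload)
	trusted := map[string]bool{keyID(pub): true}
	revoked := map[string]bool{}
	before = VerifyUpdate(pub, payload, sig, trusted, revoked)
	revoked[keyID(pub)] = true // vendor revokes the compromised key
	after = VerifyUpdate(pub, payload, sig, trusted, revoked)
	return before, after
}

func main() {
	before, after := Demo()
	fmt.Println("before revocation:", before, "| after revocation:", after)
}
```

Until the revocation entry exists, the trojanized payload is indistinguishable from a genuine update to the client, which is why the month of continued use described in comment #7 matters.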
#11
metalfiber
Kaspersky is most likely the hacker and the cure. They've needed something to get back on their feet since the U.S. government has labeled Kaspersky a national security risk.
Posted on Reply
#12
ShurikN
Another thing to put on my "NEVER BUY ASUS" list. Makes looking for components so much easier...
Posted on Reply
#13
Bones
One reason why my newest build won't have an Asus board in it - That and the very fact they've been slipping as of late with things like underperforming boards and other assorted issues.

Up until now I've always preferred Asus but with the recent stuff and now this too, can't really say they are a preference for new builds to me anymore.
Posted on Reply
#14
the54thvoid
It'd be good to know what boards are affected and if you can find out what was done. I used the windows Asus AI suite updater (call it auto) after a few miserable failed USB BIOS flashes. The windows version ran well. It's not quite so simple as saying 'auto updates are idiotic'. Bearing in mind, the BIOS you download from the site may also be hacked and contain hidden code. This is an ASUS issue - not an auto update issue.

There is one question - how does Kaspersky know half a million infected PCs if ASUS are being quiet?
Posted on Reply
#15
Xzibit
the54thvoid said:
It'd be good to know what boards are affected and if you can find out what was done. I used the windows Asus AI suite updater (call it auto) after a few miserable failed USB BIOS flashes. The windows version ran well. It's not quite so simple as saying 'auto updates are idiotic'. Bearing in mind, the BIOS you download from the site may also be hacked and contain hidden code. This is an ASUS issue - not an auto update issue.

There is one question - how does Kaspersky know half a million infected PCs if ASUS are being quiet?
Don't AVs in general send info (statistics home) whether you give them permission or not every time they call home to check for an update?
Posted on Reply
#16
turbogear
In my experience ASUS autoupdate tool never works on motherboards.
I have been using a few ROG generations of motherboards but autoupdate for me was often broken.

I usually do manual update of drivers and bios.

Now I am also happy that ASUS Grid stopped working on my Crosshair VII a year ago.

What I am concerned about is if it could be that the updates that you download from their website are also infected? :confused:

I have ZoneAlarm extreme security installed, but I have not seen any message from it while manually updating drivers.
Posted on Reply
#17
kastriot
Nice job hackers, Asus you suck big time.
Posted on Reply
#18
BorgOvermind
And of course Kaspersky had to report it. Many of the others are way into the spy program to say anything. Just like it happened with Intel and Seagate spy programs.

@the54thvoid - most AV solutions today have also a centralized (cloud) defense center from where you can get live data about threats and be protected faster in case of new attacks. Kaspersky also has this option (which last time I checked you had to explicitly enable it, it was not on by default, although many already use their alternatives active by default).

As for ASUS, my main problem with them has always been over-pricing for nothing, so I passed paying for a brand which in time proved to be of lower and lower quality over the years. No offense to any RoG notebook owners.
Posted on Reply
#19
the54thvoid
Perhaps there was no hack. Imagine if Asus actually had files in the BIOS that were for their own purposes.... Tin foil hat time.
Posted on Reply
#20
Abaidor
Whenever you see "Asus" & "Software" in the same sentence prepare yourself for an adventure. I have been an Asus customer for more than 15 years owning over 20 motherboards and graphics cards. I am not complaining about their hardware but damn their software team (if there is a proper team) must be either underfunded or lacking knowledge at a very high degree...

My latest experience is about a Rampage VI Extreme that is advertised with a huge list of features that unfortunately many of them depend on software in order to work. As a result features such as Windows Fan Control (AI Suite & Fan Expert) along with the heavily promoted Aura Sync are a mess. A big freaking mess!!

The board is fine and really stable but after paying a premium for it one would expect ALL features to work but this is not the case. I decided to only use one piece of software AURA and even this is not working properly and lacks features. And of course Asus does not seem to care.

I am very glad I never installed any of their other utilities or Autoupdate Junk and will think twice before getting an Asus board in an upcoming pure gaming build with 9900K.
Posted on Reply
#21
the54thvoid
Abaidor said:
Whenever you see "Asus" & "Software" in the same sentence prepare yourself for an adventure. I have been an Asus customer for more than 15 years owning over 20 motherboards and graphics cards. I am not complaining about their hardware but damn their software team (if there is a proper team) must be either underfunded or lacking knowledge at a very high degree...

My latest experience is about a Rampage VI Extreme that is advertised with a huge list of features that unfortunately many of them depend on software in order to work. As a result features such as Windows Fan Control (AI Suite & Fan Expert) along with the heavily promoted Aura Sync are a mess. A big freaking mess!!

The board is fine and really stable but after paying a premium for it one would expect ALL features to work but this is not the case. I decided to only use one piece of software AURA and even this is not working properly and lacks features. And of course Asus does not seem to care.

I am very glad I never installed any of their other utilities or Autoupdate Junk and will think twice before getting an Asus board in an upcoming pure gaming build with 9900K.
Oh yeah, Asus fan control software is horrendously sensitive to Windows updates.. PITA.

edit: the following article has more info, including a link to check if you're infected. Apparently.
https://www.theregister.co.uk/2019/03/25/asus_software_update_utility_backdoor/
Posted on Reply
#22
Dexiefy
Lost respect for Asus some time ago.
They were first to proudly bend over for nvidia GPP along with MSI, their hardware is performing below/on par with competition but with higher price tag. Their motherboards seem to be about looks nowadays rather than high quality.
Speaking of quality, their low/midrange lineups of hardware leave MUCH to be desired...

And now this...

Guess my Ryzen 3000 upgrade scheduled for next year is gonna be based on Asrock
Posted on Reply
#23
moproblems99
the54thvoid said:
There is one question - how does Kaspersky know half a million infected PCs if ASUS are being quiet?
It really is a guesstimation. They know they had 57,000 clients that had the infection and they likely know how many clients have ASUS mobos so it was a simple extrapolation. Symantec reported 13,000 of their clients had it.

What I find the most interesting is that the attackers already knew the MAC addresses they were targeting. I would surmise that they retrieved those from the previous ASUS hack they did.
Posted on Reply
#24
RH92
Dexiefy said:
Guess my Ryzen 3000 upgrade scheduled for next year is gonna be based on Asrock
As far as AM4 goes Asrock has good hardware but their bios is a big joke: missing bios options, abysmal ram oc/support, bios updates take ages even for simple bugs and break more things than they do fix, moved from Fatality AB350 itx to Strix B450-i for this exact reason and I can tell you for sure that ASUS are miles ahead in terms of OC features, relevant bios updates etc etc. If for some reason you don't want to go with ASUS I would advise you to go with MSI especially now that they have implemented offset voltage, don't make the Asrock mistake!
Posted on Reply