Hackers used ASUS update software to add back doors to PCs worldwide (Updated)

Updated March 26, 2019: ASUS has now released an updated version (opens in new tab) of the Live Update tool that patches the ShadowHammer vulnerability. The company also says it has "introduced multiple security verification mechanisms to prevent any malicious manipulation in the form of software updates or other means." The company has also released a tool (opens in new tab) that can diagnose whether your PC is affected.

ASUS's Live Update utility was compromised by hackers to install malware on PCs, according to a new report from security firm Kaspersky Labs (opens in new tab) (via Motherboard). The attack, which has been given the name "ShadowHammer," created a back door in the update software, allowing hackers to install malware on machines that had downloaded the compromised utility.

According to Kaspersky Labs, the attack targeted around 600 systems, with the devices' MAC addresses being hardcoded into the malware. That said, Kaspersky has identified 57,000 of its own customers have installed the compromised ASUS Live Update utility, and the full breadth of people that have downloaded it could be upwards of one million, according to the firm's estimates.

"The trojanized utility was signed with a legitimate certificate and was hosted on the official ASUS server dedicated to updates, and that allowed it to stay undetected for a long time," Kaspersky Labs said in a blog post. "The criminals even made sure the file size of the malicious utility stayed the same as that of the original one."

If installed on one of the pesently identified 600 target machines, the back door is then used to install malware on the affected device. If a machine is not among the targets, it simply does nothing, but the back door remains, potentially allowing attackers to compromise PCs further.

Kaspersky Labs says that it has found the same techniques were used "against software from three other vendors." The firm says that it has notified ASUS and the other unnamed companies about the attack, but investigations are still ongoing.

Symantec also confirmed the attack to Motherboard, noting that it identified 13,000 of its own customers who had been affected.

ASUS Live Update is used by the company to ensure users receive BIOS and driver updates, among other things. Though ASUS was alerted of the compromised software in January, a Kaspersky employee who met with ASUS in February told Motherboard that the company has been "largely unresponsive since then and has not notified ASUS customers about the issue."

Dan Thorp-Lancaster is the former Editor-in-Chief of Windows Central. He began working with Windows Central, Android Central, and iMore as a news writer in 2014 and is obsessed with tech of all sorts. You can follow Dan on Twitter @DthorpL and Instagram @heyitsdtl

  • WTF in 2019 why does Asus even have a separate update system? I used to love their hardware.
  • These custom update services some manufacturers put out are the first things I delete when setting up a new system. As far as I'm concerned it's just more bloatware.
  • You have to consider that some/most people don't know what or care what a software driver is, so this is the way these companies get these people to update their systems.
  • That stuff should all go through Windows Update. Why would we need do to anything through a vendor-specific update system, let alone manually?
  • Exactly. All updates, including the one from OEM manufacturer and device drivers, should use Windows Update and nothing else.
  • Windows Update won't update the BIOS because it has nothing to do with it.
  • It updates BIOS on Surface devices
  • Well yeah, because they are manufactured by Microsoft.
  • Actually it's a requirement for all those driver and firmware updates to go through Windows Update. Some OEM's just don't listen.
  • what's the point if even MS screwed up their own Windows updates
  • All software has its issues. Even the infallible Apple has failed to release stable updates to iOS and macOS. Overall, Microsoft's track record with Windows 10 is solid.
  • Windows update does the bare minimum. HP Support Assistant for example, pulls the most current drivers for your hardware. Drivers you would never receive via Windows Update for some reason. Some of these being critical bios updates. Which I've always found odd. You'd think WU would be the goto
  • That's because it is up to the OEM, and most still elect to use their own update tools despite Microsoft's requests. LG fully supports Windows Update and it's glorious.
  • This is why I never install that kind of software.
    Not any vendor software of any kind as it's never supported properly.
    (I'm looking at YOU NVIDIA with your GeForce Experience!)
    The only auto-update software I ever put in is from Intel (and that is because I am lazy.)
    Everything else; Bios, drivers, etc. you should handle yourself.
    With most drivers, you can take a "if it ain't broke, don't fix it" attitude.
  • Another reason not to use OEM junk.
  • This is why all grandmas need Windows 10 in S Mode.
  • Grandmas need a phone. We tried for years to get my (then 80ish) mother in law to use a Windows laptop. No way. Then we tried a Mac laptop. No way. Now they both have iPhones. She is now 90, he is 75 or so. Both text us, we send them photos, and he now knows how to lookup "how-to" videos on youtube for whatever project he is working on this month. These people have no idea how to administer a Windows PC. Nor should they, considering their usage. A phone is all they need.
  • In this case, the malware was signed and hosted on Asus' own servers. S mode wouldn't have helped if asus cannot protect their own servers. I suppose the malware couldn't install more malware if on S mode...
  • Good thing I don't use OEM bloatware. First thing I do with new PCs is a clean install with no bloatware. Good riddance to bad rubbish.
  • That’s what you get for buying a Chinese “huawei” laptop... wait ... you said they all are Chinese laptops?