LAS VEGAS, Aug. 3, 2009

Using Software Updates to Spread Malware

More Than 100 Applications Vulnerable When Updating via Wi-Fi

    Itzik Kotler, left, and Tomer Bitton of Radware  (Elinor Mills/CNET News)

(CBS)  By CNET Staff Writer Elinor Mills
Two researchers from Israeli security firm Radware have figured out a way to trick computers into downloading malware, or to take over a computer, by hijacking the communications during the update process for Skype and other applications.

About 100 applications, many among the most popular on CNET's Download.com, can be targeted, said Itzik Kotler, team leader of Radware's security operations center, before his presentation here at the Defcon conference.

Kotler and colleague Tomer Bitton are releasing a tool called Ippon (which means "game over" in Judo) that enables the attack and offers a 3D view of potential victims on a network.

With the tool, an attacker can scan a Wi-Fi network for computers checking for new updates via HTTP (Hypertext Transfer Protocol). If it detects a computer sending a software update request, the tool replies before the app update server can respond, Kotler said.

Ippon customizes messages for the particular application and sends a message indicating that there is an update available even when the system already has the most recent legitimate update, he said. A malicious file is then downloaded from the attacker's server onto the victim's computer.

The researchers said they had not tested whether Firefox or other major browsers are vulnerable. Microsoft software is not vulnerable because it uses digital signatures in its update process, which all software updates should, Kotler said. People should be careful when using public Wi-Fi networks and avoid doing software updates on them, he said.

"You have to assume when on a public infrastructure that the infrastructure can be attacked," he added.

There is also the possibility that someone could spread an "airborne virus" via software updates that uses victim machines to attack and infect other machines on a network, according to Kotler.
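The signed-update check Kotler recommends, as an added example (not code from Radware, Ippon or any vendor's updater): the updater acts on an "update available" reply only if the manifest carries a valid vendor signature, names a strictly newer version, and the downloaded file matches the signed hash. Textbook RSA over a constructed demo key stands in for a vetted signature library so the block runs on the standard library alone; the manifest fields and function names are assumptions.

```python
import hashlib
import json

# Constructed demo key built from two Mersenne primes: the RSA arithmetic is
# real, but the factors are public, so this key is for illustration only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q                                  # public modulus shipped with the app
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent, vendor side only
K = (N.bit_length() + 7) // 8              # modulus length in bytes
# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2)
PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def _encode(message: bytes) -> int:
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo || SHA-256(message)."""
    t = PREFIX + hashlib.sha256(message).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t, "big")

def vendor_sign(manifest: str) -> int:
    """Build-server step (assumed): sign the exact manifest bytes."""
    return pow(_encode(manifest.encode()), D, N)

def signature_ok(manifest: str, sig) -> bool:
    """Updater step: needs only the public key (N, E)."""
    if not isinstance(sig, int) or not 0 < sig < N:
        return False
    # Compare against the full expected encoding instead of parsing the padding.
    return pow(sig, E, N) == _encode(manifest.encode())

def _ver(s: str) -> tuple:
    return tuple(int(part) for part in s.split("."))

def check_for_update(response: dict, installed: str):
    """Return (url, sha256) only for a validly signed, strictly newer release."""
    manifest = response.get("manifest", "")
    if not signature_ok(manifest, response.get("signature")):
        return None                        # injected or altered reply
    info = json.loads(manifest)
    if _ver(info["version"]) <= _ver(installed):
        return None                        # replayed old manifest (downgrade)
    return info["url"], info["sha256"]

def payload_ok(blob: bytes, expected_sha256: str) -> bool:
    """After download: the file must match the hash inside the signed manifest."""
    return hashlib.sha256(blob).hexdigest() == expected_sha256
```

Because the signature covers the download URL and the file hash, the update can still travel over plain HTTP on an untrusted network; a reply that arrives first but lacks the vendor's signature is simply dropped.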

Copyright ©2008 CNET Networks, Inc., a CBS Company. All rights reserved.
by cameraphone August 4, 2009 3:57 PM EDT
The article implies that the 2 who discovered the security flaw are introducing software tools that allow others to exploit this breach, not so that security experts can patch it.

Otherwise I agree with most of those here who say that you should always be wired :)
by raskal_2 August 4, 2009 11:46 AM EDT
This vulnerability is known and beaten (i.e., Microsoft). Anytime you open com channels like 21, 23 or 80 you can be attacked. And anything can be hacked. Those that fall victim are stupid because they have no imagination. I make a living reaming idiots who pay me to do so. Try studying the Unicorn Analogy for personal computing protection.
by Wookiee-1138 August 3, 2009 7:51 PM EDT
What of the security certificates? Is the bad stuff piggybacking on legitimate signed updates?
by vuenbelvue August 3, 2009 7:13 PM EDT
Defcon Conference - is the world's longest running and largest underground hacking conference. ... DEFCON 2009 CTF is officially underway!
These two people and others at the conference are like the Muslim opium traffickers who spread heroin and the blight it causes on law abiding citizens throughout the world. Why aren't they being arrested upon their return to Israel? They're proud to have found a method of hacking into personal computers and causing harm to innocent people?
by transmogrify August 3, 2009 7:50 PM EDT
@vuenbelvue

Apparently this went right over your head. The purpose was to make others aware of this security vulnerability so that it can hopefully be fixed in the applications affected by it. The term "hacker" has a lot of bad stigma surrounding it, but you should be aware that there are many hackers out there that provide a great service to the rest of the world without any malicious intentions.
by layali2010 August 4, 2009 2:13 AM EDT
Excuse me sir, it is not Muslims who spread heroin, Islam is the most peaceful religion in the world. Even though, if some Muslims behaved badly you can not judge the whole Muslim society through them as this is called stereotyping. One more thing, why don't you refer to the Israelis who are committing all these massacre to the Palestinians as terrorists, it is these people who are spreading heroin not the people who are protecting their lands.
by rf35 August 4, 2009 4:39 AM EDT
Layali2010,
Could you please explain that to the @ssholes who keep launching mortar rounds at me? I don't think they got the memo. Your religion of peace is trying to blow me to pieces.
by sightpoint August 3, 2009 7:11 PM EDT
I wish I had an option. I have dial up and Wi-Fi. That's it, oh yeah... smoke signals and flare guns. Other than that I'm hit! Not everybody is stupid: some have no choice.
by barbaram99 August 3, 2009 5:37 PM EDT
I do have an old notebook and I have it wired. I bought along network cable to take to the table in another room. I don't have wireless network. We learn by using common sense. I take my notebook with me but if I wish to look something up I do it at home wired.
by John_Merritt August 3, 2009 5:53 PM EDT
And that's safe? Don't think so.
by zonkzilla August 3, 2009 4:20 PM EDT
WiFi is the most vulnerable thing in the universe. It can be tapped into by almost anybody.
When will people learn?
The American Sheeple.
by Samuel-HiLL August 3, 2009 5:29 PM EDT
I hope never. I make a living undoing what the sheeple screw up. I don't think I have to worry.
by ToolMangler1 August 3, 2009 5:35 PM EDT
You have to use internet rubbers if you don't want to be infected.