“Evilgrade,” a toolkit that makes it simple for attackers to install malicious software by exploiting weaknesses in the auto-update feature of many popular software titles, recently received an upgrade of its own and is now capable of hijacking the update process of more than 60 legitimate programs.
Evilgrade’s creator, Francisco Amato of InfoByte Security Research, says that by targeting widely deployed programs that don’t properly implement digital signatures on their product updates, attackers can impersonate those companies and trick users into believing they are updating their software, when in reality the users may be downloading a package designed to compromise the security of their computer.
Software companies should include these signatures in all of their updates, so that a user’s computer can validate that the update was indeed sent by the vendor. For example, Microsoft signs all of its updates with a cryptographic key that only it knows, and Windows machines are configured to ignore any incoming software update alerts that are not signed with that key. But for whatever reason, many software vendors have overlooked this important security precaution, and have chosen not to sign their updates — or have implemented the signing verification process in a way that can be circumvented.
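To make the signing check the paragraph describes concrete, here is an added example in Go (not code from the post, from Amato, or from any of the vendors named): a constructed vendor key signs a small update manifest, and the client refuses to install anything the pinned vendor key did not sign. The names Manifest, SignManifest and VerifyUpdate are assumptions for this illustration, and the example goes slightly beyond the paragraph by also rejecting a replayed older-but-genuine package and a manifest signed with a key the client does not trust, two of the ways a nominally "signed" update process can still be circumvented.

```go
package main
import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)
// Manifest: new version, SHA-256 of the package, vendor's Ed25519 signature over both.
type Manifest struct {
	Version       uint64
	PayloadSHA256 [32]byte
	Signature     []byte
}
// signedBytes is the exact byte string that is signed: version || hash.
func signedBytes(version uint64, h [32]byte) []byte {
	b := make([]byte, 8, 8+32)
	binary.BigEndian.PutUint64(b, version)
	return append(b, h[:]...)
}
// SignManifest runs on the vendor's build system, which alone holds priv.
func SignManifest(priv ed25519.PrivateKey, version uint64, payload []byte) Manifest {
	h := sha256.Sum256(payload)
	return Manifest{version, h, ed25519.Sign(priv, signedBytes(version, h))}
}
// VerifyUpdate is the client-side check: vendorKey is pinned in the client,
// never fetched from the update server; installedVersion rejects a replayed,
// genuinely signed but older package. Install only when it returns nil.
func VerifyUpdate(vendorKey ed25519.PublicKey, installedVersion uint64, m Manifest, payload []byte) error {
	if !ed25519.Verify(vendorKey, signedBytes(m.Version, m.PayloadSHA256), m.Signature) {
		return errors.New("manifest not signed by the vendor key")
	}
	if m.Version <= installedVersion {
		return errors.New("replay or downgrade: version not newer than installed")
	}
	if sha256.Sum256(payload) != m.PayloadSHA256 {
		return errors.New("package bytes differ from what the vendor signed")
	}
	return nil
}
func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(nil) // constructed vendor key pair
	_, roguePriv, _ := ed25519.GenerateKey(nil)          // constructed attacker key pair
	good, bad := []byte("constructed vendor package"), []byte("constructed swapped package")
	m := SignManifest(vendorPriv, 23, good)
	fmt.Println("genuine:", VerifyUpdate(vendorPub, 22, m, good))  // <nil>
	fmt.Println("swapped:", VerifyUpdate(vendorPub, 22, m, bad))   // hash mismatch
	fmt.Println("replayed:", VerifyUpdate(vendorPub, 23, m, good)) // not newer
	fmt.Println("rogue key:", VerifyUpdate(vendorPub, 22, SignManifest(roguePriv, 24, bad), bad))
}
```

An updater whose public key ships with the client and whose manifest binds the version to the package hash leaves a network attacker nothing to substitute, which is the property the unsigned updaters above lack.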
Among the software products that Amato says Evilgrade can compromise are iTunes, Java, Skype, Winamp — even security applications like Superantispyware, Sunbelt, and Panda Antirootkit (a longer list of vulnerable apps is available in the documentation).
The video above shows how Evilgrade works against even the latest version of Java — Java 6 Update 22.
As the release notes state, this tool is a cross-platform attack suite, meaning that it can be used to attack not only Windows systems, but any vulnerable update mechanism: The attacker need only supply platform-specific payloads designed to run on the targeted user’s operating system.
According to Amato, the only things an attacker needs to hijack the update process on a targeted computer are control over the network and a victim system running one of the 60+ applications targeted by Evilgrade. And as I noted in a blog post last week, there are several easy-to-use, open source tools that allow attackers to hijack wired and wireless networks and trick all of the systems on a local network into routing their traffic through the assailant’s computer.
As Evilgrade makes painfully clear, it’s generally a good idea to delay installing updates until you’re using a network you know, trust and hopefully control (such as your home network). Many more programs these days have auto-updaters built-in, and these features can help users stay up to date with the most recent and secure versions of these products. But when you’re computing on-the-go, it’s probably best to delay responding to an auto-update prompt. At the very least, make sure you initiated the process, to ensure that you are not simply responding to a bogus update prompt sent to you by an attacker who’s using the same network.