Monday, 1 November 2010

Evilgrade 2.0 released - with a lot more modules for vulnerable update mechanisms

Evilgrade 2.0 is an exploitation framework for attacking systems by hijacking application update services.

Personally I don't even try to count the amount of times I get popups telling me "There is a java update", "There is an adobe update", "There is an xyz update" on my various PCs. There are many mechanisms, for these updates (especially on Windows systems) and as each mechanism is independent, so it is up to the software vendor for each application, how these mechanisms are implemented, and how securely.

Most update mechanisms are fairly basic:
  1. System checks periodically at a predefined URL
  2. System checks an index file for anything new at that location
  3. System downloads updates specified and installs them
With all the updaters that run for applications these days, it was only a matter of time before someone came up with a framework for exploiting these mechanisms for malicious purposes, and have done just that with Evilgrade.

Basically, this set of techniques means that attackers can replace the update process, and rather than provide legitimate updates, can install malware of the attackers' choice at the time they choose.

The basic mechanism is to use network hacking techniques typically used for man-in-the-middle attacks (MITM), to substitute an attackers' host for a legitimate download location. For example using; ARP spoofing, DNS Cache Poisoning, DHCP spoofing, TCP hijacking or WAP impersonation. The attackers' system then provides notifications, and updates, in place of the legitimate update service.

This second release of Evilgrade (2.0), released on 27th October 2010, supports many more application update services, including the following:

- Freerip 3.30 - Jet photo 4.7.2 - Teamviewer 5.1.9385 - ISOpen 4.5.0 - Istat. - Gom - Atube catcher 1.0.300 - Vidbox 7.5 - Ccleaner 2.30.1130 - Fcleaner - Allmynotes 1.26 - Notepad++ 5.8.2 - Java 1.6.0_22 winxp/win7 - aMSN 0.98.3 - Appleupdate <= ( Safari 5.0.2 7533.18.5, <= Itunes, <= Quicktime 7.6.8 1675) - Mirc 7.14 - Windows update (ie6 lastversion, ie7 7.0.5730.13, ie8 8.0.60001.18702, Microsoft works) - Dap - Winscp 4.2.9 - AutoIt Script - Clamwin - AppTapp Installer 3.11 (Iphone/Itunes) - getjar ( - Google Analytics Javascript injection - Speedbit Optimizer 3.0 / Video Acceleration - Winamp 5.581 - TechTracker (cnet) 1.3.1 (Build 55) - Nokiasoftware firmware update 2.4.8es - (Windows software) - Nokia firmware v20.2.011 - BSplayer 2.53.1034 - Apt ( < Ubuntu 10.04 LTS) - Ubertwitter 4.6 (0.971) - Blackberry Facebook | Twitter - Cpan 1.9402 - VirtualBox (3.2.8 ) - Express talk - Filezilla - Flashget - Miranda - Orbit - Photoscape. - Panda Antirootkit - Skype - Sunbelt - Superantispyware - Trillian <= - Adium 1.3.10 (Sparkle Framework) - VMware

 ...and I am sure there are many, many more possibilities which could easily be developed on top of this framework.

More information and an installer download of the tools are available from the authors' website at

Take great care when using this application. Use it only for legitimate testing purposes, and do not break the law.

  • Limiting the number of applications on corporate laptops to only those required for working
  • Deploying software management systems
  • Networking protections for typical MTIM attacks

1 comment: