Personally, I don't even try to count the number of times I get popups telling me "There is a Java update", "There is an Adobe update", "There is an xyz update" on my various PCs. There are many mechanisms for these updates (especially on Windows systems), and as each mechanism is independent, it is up to the vendor of each application how its update mechanism is implemented, and how securely.
Most update mechanisms are fairly basic:
- The application periodically checks a predefined URL
- It reads an index file at that location to see whether anything newer than the installed version is available
- It downloads the updates the index specifies and installs them
Where none of these steps authenticates the update host or verifies what was downloaded (no TLS certificate check on the connection, no vendor signature on the index or the installer), an attacker who can stand in for the update host can take over the whole process: rather than providing legitimate updates, they install malware of their choice at a time of their choosing.
The basic mechanism is to use the network attack techniques typically used for man-in-the-middle (MITM) attacks to substitute an attacker's host for the legitimate download location: for example ARP spoofing, DNS cache poisoning, DHCP spoofing, TCP hijacking or wireless access point (WAP) impersonation. The attacker's system then provides the update notifications, and the updates themselves, in place of the legitimate update service.
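To make the above concrete, here is a small Go program added for this page (example code, not part of Evilgrade and not from the original post). It stands up three throwaway HTTP update hosts on localhost and runs two update clients against them: a naive client that follows the three steps above exactly, and a client that pins the vendor's signing key. The "rogue" host plays the attacker's system after a successful ARP or DNS redirection; the "swap" host models a relay that forwards the genuine index but substitutes the binary. The manifest format, the `/index.json` and `/update.bin` paths, the payload strings, the version numbers and all function names are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// Manifest is the "index file" an updater reads from its predefined URL (a format
// constructed for this example). Signature is hex ed25519 over signedBytes().
type Manifest struct {
	Version   string `json:"version"`
	Path      string `json:"path"`   // package location on the same host
	SHA256    string `json:"sha256"` // hex digest of the package
	Signature string `json:"signature"`
}

func (m Manifest) signedBytes() []byte { return []byte(m.Version + "\n" + m.Path + "\n" + m.SHA256) }

// newUpdateServer serves /index.json describing pkg (signed with whatever key the host
// holds) and the bytes in served at the package path; served != pkg models a swapped binary.
func newUpdateServer(version string, pkg, served []byte, priv ed25519.PrivateKey) *httptest.Server {
	sum := sha256.Sum256(pkg)
	m := Manifest{Version: version, Path: "/update.bin", SHA256: hex.EncodeToString(sum[:])}
	m.Signature = hex.EncodeToString(ed25519.Sign(priv, m.signedBytes()))
	index, _ := json.Marshal(m)
	mux := http.NewServeMux()
	mux.HandleFunc("/index.json", func(w http.ResponseWriter, _ *http.Request) { w.Write(index) })
	mux.HandleFunc("/update.bin", func(w http.ResponseWriter, _ *http.Request) { w.Write(served) })
	return httptest.NewServer(mux)
}

func get(url string) ([]byte, error) {
	resp, err := http.Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	return io.ReadAll(resp.Body)
}

// naiveUpdate is the three-step flow from the text: check the predefined URL, read the
// index, download what it names. Nothing ties index or package to the vendor. base is
// whatever the client resolved the update host to; after ARP/DNS spoofing, the attacker.
func naiveUpdate(base string) (m Manifest, pkg []byte, err error) {
	raw, err := get(base + "/index.json")
	if err == nil {
		err = json.Unmarshal(raw, &m)
	}
	if err == nil {
		pkg, err = get(base + m.Path)
	}
	return
}

// verifyingUpdate runs the same flow but acts on the index only if it is signed by
// the pinned vendor key, and on the package only if it matches the signed digest.
func verifyingUpdate(base string, vendorPub ed25519.PublicKey) ([]byte, error) {
	m, pkg, err := naiveUpdate(base)
	if err != nil {
		return nil, err
	}
	if sig, e := hex.DecodeString(m.Signature); e != nil || !ed25519.Verify(vendorPub, m.signedBytes(), sig) {
		return nil, errors.New("index is not signed by the vendor key")
	}
	if sum := sha256.Sum256(pkg); hex.EncodeToString(sum[:]) != m.SHA256 {
		return nil, errors.New("package does not match the signed digest")
	}
	return pkg, nil
}

// Outcome records what each client did against each host in the constructed scenario.
type Outcome struct{ NaiveInstalledRogue, VerifyingRejectedRogue, VerifyingRejectedSwap, VerifyingInstalledLegit bool }
func runScenario() (o Outcome) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand; errors only if the OS RNG fails
	_, attackerPriv, _ := ed25519.GenerateKey(nil)      // the attacker can sign too, just not with the vendor's key
	legitPkg, roguePkg := "vendor build 2.0", "attacker payload" // constructed payloads
	legit := newUpdateServer("2.0", []byte(legitPkg), []byte(legitPkg), vendorPriv)
	rogue := newUpdateServer("9.9", []byte(roguePkg), []byte(roguePkg), attackerPriv) // "new version" lure
	swap := newUpdateServer("2.0", []byte(legitPkg), []byte(roguePkg), vendorPriv)    // genuine index, swapped binary
	defer func() { legit.Close(); rogue.Close(); swap.Close() }()
	_, got, e := naiveUpdate(rogue.URL)
	o.NaiveInstalledRogue = e == nil && string(got) == roguePkg
	_, e = verifyingUpdate(rogue.URL, vendorPub)
	o.VerifyingRejectedRogue = e != nil
	_, e = verifyingUpdate(swap.URL, vendorPub)
	o.VerifyingRejectedSwap = e != nil
	got, e = verifyingUpdate(legit.URL, vendorPub)
	o.VerifyingInstalledLegit = e == nil && string(got) == legitPkg
	return o
}

func main() { fmt.Printf("%+v\n", runScenario()) } // all four fields report true
```

Run it with `go run`; it prints `{NaiveInstalledRogue:true VerifyingRejectedRogue:true VerifyingRejectedSwap:true VerifyingInstalledLegit:true}`. Redirecting the client to the attacker's host defeats only the first client. The second client still receives the attacker's index, but without the vendor's private key the attacker cannot make it act on that index, and relaying the genuine index does not help either, because the signed digest no longer matches the substituted package. The pinned public key has to ship with the application: a key fetched over the same channel could be swapped along with everything else.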
This second release of Evilgrade (2.0), released on 27th October 2010, supports many more application update services, including the following:
...and I am sure there are many, many more possibilities which could easily be developed on top of this framework.
More information and an installer download of the tools are available from the authors' website at infobyte.com.ar
Take great care when using this application. Use it only for legitimate testing purposes, and do not break the law.
Defences against this class of attack include:
- Limiting the applications on corporate laptops to those required for work
- Deploying a software management system, so that updates come from a controlled internal source rather than from each application's own updater
- Network protections against the typical MITM techniques listed above (ARP and DHCP spoofing, DNS cache poisoning, rogue access points)
- Preferring applications whose updaters fetch over HTTPS with certificate validation and verify a vendor signature on the update before installing it