Update: Asus issues fix for ShadowHammer attack, and a tool to detect if your PC was affected

Asus releases a patched version of Asus Live Update after the attack, and a tool to detect if you're affected.

asus zenbook 13 ux331ua lid
Adam Patrick Murray/IDG

Asus confirmed Tuesday that "a small number of devices" had been implemented with malicious code following an attack on its Live Update utility. That app has been patched, Asus said.

Asus said that it has reached out to affected users, and issued a patched version of its software, version 3.6.8. If you suspect that your PC might be affected, you can run an Asus tool that will check for affected systems, Asus said in a statement. The company also said that has introduced multiple security verification mechanisms, including an enhanced end-to-end encryption mechanism. Asus also updated and strengthened its server-to-end-user software architecture to prevent similar attacks from happening in the future, it said.

This story was updated at 9:04 AM on March 26. The original story follows.

Over 57,000 users, and possibly up to a million, have downloaded and installed a version of the Asus Live Update utility that was poisoned with a backdoor and hosted on the official Asus servers.

What security vendor Kaspersky is calling ShadowHammer was actually a targeted attack at a small number of users.  (The investigation is still in progress, Kaspersky said.) Kaspersky said that the ShadowHammer attack had been detected worldwide, most commonly in Russia and Germany, with about five percent of victims in the United States.

From a security standpoint, the most disturbing aspect of the malware is that it was digitally signed with legitimate security certificates, the stamp of authenticity that would make them indistinguishable from a real update. They were even hosted on Asus servers. The Live Update software can be downloaded from the Asus site, and it also comes pre-loaded on PCs. 

The Asus Live Update software is designed to look for new versions of the programs released on the Asus website and then automatically update a PC’s BIOS, drivers, and applications. If ShadowHammer allowed the PC to download malicious BIOS software from another site, that software could take over the entire PC. 

The target, Kaspersky said, was the supply chain, a network of companies supplying parts to a particular product. It could involve any number of manufacturing partners. It isn’t clear who or what ShadowHammer was designed to attack, but the security firm said it found a link to what it called BARIUM, involved in a similar supply-chain attack in 2017 called ShadowPad. That attack targeted the financial industry.

Kaspersky didn’t specifically say whether its software would block the attack, but the company said it had designed a tool to determine whether your PC was one of the targeted machines—about 600 addresses in all. To do so, you can download an executable file with a list of the MAC addresses, or check your MAC address manually against a list that’s been published online. (To find your MAC address, open the Windows 10 Settings menu, then navigate to Settings > Network & Internet and then View your network properties. You’ll find that Physical address (MAC) about three rows down.) 

We've reached out to Asus for comment, and will update this story when we hear back.

What this means for you: Given that Asus is usually considered to be the fifth-largest PC vendor in the world, and that ShadowHammer used authentic certificates, the attack is significant. Fortunately, you’re unlikely to be a target. The earlier ShadowPad triggered the download of malware only if a target was considered “interesting,” and it’s likely your PC isn’t. Still, if you’re concerned, Asus Live Update can apparently be safely uninstalled: Asus describes the process here, though it can be performed normally though Windows as well. 

To comment on this article and other PCWorld content, visit our Facebook page or our Twitter feed.
Related:
  
Shop Tech Products at Amazon