Slashdot Mirror


Asus.com Compromised With Exploit Code

Juha-Matti Laurio writes in with news that the Web site of ASUSTeK Computer (asus.com) has been compromised to spread exploit code. The original report from Kaspersky Lab claimed that the compromise led to code exploiting the recently patched Microsoft Windows Animated Cursor (.ANI) 0-day vulnerability, but sans.org found no evidence of this. Apparently a malicious iframe was added to one of the machines in asus.com's DNS round-robin.


  1. Further evidence that ... by Aminion · · Score: 5, Interesting

    ... you don't have to visit porn, warez or shady sites to get your computer infected with all sorts of nastiness; "trusted" sites will just do.

    1. Re:Further evidence that ... by plague*star · · Score: 2, Funny
      ... you don't have to visit porn, warez or shady sites to get your computer infected with all sorts of nastiness; "trusted" sites will just do.

      I suspect the actual plan was to infect all the people mis-typing "anus.com"

      P*S

  2. Re:DNS needs improvement... by The+MAZZTer · · Score: 4, Informative

    You DO know that www. is just another subdomain, right? The only reason it's special is because most/all websites mirror <hostname> onto www.<hostname>. But it doesn't HAVE to be like that. Slashdot doesn't do it like that, for instance.

    It doesn't matter if the DNS entry has www. on it or not, the address is still owned by the same person and will get directed to a machine they specified (or nowhere).

  3. jpeg or png? by MichaelSmith · · Score: 3, Insightful

    TFA:

    up to no good pointing to another obfuscated javascript and a executable cloaked as a jpg file

    Then:

    Name: next3.png

    So is next3.png the real exploit and are they using "jpeg" to mean an image file? Or is there a jpeg file involved here?

  4. Re:I heard rumors by bmo · · Score: 5, Informative

    "that Investor Village was spreading some "updater.exe" the other day (via ads), so this might have been a bit larger than just the one site?"

    It's spyware from an ad service. It's like those "Your computer is infected" ads on a Yahoo page.

    The real carrier of the evil is dropspam.com, which pretends to be a spam filtering service. I fired up VMware and installed upgrade.exe out of morbid curiosity. The results are here:

    Msg: 26529 of 26688 4/6/2007 6:57:44 AM Recs: 26 Sentiment: Not Disclosed
    By: Boyle M. Owl
    Posted as a reply to msg 26470 by sco_source_scam

    Re: IV advertising malware? Dropspam.com

    The tiny program is a downloader and installer. I have run it inside of VMware, the only way to run Windows...

    It may be legitimate, but read on, and grok the implications of the license....

    3. Licensee's Covenants
    (a) The Licensee has read all information pertaining to the operation of the Software and expressly agrees that the Licensor shall be permitted to make any modifications, alterations and re-configurations to the Licensee's computer hardware and software including its email inbox and outbox as required for the normal operation of the Software, including but not limited to the re-routing of emails to the Licensor's server for the purposes of screening emails for spam and viruses and attaching a brief message promoting the Software to all out-going emails of the Licensee.

    The licensor can kindly stay the fuck out of my computer, tyvm.

    (b) The Licensee further agrees that the Licensor shall be permitted to send emails (Authentication Emails) on behalf of the Licensee to those email addresses which have been stored in the Licensee's computer or which appear as senders in incoming emails, for the purposes of authenticating these email addresses and providing the recipients with an opportunity to update the Licensor with additional authentic email addresses.

    "We're going to examine your drive for email addresses, and then we're going to spam the shit out of your friends."

    (c) If the Licensee wishes to delete or remove the Software for any reason, such deletion or removal must be carried out using either the program or software removal tool inherent in the Licensee's computer operating system including the Add/Remove tool provided by Microsoft® Windows, or such other similar program or software provided by the Licensor, which will be available to the Licensee through the Licensor's website. The Licensee acknowledges that if the deletion or removal of the Software is carried out by any other manner or by using any program or software other than those described above, the Licensee's email software or system may not be restored fully and/or may fail to start up and function properly, and as a result the Licensee may not be able to receive or send emails.

    "Yeah, ya see, our program so severely fucks your system that if you try to remove us with something that might work, we'll break your smtp and pop3 server pointers."

    As I wrote this, several other popups came up and want me to install shit. Ahahahah, I'm going to install all this and then I'm going to run a friend's malware scanner to see what it really does.

    Ghod...this is what being a windows user is like?! I have forgotten!

    --
    BMO

    Msg: 26531 of 26688 4/6/2007 7:18:35 AM Recs: 25 Sentiment: Not Disclosed
    By: Boyle M. Owl
    Posted as a reply to msg 26529 by Boyle M. Owl
    Re: IV advertising malware? Dropspam.com

    I do this shit so you don't have to...

    Up until I installed upgrade.exe, the system was pristine except for an installation of OpenOffice and Opera....

    BTW, this is just a _part_ of the log that goes on forever...

    Checking system programs...

    Checking Windows directory contents...
    c:\windows\appupdate.exe: Version info not found (Suspicious)
    c:\windows\ewwsetup.exe:

  5. Re:I heard rumors by MichaelSmith · · Score: 2, Insightful

    Anyway, this has basically made the (virtual) computer useless and annoying.

    You should put the virtual disk under version control.

  6. not the least bit surprised by Indy1 · · Score: 2, Informative

    Most of the motherboard OEMs use IIS for their web sites. They tend to be incredibly slow, go down all the time, and often render poorly (or not at all) on anything other than IE.

    All signs of poor admins.

    --
    Lawyers, MBA's, RIAA? A jedi fears not these things!
    1. Re:not the least bit surprised by GeRM_007 · · Score: 4, Informative

      I was on their site last weekend, looking for a new BIOS and drivers. Their support web server was completely down. I called up to complain, and their tech support told me that they are aware of it, and have been having problems with it for a couple weeks now as they are changing their infrastructure. A couple weeks!!! Even their tech support couldn't access it, or even tell me what the BIOS version number was. This compromise is probably a result of an incorrectly configured server, which is a result of incompetent admins. All this results in them losing me as a customer. Good riddance Asus.

  7. Windows is unfit for business uses. by Anonymous Coward · · Score: 2, Insightful

    What this actually shows is that Windows is unfit for business uses. Even when using their top-end Windows Server products, it's obviously a very poor choice. Between the great expense, the low quality and the numerous security problems, there's no good reason to be using it.

    I can think of one reason why a company would go with Windows-based systems: ignorance. This includes ignorance on the part of the network designers and administrators, who do not stand up and demand to use Solaris, Linux, HP-UX, AIX, FreeBSD, Mac OS X or some other system. This also includes ignorance on the part of the management team that is authorizing the purchase and use of such software.

    1. Re:Windows is unfit for business uses. by toadlife · · Score: 2, Interesting

      So what exploit in IIS6 do you think let this hack happen?

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    2. Re:Windows is unfit for business uses. by PPH · · Score: 2, Insightful
      What sort of Windows-specific app do you think Asus has to run on their web servers? All they are doing is distributing drivers, technical specs and product literature. From the point of view of a Unix/Linux/Solaris system, these are just binaries and the web servers could care less about the contents.


      This is one of the problems I've seen repeatedly with CIOs who have been brought up drinking the Microsoft Kool-Aid. They've never bothered to question the 'one size fits all' sales pitches.

      --
      Have gnu, will travel.
  8. Asus Site Is Always A Mess Anyway by chromozone · · Score: 3, Insightful

    Many people who like Asus products know the Asus website is awful. No problem on that site would come as any surprise to anyone who goes there for updates or information. I'm glad this specific problem is no big deal, but that is still one dodgy site that needs TLC quite desperately.

    1. Re:Asus Site Is Always A Mess Anyway by madclicker · · Score: 5, Informative

      I second that. They use M$ ftp servers with download speeds of 7MB per second. They have had an issue since 2000 and have never been able to fix their website. What a shame for a company that deals with technology. The funny thing is on their download site they have four locations like: Global, USA, China, Europe, Japan, but all are coming off the same subnet. Morons.

      --
      "History is the realm of the true lie." A.Szerb
  9. Advice by MindStalker · · Score: 3, Interesting

    Ok, Friday I reinstalled an Asus laptop. While applying updates I was downloading Asus drivers. Should I be concerned that I visited their site without a fully patched system? I'd hate to do it all over again. Any suggestions on how I can tell if I was infected?

    1. Re:Advice by lavid · · Score: 2, Funny

      Isn't "installing a laptop" just plugging in the power supply / battery?

      --
      If Bush wants to kill the terrorists, he should jump off a cliff.
    2. Re:Advice by Plutonite · · Score: 2, Informative

      If you visited their website using IE then yes (and insert a lot of jeering here for using IE) be very concerned. Firefox is immune because it's the IE rendering engine that is exploited.

      That said, your file explorer on windows also uses the said engine, so any files you download are a threat as soon as you browse to their location. If you have put these files somewhere you know of, try using the windows shell to move them into a directory you don't like to go to very often. Then wait until spyware/anti-virus removers get updated and you are "safe".

  10. Re:I heard rumors by bmo · · Score: 2, Informative

    "You should put the virtual disk under version control."

    VMware does that. To clean the virtual machine, you can pick any of the older images. I was asked if I tried uninstalling using the spyware company uninstaller and I said no. I picked the April 1 image out of a perverted sense of humor.
    --
    BMO

  11. Re:DNS needs improvement... by JWSmythe · · Score: 3, Interesting


    The one that always annoyed me was Promise. That is, when I was still using their hardware. :)

    http://promise.com/ goes to a blank index page.

    http://www.promise.com/ goes to their real content page.

    --
    Serious? Seriousness is well above my pay grade.
  12. It's not a DNS error-- it's a html page error by postbigbang · · Score: 2, Informative

    The Kaspersky source material is poorly written. Dig was used to compare DNS servers, but the actual problem was a round-robin home page with outreaching code with little presents inside. At first glance, it sounded like a DNS exploit but it's not-- it's a good old-fashioned page re-write. DNS has nothing to do with it.

    --
    ---- Teach Peace. It's Cheaper Than War.
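The round-robin angle described in the summary and in the comment above (one of several A records serving a page with an extra iframe) is easy to check for yourself: pull the same path from every address the resolver hands back, sending the real Host header, and compare the iframes each copy contains. The script below is an added example, not code from the thread, Kaspersky or SANS; the mirror addresses, page bodies and the `evil.example` URL in the sample data are constructed, and `fetch_page`/`resolve_all` are the only parts that touch the network.

```python
"""Compare the page served by each A record of a DNS round-robin and flag
<iframe> elements that only some mirrors serve, or that are hidden.
Added example; not code from the Slashdot thread, Kaspersky or SANS."""
from html.parser import HTMLParser
import http.client
import socket


class IframeCollector(HTMLParser):
    """Collect (src, hidden) for every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        style = a.get("style", "").replace(" ", "").lower()
        # 0x0 / 1x1 frames or display:none are the classic drive-by pattern
        hidden = (a.get("width", "").strip() in ("0", "1")
                  or a.get("height", "").strip() in ("0", "1")
                  or "display:none" in style
                  or "visibility:hidden" in style)
        self.iframes.append((a.get("src", ""), hidden))


def iframes_in(html):
    parser = IframeCollector()
    parser.feed(html)
    return parser.iframes


def resolve_all(host):
    """Every IPv4 address the resolver returns for host (the round-robin set)."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, 80, socket.AF_INET)})


def fetch_page(ip, host, path="/", timeout=10):
    """GET path from one specific mirror IP, sending the site's Host header.
    Needs network access; the offline demo below does not call it."""
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    conn.request("GET", path, headers={"Host": host, "User-Agent": "mirror-check/1.0"})
    body = conn.getresponse().read().decode("utf-8", errors="replace")
    conn.close()
    return body


def find_suspect_iframes(pages):
    """pages: {mirror_ip: html}. Returns {src: [ips serving it]} for every
    iframe that is hidden or is served by fewer than all of the mirrors."""
    seen = {}
    hidden_srcs = set()
    for ip, html in pages.items():
        for src, hidden in iframes_in(html):
            seen.setdefault(src, set()).add(ip)
            if hidden:
                hidden_srcs.add(src)
    total = len(pages)
    return {src: sorted(ips) for src, ips in seen.items()
            if len(ips) < total or src in hidden_srcs}


# Constructed sample: three mirrors, one of which serves an extra hidden iframe.
CLEAN = ('<html><body><h1>Support</h1>'
         '<iframe src="/ads/banner.html" width="468" height="60"></iframe>'
         '</body></html>')
INFECTED = CLEAN.replace(
    "</body>",
    '<iframe src="http://evil.example/x.html" width="0" height="0"></iframe></body>')
SAMPLE_PAGES = {"192.0.2.10": CLEAN, "192.0.2.11": INFECTED, "192.0.2.12": CLEAN}

if __name__ == "__main__":
    # Live use would be: pages = {ip: fetch_page(ip, "www.example.com") for ip in resolve_all("www.example.com")}
    for src, ips in find_suspect_iframes(SAMPLE_PAGES).items():
        print(f"suspect iframe {src!r} served only by {ips}")
```

Comparing against the majority of mirrors rather than against a known-good copy is what makes this usable without a baseline; an iframe that every mirror serves is still reported if it is sized 0x0 or hidden by style, since an attacker who owns all the mirrors would not show up in the diff.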
  13. Re:DNS needs improvement... by nuintari · · Score: 2, Insightful

    This is a whole lot different than what most sites do. Notice how you type www.slashdot.org in, but end up at slashdot.org? Yeah, the line "HTTP/1.x 301 Moved Permanently" means they redirect you away from the www, probably because a lot of us think the www is stupid.

    Most sites are configured to accept either the www.domain, or just the domain. Slashdot is not one of them.

    --

    --Nuintari

    slashdot : where an opinion can be wrong.

  14. Re:Just assume you're infected. by Aladrin · · Score: 3, Insightful

    As much as I hate to agree with a troll, he's partially right. It's best to assume you have been infected. Even if all the current anti-spyware doesn't find it, that doesn't mean it won't pop up soon. We don't know enough about this malware to identify what it is and if you have been affected, apparently.

    On the other hand, the troll is pretty much wrong about everything else, including "Furthermore, if you use WINE you can run virtually all of your existing Windows applications and games." I have been trying to get windows-based games to run for quite some time, and with the exception of a few favored games (WoW) and some old ones that were really simple, not much works at all, let alone with hours of tweaks. (Actually, I don't even own WoW, so I could be wrong about how well it works as well.)

    --
    "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
  15. I'm shocked... SHOCKED! by Excelcia · · Score: 5, Insightful

    How dare their web site go down when I need a driver? How dare anyone ever have a problem they don't know how to solve in sufficient time to deal with my selfish and entitled demands? Their tech support exists (solely, I might add) to tell me the bios version I need. So bye bye Asus, I consign you to the ash heap of history while I move along to a company that forces its developers to blog for me, whose support staff reads my every web site comment (including the ones on third party sites), and that spends every last dollar it has on server infrastructure. Of course, I don't particularly care that this company will be out of business in no time, because there is a constant influx of new companies who are willing to lose money for a year and fold.

    And to top it all off... BAH HUMBUG!

    1. Re:I'm shocked... SHOCKED! by Achromatic1978 · · Score: 2, Insightful
      For the longest time, I loved my Asus notebook (A7Vc). Heavy fucker, but great. 1.86GHz Pentium M (It's 18 months old), 2GB RAM, 1440x900, ATI Mobility Radeon x700, integrated HDTV. Lots of nice stuff.

      But it hasn't seen a driver update from Asus in coming up on a year. Not a single Vista driver? For a notebook that was one of your top-of-the-line models (yeah, yeah, I know time moves fast)? When there are HUNDREDS of posts on your forums about the integrated webcam breaking EVERY video input software under Vista, including but not limited to said webcam itself, HDTV tuner, Windows Media Player and Quicktime.

      Fuck you, Asus. My employer gave me a Sony Vaio. It's nice. It's a lot newer, sure, but at least its manufacturer (for all their evils) have updated drivers in the LAST TEN MONTHS.

    2. Re:I'm shocked... SHOCKED! by Flendon · · Score: 2, Informative

      Asus is known for their site being down for days at a time, having horrendous javascript, and often breaking in firefox. They are also known for having an unresponsive customer service. The most common answer you get is "look at our forums", yet their own forums indicate the problem is known and unresolved. To pick just one issue I've had with them as an example, due to their buggy firmware my DVD+-RW was recognized as a CD-R for over a year before they finally fixed it, with hundreds of people claiming the same problem. And, even then the firmware update could only be installed using a floppy drive (in 2006!) and required a third party bios flasher. No, this is par for the course with Asus and I laughed when I received my ISC newsletter.

      --
      chown -R us ./base
  16. SANS DID find evidence of an ANI exploit: by I)_MaLaClYpSe_(I · · Score: 4, Informative
    From isc.sans.org:

    UPDATE #2: That second javascript referred in the vbscript above didn't decode, it seems it's just not encoded right, but when decoding the string with a plain base64 routine, it does decode to what leads to an ANI exploit. You never know what a buggy script and a buggy browser do together.
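The SANS update quoted above turns on a detail that comes up constantly in drive-by analysis: the obfuscated script "didn't decode" with the decoder the page itself used, but a plain base64 routine that ignores the junk around the data did produce the next stage. The snippet below, an added example rather than anything from the SANS diary or this thread, shows a deliberately lenient base64 decoder (strips quotes, whitespace and stray characters, accepts the URL-safe alphabet, repairs missing `=` padding) and then checks whether the result carries the RIFF/`ACON` header of a Windows animated cursor. The `.ani` sample it decodes is a constructed, benign header with a `JUNK` padding chunk, not an exploit.

```python
"""Lenient base64 decoding of an obfuscator's sloppy output, plus a check for
the RIFF 'ACON' form type used by Windows .ani files. Added example; not code
from the SANS diary or the Slashdot thread."""
import base64
import binascii
import re
import struct

_NOT_B64 = re.compile(rb"[^A-Za-z0-9+/=]")


def lenient_b64decode(text):
    """Decode base64 that strict decoders reject: junk characters, line breaks,
    quotes, URL-safe alphabet and missing '=' padding are all tolerated."""
    if isinstance(text, str):
        text = text.encode("ascii", errors="ignore")
    text = text.replace(b"-", b"+").replace(b"_", b"/")   # URL-safe variant
    text = _NOT_B64.sub(b"", text)                         # drop everything else
    text = text.rstrip(b"=")
    if len(text) % 4 == 1:            # a lone trailing sextet can never be valid
        text = text[:-1]
    text += b"=" * (-len(text) % 4)   # restore padding
    return base64.b64decode(text)


def riff_form_type(data):
    """Form type of a RIFF container ('ACON' for .ani, 'WAVE' for .wav, ...),
    or None if the bytes are not a RIFF file at all."""
    if len(data) < 12 or data[:4] != b"RIFF":
        return None
    return data[8:12].decode("ascii", errors="replace")


def is_ani(data):
    return riff_form_type(data) == "ACON"


def make_sample_ani():
    """Constructed, benign RIFF/ACON header with a 2-byte JUNK padding chunk.
    Used only as sample input; it is not a working cursor, let alone an exploit."""
    body = b"ACON" + b"JUNK" + struct.pack("<I", 2) + b"\x00\x00"
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Constructed sample: the bytes above as base64, mangled the way obfuscated
# scripts often carry it (wrapped in quotes, trailing newline, '=' stripped).
SAMPLE_BLOB = '"' + base64.b64encode(make_sample_ani()).decode().rstrip("=") + '"\n'

if __name__ == "__main__":
    try:
        base64.b64decode(SAMPLE_BLOB)          # the strict route fails on this input
    except binascii.Error as err:
        print("strict decode failed:", err)
    decoded = lenient_b64decode(SAMPLE_BLOB)
    print("RIFF form type:", riff_form_type(decoded), "- is .ani:", is_ani(decoded))
```

The practical lesson is the one the SANS diarist draws: a stage that fails to decode in your tooling may still decode in the victim's browser, so when an obfuscated string will not round-trip, try the lenient path before concluding the payload is dead.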
  17. Re:DNS needs improvement... by ez76 · · Score: 4, Funny

    This is intentional and symbolizes the company's value proposition, the Empty Promise (TM).

  18. Only website affected? by AndrewM1 · · Score: 2, Interesting

    I'm surprised that whoever managed to crack into ASUS's servers only inserted malevolent HTML. Imagine the utter destruction they could have caused if they had *enhanced* the firmware downloads with some sort of (probably boot-sector) virus, or simply modified them to destroy the motherboard... *Shudder*

    Why wouldn't they? Are the file images stored separately or otherwise better protected?