Hack the vendor, not the user.

Discussion in 'other anti-malware software' started by trjam, Sep 30, 2009.

Thread Status:
Not open for further replies.
  1. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    This has nothing to do with the fact Prevx was just down, but it got me thinking.

    What if, or can, malware writers hack a vendor web site and install something? The premise of all this is, let's say something gets installed and the vendor doesn't find it. The piece of malware then activates in a way that goes out to all users and performs the old hose theory to their systems. Can this happen?
     
  2. 1boss1

    1boss1 Registered Member

    Joined:
    Jun 26, 2009
    Posts:
    401
    Location:
    Australia
    Sure, if you can compromise the server where the executable package is hosted then you can tamper with it.
     
  3. lordpake

    lordpake Registered Member

    Joined:
    Aug 7, 2004
    Posts:
    563
    Location:
    Helsinki ~ European Union
    You mean almost like the Razer-scenario, where hardware manufacturer's dl site was dishing out malware left and right?

    For those who missed it, I mean this.
     
  4. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    In such situations, will ensuring that the SHA-1 checksum of the installer is correct help? Or is there some way of distributing the malware together with the legitimate software without altering the software in any way?
     
  5. simisg

    simisg Registered Member

    Joined:
    Nov 6, 2008
    Posts:
    412
    Location:
    Greece
    That's why you must have a good HIPS or behavior blocker installed on your system.
    If the vendor executable of a known antimalware software is infected, the HIPS and behavior blocker must stop it.
     
  6. lordpake

    lordpake Registered Member

    Joined:
    Aug 7, 2004
    Posts:
    563
    Location:
    Helsinki ~ European Union
    If the vendor website is compromised, so is the information they provide when it comes to checksums. In such a case you need to find a 3rd-party source for checksums.

    AFAIK there isn't any way to make a software+malware payload have the same MD5 or SHA checksum as the original software file.
     
  7. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    If a hacker compromised a security software site, they could easily replace the legitimate apps with whatever they wanted to. It would be a simple matter to replace the installer for an AV with something else. Regarding checksums, they may not be able to produce an altered product with the same checksum, but they could replace any displayed or downloaded checksums just as easily as the files themselves. A lot of sites don't have checksums listed for the downloads, so there'd be nothing to compare to.

    Something like this would be limited to installers and standalone applications. Infecting the update mechanism for an existing product (like an AV definitions server) would be harder, but not impossible.

    There are definite advantages to a security package that doesn't require regular updates to definitions, signatures, etc. and doesn't need to have access to a vendor's database. With security systems that need to interact with the vendor's servers, the security and integrity of their system is very much the user's problem. I wonder about cloud-based security apps in this light. The dependence on vendor servers could be a big liability if they're successfully attacked.
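
The checksum point raised in posts 6 and 7, as an added example that is not part of the original thread: an installer is accepted only when its digest also matches a listing obtained from somewhere other than the download site. SHA-256, the source labels `vendor-site` and `mirror`, and all function names are assumptions made for this sketch; the sample bytes are constructed.

```python
import hashlib
import os
import tempfile

VENDOR = "vendor-site"  # hypothetical label for the download site's own listing

def sha256_file(path, chunk_size=1 << 16):
    """Hash the installer in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def normalize(published):
    """Accept 'HEX' or 'HEX  filename' (sha256sum style), in any letter case."""
    parts = published.split()
    token = parts[0].lower() if parts else ""
    if len(token) != 64 or any(c not in "0123456789abcdef" for c in token):
        raise ValueError("not a SHA-256 hex digest: %r" % published)
    return token

def verify_installer(path, published, min_independent=1):
    """Accept only if no listing disagrees and enough non-vendor sources agree."""
    actual = sha256_file(path)
    report = {}
    for source, value in published.items():
        try:
            report[source] = normalize(value) == actual
        except ValueError:
            report[source] = False  # a malformed listing counts as a mismatch
    independent_ok = sum(ok for src, ok in report.items() if src != VENDOR)
    return all(report.values()) and independent_ok >= min_independent, report

def demo():
    """Constructed case: the site serves an altered file and a matching checksum."""
    good, bad = b"constructed installer", b"constructed installer + extra bytes"
    with tempfile.NamedTemporaryFile(delete=False) as fh:
        fh.write(bad)
    try:
        listings = {VENDOR: hashlib.sha256(bad).hexdigest(),     # replaced with the file
                    "mirror": hashlib.sha256(good).hexdigest()}  # independent listing
        return verify_installer(fh.name, listings)
    finally:
        os.unlink(fh.name)

if __name__ == "__main__":
    print(demo())
```

A match against the vendor's own listing alone is reported but never sufficient, which is the case where both the file and the displayed checksum were replaced together.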
     