Hack the vendor, not the user.

This has nothing to do with the fact Prevx was just down, but got me thinking.

What if or can malware writers hack a vendor web site and install something. The premise of all this is, lets say something gets installed and the vendor doesnt find it. The piece of malware then activates in a way that goes out to all users and performs the old hose theory to ther systems. Can this happen?

 

Sure, if you can compromise the server where the executable package is hosted then you can tamper with it.

 

You mean almost like the Razer-scenario, where hardware manufacturer's dl site was dishing out malware left and right?

For those who missed it, I mean this.

 

In such situations will ensuring that the SHA 1 checksum of the installer is correct help? Or is there some way of distributing the malware together with the legitimate software without altering the software in any way?

 

thats why you must have a good hips or behavior blocker installed to your system.....
if the vendor executable of a known antimalware software is infected hips and behavior blocker must stop it.....

 

If the vendor website is compromised, so is the information they provide when it comes to checksums. In such a case yo need to find 3rd party source for checksums.

AFAIK there isn't any way to make software+malware payload to have same md5 or sha checksum as the original software file.

 

If a hacker compromised a security software site, they could easily replace the legitimate apps with whatever they wanted to. It would be a simple matter to replace the installer for an AV with something else. Regarding checksums, they may not be able to produce an altered product with the same checksum, but they could replace any displayed or downloaded checksums just as easily as the files themselves. A lot of sites don't have checksums listed for the downloads, so there'd be nothing to compare to.

Something like this would be limited to installers and standalone applications. Infecting the update mechanism for an existing product (like an AV definitions server) would be harder, but not impossible.

There are definite advantages to a security package that doesn't require regular updates to definitions, signatures, etc and doesn't need to have access to a vendors database. With security systems that need to interact with the vendors servers, the security and integrity of their system is very much the users problem. I wonder about cloud based security apps in this light. The dependence on vendor servers could be a big liability if they're successfully attacked.