Software updates are a familiar aspect of modern information technology. Malicious individuals can take advantage of these frequent software upgrades to introduce unauthorized programs into information systems through false updates (i.e. updates that also contain hostile code). This paper will explore the attack potential of false updates by examining their effects on computer systems, their methods of distribution, and some recent examples.
In today's competitive marketplace, software companies and their competitors are often locked in a frenzied race to bring a product to market. One byproduct of accelerated software development is, frequently, the release of unfinished products that still contain several errors. Software companies regularly release updates so that customers can either correct these errors or add new product features without having to buy another version of the software.
Software updates carry with them an implied trust that the software contained in the update (disk or downloaded file) actually does what it's supposed to do. A consequence of this implied trust is that end users may not verify the updates they install on their computers. Unfortunately, malicious individuals have taken advantage of this situation by either masquerading hostile code (e.g. viruses, Trojan horses) as legitimate updates or inserting hostile code into an update program. This form of attack is referred to as a false update. In order to better understand how false updates are used to attack information systems, this paper will describe the creation of false updates, their effects on computer systems, and how they are distributed. Several recent examples will also be provided to illustrate how false update attacks are carried out.
False updates can be created using one of two general methods, each method requiring a different amount of technical skill. The easiest way to create a false update is to simply masquerade hostile code as an authentic software update. This can be as easy as renaming a hostile code executable file as "update.exe" and convincing people to run the program on their computer. [1] This method involves some measure of social engineering to deceive the victim, but generally does not require any technical ability. Another strategy would involve embedding hostile code into a legitimate software update. In this case, the hostile code would be installed onto the target computer at the same time as the real update. The creator of this type of false update would need enough computer programming expertise to extract the source code of the original update, incorporate the hostile code, and "reassemble" the infected update program so it still performed its intended function. This strategy is somewhat analogous to the adware and spyware incorporated with some software programs today. Unless one makes a habit of reading the "fine print" in the software's license agreement, these so-called "parasite" programs can be installed on a system during the course of another installation without the user's knowledge. [2]
Depending on what type of hostile code is involved, false updates can have quite diverse effects. Trojan horses have been used to broadcast personal information (e.g. credit card numbers, passwords) about the user [3], generate spam e-mail [4], erase host computer hard drives [5], and grant remote access to an infected computer. [14] Viruses, worms, logic bombs, and time bombs can also be programmed to perform these actions or anything else the programmer desires. In short, the possibilities are limited only by a programmer's code-writing ability.
Before internet use became widespread, software updates were often distributed from the manufacturer to the customer on floppy disks. People who wished to introduce false updates had to do so from either the vendor or the customer side of this distribution channel. On the vendor side, company insiders could introduce hostile code into legitimate updates before shipping them or add an extra, contaminated disk to the update set. This potential threat has caused some software industry groups to develop strict product development guidelines to prevent accidental or intentional software infection at the manufacturing site. [6] On the customer side, a false update could be introduced simply by convincing an employee to install a program from an infected disk or by replacing a legitimate update disk with a similar-looking, but infected, false update. [7]
Although some software updates are still distributed by floppy disk or CD-ROM, most software updates today are distributed over the internet. Depending on the software, customers can download updates from third-party distributors (like CNET's Download.com [8]), bulletin board services, or company websites. Third-party distributors allow anybody to submit software to their service, making it possible for false updates to be submitted as well. These services, however, reserve the right to remove any false update discovered on their website. [9] Bulletin boards and newsgroups also allow anyone to submit files to their servers for distribution, except in many cases there is little or no verification of posted updates. This lack of update authentication make these services ideal places for false update authors to distribute their creations.
Under most circumstances, the best place to obtain an update is through the software manufacturer's website. However, even this direct method can be manipulated to distribute false updates. Many corporate websites that distribute updates possess digital certificates, small files issued by third-parties that serve to authenticate the source of the downloaded software. If a company's digital certificates were to be duplicated or stolen, a malicious individual could set up a clone of a company's software update server and distribute false updates. Although there have been no reported instances of this distribution method actually occurring, the potential existed in early 2001. In January 2001, an unidentified individual posing as a Microsoft employee was able to obtain two Microsoft digital certificates from Verisign, a digital certificate vendor. Not only did Verisign fail to authenticate the individual's identity, but they also did not discover the error until two months later. [10] During those two months the individual would have been able to prove that any e-mail, macro, software, update, or webpage was from Microsoft. In order to distribute false updates, he or she would had only needed to set up a fake update site, "verify" it with the Microsoft certificates, and send spam e-mail to convince people to go to the fake website for their "critical" update. [11] Verisign immediately revoked the certificates after discovering the error [12], and Microsoft distributed a security bulletin warning the public about the security breach. [13] Luckily, this individual did not have the inclination to cause any harm with the stolen certificates.
There have been a number of documented examples of false updates being used to infect computers with malicious code. Since Microsoft software is very widespread, notifications of "updates" to Microsoft programs are commonly used to deceive victims. In March 2002, the W32.Gibe@mm worm/Trojan horse was distributed as an attachment in a fake update notification e-mailed to computer users. The "upgrade" promised to update the security capabilities of Internet Explorer and Outlook/Outlook Express. When executed, this attachment forwarded the message to contacts in the victim's address book and installed a Trojan horse enabling remote access to the host system. [14] In 1998, another false update targeted users of Internet Explorer. This e-mail, which also contained an attachment, promised to fix glitches in the Internet Explorer program. Instead, the attachment installed a Trojan horse programmed to send spam e-mail whenever the host computer was operational. [4]
Microsoft customers have not been the only ones targeted by false updates. One false update claimed to improve the QuickDraw program performance on Macintosh computers. This Trojan horse, however, destroyed the hard drive directory of each computer it was installed on. [15] In June 2002, a security flaw was discovered in the Software Update feature of Macintosh's OS 10 operating system. The Software Update feature, which automatically downloaded updates from the internet, lacked any sort of authentication feature that could verify the source of downloaded software. Hackers could have exploited this vulnerability by impersonating an Apple Update server and sending false updates to the requesting computers. [16,17] Subscribers to the AtHome high-speed internet service were also targeted by a false update that contained the SubSeven Trojan horse, a program that enables hackers to gain remote access to infected systems. This false update was sent out during a period when the network services provider was experiencing several recurring outages, so fed up customers were anxious to solve the problem through a software upgrade. [18]
In summary, false updates are attacks against information systems that take advantage of end users' trust of software updates. False updates are distributed through several different channels and are often masqueraded as legitimate updates, so end users must be sure to verify the authenticity of any software update they receive. Researchers, security professionals, and computer users must work together to develop and implement fast, convenient methods to verify software. Some progress has been made in this area with the development of checksum programs, which are programs that generate an "electronic fingerprint" for digital files. End users can then compare the checksum of the software update in their possession with that of a known, legitimate copy to see if their copy has been altered. [19] A vast majority of computer users do not know about this technology, however, so further efforts must be made to incorporate the use of checksums into software-updating process. The ability to quickly verify the integrity of software updates may help reduce the number of computers affected by false update attacks.