Category Archives: Security Vulnerabilities

Posts that discuss security vulnerabilities (for both software and hardware) and how best to respond to them.

Microsoft re-issues warning to patch BlueKeep Vulnerability

=======================
Update: 30th June 2019
=======================
A Microsoft employee (Raviv Tamir, Group Program Manager, Microsoft Threat Protection) has provided an update on the global status of patching the BlueKeep vulnerability. The most recent update is from 20th June; at 83.4% coverage an increase from 72.4% on 5th June and 57% on May 30th.

Keep up the great work. Thank you.

=======================
Update: 21st June 2019
=======================
The current situation with the BlueKeep vulnerability continues to increase in scope with Windows 2000 and it’s server variants (Windows 2000 Server, Advanced Server and Datacentre Server) now confirmed as vulnerable after the Department of Homeland Security (DHS) created a working BlueKeep exploit. Given that Windows Server 2003 and XP share much of their codebase with Windows 2000; this announcement isn’t entirely surprising. Microsoft separately confirmed there are no plans to issue updates for Windows 2000.

For any business or consumer still using Windows 2000; they have much more than just this vulnerability to be concerned about given that there have been no security updates since July 2010. The advice is as always to upgrade to supported version of Windows:

Thank you.

=======================
A BlueKeep short story:
=======================
Separately; last weekend I had the opportunity to “practice what I preach” when a friend came to me with a Windows XP laptop dating back to 2008. Surprisingly it was in almost new condition and was remarkably fast to use given it’s age. It had an Intel Core Solo CPU and 2 GB of RAM.

He no longer uses it online preferring an iPad Pro instead but needs to keep it online within his home network to administer his security single CCTV camera using an application (strangely the camera isn’t administered via a web browser). He had heard about BlueKeep and wondered could I patch it for him?

The laptop was connected via Ethernet to his router. I had asked him to send me a photo of the installed programs on the computer to see what I was going to deal with. I found the system had Windows XP SP3 (but no further updates), Office 2007, Adobe Reader 10 and VLC 1.1.5.

The Windows firewall was enabled and set to default settings. I verified using Nmap that port 3389 and other commonly exploitable ports like 445 (SMB) and Telnet (23); weren’t open.

Installed almost 150 updates for Windows XP using Microsoft Update (http://update.microsoft.com) , installed SP3 for Office 2007 and a further 37 updates for it after SP3.

Next, I installed Adobe Reader 11.0.10 and VLC 3.0.7.1. I also installed the 13 updates from Microsoft for Windows XP in 2017 (resolving DoublePulsar and EternalBlue; among others) and finally the BlueKeep security update. In less than 2 hours of me just reviewing the results of update checks and some very quick update installs his system was patched and continued to work perfectly.

From past experience of manually removing malware from really old systems this laptop was far better than expected. All of the updates installed quickly and with no errors. I estimate more than 1000 CVEs were resolved by the updates I installed.

He easily committed to continue not using it for website or email access since his iPad Pro fulfills that role and is faster. He was impressed that the laptop continues to work perfectly despite the vast number of updates it received.

Finally; yes I realize I should suggest upgrading from Windows XP but he doesn’t use the system for online use; just inside his network. His router is adequately protecting his network with it’s settings and most recent firmware updates installed. Given this use case and surrounding infrastructure; I see the risk as minimal. Plus he also told the system doesn’t have important data on it; he just wanted it patched in order to keep using it uninterrupted.

A really good outcome; case closed 😊

=======================
Update: 12th June 2019
=======================
TL DR:
Install the RDP patch if you have not already done so. Use the paid-for micropatch if you can’t take a system offline to reboot it. If you can’t do either of these follow Microsoft’s or the NSA’s advice to mitigate the vulnerability.
=======================

Microsoft on the 31st of May re-iterated it’s warning to patch vulnerable systems as soon as possible.

Meanwhile; multiple proof of concepts of who to exploit the vulnerability have been developed by security researchers:

This story continues with another security researcher creating a proof of concept Metasploit exploit for this vulnerability. The exploit works on Windows XP, Windows 7, Server 2008 and Server 2008 R2. Windows Server 2003 has the RDP vulnerability but the vulnerability couldn’t be exploited.

The NSA have since issued an advisory in addition to the two notifications from Microsoft linked to above.

For systems which cannot spare the down-time needed to reboot after installing the Microsoft patch, a micropatch from 0Patch is available for their Pro version subscribers:

As a proof of concept of how long it may take to patch a system; I used a VMware snapshot taken from a test Windows XP SP3 system I used back in 2012. The installation had no updates apart from SP3. After 40 minutes; all missing patches (2008 – 2014), the updates from 2017 (resolving EternalBlue; amongst others) and this year’s RDP update were installed. Patching the RDP vulnerability took less than a minute (including the restart and start-up of the system).

I repeated the above using the Automatic Updates feature of Windows XP. I was able to full patch the system in 30 minutes.

Systems which are better maintained than this would easily take less time (even if patched manually like I did); especially if tools such as WSUS or SCCM are used where vast number of systems can be patched very quickly.

Thank you.

=======================
Original Post: 4th June
=======================
Earlier this month Microsoft issued an update to resolve a critical vulnerability in Remote Desktop Services making use of the RDP protocol, port 3389.

TL DR: If you use Windows 7, Windows Server 2008 R2, Windows Server 2008, Windows Server 2003 or Windows XP, if you have not done so already, please install this update.

Why should this vulnerability be considered important?
As Microsoft reminded us when issuing the patch; this vulnerability requires no authentication or user interaction. It has the potential to spread just like the WannaCry and NotPetya infections did in 2017. Windows 8.1 and Windows 10 (and their Server equivalents) are NOT vulnerable.

Robert Graham from Errata Security on the 28th of May issued a report of the scan results from a widespread scan of the internet. He found approximately 950,000 vulnerable systems.

How can I protect my organisation or myself from this vulnerability?
The easiest method is to install the update available from Microsoft.

For Windows Server 2003 or Windows XP and Windows Vista; the update must be manually downloaded and installed from this link below since this update was not made available by the previous automatic mechanisms these versions of Windows had namely, Microsoft Update, Automatic Updates and Windows Update.

If you cannot install this security update; you can protect from this vulnerability by following the Workarounds listed in this link. Further explanation from Microsoft is also available from this link.

Microsoft on the 30th and 31st of May re-iterated it’s warning to patch vulnerable systems as soon as possible. Meanwhile; at least proof of concepts of who to exploit the vulnerability have been developed by at least 3 security researchers.

Thank you.

NoScript Extension Made Available for Google Chrome

In early April the very well-known Firefox extension NoScript became available for Google Chrome. This extension should still be considered beta as detailed in this ZDNet article but it’s fast approaching a stable status expected later this month.

This extension helps to reduce the attack surface of your web browser by only executing (allowing to run) JavaScript (defined) for the websites that you have allowed. This reduces the possibility of exploitation of vulnerabilities and reduces/eliminated online adverts. Unfortunately, due to limitations within Chrome; the anti-XSS (cross site scripting)(defined) filter of NoScript cannot be implemented at this time). Further background on NoScript is available from here.

Thank you.

May 2019 Update Summary

====================
Note to my readers:

Due to professional commitments over the last several weeks and for the next 2 weeks; updates and new content to this blog have been and will be delayed. I’ll endeavour to return to a routine manner of posting as soon as possible.

Thank you.
====================

Earlier today Microsoft and Adobe released their monthly security updates. Microsoft resolved 79 vulnerabilities (more formally known as CVEs (defined) with Adobe addressing 87 vulnerabilities.

Adobe Acrobat and Reader: 84x priority 2 vulnerabilities (48x Critical and 36x Important severity)

Adobe Flash: 1x priority 2 vulnerability (1x Critical severity)

Adobe Media Encoder: 2x priority 3 vulnerabilities (1x Critical severity and 1x Important severity)

If you use Acrobat/Reader or Flash, please apply the necessary updates as soon as possible. Please install their remaining priority 3 update when time allows.

====================
For Microsoft; this month’s list of Known Issues is available within their monthly summary page and applies to all currently supported operating systems. All issues however do have at least 1 workaround:

4493730   Windows Server 2008 Service Pack 2 (Servicing Stack Update)

4494440   Windows 10, version 1607, Windows Server 2016

4494441   Windows 10, version 1809, Windows Server 2019

4497936   Windows 10, version 1903

4498206   Internet Explorer Cumulative Update

4499151   Windows 8.1, Windows Server 2012 R2 (Monthly Rollup)

4499154   Windows 10

4499158   Windows Server 2012 (Security-only update)

4499164   Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1

4499165   Windows 8.1 Windows Server 2012 R2 (Security-only update)

4499167   Windows 10, version 1803

4499171   Windows Server 2012 (Monthly Rollup)

4499179   Windows 10, version 1709

4499180   Windows Server 2008 Service Pack 2 (Security-only update)

4499181  Windows 10, version 1703

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Windows RDP: CVE-2019-0708 (also includes an update for Windows Server 2003 and Windows XP)

Scripting Engine: CVE-2019-0924 ,  CVE-2019-0927 , CVE-2019-0922 , CVE-2019-0884 , CVE-2019-0925 , CVE-2019-0937 , CVE-2019-0918 , CVE-2019-0913 , CVE-2019-0912 , CVE-2019-0911 , CVE-2019-0914 , CVE-2019-0915 , CVE-2019-0916 , CVE-2019-0917

Windows DHCP Server: CVE-2019-0725

Microsoft Word: CVE-2019-0953

Microsoft Graphics Component: CVE-2019-0903

Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)

Windows Error Reporting: CVE-2019-0863

Microsoft Advisory for Adobe Flash Player

Microsoft Windows Servicing Stack Updates

For the Intel Microarchitectural Data Sampling (MDS) vulnerabilities, please follow the advice of Intel and Microsoft within their advisories. A more thorough list of affected vendors is available from here.

====================
Please install the remaining updates at your earliest convenience.

As per standard best practice; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.

Thank you.

=======================
Nvidia Graphics Drivers:
=======================
3 security vulnerabilities with the most severe having a CVSS V3 (defined) base score of 7.7 have been resolved within Nvidia’s graphics card drivers (defined) in May. These vulnerabilities affect Windows only. All 3 are local vulnerabilities rather than remote meaning that an attacker would first need to compromise your system before exploiting the Nvidia vulnerabilities to elevate their privileges. The steps to install the drivers are located here. If you use affected Nvidia graphics card, please consider updating your drivers to the most recent available.

=======================
VMware
=======================
VMWare has released the following security advisories:

Workstation Pro:

Security Advisory 1: Addresses 1x DLL hijacking vulnerability (defined)

Security Advisory 2: Addresses 4x vulnerabilities present in Workstation Pro and the products listed below. Please make certain to install Intel microcode updates as they become available for your systems as they become available in addition to these VMware updates:

VMware vCenter Server (VC)
VMware vSphere ESXi (ESXi)
VMware Fusion Pro / Fusion (Fusion)
vCloud Usage Meter (UM)
Identity Manager (vIDM)
vCenter Server (vCSA)
vSphere Data Protection (VDP)
vSphere Integrated Containers (VIC)
vRealize Automation (vRA)

If you use the above VMware products, please review the security advisories and apply the necessary updates.

Thank you.

No Fix Planned for Linksys Router Information Disclosure

Earlier this week a security researcher disclosed a vulnerability within Linksys routers that was thought to have been patched back in 2014.

TL DR: No fix for this vulnerability exists. It is made worse if your router is using the default password. With no fix from Linksys expected you may consider using OpenWrt firmware.

Why should this vulnerability be considered important?
This vulnerability is trivial to exploit and can be carried out remotely by an un-skilled attacker. A list of affected Linksys routers is available in Mursch’s report At the time of writing, Linksys have deemed the vulnerability “Not applicable / Won’t fix” following responsible disclosure by Mursch. This information disclosure vulnerability leaks (among other details):

  • MAC address (defined) of every device that’s ever connected to it (full historical record, not just active devices)
  • Device name (such as “TROY-PC” or “Mat’s MacBook Pro”)
  • Operating system (such as “Windows 7” or “Android”)
  • WAN settings
  • Firewall status
  • Firmware update settings
  • DDNS settings

A further example of the information disclosed is present in Mursch’s report. One of the more important elements disclosed is the MAC address. This unique “fingerprint” allows the tracking of a device as it moves across networks and allowing it’s geolocation using a service such as Wigle (we have mentioned Wigle before on this blog). Using this location data, an attacker could plan and conduct targeted attacks against your business/home.

As mentioned above; this vulnerability is made more severe if your Linksys router is using a default password; the following actions can be taken by an attacker (list courtesy of Mr. Troy Mursch):

  • Obtain the SSID and Wi-Fi password in plaintext
  • Change the DNS settings to use a rogue DNS server to hijack web traffic
  • Open ports in the router’s firewall to directly target devices behind the routers (example: 3389/TCP for Windows RDP)
  • Use UPnP to redirect outgoing traffic to the threat actors’ device
  • Create an OpenVPN account (supported models) to route malicious traffic through the router
  • Disable the router’s internet connection or modify other settings in a destructive manner

How can I protect my organisation/myself from this vulnerability?
If your router is one of the vulnerable models listed in Mursch’s report; please make certain the option for automatic firmware updates is enabled (if it is present). Should Linksys correct this vulnerability in the future, you will receive the fix automatically.

Please make certain your Linksys router is not using the default password it is supplied with. With no fix from Linksys expected you may consider using OpenWrt firmware.

Thank you.

April 2019 Update Summary

Yesterday Microsoft and Adobe made available their scheduled security updates. Microsoft addressed 74 vulnerabilities (more formally known as CVEs (defined)) with Adobe resolving 42 vulnerabilities.

Adobe Acrobat and Reader: 21x priority 2 vulnerabilities (11x Critical and 10x Important severity)

Adobe Flash: 2x priority 2 vulnerabilities (1x Critical and 1x Important severity)

Adobe Shockwave Player: 7x priority 2 vulnerabilities (7x Critical severity)

Adobe Dreamweaver: 1x priority 3 vulnerability (Moderate severity)

Adobe XD: 2x priority 3 vulnerabilities (2x Critical severity)

Adobe InDesign: 1x priority 3 vulnerability (Critical severity)

Adobe Experience Manager Forms: 1x priority 2 vulnerability (Important severity)

Adobe Bridge CC: 8x priority CVEs (2x Critical, 6x Important)

If you use Acrobat/Reader, Flash or Shockwave, please apply the necessary updates as soon as possible. Please install their remaining priority 2 and 3 updates when you can.

Please note; as per Adobe’s notice Shockwave Player has now reached it’s end of life. No further updates will be made available.

====================
For Microsoft; this month’s list of Known Issues is available within their monthly summary page and applies to all currently supported operating systems. All issues however do have at least 1 workaround:

4487563                Microsoft Exchange Server 2019, 2016, and 2013

4491413                Update Rollup 27 for Exchange Server 2010 Service Pack 3

4493441                Windows 10 version 1709, Windows Server Version 1709

4493446                Windows 8.1, Windows Server 2012 R2 (Monthly Rollup)

4493448                Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1 (Security-only update)

4493450                Windows Server 2012 (Security-only Rollup)

4493451                Windows Server 2012 (Monthly Rollup)

4493458                Windows Server 2008 Service Pack 2 (Security-only update)

4493464                Windows 10 version 1803, Windows Server Version 1803

4493467                Windows 8.1, Windows Server 2012 R2 (Security-only update)

4493470                Windows 10 version 1607, Windows Server 2016

4493471                Windows Server 2008 Service Pack 2 (Monthly Rollup)

4493472                Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1 (Monthly Rollup)

4493474                Windows 10 version 1703

4493509                Windows 10 version 1809, Windows Server 2019

4493730                Windows Server 2008 SP2

4493435                Internet Explorer Cumulative Update

You can monitor the availability of security updates for most your software from the following websites (among others) or use one of the utilities presented on this page:

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Win32k: CVE-2019-0803CVE-2019-0859 (both are being actively exploited in the wild)

Scripting Engine: CVE-2019-0861 ,  CVE-2019-0806 , CVE-2019-0739 , CVE-2019-0812 , CVE-2019-0829

Microsoft Graphics Component (GDI+): CVE-2019-0853

Microsoft Windows IOleCvt Interface: CVE-2019-0845

Microsoft Windows SMB Server: CVE-2019-0786

Microsoft (MS) XML: CVE-2019-0790 , CVE-2019-0791 , CVE-2019-0792 , CVE-2019-0793 , CVE-2019-0795

Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)

====================
Please install the remaining updates at your earliest convenience.

As per standard best practice; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.

Thank you.

=======================
Notepad++:
======================
As noted in the March Update Summary post (due to a critical regression for the version that was released in March) Notepad++ 7.6.6 was released to resolve a critical regression in 7.6.5 which caused Notepad++ to crash. Version 7.6.5 resolved a further 6 security vulnerabilities.

If you use Notepad++, please update to the newest version to benefit from these reliability and security fixes.

Thank you.

=======================
Wireshark 3.0.1 and 2.6.8
=======================
v3.0.1: 10 security advisories

v2.6.8: 6 security advisories

As per standard process Linux distributions can obtain this update using the operating systems standard package manager (if the latest version is not installed automatically using the package manager you can instead compile the source code (v3.0.1 or v2.6.8). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.

Intel VISA Vulnerabilities Explained

In late March; security researchers published new research concerning a previously undocumented debugging feature of Intel motherboards and CPUs known as VISA (Visualization of Internal Signals Architecture).

TL DR: If your system is affected (please see the advisory); please ensure that you have applied the fixes from Intel’s advisory. Please only allow trusted individuals to physical access your systems e.g. servers and workstations: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00086.html

What is this technology?
VISA (Visualization of Internal Signals Architecture) is a logic signal analyser within the Platform Controller Hub (PCH) of motherboards since the release of the 5-Series Chipsets (November 2008 onwards). This can be used for debugging purposes during manufacturing and is disabled by default.

This feature allows for the real-time monitoring of internal data and address lines as well as other buses within the motherboard.

What is the risk of having this technology within my motherboard?
While the researchers demonstrated 3 methods of exploiting these vulnerabilities:

  • Previous known high severity buffers overflows and privilege escalation flaws within the Intel Management Engine (ME) patched by Intel in 2017
  • Use of the Intel JTAG password
  • Fault injection technique into Intel Management Engine firmware read-only memory (ROM)

If you have already patched the first means of using the VISA technology an attacker would require physical access to your system in order to exploit the remaining 2 methods. Thus the residual risk would be low.

As per Microsoft’s Immutable Laws of Security (the official link seems to have been removed); if an attacker has physical access to a computer system; it can’t be considered your system anymore since the avenues of attack now open to them are large and little can be done to avoid this.

How can I can protect my organisation or system from mis-use of this debugging feature?
Check your systems using the downloadable tool from Intel to check if your system is vulnerable to the known issues from 2017.

If so, please contact the manufacturer of your system or motherboard to obtain the most appropriate firmware updates for your system. You can provide them a link to Intel’s security advisory for further details.

Please only allow authorised and trusted individuals physical access to your systems. Be security aware by knowing that attackers can socially engineer you into providing physical access to a system by impersonating your internal IT support or Security staff. Please check that such individuals work for or on behalf of your company before allowing them access.

Personally; my Asus ROG Rampage VI Apex system has received 3 Intel ME firmware updates to address security vulnerabilities first identified in 2017. Intel’s tool linked to above shows my system as not vulnerable to the issues listed within it’s advisory.

Thank you.

Responding to the Asus Live Update Supply Chain Compromise

Earlier last week the security vendor Kaspersky detailed their initial findings from the compromised supply chain of the Taiwanese hardware vendor Asus.

TL DR: If you own or use any Asus laptop or desktop system, please check if your device is affected using the downloadable tool from Kaspersky (which checks the MAC address (defined) of your network card). If you know how to obtain the MAC address of your network card manually you can use the online tool. This is the link for both tools: https://securelist.com/operation-shadowhammer/89992/

If you are affected, contact Kaspersky, contact Asus or use the anti-malware tools to try attempt removal of the backdoor (defined) yourself.

When did this attack take place and what was affected?
This incident took place from June to November 2018 and was initially thought to have affected approximately 60,000 users. This number was later revised to possibly affecting just over a million users. While primarily users in Asia and Russia were targeted; a graph of victim’s distribution by country shows users within South America, Europe and the US. It was later disclosed that mainly Asus laptops were affected by this incident.

What Asus infrastructure was affected?
An older version of the Asus Live Update utility was compromised by unknown attackers so that it would inject a backdoor within the Asus Live Update utility when it was running. The compromised Asus Live Update utility was signed with an older but still legitimate Asus digital signature. The compromised Asus utility was available for download from two official Asus servers.

What were the attacker’s intentions?
Unfortunately, even after extensive analysis it is unknown why the attackers targeted their chosen victim systems or what their eventual goal was. The backdoor would have likely allowed the attackers to steal files of their choice, remote control the system (if the second stage had been installed) and deploy compromised updates to systems which in the case of a UEFI update may have rendered the system unbootable.

It appears the goal of the attackers was to target approximately 600 systems of interest to them with the initial intention to carry the above-mentioned actions. We know it is approximately 600 systems since upon installation the malware would check if the system had a MAC address of interest; if yes it would install the stage 2 download (which unfortunately Kaspersky was unable to obtain a sample of). The server which hosted the stage 2 download was taken offline in November 2018 before Kaspersky became aware of this attack.

If the system was not of interest, the backdoor would simply stay dormant on the system. It’s unclear how the attackers may choose to leverage this in the future (assuming it remains intact on a system which installed the compromised utility).

Do we know who is responsible?
It is not possible to determine with absolute certainty who these attackers were but it is believed it is the same perpetrators as that of the ShadowPad incident of 2017. Microsoft identifies this advanced persistent threat (APT) (defined) group with the designation of BARIUM (who previously made use of the Winnti backdoor).

How have Asus responded to this threat?
Initially when Kaspersky contacted Asus on the 31st of January 2019 Asus denied their servers were compromised. Separately a Kaspersky employee met with Asus in person on the 14th of February 2019. However, Asus remained largely until earlier this week.

On the 26th of March Asus published a notice which contains an FAQ. They issued an updated version (3.6.8) of the Asus Live Update utility. Additionally, they have “introduced multiple security verification mechanisms to prevent any malicious manipulation in the form of software updates or other means, and implemented an enhanced end-to-end encryption mechanism. At the same time, we have also updated and strengthened our server-to-end-user software architecture to prevent similar attacks from happening in the future”.

They have also made available a utility to check if your system was affected. It is downloadable from the above linked to notice.

How can I remove the backdoor from my system if I installed the compromised Asus utility?
While Asus in their announcement recommends a full backup and full reset of your system; for some that may not be a preferred choice. If you use Kaspersky security suite it will very likely easily remove it since they were the first to detect it.

Please which ever approach is more convenient for you.

If you want to leave your system as it is:
I would first recommend a scan of your system with your current anti-malware product. I would then recommend using free anti-malware scanners such as RogueKiller, AdwCleaner and PowerEraser since they use cloud based forensic analysis and compare known safe files on your system with VirusTotal to check if any file has been tampered with or is new/suspicious. It is very unlikely the backdoor could hide from all of these utilities. Yes, this is overkill but will ensure a thorough check.

A link to full original story of this malware is available here.

You use an Asus system; how were you affected?
Since my high-end Core i9 7980 Extreme desktop uses an Asus desktop motherboard (ROG Rampage VI Apex); I ran the Asus utility to check my system; It displayed the message “Only for Asus systems” before closing. I’ll make an educated guess and assume that since the threat mainly affects laptops running this tool on a desktop system resulted in this message.

The offline and online tools from Kaspersky showed no issues with my system. I wasn’t surprised since I don’t use the Asus Live Update utility. Their drivers are available manually from their website and that’s how I stay updated.

I upload every downloaded file for my system to VirusTotal, verify the checksums and digital signatures, use two reputation based scanners on new downloads and have application whitelisting enabled. In summary; my system will be more difficult to compromise.

Thank you.