Evilgrade Attacks Automatic Updates

Last week I wrote about the DNS cache poisoning vulnerability that affects nearly all vendors' DNS implementations. If you haven't patched your servers yet, now would be a good time to do so. On Monday a security research group in Argentina called Infobyte released a toolkit that uses DNS cache poisoning to fool automatic update utilities into connecting to fake servers that install malicious code instead of the real update. The aptly named Evilgrade tool contains modules that impersonate the update servers of popular applications such as iTunes, Java, MacOS, WinZip and many others. Oh, and if that isn't enough, it can also ride on other traffic-redirection vectors such as ARP and DHCP spoofing.

Evilgrade itself does not poison anything; it is the fake update server. The attacker first has to steer the victim's update traffic to it, and with the DNS cache poisoning vector that means injecting a bogus record for the vendor's update hostname into the cache of a vulnerable name server, so that the victim's machine resolves that name to a server of the attacker's choosing. Next, when an application like iTunes checks for an update, automatically or manually, it connects to the attacker's server instead of Apple's and is handed malicious software in place of the vendor's update. Nice. The machine not only misses the update it expected, it gets compromised to boot.
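To make the mechanism concrete, here is an added example (mine, not code from the post or from Evilgrade) in Go. The hostname, key seed and payload strings are all constructed for the demonstration. A map stands in for the DNS cache: "poisoning" it is just pointing the vendor's hostname at an attacker-controlled server that mimics the update format. A client that trusts whatever the resolved host returns installs the attacker's payload; a client that pins the vendor's Ed25519 public key and verifies a detached signature over the update rejects it, because the redirect gives the attacker the hostname but not the vendor's signing key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdateHost is the name the updater is hard-wired to contact (made up for this demo).
const UpdateHost = "updates.example-vendor.test"

// Constructed stand-ins for a real installer and for the code a fake
// update server hands out in its place.
var (
	VendorPayload   = []byte("vendor installer v1.2")
	AttackerPayload = []byte("attacker implant disguised as v1.2")
)

// Update is what an update server returns. Signature is a detached Ed25519
// signature over the version and payload digest; a naive updater ignores it.
type Update struct {
	Version   string
	Payload   []byte
	Signature []byte
}

// Resolver stands in for the DNS cache: hostname -> the server that answers.
type Resolver map[string]func() Update

// VendorKeys derives a fixed key pair from a constant seed so the example is
// reproducible. Only the public key would ever ship inside a real client.
func VendorKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := sha256.Sum256([]byte("constructed demo seed, not a real key"))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv.Public().(ed25519.PublicKey), priv
}

// signedBytes binds the version string to the SHA-256 of the payload; this is
// what the vendor signs and what the client verifies.
func signedBytes(version string, payload []byte) []byte {
	sum := sha256.Sum256(payload)
	return append([]byte(version+"\n"), sum[:]...)
}

// HonestResolver: the name resolves to the vendor, which signs its update.
func HonestResolver() Resolver {
	_, priv := VendorKeys()
	return Resolver{UpdateHost: func() Update {
		return Update{Version: "1.2", Payload: VendorPayload,
			Signature: ed25519.Sign(priv, signedBytes("1.2", VendorPayload))}
	}}
}

// PoisonedResolver: the cache now points the vendor's name at the attacker,
// who can copy the update format but cannot produce a vendor signature.
func PoisonedResolver() Resolver {
	return Resolver{UpdateHost: func() Update {
		return Update{Version: "1.2", Payload: AttackerPayload}
	}}
}

func fetch(r Resolver, host string) (Update, error) {
	srv, ok := r[host]
	if !ok {
		return Update{}, fmt.Errorf("no address for %s", host)
	}
	return srv(), nil
}

// NaiveClient models the updaters Evilgrade targets: it installs whatever the
// resolved host serves, so a poisoned cache alone is enough.
func NaiveClient(r Resolver, host string) ([]byte, error) {
	u, err := fetch(r, host)
	if err != nil {
		return nil, err
	}
	return u.Payload, nil
}

// VerifyingClient pins the vendor's public key and refuses any update whose
// signature does not verify, no matter which server DNS pointed it at.
// ed25519.Verify returns false (it does not panic) on an empty signature.
func VerifyingClient(r Resolver, host string, vendorPub ed25519.PublicKey) ([]byte, error) {
	u, err := fetch(r, host)
	if err != nil {
		return nil, err
	}
	if !ed25519.Verify(vendorPub, signedBytes(u.Version, u.Payload), u.Signature) {
		return nil, errors.New("update rejected: signature does not verify against pinned vendor key")
	}
	return u.Payload, nil
}

func main() {
	pub, _ := VendorKeys()
	scenarios := []struct {
		name string
		r    Resolver
	}{{"honest DNS", HonestResolver()}, {"poisoned DNS", PoisonedResolver()}}
	for _, s := range scenarios {
		got, _ := NaiveClient(s.r, UpdateHost)
		fmt.Printf("%-13s naive client installs:     %q\n", s.name, got)
		got, err := VerifyingClient(s.r, UpdateHost, pub)
		fmt.Printf("%-13s verifying client installs: %q (err: %v)\n", s.name, got, err)
	}
}
```

Run it and the naive client installs the attacker payload under poisoned DNS while the verifying client installs nothing and reports the signature failure. The point generalises beyond DNS: ARP or DHCP spoofing changes how the traffic is redirected, not what the client does once it arrives, so only authentication of the update itself (a vendor signature, or at minimum HTTPS with proper certificate validation) closes the hole.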

Given that two-thirds of the vulnerable DNS servers on the Internet have yet to be patched, this tool gives the bad guys an easy way to infect computers. The updaters Evilgrade targets are the ones that accept whatever the server at the expected hostname hands back without verifying a signature on the update; an updater that checks a signature made with the vendor's key cannot be fooled by a redirect alone, but as users we rarely get to choose how a vendor built its updater. And since most of us rely on DNS servers managed by our ISP, there is little we can do to protect ourselves if their name servers are vulnerable. Let's all hope this lights a fire under the collective bottoms of DNS server administrators to get this problem resolved.
