Penetration Testing
Hacking AutoUpdate by Injecting Fake Updates Apr 03 2012 02:02PM
Adam Behnke (adam infosecinstitute com)
We all know that hackers are constantly trying to steal private information
by getting into the victim's system, either by exploiting the software
installed in the system or by some other means. By performing routine
updates for their software, consumers can protect themselves, patching known
vulnerabilities and therefore greatly reducing the chance of getting hacked.

Commonly used software, such as MS Office, Adobe Flash and PDF readers (as
well as the browsers themselves), is the major target for exploits if left
unpatched. In the past, fake patches for Firefox, IE, etc. displayed
messages informing users that updated versions for a plugin or the browser
were available, prompting the user to update their software. For example,
the page will tell the user that updating their Flash version is critical.
Once the user clicks the fake update, it will download malicious content
(like, for example, the Zeus Trojan) to the victim's computer, as well as
perhaps a rogue anti-virus, asking the user to pay in order to remove the
infections. Similar attacks have been done in the past for various browsers,

When you think about it, how many people are really cautious about the
updates, the type of update or the link from where they are downloading and
installing the update? Obviously, there are very few people that are really
cautious and vigilant about updates, therefore making the success rates for
those exploiting the users high.

Read more about how to perform a few different AutoUpdate man-in-the-middle
attacks that work against Java, AppleUpdate, Google Analytics, Skype,
Blackberry and more:

