SMBs beware! This is how automated software updates spread malware

Why you should never trust automatic updates

"This certificate is OK."

You're surfing the web, and suddenly a pop-up appears asking you to update a piece of software on your computer.

Today, we should all be canny enough to hesitate before clicking 'install'. We know that there is a good chance that this is malware and that what we will be downloading could put the future of our business at risk.

However, what happens when we're not given a choice? Can we always trust the seemingly routine automatic updates our computers receive, even when their certificate seems to be OK?

The answer is no.

There is now plenty of evidence that criminal gangs have found vulnerabilities in the software that runs our computers and used them to take control of these automatic updates, whether to hold our computers to ransom or to record every single Skype conversation.

The hackers' Holy Grail

In June, a kind of ransomware called Not Petya - a Petya-based malware - quickly spread around the world from a 'patient zero' in Ukraine, infecting thousands of computers. At its peak, some analysts were seeing 5,000 networks hit every ten minutes by the ransomware.

The computers we heard about belonged to huge multinational corporations such as Maersk, Rosneft and Merck. The computers we didn't hear about belonged to the networks of small-to-medium businesses that were likely caught up in the chaos as well.

One of the reasons why Not Petya spread so quickly was that it exploited the way patches were delivered to businesses' computers (which can be confusing to a time-poor SMB with even a small network of computers).

When their computers contacted the servers of a piece of accounting software called Medoc for an update, what they received instead were instructions to download Not Petya. Medoc is a trusted piece of software used by companies to pay taxes in Ukraine. These were updates that Ukrainian businesses would never have thought to question, because they came from a very trusted source.

All it took was one computer in a network to be infected, and Not Petya then used Windows networking software, usually reserved for remote administration, to infect other computers on the same network without any alarms going off.

Going global

US and European companies that did business in the Ukraine soon found their computers infected as well.

"Worms - malicious computer programs that spread from computer to computer throughout the network - are perhaps the most devastating delivery mechanism for an electronic attack," says Nicholas Weaver, a senior staff researcher focusing on computer security at the International Computer Science Institute in Berkeley, California. "Able to spread throughout an entire institution (or even across the entire planet) in a matter of minutes, they represent the most effective way for a bad actor to deliver a malicious payload to as many computers as possible. A worm can do its damage faster than humans can react."

The concern for SMBs

What should be worrying for small businesses is that this isn't the first time that hackers have been able to hit the sweet spot of cyber-crime and compromise the auto-update systems that we trust. What's perhaps even more worrying is that cyber criminals have managed to obtain tools and hacks, often illegally, from states in the past, and used them to great effect.

In 2012 one of the most sophisticated pieces of malware ever discovered turned up in Iran. The Flame malware completely compromised the Windows update process to allow malware to pass from computer to computer in Iran, an operation that many have attributed to the US government.

Rather than ransomware, Flame was a targeted cyber-espionage program reported as having infected 1,000 machines, with victims that ranged from governments and businesses to private individuals. The vast majority of targets were in Iran, with 65% of infections occurring there and in Israel, Saudi Arabia and the rest of the Middle East. Flame was also reported in Europe and North America.

For SMBs, malware like Flame can be devastating, especially if they are trading beyond borders. Flame can record everything that you have been talking about in your office, including Skype calls, screenshots of your work, keyboard activity (to collect logins) and all your network traffic. It can also turn your computers into Bluetooth beacons that try to download contact information from anyone nearby with a Bluetooth-enabled device.

In and out without a trace

Flame even has a 'kill switch', which wipes all traces of the malware from your computer, so you wouldn't know that you had been spied on in the first place.

In 2013 an attack on banks and TV stations in South Korea was also blamed on compromised auto-updating systems.

The methodology of these hacks is, it turns out, remarkably simple for such sophisticated software: the human element.

The way the hackers start the spread of their malicious software can be something as simple as a USB stick deliberately left outside an office. A conscientious employee picks it up, thinking a colleague has dropped it by mistake, and inserts it into their computer to try to identify its contents and thus the owner. But it's a trap; it contains malware.

This malware uses a certificate that fools computers, and unwary humans, into allowing an auto-update of legitimate software, which is then hijacked.

Once a single computer in a local network is infected, the malware can quickly spread across them all before anyone has time to react.

"While this kind of malware is perhaps more often associated with state-sponsored hacking," says Greg Mosher, VP of Product and Engineering, AVG Business by Avast, "hackers of the more criminal kind will be using it for their own purposes too."

For SMB leaders who are often without specialist IT support, the headlines that swirl around this sort of attack can be particularly worrying because it could involve getting to grips with the nuts and bolts of their computer systems in a way they haven't had the time - or inclination - to do in the past.

That said, there is a lot that business leaders can do on their own to reduce the chances of being hacked or held to ransom:

  1. Discourage the use of plug-and-play devices like USB drives unless strictly necessary.
  2. Always install patches and updates promptly, but verify them.
  3. Do not reuse passwords and make sure they are strong!
  4. Keep an eye on the headlines and listen out for the software that is being targeted. If you use the same software you may be at risk and need to take action.
  5. Back up your data on a daily basis. If you are held to ransom, you may be able to avoid paying and continue trading.
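Point 2 above says to verify updates rather than trust them because "the certificate seems OK". The following is an added example, not code from the article or from any vendor mentioned in it, of what that verification looks like in practice for an update client: the vendor's public key is pinned when the software is installed, every update ships with a signed manifest carrying the package's SHA-256 digest, and the client refuses the package unless both the signature and the digest check out. The manifest format, the `BuildSignedUpdate`/`VerifyUpdate` names and the three scenario cases are all constructed for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is the (assumed) metadata an update server publishes beside a
// package: the version string and the SHA-256 digest of the payload bytes.
type Manifest struct {
	Version string
	SHA256  string
}

// encode serialises the manifest deterministically so that exactly the same
// bytes are signed by the vendor and checked by the client.
func (m Manifest) encode() []byte {
	return []byte("version=" + m.Version + "\nsha256=" + m.SHA256 + "\n")
}

var (
	ErrBadSignature   = errors.New("manifest signature does not verify against the pinned vendor key")
	ErrDigestMismatch = errors.New("payload digest does not match the signed manifest")
)

// BuildSignedUpdate models the vendor side: hash the payload, write the
// manifest, sign it with the vendor's private key. Constructed for this example.
func BuildSignedUpdate(priv ed25519.PrivateKey, version string, payload []byte) (Manifest, []byte) {
	sum := sha256.Sum256(payload)
	m := Manifest{Version: version, SHA256: hex.EncodeToString(sum[:])}
	return m, ed25519.Sign(priv, m.encode())
}

// VerifyUpdate is the client side. It accepts the update only if (1) the
// manifest signature verifies under the vendor key pinned at install time and
// (2) the payload actually hashes to the digest in that signed manifest. The
// update server's TLS certificate is not what is trusted here; the key is.
func VerifyUpdate(pinned ed25519.PublicKey, m Manifest, sig, payload []byte) error {
	if !ed25519.Verify(pinned, m.encode(), sig) {
		return ErrBadSignature
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return ErrDigestMismatch
	}
	return nil
}

// Scenario runs three constructed cases and returns their outcomes: a genuine
// update, a payload swapped on a compromised update server, and a manifest
// re-signed by someone who controls that server but not the vendor's key.
func Scenario() (genuine, swappedPayload, forgedManifest error) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)

	payload := []byte("constructed update package v1.2.3")
	manifest, sig := BuildSignedUpdate(vendorPriv, "1.2.3", payload)

	// Case 1: everything exactly as the vendor published it.
	genuine = VerifyUpdate(vendorPub, manifest, sig, payload)

	// Case 2: the server hands out a different payload under the real manifest.
	bogus := []byte("constructed bogus package")
	swappedPayload = VerifyUpdate(vendorPub, manifest, sig, bogus)

	// Case 3: the server publishes a fresh manifest for the bogus payload,
	// signed with a key the vendor never issued.
	bogusManifest, bogusSig := BuildSignedUpdate(otherPriv, "1.2.4", bogus)
	forgedManifest = VerifyUpdate(vendorPub, bogusManifest, bogusSig, bogus)
	return
}

func main() {
	g, s, f := Scenario()
	fmt.Println("genuine update:", g)
	fmt.Println("swapped payload:", s)
	fmt.Println("forged manifest:", f)
}
```

The point of the two separate checks is that they fail independently: a compromised server can change what is downloaded (case 2) or publish its own manifest (case 3), but without the vendor's private key it cannot make both checks pass, which is exactly the property a server certificate alone does not give you.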

Mark Piesing is a freelance journalist based in Oxford, UK, writing about technology, culture and the intersection between the two. He has written for some of the biggest brands in the global media, such as The Economist, Wired (UK), The Independent/i news and BBC Future. He has also written regularly for Warwick Business School's Core magazine on technology; and, a few years ago, was head-hunted to cover a similar beat for the New York-based, Frankfurt Book Fair-owned Publishing Perspectives.