Asus servers as virus disperser
"Let's just download the update from the Asus server" -- and all of a sudden a computer with a freshly installed copy of Windows was infected. Fortunately the subsequently installed virus scanner detected the malware as "PWStealer", a spyware program which sniffs out password information.
The drive-by download took place silently in the background without user intervention on a heisec test system with an unpatched version of Windows XP SP2 - probably via a vulnerability in Internet Explorer. Which vulnerability and whether fully patched systems are also at risk will not be clear until a precise analysis of this well concealed piece of malware has been carried out.
The detection rate of anti-virus applications is, as for most new malware, still pretty poor: fewer than half the virus scanners on VirusTotal flagged the culprit.
Asus now appears to be cleaning up its sites. Some have been disinfected already, others remain dangerous. How long the sites have been infected, how many customers are affected and how the malware was able to establish itself on the servers is not yet known. A posting on a Belgian forum from 12th December suggests, however, that the infection has been present for a few days.