Description:

New security vulnerabilities are being discovered at a staggering rate nowadays. In order to make sure that their software does not fall prey to a newly discovered vulnerability, most software vendors include an automatic update feature. This feature checks the vendor's servers periodically (generally on every run) for the latest updates and patches. If updates are available, it prompts the user to download and install them. This mechanism is primarily designed to beat hackers to the chase and make sure that the software is patched before they can exploit it. So what have hackers come up with to counter this? Well, they decided to hack the upgrade process itself! Say hello to our friend EvilGrade, created by Infobyte Security Research.

EvilGrade is a modular framework that allows us to take advantage of poor upgrade implementations by injecting fake updates. It works with modules; each module implements the structure needed to emulate a false update for a specific application or system. EvilGrade requires manipulation of the victim's DNS traffic and uses any of DNS cache poisoning, ARP spoofing, DHCP spoofing or internal DNS access to accomplish this. Once EvilGrade has inserted itself as the man-in-the-middle, it intercepts automatic update requests for the software it supports and injects the malicious payload as the "update". This payload can be configured to be whichever binary the hacker wants. Once the victim downloads this malicious "update" and runs it, the hacker has full control of the system. Game Over! :)

Currently, EvilGrade supports the interception of the following upgrade mechanisms:
- Java plugin
- Winzip
- Winamp
- MacOS
- OpenOffice
- iTunes
- Linkedin Toolbar
- DAP [Download Accelerator]
- notepad++
- speedbit

The interesting thing is that it is extensible and allows you to implement your own modules. Thus a hacker can reverse engineer the entire update process of a piece of software and create a module to intercept it and inject his custom update. The weakness every one of these modules relies on is the same: the client trusts whatever the update host returns, without checking that the update was actually produced by the vendor.
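The following is an added example, not code from the page or from the EvilGrade project, showing the defender's side of the mechanism described above: an update client that installs whatever the (spoofed) update host returns, beside one that pins the vendor's public key, verifies the signature on the update manifest and checks the binary's SHA-256 digest against that manifest. The manifest format, the function names and the "constructed" update bytes are assumptions made for the example; the man-in-the-middle is modelled as a function that swaps the binary, with and without re-signing the manifest under the attacker's own key.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is what the update server publishes alongside the binary.
// Hypothetical format for this example: "version\nsha256hex", so it can be
// signed and compared without any external dependency.
type Manifest struct {
	Version string
	SHA256  string // hex SHA-256 digest of the update binary
}

func (m Manifest) Bytes() []byte {
	return []byte(m.Version + "\n" + m.SHA256)
}

// Release is what a client receives after "resolving" the update host:
// the manifest, its detached signature, and the binary itself.
type Release struct {
	Manifest  Manifest
	Signature []byte
	Binary    []byte
}

// publish signs the manifest with the vendor's Ed25519 key. Only the vendor
// holds this key; the matching public key ships inside the installed program.
func publish(priv ed25519.PrivateKey, version string, binary []byte) Release {
	sum := sha256.Sum256(binary)
	m := Manifest{Version: version, SHA256: hex.EncodeToString(sum[:])}
	return Release{Manifest: m, Signature: ed25519.Sign(priv, m.Bytes()), Binary: binary}
}

// insecureClient models the "poor upgrade implementation" EvilGrade targets:
// whatever arrives from the host the DNS answer pointed at gets installed.
func insecureClient(r Release) ([]byte, error) {
	return r.Binary, nil
}

// hardenedClient checks the manifest signature against the pinned vendor key,
// then checks the binary's digest against the signed manifest, before
// anything is written to disk or executed. A spoofed DNS answer or a
// man-in-the-middle can change what is delivered, but not produce a valid
// signature without the vendor's private key.
func hardenedClient(pinned ed25519.PublicKey, r Release) ([]byte, error) {
	if !ed25519.Verify(pinned, r.Manifest.Bytes(), r.Signature) {
		return nil, errors.New("manifest signature invalid: refusing update")
	}
	sum := sha256.Sum256(r.Binary)
	if hex.EncodeToString(sum[:]) != r.Manifest.SHA256 {
		return nil, errors.New("binary digest does not match signed manifest")
	}
	return r.Binary, nil
}

// mitm models an intercepting proxy that forwards the legitimate manifest and
// signature untouched but swaps the binary for a different payload.
func mitm(r Release, payload []byte) Release {
	r.Binary = payload
	return r
}

// mitmResigned models an interceptor that also rewrites the manifest and signs
// it with a key of its own; this is exactly what pinning the vendor key defeats.
func mitmResigned(r Release, payload []byte) Release {
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	return publish(attackerPriv, r.Manifest.Version, payload)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := []byte("constructed genuine update v2.0")   // constructed sample
	payload := []byte("constructed substituted payload")  // constructed sample
	release := publish(priv, "2.0", genuine)

	got, _ := insecureClient(mitm(release, payload))
	fmt.Printf("insecure client installed substituted binary: %v\n", bytes.Equal(got, payload))
	_, err := hardenedClient(pub, mitm(release, payload))
	fmt.Println("hardened client vs swapped binary:", err)
	_, err = hardenedClient(pub, mitmResigned(release, payload))
	fmt.Println("hardened client vs re-signed manifest:", err)
	got, err = hardenedClient(pub, release)
	fmt.Printf("hardened client on genuine release: ok=%v err=%v\n", bytes.Equal(got, genuine), err)
}
```

Both checks matter: the signature alone binds only the manifest, so without the digest comparison the binary could still be replaced; the digest alone binds the binary only to a manifest that an interceptor could rewrite. Transport security (TLS with certificate validation) on the update channel is the other layer, but a pinned signing key is what makes a DNS-level redirection of the update host harmless.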
For more details on how to use EvilGrade, how to write your own modules, and where to download it, please visit the Infobyte Security Research site. In the video below, we see a demo of how EvilGrade can be used to subvert the update process of Notepad++. Thanks go out to John Strand for posting this video on Vimeo.