Hardware biz issued trojan-laced drivers, says researcher

Razer burn

A maker of hardware for computer gamers has taken its support site offline following a report that it was surreptitiously distributing malware on its downloads section.

Carlsbad, California-based Razer took the precautionary move after Rik Ferguson, a senior security adviser in Europe with anti-virus firm Trend Micro, warned users could be at risk.

"A large amount of the device drivers offered for download at the Razer support site were infected with a Trojan," Ferguson wrote Monday. "It is unclear how long the problem has been ongoing, so in the meantime, if you downloaded anything from Razer recently, head over to HouseCall and run a full system scan and clean up if necessary."

Razer spokesman Heathcliff Hatcher said company officials weren't immediately able to confirm Ferguson's report, but decided to temporarily close the support site out of an abundance of caution.

"We're still investigating," he told The Register. "We've taken the support site down as a precaution to our customers. We are definitely giving it its due weight. It's a very serious concern for the company, and that's why we've gone ahead and taken the support site down."

According to Ferguson, the trojan was activated when users clicked on a link used to download drivers from the website. A recent analysis by VirusTotal shows the malware is detected by just seven of the 41 major AV products. The trojan then caused users to download a file named usbctl.exe, which installed another piece of malware known as WORM.ASPXOR.AB in a computer's system directory.

Ferguson said he was still awaiting a more thorough analysis from Trend Micro labs about exactly what the malware does. He said that based on a quick search of gaming forums, it appeared the attacks began in the past 24 to 36 hours. ®

Biting the hand that feeds IT © 1998–2022