Home > CAPEC List > CAPEC-186: Malicious Software Update (Version 2.9)  

CAPEC-186: Malicious Software Update

Malicious Software Update
Definition in a New Window Definition in a New Window
Attack Pattern ID: 186
Abstraction: Standard
Status: Draft
Completeness: Complete
Presentation Filter:
+ Summary

An attacker uses deceptive methods to cause a user or an automated process to download and install dangerous code believed to be a valid update that originates from an attacker controlled source. Although there are several variations to this strategy of attack, the attack methods are united in that all rely on the ability of an attacker to position and disguise malicious content such that it masquerades as a legitimate software update which is then processed by a program, undermining application integrity. As such the attack employs 'spoofing' techniques augmented by psychological or technological mechanisms to disguise the update and/or its source.

Virtually all software requires frequent updates or patches, giving the attacker immense latitude when structuring the attack, as well as many targets of opportunity. Attacks involving malicious software updates can be targeted or untargeted in reference to a population of users, and can also involve manual and automatic means of payload installation. Untargeted attacks rely upon a mass delivery system such as spamming, phishing, or trojans/botnets to distribute emails or other messages to vast populations of users.

Targeted attacks aim at a particular demographic or user population. Corporate Facebook or Myspace pages make it easy to target users of a specific company or affiliation without relying on email address harvesting or spamming. One phishing-assisted variation on this attack involves hosting what appears to be a software update, then harvesting actual email addresses for an organization, or generating commonly used email addresses, and then sending spam, phishing, or spear-phishing emails to the organization's users requesting that they manually download and install the malicious software update. This type of attack has also been conducted using an Instant Messaging virus payload, which harvests the names from a user's contact list and sends instant messages to those users to download and apply the update. While both methods involve a high degree of automated mechanisms to support the attack, the primary vector for achieving the installation of the update remains a manual user-directed process, although clicking a link within an IM client or web application may initiate the update.

Automated attacks involving malicious software updates require little to no user-directed activity and are therefore advantageous because they avoid the complex preliminary setup stages of manual attacks, which must effectively 'hook' users while avoiding countermeasures such as spam filters or web security filters.

+ Typical Severity


+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: High

This attack requires advanced cyber capabilities

+ Resources Required

Manual or user-assisted attacks require deceptive mechanisms to trick the user into clicking a link or downloading and installing software. Automated update attacks require the attacker to host a payload and then trigger the installation of the payload code.

+ Solutions and Mitigations

Validate software updates before installing.

+ Attack Motivation-Consequences
ScopeTechnical ImpactNote
Execute unauthorized code or commands
Utilize the built-in software update mechanisms of the commercial components to deliver software that could compromise security credentials, enable a denial-of-service attack, or enable tracking.
+ Content History
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
CAPEC Content TeamThe MITRE Corporation2015-11-09Updated Activation_Zone, Attack_Motivation-Consequences, Attacker_Skills_or_Knowledge_Required, Description Summary, Injection_Vector, Payload, Payload_Activation_Impact, Solutions_and_Mitigations, Typical_SeverityInternal

More information is available — Please select a different filter.
Page Last Updated or Reviewed: December 07, 2015