A Study on the Response Model to Malware Distribution through Update Servers

Abstract

Hackers are endeavoring to infect specific or undesignated systems by distributing malware as a preliminary step to cyberterrorism and hacking, such as through an APT attack or DDoS. Here, they abuse the updating servers of commonly used software programs to easily distribute their malware.

The problem of malware distribution through updating servers can be summarized as having two causes: absence of authentication procedures during updating, and absence of response measures in case of authentication certificate leak for code signing in a normal updating program. If an updating server has been hacked, the hacker can easily replace the normal updating program with malware, which is difficult to detect. Also, it is not easy to detect an infection because the client program in PC automatically downloads, installs and executes the updating file through the automatic update function.

As existing updating systems simply consist of 2 approaches, they may be efficient for quick updating but are exposed to threats, as malware can be transmitted in addition to normal files. These systems cannot confirm whether the PC user has updated using normal files or malware. As the safety and security of updating servers cannot be guaranteed, these systems are vulnerable to cyber-attacks that replace normal files with malware.

The security update server model is proposed to solve this problem. The security updating service model presented above blocks malware distribution, even if the updating server has been hacked, and notifies the corporation of any leaks of the code signing certificate in real time, in addition to reliably reporting the results of real-time authentication on the normality of the updating program by a third party for effective certificate security.

This study suggests several measures and models that can be applied to fundamentally block malware distribution via program updating servers.