Proprietary 2014-05-27 · 0 days · Credential Theft, Banking Trojan

Buffalo driver downloads delivered Bankeiya

On May 27, 2014, Buffalo Japan's official download site served ten modified Windows firmware, driver, and utility installers for wireless LAN, NAS, external disk, accelerator, and Bluetooth mouse products.

Story

Buffalo's compromise was narrow in time and broad in product surface. For several hours on May 27, 2014, customers downloading official Windows utilities and drivers from Buffalo Japan could receive modified installers instead of clean vendor software. The affected set spanned routers, wireless LAN tools, NAS firmware, external drive software, and Bluetooth mouse drivers.

The attacker used installer trust as the delivery mechanism. Symantec described two variants: one modified a self-extracting setup archive so a malicious DLL ran during installation and downloaded Infostealer.Bankeiya.B; the other wrapped a legitimate Buffalo installer inside malware made to look like the installer. Either way, the user action was normal: download from the vendor and run setup.

Bankeiya.B targeted Japanese online banking users on Windows XP, Vista, and 7, monitoring browser sessions in Chrome, Firefox, and Internet Explorer. Buffalo told affected users not to use internet banking until their systems were disinfected, and antivirus vendors detected the trojan. The short window limited spread, but the official download itself had been replaced.

This record is scoped to the ten named Buffalo downloads and the May 27 window because that is where the public evidence is concrete. The lesson is broader, though: commodity driver and firmware utilities can be valuable to attackers precisely because they are signed, familiar, and downloaded only when a user is already prepared to grant installer privileges.

Affected Artifacts

Observed: 2014-05-27
Compromised Versions: Unknown
Fixed: Not listed
  • Buffalo reported the affected download window as May 27, 2014 from 06:16 to 13:00 Japan time.
  • Symantec reported 856 downloads from 540 unique IP addresses.
  • The affected files covered wireless LAN products, NAS firmware, external hard disk utilities, an HP6 cache-control utility, and Bluetooth mouse adapter drivers.

Incident Context

Motive: Credential Theft
Cause: Vendor Server Compromise
Transitive: No
User Impact: 540

External References

Source record: proprietary/buffalo/meta.yaml