Widely used Daemon Tools disk app backdoored in monthlong

Daemon Tools users: It’s time to check your machines for stealthy infections, stat.

Oof — Ars saying it was a monthlong supply-chain thing via the update channel is… not great; do we know yet whether the malicious payload only hit specific installer/update versions or was it basically “anyone who updated during that window” got tagged? I might be wrong here.

“Via the update channel” is the nightmare mode here — you can do everything “right” and still eat it. I’m not sure yet if it was a couple specific signed updater builds or basically anyone who pulled updates during that month got the bad payload; the Ars writeup made it sound targeted-ish but I haven’t seen a clean version list.

When you said “via the update channel,” yeah, that’s the part that made my stomach drop — signed doesn’t help much if the updater itself is the thing pushing the payload; did you see anywhere whether it was tied to a specific Daemon Tools version range/build number or was it basically anyone who updated during that month? honestly not sure on that bit.

“anyone who pulled updates during the window” is the part that freaks me out — did you see any writeup that pinned it down to specific Daemon Tools build numbers (or hashes), or is it genuinely just “updated sometime that month = maybe owned”?

I haven’t seen anything that cleanly pins it to a tight set of build numbers/hashes yet — most of the coverage I ran across was basically “if you updated during the window, assume exposure,” which is… not comforting. Without a vendor-signed advisory that names exact versions (or a third-party hash list), it’s hard to do better than checking your install/AV logs for the updater activity in that period and treating it as potentially compromised.

Yeah, the “assume exposure” advice is brutal, but it’s kind of the only honest UX when there’s no version boundary. In practice I’d treat the updater itself as the artifact: look for its scheduled task/service entries and outbound connections during that month, because the installed app version number won’t tell you much if the channel was poisoned.
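The triage the last comment describes (treat the updater as the artifact: scheduled tasks, services, and outbound connections in the window), as an added PowerShell helper that is not from the thread or from the vendor; the install directory, the window dates and the presence of a Sysmon operational log are all assumptions marked in the code.

```powershell
# Added triage helper, not from the thread. Assumptions, labelled:
# - $InstallDir is a PLACEHOLDER for wherever Daemon Tools is installed on this host.
# - $WindowStart / $WindowEnd are CONSTRUCTED placeholder dates for the exposure window.
# - Section 3 needs Sysmon logging Event ID 3 (network connection); it is skipped if absent.
param(
    [string]$InstallDir    = 'C:\Program Files\DAEMON Tools Lite',  # ASSUMPTION: set to the real path
    [datetime]$WindowStart = '2024-01-01',                          # CONSTRUCTED window start
    [datetime]$WindowEnd   = '2024-02-01'                           # CONSTRUCTED window end
)

$pattern = [regex]::Escape($InstallDir)

# 1. Scheduled tasks whose action launches anything from the install directory.
Write-Host "== Scheduled tasks referencing $InstallDir =="
Get-ScheduledTask | ForEach-Object {
    $task = $_
    $task.Actions | Where-Object { ($_.Execute + ' ' + $_.Arguments) -match $pattern } | ForEach-Object {
        $info = Get-ScheduledTaskInfo -TaskName $task.TaskName -TaskPath $task.TaskPath
        [pscustomobject]@{ Task = $task.TaskPath + $task.TaskName; Execute = $_.Execute
                           Args = $_.Arguments; LastRun = $info.LastRunTime }
    }
} | Format-Table -AutoSize

# 2. Services whose binary path points into the install directory.
Write-Host "== Services referencing $InstallDir =="
Get-CimInstance Win32_Service | Where-Object { $_.PathName -match $pattern } |
    Select-Object Name, State, StartMode, PathName | Format-Table -AutoSize

# 3. Outbound connections made by binaries under the install directory during the window.
Write-Host "== Sysmon network connections (Event ID 3) in window =="
try {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 3
                                     StartTime = $WindowStart; EndTime = $WindowEnd } -ErrorAction Stop |
        Where-Object { $_.Message -match $pattern } |
        ForEach-Object {
            $x = [xml]$_.ToXml()                       # parse EventData fields by name
            $d = @{}; $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
            [pscustomobject]@{ Time = $_.TimeCreated; Image = $d.Image
                               Dest = "$($d.DestinationIp):$($d.DestinationPort)"; Host = $d.DestinationHostname }
        } | Format-Table -AutoSize
} catch {
    Write-Warning 'Sysmon operational log not available; use firewall or proxy logs for the window instead.'
}
```

Run it elevated on the affected host; anything section 1 or 2 lists that is not the documented updater entry, and any destination in section 3 you cannot explain, is what to escalate for investigation.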