Virus transmission via Windows Automatic Updates?


Chris T. Harris

At approximately 4:30 PM EST today (March 8, 2004), I received a notification
from my Windows Automatic Updates icon in my task bar that "New Updates have
been downloaded. Click here to install." I clicked on Windows automatic
update icon in my task bar and then clicked on details to see what the new
update was all about. It claimed to be a Windows media player security
update. I had only just recently installed WMP 9 and then applied the
critical security patch. So I figured this must be another patch that
Microsoft had come out with today, so I clicked OK to install it. I got a
standard message shortly thereafter saying that the latest patch was
installed. But then I noticed that I had a new icon in my Quick Launch bar.
It was a picture of a bundle of dynamite sticks with a plunger attached to it.
I hovered my cursor over the icon and it claimed to be Windows Media Player!
I didn't dare to click it.

Instead, I double-clicked on my yellow-shield in the task bar, which is the
control icon for Symantec Antivirus Corporate Edition v. 8.1.0.825. I wanted
to do a complete scan of my computer. But since this seemed like it was
probably something very new, as I'd never heard of anyone ever being able to
hijack the Windows automatic updater before, I chose to do a live update first
on my virus patterns. An update was found and downloaded, but the Antivirus
program would not install it. It claimed that the live update virus pattern
failed an internal authentication check. I decided at that point to shut down
my PC. I changed over to another PC that had not been infected with the WMP
dynamite icon and started checking to see if anyone else was reporting any
such suspicious activity, but I found nothing. So I'm posting something about
it myself.

I filed reports with Symantec and with the U.S. CERT Coordination Center
Incident Reporting System, https://irf.cc.cert.org/, which is operated by
US-CERT, a partnership between the Department of Homeland Security and the
private sector, http://www.us-cert.gov/workwithus/.

If Windows Automatic updates really has been hijacked, I think we'll probably
be hearing a lot more about it very soon. In the meantime, I'd suggest NOT
allowing any Windows automatic updates to your computers at this time.

Chris T. Harris
 
Chris,

I see 3 possibilities:

1. You are correct
2. You are spreading a hoax.
3. You are incorrect.

- Tim
 
Just in case it's *not* a virus...

There are fairly common Windows bugs that cause items to be marked with the
wrong icon. It may be that the bundle of dynamite sticks came from
something else in your icon cache, and that there is actually nothing wrong.

If the counterfeit Windows Update really exists, Microsoft will be making
public announcements about it very soon.

One obvious thing to check is whether Microsoft really did release a Media
Player security update recently. As best I can tell, they did not. (At
least, nothing with a March date on it.)

Someone else mentioned the possibility of a hoax. Your message did not, to
me, have the appearance of a hoax, and I've seen a lot of them. It lacks
the fantasy-like quality that hoaxes almost always have. On the other hand,
virus authors and other saboteurs would *love* to get people to distrust
Windows Update.

It would take a lot of work for a virus author to impersonate the Microsoft
server, and if he did, he'd be relatively easy to catch.

So... The jury is still out on this one.
 
My son in law also had the same problem with Windows
update.
He is convinced that is how he got a virus because his pc
was working fine until then.
He now has two viruses that he can't get rid of.
This is no hoax.
 
jill vincent said:
My son in law also had the same problem with Windows
update.
He is convinced that is how he got a virus because his pc
was working fine until then.
He now has two viruses that he can't get rid of.
This is no hoax.

Of course, you'll understand that in order to confirm that, we will need to
know the particulars. Names of viruses, how they were detected, what
symptoms they produce, etc., as well as the particulars of the connection to
Windows Update (or what appeared to be Windows Update).

If someone is indeed successfully impersonating Windows Update, it will be
important to find out what part of the Internet they're doing it on. Quite
possibly just a small part.

Also, let's distinguish this from something else: E-MAIL VIRUSES that claim
to be from Microsoft Support. Those are very common and have nothing to do
with Windows Update, though they claim to. They arrive in e-mail.
 
Tim said:
Chris,

I see 3 possibilities:

1. You are correct
2. You are spreading a hoax.
3. You are incorrect.

- Tim


Actually, possibility 2 would fall under the purview of 3, wouldn't it?

I also posted this message to microsoft.public.security.virus and I've replied
in more detail there. I've got to get back to work now or I'd put more about
this here. Thanks for your input on this.

cth
 
Chris,

Some important points.

1. I don't know you and have no desire to discredit you - that is not my
intention.
If you have discovered anything that is even marginally correct then
well done.
2. I was careful to cover the options in my posting.
3. There are many hoaxes, inaccuracies and other more sinister things going
on.

My objective was to ensure that ordinary people (of which there are many and
is the reason why we have viruses) did not leap in and turn off Windows
Update without solid evidence of a real confirmed problem with the
mechanism.

You will see below someone else is spreading hearsay "My son in law...".

The thing I fear when I see a potential hoax is that people will turn off
windows update, they will not get a critical update because of it, and they
will have their system trashed by a virus.

People that cease maintaining their systems are also likely to get virii.

My advice, for what it is worth, don't use WMP for the next week, but keep
using Windows Update.

You seem to be well intended (how often do hackers post back with rational
speech). Let's hope this blows over.

- Tim
 
Jill,

How do you know it was "the same problem"? Have you 100% identified the
cause of the problem that Chris has? If so, could you please share the
details?

How does your son in law know it was via Windows Update?
How do you know that your son in law is not grand standing?

How does he know it is a virus?
What virus scanner detected the virus?
What is the name of the virus?
If it is a known virus, then surely there is a fix documented?
Why can't he resolve the issue if he is so certain it is the *same* problem?

There is no point in hearsay.

- Tim
 
jill vincent said:
My son in law also had the same problem with Windows
update.
He is convinced that is how he got a virus because his pc
was working fine until then.
He now has two viruses that he can't get rid of.
This is no hoax.

Sounds like maybe your son-in-law was using regular Windows update, i.e.,
going to Windows Updates (http://v4.windowsupdate.microsoft.com/en/default.asp)
from the Start menu and having the PC scanned by Microsoft to see if it needs
updates.

Recently, a virulent E-mail virus called Sobig generated a lot of E-mail
claiming to be from Microsoft and trying to get people to run file attachments
to install updates. Some of those might even have included web links to hoax
websites that might have appeared to be Microsoft Windows update and might
have been able to install viruses in that way. I don't know what all was in
them, because I deleted hundreds of them day after day for a while there (from
my home account, not my work account), without trying to open them.

But as far as we know at this time, it is safe to go directly to the Windows
update website from the Start menu of Windows or by using Windows Update from
the Tools menu of Internet Explorer to have your computer scanned for updates.
I've not seen anything to make me think otherwise. Just know that Microsoft
does not send out E-mails to the general populace about anything.

But Microsoft does have a provision for having Windows updates delivered to
your computer through the Internet automatically. And that's the channel that
I'm more worried about. There you're not going to a controlled website, but
you're just counting on that channel to be securely reserved exclusively for
Microsoft to deliver updates. I'm not so sure I can count on that any more.
I'm thinking Windows Automatic Update should be disabled altogether by
enterprise managers unless and until the Windows Automatic Updates channel is
proven secure.

To set Windows automatic update options and to learn more about it, use
Start/Settings/Control Panel/Automatic Updates. There is a link from there to
a local (not internet) help file that will give you more info about that,
though it says nothing to validate its security.

cth
 
If somebody puts a false entry for windowsupdate.microsoft.com in your hosts
file (which I think is in system32), that's a way of making your computer go
to their site rather than to the real windowsupdate.microsoft.com. That is
how a virus could send you to a fake Windows Update site.

This is worth checking. Of course, it would still be a lot of work to rig
the site where Windows would actually download updates from it and accept
them.
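The hosts-file check suggested in the post above, as an added example that is not part of the original thread and not code from Microsoft or Symantec. It parses a hosts file the way the resolver does (blank lines, `#` comments, several hostnames on one line) and reports every entry for a Windows Update hostname, telling apart an entry that redirects the name to some other address from one that points it at loopback and so silently blocks updates. The sample hosts content, the address 203.0.113.45 and the list of watched hostnames are constructed for the example; on Windows the real file normally lives at %SystemRoot%\System32\drivers\etc\hosts, the "system32" location the post recalls.

```python
import ipaddress
import sys

# Constructed sample hosts file (not a real capture). Lines 6 and 7 are the
# kind of entries the post describes: the first redirects the update hostnames
# to an outside address, the second maps one to loopback, which blocks it.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# Constructed sample, not a real hosts file.
127.0.0.1       localhost
192.168.0.10    fileserver fileserver.corp.example   # constructed LAN entry
203.0.113.45    windowsupdate.microsoft.com v4.windowsupdate.microsoft.com
127.0.0.1       update.microsoft.com   # constructed: blocks rather than redirects
"""

# Hostnames (and their subdomains) that should always be resolved through DNS;
# any hosts-file entry for them overrides the path the update client takes.
# Constructed list for this example; extend it for the vendors you care about.
WATCHED_SUFFIXES = (
    "windowsupdate.microsoft.com",
    "update.microsoft.com",
    "windowsupdate.com",
)

# Addresses that make a name unreachable rather than redirecting it.
BLOCKING_ADDRESSES = {"127.0.0.1", "::1", "0.0.0.0"}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in hosts-file text.

    Mirrors the resolver's reading of the file: a '#' starts a comment to end
    of line, whitespace separates fields, and one address may be followed by
    several hostnames. Lines whose first field is not an IP address are skipped.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # address with no hostname: malformed, ignore
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # not an address at all
        for name in names:
            yield ip, name.lower(), line_no


def is_watched(hostname, suffixes=WATCHED_SUFFIXES):
    """True if hostname equals a watched name or is a subdomain of one."""
    return any(hostname == s or hostname.endswith("." + s) for s in suffixes)


def find_update_overrides(text, suffixes=WATCHED_SUFFIXES):
    """Return every hosts entry for a watched hostname, classified.

    kind == "redirect": the name is sent to some other address.
    kind == "block":    the name points at loopback or 0.0.0.0, so updates fail.
    """
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if not is_watched(name, suffixes):
            continue
        kind = "block" if ip in BLOCKING_ADDRESSES else "redirect"
        findings.append({"line": line_no, "ip": ip, "hostname": name, "kind": kind})
    return findings


if __name__ == "__main__":
    # Pass a path to scan a real file; with no argument the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    else:
        content = SAMPLE_HOSTS
    hits = find_update_overrides(content)
    if not hits:
        print("no hosts-file entries for watched update hostnames")
    for hit in hits:
        print(f"line {hit['line']}: {hit['hostname']} -> {hit['ip']} ({hit['kind']})")
```

Run it against the real file (as an administrator on Windows, since the file is protected) to list any override; a clean system has no entry at all for these names, so every finding, block or redirect, deserves a look. The classification matters because the two cases point to different problems: a redirect is the fake-update-site scenario the post describes, while a block is the simpler trick of stopping the machine from fetching updates or signatures at all.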
 