#1 Randy Abrams has posted a follow-up article, Anatomy of a Biting Bunny – The Infected Update with additional information about how update services work, why they might distribute third-party code and what might be done to prevent malware from being distributed on services like ’s Windows Update in the future.  7-FEB-2011. Last week, we

Last week, we received a report from a customer who reported that NOD32 had prevented a Trojan from infecting a mobile user’s computer. While that is not unusual in and of itself, what was notable was the source of the infection: Microsoft’s own Update Catalog.

As you may be aware, Microsoft not only provides updates for its own operating system and applications, but they also provide hundreds of thousands of device drivers as well. A device driver is a specialized piece of software that allows an operating system to use a particular device, like a printer or a mouse. While Microsoft does write some of these device drivers themselves, many of these are very basic and provide rudimentary functionality: It is up to each hardware manufacturer to create device drivers which take full advantage of whatever additional features they have designed. In the case of a video card, this might be support for additional screen resolutions and color depths and 3-D graphics acceleration. In order to ensure that customers have the best experience possible with Windows, Microsoft hosts these device drivers written by third-parties in their Update Catalog, so that when a computer running Windows checks for updates, it can download the latest device driver software for its hardware.

Preliminary analysis of the file indicated this was not a false positive alarm, i.e., an incorrect of a threat when none was actually present, and Microsoft was notified, who not just promptly removed the file from their Update Catalog, but have even blocked access to the web page that used to host through Internet Explorer’s SmartScreen Filter, as you can see from this screen capture:
- trojan on windows update - Trojan in Microsoft Update Catalog

spread by Windows Update now blocked by Microsoft SmartScreen filter

From previous experience, we know that Microsoft goes to extraordinary lengths to screen third-party content provided for distribution through their Update Catalog, so it is somewhat bewildering to see it hosting malicious software, especially such an older threat. We were, however, quite impressed at Microsoft’s prompt response in removing the malicious file.

IT managers and consumers rely on Microsoft update services like Microsoft Update to detect and apply patches and security fixes for operating systems and applications, and consider it a safe and trusted source. It is important to remember, though, that although a file may be downloaded from Microsoft, it may not be written by them, especially in the case of a device driver.

I would like to point out, though, that this could have happened with another vendor: Centralized update services for operating systems are not unique to Microsoft. Many developers provide such services for computers running their operating systems and, increasingly, so do the vendors of smart phones as well. While operating system vendors routinely check for threats in new device drivers provided to them by third-parties, it would probably be a good idea if they periodically scanned their existing catalogs, too, regardless of how old they are.

As previously mentioned, we view this as more of a statistical aberration than the norm, but do want to remind people that it is important to take adequate precautions when downloading files, even if they are from a trusted source like Microsoft.

Aryeh Goretsky, MVP, ZCSE
Distinguished Researcher

Source link https://www.welivesecurity.com/2011/02/04/trojan-in-microsoft-update-catalog-a-bunny-bites-back/


Please enter your comment!
Please enter your name here