Re: Virus transmission via Windows Automatic Updates?
From: Chris T. Harris (rancier_at_bellsouth.net)
Date: 03/10/04
- Next message: Sarah: "Re: I want Swen - Come to me, Come in me !"
- Previous message: Marshall: "Mysterious Trojan"
- In reply to: Michael A. Covington: "Re: Virus transmission via Windows Automatic Updates?"
- Next in thread: Tedd Riggs: "Re: Virus transmission via Windows Automatic Updates?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 10 Mar 2004 02:07:49 -0500
"Michael A. Covington" <look@www.ai.uga.edu.for.information> wrote in message
news:O9RPZyhBEHA.3748@tk2msftngp13.phx.gbl...
> Dear Chris,
>
> This is *very* interesting. Could you get, and post, the output of the
> following command?
>
> C:\> tracert windowsupdate.microsoft.com
>
> This might expose who is doing the spoofing, or at least *where*.
>
> (Can others confirm that that is the web address used by Automatic Updates?)
>
I took the suspect PC off the network and made an image backup right after I
applied the apparent rogue update that was delivered through the Windows
Automatic Update channel. Today I installed SAV's latest update from the
3/9/04 intelligent updater and ran a full system scan on both my local hard
drives. No viruses were found. So I notified our operations center that I
was going to reconnect my PC to the enterprise. I wanted to see if I was
going to be able to get to my domain profile if I put it back on the network.
But I already suspected what would happen. I was logged onto the new profile
that was set up when I had tried to log in to it offline.
Had I not known better, I would have sworn that all of my data had been wiped
out!!! But of course, everything was still there under my old domain profile
under Documents and Settings. When I'd logged in offline, it set up a new
domain profile using a folder name under Documents and Settings. The new
folder name was my user ID with a domain name suffix. And that new profile
was the one it put me into when I logged in after re-connecting to the
enterprise network. So I no longer had any way to log in to my old profile!
There didn't seem to be much point going on with that setup any more. I made
a Windows system backup of modified files and then rebuilt that PC with a
known good image.
The thing to do now might be to restore the image that I made right after the
suspected intrusion and log in to it while it's connected to the network. Then
hopefully it would put me on the same profile I was using before.
I guess the only purpose of that though would be to see what would happen if I
clicked on the plunger to the dynamite. But isn't that sort of like playing
with fire? Or worse, a keg of dynamite? What if it released some awful
plague of viruses on our enterprise, more destructive than Blaster, Nachi,
MyDoom and Darth Vader all rolled into one? (It could happen...)
More than likely, if I click that new WMP dynamite icon in my Quick Launch bar
on that profile, Windows Media Player will come up trying to get me to buy
some DVDs or go spend my money on a movie!
But I don't want to take that chance.
I'm relating what happened just in case it really is something. In today's
computing climate, a little paranoia is a good thing, even behind a firewall!
> It could also be the work of a previously installed trojan horse; I'm sure
> you're considering this.
That actually seems a likely scenario, though you would think something like
that would be caught by the virus scanner after I applied the latest
intelligent updater from Symantec. Still, the virus scanner could be
corrupted too. It seemed like it was yesterday after I tried to get Live
Update to install a new pattern. But the intelligent updater didn't seem to
have a problem. That's a good sign, but not necessarily proof that it really
is working right.
>
> By all means keep us posted!
>
>
> --
> Michael A. Covington, Associate Director
> Artificial Intelligence Center
> The University of Georgia, Athens, GA 30602-7415 www.ai.uga.edu
>
I think I'm just going to leave it alone for now, except that I'm going to be
very careful about checking all the details on any automatic updates that are
delivered to me. And I'd want to check more into the exact reasons that this
KB828026 update keeps being delivered over and over. I'd also want to study
up more on the details of that update itself, such as the info at this link:
http://support.microsoft.com/default.aspx?scid=kb;%5bLN%5d;828026 There are
some intriguing ramifications.
Regardless, this needs looking into. Just how secure is the channel used to
deliver Windows Automatic Updates? Maybe every enterprise should shut it down
completely in favor of some better supervised means of delivering Windows
updates. And that may be an understatement. I don't want to sound like
Chicken Little here.
I've not heard anything from either Symantec or US-CERT (the U.S. Computer
Emergency Readiness Team: http://www.us-cert.gov/ ) about the reports I posted
on their websites. They probably get lots of reports.
cth