
This morning, I noticed that a new Windows update was offered to me. It looks very suspicious to me:

[Screenshot: Malicious Windows update]

Here are the update details:

gYxseNjwafVPfgsoHnzLblmmAxZUiOnGcchqEAEwjyxwjUIfpXfJQcdLapTmFaqHGCFsdvpLarmPJLOZYMEILGNIPwNOgEazuBVJcyVjBRL

Download size: 4,3 MB

You may need to restart your computer for this update to take effect.

Update type: Important

qQMphgyOoFUxFLfNprOUQpHS

More information:
https://hckSLpGtvi.PguhWDz.fuVOl.gov
https://jNt.JFnFA.Jigf.xnzMQAFnZ.edu

Help and Support:
https://IIKaR.ktBDARxd.plepVV.PGetGeG.lfIYQIHCN.mil

Obviously, this seems way too fishy to install, but I would like to know more. Has everyone received this update (Google only has a couple of hits for this)? Could this be an attack? Is there a way to download the update data without installing it?

I'm open to any ideas.

I'm running Windows 7 Pro (64-bit).

As @Buck pointed out below, the update is no longer available through Windows Update. I'm not sure how this question will be resolved.

Thunderforge
executifs

  • The information links look like randomly generated domains, which is a known behavior of botnets called Domain generation algorithm (DGA) used to hide the real controllers. However, the domains are NX (not registered) so either there was a data corruption, or I don't see a point. Did everybody get the same values in their updates or are these unique? (FYI, I can't post answers because it is protected) – Ehsan Foroughi Sep 30 '15 at 16:14
  • Based on a Google search, it seems that at least some other people have received the exact same update (domains included). – executifs Sep 30 '15 at 17:14
  • There's also a thread over on [Answers about this](https://answers.microsoft.com/en-us/windows/forum/windows_7-update/windows-7-update-appears-to-be-compromised/e96a0834-a9e9-4f03-a187-bef8ee62725e). – Xander Sep 30 '15 at 18:12
  • “We incorrectly published a test update and are in the process of removing it.” – a Microsoft spokesperson – Xander Sep 30 '15 at 18:58
  • The Register just issued this: http://www.theregister.co.uk/2015/09/30/windows_update_glitch/ – Hannah Vernon Sep 30 '15 at 19:58
  • Are you sure it wrote "4,3 MB" (not "4.3 MB")? Have you changed the decimal point to "," in Regional Settings? – Peter Mortensen Oct 01 '15 at 15:21
  • The OS is installed in English, but I use the French regional settings. The decimal point is likely affected by this. Nice catch, by the way. – executifs Oct 01 '15 at 15:46

2 Answers


The official communication from Microsoft at this time:

“We incorrectly published a test update and are in the process of removing it.” – a Microsoft spokesperson

I won't add commentary, but will update the answer as more information becomes available.

Xander

  • For commentary one can see a news report: http://www.zdnet.com/article/microsoft-accidentally-issued-a-test-windows-update-patch/ – Kevin Cathcart Sep 30 '15 at 19:07
  • There's also an article about this on ARS: http://arstechnica.com/security/2015/09/nerves-rattled-by-highly-suspicious-windows-update-delivered-worldwide/ – executifs Sep 30 '15 at 19:11
  • I won't add commentary either because it will get flagged as Microsoft-offensive otherwise. Wow. Just wow. – Deer Hunter Sep 30 '15 at 19:32
  • I'll only dub this patch: "Move over to Windows 10 or else". – Deer Hunter Sep 30 '15 at 19:35
  • It still doesn't explain the .gov and .mil domains in the patch description. I guess we will never know what really happened. – Sebi Sep 30 '15 at 19:43
  • @Sebi Why would those need explanations, and not the .edu? – Xander Sep 30 '15 at 19:51
  • @Xander Any (supposedly civilian) commercial entity that conducts business with the government and military subjects itself to possibly undesirable attention and criticism. Concerning the .edu domain it may be that, due to the high number of affiliations with educational bodies around the world, a decision was made to change the functionality of software products distributed through them. As a student I had access to any MS product using a code provided by my university. The usage of the products was indefinite. Maybe, in recent years policies changed and an "update" was necessary. – Sebi Sep 30 '15 at 20:01
  • @sebi: To be honest I suspect that Microsoft has an internal library with functions that can generate "random" strings, urls, numbers, etc. Such a library is really useful for certain fuzz testing applications, and just generating junk data to fill in required records you don't care about while testing. Since it is helpful if the URLs would pass any validation regexes, picking a random TLD from a list of known TLDs (such as the original handful of TLDs) would make good sense. I suspect such a library was used here, and all the URLs were generated like that. – Kevin Cathcart Sep 30 '15 at 21:25

Yes, it seems very strange to include a .mil domain for an update for a commercial software product. I'm unable to reproduce the issue, but you could run the specific update in a virtual machine, close all inbound and outbound connections on the host machine (and any possible running guest machines) and monitor the update through tcpdump/wireshark.

Then at least, you could check where the update is being distributed from. Afterwards, you could check the involved remote addresses against black lists as well as their location.

You could change the default download location of the update:

net stop wuauserv
rem mklink /j fails while the real SoftwareDistribution folder still exists, so move it aside first (the destination's parent folder must already exist)
move c:\windows\softwaredistribution d:\other\desired\location
mklink /j c:\windows\softwaredistribution d:\other\desired\location
net start wuauserv

and try to reverse engineer it.

Sebi

  • Strange to include a .mil, and a .gov, and a .edu... – Iszi Sep 30 '15 at 15:36
  • Yep, out of place and eye catching. – Sebi Sep 30 '15 at 15:42
  • @Iszi I think those specific TLDs are being used here for the reason that they are unregisterable for everyone but government or military agencies and educational institutions. That way nobody can register one of those domains if an update is say, published accidentally as happened in this case. – Austin Burk Oct 01 '15 at 22:58