CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
February 6th, 2011

Remote Access Trojan Distributed Through Microsoft Update Catalog

Last week, ESET received a report from a customer that NOD32 had prevented a Trojan from infecting a mobile user’s computer. That in itself is not unusual; what was notable was the source of the infection: Microsoft’s own Update Catalog.

Microsoft not only provides updates for its own operating system and applications, it also distributes hundreds of thousands of device drivers. A device driver is a specialized piece of software that allows an operating system to use a particular device, such as a printer or a mouse. Microsoft does write some of these drivers itself, but many of its own drivers are generic and provide only rudimentary functionality: it is up to each hardware manufacturer to write drivers that take full advantage of whatever additional features it has designed. To give customers the best possible experience with Windows, Microsoft hosts these third-party drivers in its Update Catalog, so that when a computer running Windows checks for updates it can download the latest driver software for its hardware.

In this case, the device plugged into the customer’s notebook appears to have been an Energizer® DUO USB Battery Charger, an AC and USB charger for rechargeable NiMH batteries. Last year the software shipped with that same Energizer DUO charger was found to install an unwanted remote access trojan, Win32/Arurizer, which allowed unauthorized remote access to the system.

Preliminary analysis of the file confirmed that this was not a false positive (an alert on a threat that is not actually present). Microsoft was notified; it not only promptly removed the file from the Update Catalog but also blocked the web page that used to host it through Internet Explorer’s SmartScreen Filter.

IT managers and consumers rely on Microsoft update services such as Microsoft Update to detect and apply patches and security fixes for operating systems and applications, and treat them as a safe and trusted source. It is important to remember, though, that a file downloaded from Microsoft was not necessarily written by Microsoft, especially in the case of a device driver: the Update Catalog hosts code from third parties, and the download channel vouches for where the file came from, not for who wrote it.
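One practical way to act on that distinction, as an added example that is not code from the article, from ESET or from Microsoft: before installing a driver package downloaded from the Update Catalog, check who actually signed it and who the package names as its provider. The script assumes Windows PowerShell 5.1, `expand.exe` (shipped with Windows) and a `.cab` path supplied by the caller; the heuristic that a signer subject containing `O=Microsoft Corporation` is Microsoft is an assumption of this example, not a rule from the page.

```powershell
# Added example, not code from the article, ESET or Microsoft: before installing a
# driver package downloaded from the Microsoft Update Catalog, report who actually
# signed it and who the .inf names as the provider. Assumes Windows PowerShell 5.1,
# expand.exe (part of Windows) and a .cab path supplied by the caller.
param(
    [Parameter(Mandatory = $true)]
    [string]$CabPath
)

# Resolve the Provider value of an .inf, following a %token% into [Strings].
function Get-InfProvider([string]$Path) {
    $lines = Get-Content -Path $Path
    $value = $null
    foreach ($line in $lines) {
        if ($line -match '^\s*Provider\s*=\s*"?(.+?)"?\s*$') { $value = $Matches[1]; break }
    }
    if ($null -eq $value) { return $null }
    if ($value -match '^%(.+)%$') {
        $pattern = '^\s*' + [regex]::Escape($Matches[1]) + '\s*=\s*"?(.+?)"?\s*$'
        foreach ($line in $lines) {
            if ($line -match $pattern) { return $Matches[1] }
        }
    }
    return $value
}

$work = Join-Path $env:TEMP ('catalog-check-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $work | Out-Null
& expand.exe -F:* $CabPath $work | Out-Null

# Authenticode status and signer for every file that can carry a signature.
# Driver binaries are normally signed only through the .cat, so NotSigned on a
# .sys or .dll in a package that has not been installed yet is expected; the
# .cat is the file to judge.
$results = Get-ChildItem -Path $work -Recurse -File |
    Where-Object { $_.Extension -in '.cat', '.sys', '.dll', '.exe' } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        [pscustomobject]@{
            File      = $_.FullName.Substring($work.Length + 1)
            Status    = $sig.Status
            Signer    = $subject
            Microsoft = ($subject -match 'O=Microsoft Corporation')   # heuristic, assumed
        }
    }
$results | Format-Table -AutoSize

# Who wrote it, according to the package itself.
Get-ChildItem -Path $work -Recurse -Filter *.inf | ForEach-Object {
    Write-Output ('{0}: Provider = {1}' -f $_.Name, (Get-InfProvider $_.FullName))
}

# Verdict. A valid WHQL signature on the .cat means Microsoft countersigned the
# package after compatibility testing; it does not mean Microsoft wrote the code.
# Any other valid signer is a third party whose software needs vetting.
$cats = @($results | Where-Object { $_.File -like '*.cat' })
if ($cats.Count -eq 0) {
    Write-Warning 'No catalog file in package: publisher cannot be established.'
} elseif ($cats | Where-Object { $_.Status -ne 'Valid' }) {
    Write-Warning 'Catalog signature is missing or invalid: do not install.'
} elseif ($cats | Where-Object { -not $_.Microsoft }) {
    Write-Warning ('Catalog signed by a third party: ' + ($cats.Signer -join '; '))
} else {
    Write-Output ('Catalog countersigned by Microsoft: ' + ($cats.Signer -join '; '))
}

# Bundled executables signed by someone other than Microsoft (an installer, say)
# are the files to scan or sandbox before running.
$results | Where-Object { $_.Status -eq 'Valid' -and -not $_.Microsoft -and $_.File -notlike '*.cat' } |
    ForEach-Object { Write-Output ('Non-Microsoft signer on ' + $_.File + ': ' + $_.Signer) }

Remove-Item -Recurse -Force -Path $work
```

Run it as `.\Check-CatalogPackage.ps1 -CabPath .\driver.cab` (script name assumed). The two outputs answer different questions: the signature tells you who vouched for the package, the `.inf` Provider tells you who claims to have written it, and a package Microsoft merely hosts will show a third-party provider even when the catalog carries a WHQL countersignature.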

Credit: Aryeh Goretsky, ESET ThreatBlog


    5 Responses to “Remote Access Trojan Distributed Through Microsoft Update Catalog”

    1. Walter Bazzini Says:
      February 7th, 2011 at 6:04 am

      Why it’s better to wait a day or so before applying Microsoft updates. And one of the reasons why I always set Windows Update to “Notify, but do not download or install” rather than just let it have its way.


    2. I need your e-mail … please.

      D


    3. CyberInsecure Says:
      March 23rd, 2011 at 5:45 am

      In case you need to contact us, please use the “Contact” form at https://cyberinsecure.com/contact


    4. Walter Bazzini Says:
      March 24th, 2011 at 5:21 am

      From what I’ve seen, you should already have it.


    5. Martin Kicks Says:
      December 15th, 2011 at 7:02 pm

      I just hope that you simply don’t lose your style because you’re undoubtedly one of the coolest bloggers available. Please maintain it up because the internet wants a person like you spreading the word.

