Daily cyber threats and internet security news: network security, online safety and latest security alerts
February 6th, 2011

Remote Access Trojan Distributed Through Microsoft Update Catalog

Last week, ESET received a report from a customer who reported that NOD32 had prevented a Trojan from infecting a mobile user’s computer. While that is not unusual in and of itself, what was notable was the source of the infection: Microsoft’s own Update Catalog.

Microsoft not only provides updates for its own operating system and applications, but they also provide hundreds of thousands of device drivers as well. A device driver is a specialized piece of software that allows an operating system to use a particular device, like a printer or a mouse. While Microsoft does write some of these device drivers themselves, many of these are very basic and provide rudimentary functionality: It is up to each hardware manufacturer to create device drivers which take full advantage of whatever additional features they have designed. In order to ensure that customers have the best experience possible with Windows, Microsoft hosts these device drivers written by third-parties in their Update Catalog, so that when a computer running Windows checks for updates, it can download the latest device driver software for its hardware.

In this case, though, the device plugged into customers notebook appears to have been an Energizer® DUO USB Battery Charger, which is an AC and USB charger for rechargeable NiMH batteries. Last year the very same Energizer DUO USB battery charger software allowed unauthorized remote system access by installing an unwanted Win32/Arurizer remote access trojan.

Preliminary analysis of the file indicated this was not a false positive alarm, i.e., an incorrect report of a threat when none was actually present, and Microsoft was notified, who not just promptly removed the file from their Update Catalog, but have even blocked access to the web page that used to host through Internet Explorer’s SmartScreen Filter.

IT managers and consumers rely on Microsoft update services like Microsoft Update to detect and apply patches and security fixes for operating systems and applications, and consider it a safe and trusted source. It is important to remember, though, that although a file may be downloaded from Microsoft, it may not be written by them, especially in the case of a device driver.

Credit: Aryeh Goretsky, ESET ThreatBlog

Share this item with others:

More on CyberInsecure:
  • Trojan In The Wild Exploits Recently Disovered Bug In Mac OS X Remote Management
  • Android Market Security Update Released By Google Contained Mobile Trojan
  • Genuine Microsoft Software Trojan Infection
  • Remote Code Execution Vulnerability In The ActiveX Control For The Microsoft Access Snapshot Viewer Added Into Neosploit
  • Microsoft Office Snapshot Viewer ActiveX Control Vulnerability

  • If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: Remote Access Trojan Distributed Through Microsoft Update Catalog

    5 Responses to “Remote Access Trojan Distributed Through Microsoft Update Catalog”

    1. Walter Bazzini Says:
      February 7th, 2011 at 6:04 am

      Why it’s better to wait a day or so before applying Microsoft updates. And one of the reasons why I always set Windows Update to “Notify, but do not download or install” rather than just let it have its way.

    2. I need your e-mail … please.


    3. CyberInsecure Says:
      March 23rd, 2011 at 5:45 am

      In case you need to contact us, please use the “Contact” form at

    4. Walter Bazzini Says:
      March 24th, 2011 at 5:21 am

      From what I’ve seen, you should already have it.

    5. Martin Kicks Says:
      December 15th, 2011 at 7:02 pm

      I just hope that you simply don`t lose your style because you`re undoubtedly one of the coolest bloggers available. Please maintain it up because the internet wants a person like you spreading the word.

    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

    To prove you’re a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.