
hacked windows and/or windows update server?


John Eucist


Got this Windows Update entry under "important updates" today. It's Windows 7 Ultimate, installed on my Shenzhen, China PC by someone else, so it's almost certainly pirated. AVG reports no viruses, but maybe it's rootkitted? Either that or the Windows Update servers are hacked (unlikely). What gives it away as a "hack" (as opposed to a bug) is the .gov, .edu and .mil links in it. Note: the "(making link unclickable)" was added by myself.

gYxseNjwafVPfgsoHnzLblmmAxZUiOnGcchqEAEwjyxwjUIfpXfJQcdLapTmFaqHGCFsdvpLarmPJLOZYMEILGNIPwNOgEazuBVJcyVjBRL

Download size: 4.3 MB

You may need to restart your computer for this update to take effect.

Update type: Important

qQMphgyOoFUxFLfNprOUQpHS

More information:
https:// (making link unclickable) hckSLpGtvi.PguhWDz.fuVOl.gov
https:// (making link unclickable) jNt.JFnFA.Jigf.xnzMQAFnZ.edu

Help and Support:
https:// (making link unclickable) IIKaR.ktBDARxd.plepVV.PGetGeG.lfIYQIHCN.mil

 


At this point in time when I google for:

gYxseNjwafVPfgsoHnzLblmmAxZUiOnGcchqEAEwjyxwjUIfpXfJQcdLapTmFaqHGCFsdvpLarmPJLOZYMEILGNIPwNOgEazuBVJcyVjBRL

I get two other links asking about this (with no replies). Bing has one extra reply (and is missing another) asking about this (with no replies). All of them were posted within the last 12 hours, so it's something new.


Got this Windows Update entry under "important updates" today. It's Windows 7 Ultimate, installed on my Shenzhen, China PC by someone else, so it's almost certainly pirated. AVG reports no viruses, but maybe it's rootkitted? Either that or the Windows Update servers are hacked (unlikely). What gives it away as a "hack" (as opposed to a bug) is the .gov, .edu and .mil links in it.

gYxseNjwafVPfgsoHnzLblmmAxZUiOnGcchqEAEwjyxwjUIfpXfJQcdLapTmFaqHGCFsdvpLarmPJLOZYMEILGNIPwNOgEazuBVJcyVjBRL

Download size: 4.3 MB

You may need to restart your computer for this update to take effect.

Update type: Important

qQMphgyOoFUxFLfNprOUQpHS

More information:
links removed for safety

Help and Support:
links removed for safety

 

Just a suggestion, I wouldn't post those three URLs as clickable links ... You may send some unwitting trusting types here to sites that aren't safe.

Regarding that update, I'll check our machines here to see if that shows up on any of them. Very interesting...

On a semi-related note, years ago we did receive "official software" for Backup Exec (enterprise backup software) from a large corporate vendor. The CDs were officially labelled, everything was legit. But the CDs contained something completely different: Chinese software of some kind with strange graphics. A screw-up at the CD plant? Or something more sinister?


 

 

Just a suggestion, I wouldn't post those three URLs as clickable links ... You may send some unwitting trusting types here to sites that aren't safe.

Although it's unlikely someone could register a random long alphabetic string as a domain name under the .gov, .edu or .mil TLDs, I have made my links unclickable nevertheless. Thanks. :)

At this point in time when I google for:

gYxseNjwafVPfgsoHnzLblmmAxZUiOnGcchqEAEwjyxwjUIfpXfJQcdLapTmFaqHGCFsdvpLarmPJLOZYMEILGNIPwNOgEazuBVJcyVjBRL

I get two other links asking about this (with no replies). Bing has one extra reply (and is missing another) asking about this (with no replies). All of them were posted within the last 12 hours, so it's something new.

Google now returns 8 results instead of 2 (one of them being this thread), hehe.


I do not know about anyone else, but I followed these directions => https://support.microsoft.com/en-us/kb/2509997 (Method 10 and Method 11) to stop Windows Update, went into the downloader folder and deleted that 4.3 MB of whatever it downloaded BEFORE I rebooted my computer. I STILL have not rebooted; I'm waiting on further developments on this from the web, or for Microsoft to post a statement or a fix on how to remove the update from pending.

update_hacked.JPG

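The manual steps in the post above (stop Windows Update, remove what it downloaded before rebooting) can be done in a way that also preserves evidence. The script below is an added example, not the poster's procedure and not from Microsoft's KB article: run from an elevated PowerShell prompt, it stops the Windows Update client and BITS, records path, size, timestamp and SHA-256 of everything in the download cache, clears the cache and the BITS job queue, and restarts the services. It targets Windows 7 / PowerShell 2.0, which is why it avoids Get-FileHash and Get-ChildItem -File. The cache location %SystemRoot%\SoftwareDistribution\Download and the 4.3 MB size of interest are assumptions taken from the thread; the CSV path is a constructed choice.

```powershell
# Added example (not the thread's procedure). Run elevated on Windows 7 or later.
param(
    [double]$SizeOfInterestMB = 4.3,                                  # the thread's item was 4.3 MB
    [string]$EvidenceCsv = (Join-Path $env:TEMP 'wu-download-cache.csv')  # constructed output path
)

# Assumed location of the Windows Update download cache.
$cache = Join-Path $env:SystemRoot 'SoftwareDistribution\Download'

function Get-Sha256Hex {
    param([string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($stream))).Replace('-', '') }
    finally { $stream.Close() }
}

# 1. Stop the services that own the cache. While wuauserv runs, files in it are
#    typically locked ("being used by another process") and get re-fetched.
foreach ($name in 'wuauserv', 'bits') {
    Stop-Service -Name $name -Force -ErrorAction Stop
    Write-Host "stopped $name"
}

# 2. Inventory the cache before touching it; a hash lets an AV vendor or Microsoft
#    identify the file even after it is gone from this machine.
$inventory = @()
foreach ($file in (Get-ChildItem -Path $cache -Recurse -Force -ErrorAction SilentlyContinue |
                   Where-Object { -not $_.PSIsContainer })) {
    $row = New-Object PSObject -Property @{
        Path     = $file.FullName
        SizeMB   = [math]::Round($file.Length / 1MB, 2)
        Modified = $file.LastWriteTime
        SHA256   = Get-Sha256Hex -Path $file.FullName
    }
    $inventory += $row
    if ([math]::Abs($row.SizeMB - $SizeOfInterestMB) -lt 0.2) {
        Write-Host ("candidate: {0} ({1} MB) sha256={2}" -f $row.Path, $row.SizeMB, $row.SHA256)
    }
}
if ($inventory.Count -gt 0) {
    $inventory | Export-Csv -Path $EvidenceCsv -NoTypeInformation
    Write-Host "inventory written to $EvidenceCsv ($($inventory.Count) files)"
}

# 3. Clear the cache and any queued BITS jobs (the "downloader" queue the thread
#    mentions) so nothing half-fetched is resumed when the services come back.
Remove-Item -Path (Join-Path $cache '*') -Recurse -Force -ErrorAction SilentlyContinue
Import-Module BitsTransfer
Get-BitsTransfer -AllUsers | Remove-BitsTransfer

# 4. Restart the services. If the entry is still offered by the configured update
#    source it will reappear on the next detection cycle; that recurrence tells
#    you the entry is coming from the server side rather than from a leftover file.
foreach ($name in 'bits', 'wuauserv') {
    Start-Service -Name $name
}
```

Keeping the hash and timestamp of the deleted file matters more than the deletion itself: it is the one artefact that lets a vendor confirm whether everyone saw the same payload or whether some machines received something different.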

I have yet to update after seeing the very suspicious-looking 4.3 MB update that is labeled as important. I just made this account to talk to you guys because it really does seem malicious. I installed it on my throw-away machine and it just fails to update after installing. BUT, it does not show up anymore after the failure, so I'm guessing it might not be friendly. I'm more of a hardware buff, but I'm no spring chicken when it comes to software. I'll post some more if something changes. Please ask me and I'll do any kind of test if you need me to; that's why I have the extra machine.


Whatever it is - it could be a whole lot of things you will never see nor know - but one thing is for SURE: it is NOT an official Microsoft update, and I would not poke the bear and play with Pandora's box.

This is a fake update and you cannot even hide or delete it !!!

Something in the world of fake Windows updates is going on, as this guy bragged about and Microsoft scoffed at.

Ref =>
http://www.computerworld.com/article/2510998/cybercrime-hacking/hacker-claims-he-can-exploit-windows-update.html


Hi, thanks for visiting Answer Desk! I'm Virdette E.
12:16 pm
Hello, I'm Jacob
12:16 pm
Hi Jacob, how are you today?
12:17 pm
Could be better. There is very suspicious activity going on involving Windows Update.
12:17 pm
May I know what that is?
12:18 pm
It was an update listed as Important; it's 4.3 MB, and the three support links attached to it are false web addresses linked to .edu, .mil and .gov. I have 2 computers: 1 is a test machine for basically debug and diagnostics, and my personal machine. They are configured identically down to the hardware, but after I installed this recent update it said it failed, and then very shortly after, looking into it via Microsoft forums and other parties, I found out that not a single person believes it's a legitimate update. And I just want to know if it was issued by Microsoft or was it malicious?
12:22 pm
I use Windows 7 Ultimate 64-bit
12:22 pm
I hope I'm not overwhelming you, but this link is useful
12:24 pm
May I know what that update is?
12:24 pm
gYxseNjwafVPfgsoHnzLblmmAxZUiOnGcchqEAEwjyxwjUIfpXfJQcdLapTmFaqHGCFsdvpLarmPJLOZYMEILGNIPwNOgEazuBVJcyVjBRL
12:25 pm
is the update label
12:25 pm
Microsoft is not releasing this kind of update.
12:25 pm
That's all I needed to know
12:27 pm
Is there anything else I can help you with today?
12:27 pm

^^^^^^^^^^^^^^^

 


I'm being disconnected repeatedly by MS tech support, who say they were initially disconnected; then I'll get a call back, despite the fact we were having a live online text chat.

Get the impression I'm being fobbed off. Sigh....

3 separate antivirus checks, including Trend Micro's online HouseCall service, can't find any threats.

An identical virus load? A possible man-in-the-middle attack? MS update server compromised? I don't know which.

Guys, a man-in-the-middle attack would likely be geographically localized, right? I'm from the UK. If you have this problem, are you from the same place?

win7 update.jpg


Microsoft is in CYA mode - quietly, behind the scenes. I used to work there. They claimed this could never be done - see the Computerworld article - but it has been done (http://www.computerworld.com/article/2510998/cybercrime-hacking/hacker-claims-he-can-exploit-windows-update.html).

Either way they are going to have to explore that 4.3 MB file and explain what it is and how it got released down the "holy grail" Windows Update channel.

This is a free utility that can scan the registry to see if anything has been modified if you install the update => http://www.nirsoft.net/utils/regscanner.html

Microsoft does not want to say anything until they know what the file is - and if it is malicious, that they have a fix for it - BUT one thing is for SURE: they are going to have to come up with a way to get it OUT of the Windows Update pending queue, or it will keep trying to install over and over again.

They are going to have to send out an update to clean the entry from the update history at the very least and delete the 4.3 MB file from people's systems - and I know it downloaded a file because I DELETED a 4.3 MB file from \documents and settings\all users\application data\microsoft\network\downloader


Guys, a man-in-the-middle attack would likely be geographically localized, right? I'm from the UK. If you have this problem, are you from the same place?

The update hasn't appeared on my Windows 7 64-bit Pro box; I'm in Finland. @John Eucist reported it appeared on his Win7 Ultimate (64-bit, I presume) in Shenzhen, China.

Edit: This has just appeared on the Microsoft Community page:

My laptop was screwed after the update. Windows Explorer crashes VERY frequently now and most of my programs stopped working, even in admin mode.
System Restore didn't work and I don't have the information I need for a reinstall.
Basically whatever it was killed my system and compromised my gear, so I wouldn't want to look up anything sensitive to personal data on your machine. Also I noticed the update can't be deleted or hidden or detected after a failed install, even though you can clearly see it listed as a failed update... this is bad.

Sorry if this isn't what you wanted to hear. Maybe it affects things differently depending on location and computing capabilities. Hope for the best and try to restore.

 

Edit 2: We have never had this many users online, looks like this topic draws a crowd ;)


I'm on the USA eastern seaboard and I just got a developing situation, not a good one either. My laptop was unfortunately set to auto-update, and it ate up that fake update already and it totally locked me out of the system, basically. If I try to open a Windows Explorer window that's related to system files, Control Panel, admin tools, or Update, it immediately crashes Windows Explorer. Also 90% of my programs stopped working, even in elevated mode. If I try to go to Windows Update through the actual Start menu button, the system reacts as if I hit shutdown. I'm not a happy camper. I can't even use System Restore. Safe mode is a wash and won't even load. Reinstall is out of the question because I have no idea of any of the credentials of this laptop; it was wholesale and pre-loaded with Windows 7 Ult 64X. Microsoft said to virus scan, but wouldn't you know it, they all come up absolutely clean, even external scans. Granted, the external one is at about 64% ATM. No detections yet.


Microsoft is in panic mode now . . . Microsoft does not make "mistakes" . . . like this kind of update . . . The process for update roll-out prevents it - this is a Public Relations nightmare they are trying to cover. I DELETED the below files this morning - and now when I powered on my machine they have returned after Windows Update checked again for updates - and this time I have turned Windows Update OFF to never check for updates. If anyone believes that ZDNet article, then I have some prime swamp land I can sell you . . .

delete_file.JPG


http://www.zdnet.com/article/microsoft-accidentally-issued-a-test-windows-update-patch/

Don't panic: Microsoft mistakenly posted a 'test' Windows update patch

Some believed Windows Update has been hacked or compromised

 

Glad they've finally stopped talking crap, saying it's a corrupted file or a virus.

Not inclined to believe it's a test patch. Why would they have those dodgy "more info" links associated with it? Why would it wreck people's PCs?

More likely they've been compromised :(

At least I had my settings on "download but do not install", thank bod.

Btw, the front-line MS tech support guys don't appear to have been told about the problem fully. And they can't access internet links to see the articles on zdnet.com etc...

So they don't really believe the problem exists, I think... So don't get mad with them if they misunderstand what you are telling them. After all, who would have believed that MS update servers could be hacked....?

 


Andy . . .

Classic hacker mischievousness dictates that many people would mindlessly click on the "more info" links, not knowing they are another malicious way to get infected.

Microsoft has likely directed anyone fielding support contracts to act like they do not know what you are talking about - that way you cannot talk further in depth or seek answers the support person has no knowledge of - it is classic Public Relations spin 101.

No mistakes like that "update" take you to other links that actually answer a DNS call. If a person stayed on the other page long enough, a browser "drive-by" attack could also happen to your machine.

If Microsoft admits Windows Update has been compromised, millions of people would turn OFF Windows Update and maybe never trust it again - talk about a product-wrecking event . . . .


The links do not exist. It seems to me like it really is a 'test' update that somehow made it into production - the links look like randomly generated URL strings, and don't go anywhere (yes, I looked them up).

Besides which, a hacker wouldn't make it so obviously bogus - much better to name it "Security Update" and have it silently steal your credit card information without anyone ever having a clue.


@Kevin I just wonder why a test update wouldn't be clearly labeled as "Test" everywhere (title, description, more info etc.) so everybody inside MS can identify it at first sight. At least that's what I do on my systems, and all colleagues I know in IT do it similarly. Why use some randomly generated URLs if you don't have something to hide?
Also: call it a conspiracy or a coincidence, but the first "more info" link to the .gov URL starts with the characters "hck".


I can tell this much - there is something "wonky" about this "mistakenly released update" - it is persistent, and now my computer is behaving strangely - similar to what "ByGodZombie" reported here => https://answers.microsoft.com/en-us/windows/forum/windows_7-update/windows-7-update-appears-to-be-compromised/e96a0834-a9e9-4f03-a187-bef8ee62725e - however my Explorer is the only thing acting strange right now - but there is something persistent about this "update", because I deleted it yesterday as a running "job" - and now it apparently re-downloaded itself at 6:52 PM on 9/30/2015 and now cannot be accessed or deleted as "being used by another process" - and I cannot tell which process, of course. This was the file that was downloaded in the "mistaken update". I tend to think there is more to this story here => http://www.computerworld.com/article/2510998/cybercrime-hacking/hacker-claims-he-can-exploit-windows-update.html than one might think. If he - or another - succeeded somehow and this is being covered up, I hope it was a fairly harmless proof-of-concept hack.

hack_back.JPG


I can tell this much - there is something "wonky" about this "mistakenly released update" - it is persistent, and now my computer is behaving strangely - similar to what "ByGodZombie" reported here => https://answers.microsoft.com/en-us/windows/forum/windows_7-update/windows-7-update-appears-to-be-compromised/e96a0834-a9e9-4f03-a187-bef8ee62725e - however my Explorer is the only thing acting strange right now - but there is something persistent about this "update", because I deleted it yesterday as a running "job" - and now it apparently re-downloaded itself at 6:52 PM on 9/30/2015 and now cannot be accessed or deleted as "being used by another process" - and I cannot tell which process, of course. This was the file that was downloaded in the "mistaken update". I tend to think there is more to this story here => http://www.computerworld.com/article/2510998/cybercrime-hacking/hacker-claims-he-can-exploit-windows-update.html than one might think. If he - or another - succeeded somehow and this is being covered up, I hope it was a fairly harmless proof-of-concept hack.

 

Sorry to hear that it is affecting your system in a similar fashion to that of @Bygodzombie .  In my case I never installed the update.  I've set my Windows Update to NOT automatically download or install.  I did a "hide update" to it as soon as I spotted it.  My system appears to act normal so far.

In your and @Bygodzombie 's case, hopefully Microsoft will be more forthcoming and release a fix.  If not, hopefully the antivirus companies can figure it out soon.  May I ask if your Windows installation is "genuine"?  This seems to be something very few people are mentioning perhaps because it's taboo or incriminating.  My installation is certainly pirated and it was installed by someone else in Shenzhen, China.  I'm worried that this is something that is only affecting a certain pirated distribution which means there's more than this issue to worry about.

As for stopping processes and figuring out which processes are using it, perhaps @esaj might know more, and hopefully he can chime in.

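Several posts in this thread come down to the same triage: read the entry's title, size and "More information" / "Help and Support" links, decide whether the link hostnames are real, and hide the entry so the client stops re-queueing it. The script below is an added example that does that triage through the Windows Update Agent COM API (Microsoft.Update.Session); it is not code from the thread or from Microsoft. It lists every update currently offered to the machine, flags entries whose link hostnames contain long mixed-case labels or do not resolve in DNS, and with -Hide (elevated prompt) sets IsHidden on the flagged ones, which is the same reversible action as "Hide update" in the Windows Update UI. The two heuristics and their thresholds are this example's assumptions; the DNS check issues a name lookup only and never connects to any host.

```powershell
# Added example (not the thread's code). Lists offered updates, flags suspicious
# support links, and hides flagged entries when run with -Hide from an elevated prompt.
param([switch]$Hide)

function Test-SuspiciousUrl {
    param([string]$Url)
    if ([string]::IsNullOrEmpty($Url)) { return $false }
    try { $hostName = ([System.Uri]$Url).Host } catch { return $true }   # not even a valid URL

    # Heuristic 1 (assumption): DNS names are case-insensitive, so a vendor-written
    # link has no reason to carry long mixed-case labels; those read as random output.
    $mixedCase = $hostName.Split('.') | Where-Object {
        $_.Length -ge 5 -and $_ -cmatch '[a-z]' -and $_ -cmatch '[A-Z]'
    }
    if ($mixedCase) { return $true }

    # Heuristic 2 (assumption): a support link whose host does not resolve at all.
    # GetHostEntry sends a DNS query only; nothing connects to the host.
    try   { [void][System.Net.Dns]::GetHostEntry($hostName); return $false }
    catch { return $true }
}

# Query the local Windows Update Agent for everything it is currently offering.
# "IsInstalled=0" returns offered-but-not-installed entries, hidden ones included.
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search('IsInstalled=0')

$report = @()
foreach ($update in $result.Updates) {
    # MoreInfoUrls is a COM string collection; SupportUrl is a single string.
    $links = @()
    for ($i = 0; $i -lt $update.MoreInfoUrls.Count; $i++) { $links += $update.MoreInfoUrls.Item($i) }
    if ($update.SupportUrl) { $links += $update.SupportUrl }

    $bad = @($links | Where-Object { Test-SuspiciousUrl -Url $_ })
    $row = New-Object PSObject -Property @{
        UpdateID   = $update.Identity.UpdateID
        Title      = $update.Title
        SizeMB     = [math]::Round($update.MaxDownloadSize / 1MB, 2)
        IsHidden   = $update.IsHidden
        Links      = ($links -join ' ')
        Suspicious = ($bad.Count -gt 0)
    }
    $report += $row

    # Hiding is reversible (Windows Update > Restore hidden updates) and stops the
    # client from re-downloading the entry on every detection cycle.
    if ($row.Suspicious -and $Hide -and -not $update.IsHidden) {
        $update.IsHidden = $true
        Write-Host ("hidden: {0}" -f $update.Title)
    }
}

$report | Sort-Object Suspicious -Descending |
    Format-Table Suspicious, IsHidden, SizeMB, Title, Links -AutoSize
```

Run it once without -Hide to see the report, then with -Hide once you are satisfied the flagged rows are the ones you mean; the UpdateID column is the stable identifier worth quoting when comparing notes with other affected users, since the random-looking title can be anything.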

Archived

This topic is now archived and is closed to further replies.
