John Eucist posted September 30, 2015

Got this Windows Update entry under "important updates" today. It's Windows 7 Ultimate, installed on my Shenzhen, China PC by someone else, so it's almost certainly pirated. AVG reports no viruses, but maybe it's rootkitted? Either that or the Windows Update servers are hacked (unlikely). What gives it away as a "hack" (as opposed to a bug) is the .gov, .edu and .mil links in it. Note: the "(making link unclickable)" was added by myself.

gYxseNjwafVPfgsoHnzLblmmAxZUiOnGcchqEAEwjyxwjUIfpXfJQcdLapTmFaqHGCFsdvpLarmPJLOZYMEILGNIPwNOgEazuBVJcyVjBRL
Download size: 4.3 MB
You may need to restart your computer for this update to take effect.
Update type: Important
qQMphgyOoFUxFLfNprOUQpHS
More information:
https:// (making link unclickable) hckSLpGtvi.PguhWDz.fuVOl.gov
https:// (making link unclickable) jNt.JFnFA.Jigf.xnzMQAFnZ.edu
Help and Support:
https:// (making link unclickable) IIKaR.ktBDARxd.plepVV.PGetGeG.lfIYQIHCN.mil
John Eucist (author) posted September 30, 2015

At this point in time, when I google for:
gYxseNjwafVPfgsoHnzLblmmAxZUiOnGcchqEAEwjyxwjUIfpXfJQcdLapTmFaqHGCFsdvpLarmPJLOZYMEILGNIPwNOgEazuBVJcyVjBRL
I get two other links asking about this (with no replies). Bing has one extra result (and is missing another) asking about this (with no replies). All of them were posted within the last 12 hours, so it's something new.
esaj posted September 30, 2015

Maybe it's just Microsoft adding more spyware to the OS? http://www.pcworld.com/article/2978239/windows/microsoft-slips-user-tracking-tools-into-windows-7-8-amidst-windows-10-privacy-storm.html
zentype posted September 30, 2015

(zentype quotes John Eucist's opening post in full, with the three "More information" and "Help and Support" links removed for safety, and replies:)

Just a suggestion: I wouldn't post those three URLs as clickable links... You may send some unwitting, trusting types here to sites that aren't safe. Regarding that update, I'll check our machines here to see if it shows up on any of them. Very interesting...

On a semi-related note, years ago we did receive "official software" for Backup Exec (enterprise backup software) from a large corporate vendor. The CDs were officially labelled, everything was legit. But the CDs contained something completely different: Chinese software of some kind with strange graphics. A screw-up at the CD plant? Or something more sinister?
John Eucist (author) posted September 30, 2015

zentype wrote: "Just a suggestion: I wouldn't post those three URLs as clickable links... You may send some unwitting, trusting types here to sites that aren't safe."

Although it is unlikely someone could register a random long alphabetic string as a domain name under the .gov, .edu or .mil TLDs, I have made my links unclickable nevertheless. Thanks.

(John quotes his own earlier post about the two Google results and one Bing result, all posted within the last 12 hours, and adds:)

Google now returns 8 results instead of 2 (one of them being this thread), hehe.
John Eucist (author) posted September 30, 2015

esaj wrote: "Maybe it's just Microsoft adding more spyware to the OS? http://www.pcworld.com/article/2978239/windows/microsoft-slips-user-tracking-tools-into-windows-7-8-amidst-windows-10-privacy-storm.html"

Good to know! Gotta check for these later: KB3068708, KB3022345, KB3075249, and KB3080149.
wilburunion posted September 30, 2015

I don't know about anyone else, but I followed these directions => https://support.microsoft.com/en-us/kb/2509997 (Method 10 and Method 11) to stop Windows Update, went into the Downloader folder and deleted that 4.3 MB of whatever it downloaded BEFORE I rebooted my computer. And I STILL have not rebooted; I'm waiting on further developments on this from the web, or for Microsoft to post a statement or a fix on how to remove the update from pending.
Bygodzombie posted September 30, 2015

I have yet to update after seeing the very suspicious-looking 4.3 MB update that is labeled as important. I just made this account to talk to you guys because it really does seem malicious. I installed it on my throw-away machine and it just fails to update after installing. BUT it does not show up anymore after the failure, so I'm guessing it might not be friendly. I'm more of a hardware buff, but I'm no spring chicken when it comes to software. I'll post some more if something changes. Please ask me and I'll do any kind of test if you need me to; that's why I have the extra machine.
wilburunion posted September 30, 2015

Whatever it is, it could be a whole lot of things you will never see nor know, but one thing is for SURE: it is NOT an official Microsoft update, and I would not poke the bear and play with Pandora's box. This is a fake update and you cannot even hide or delete it!!! Something in the world of fake Windows updates is going on, as this guy bragged about and Microsoft scoffed at. Ref => http://www.computerworld.com/article/2510998/cybercrime-hacking/hacker-claims-he-can-exploit-windows-update.html
Andy Spark posted September 30, 2015

I've been on to Microsoft support about the exact same thing on Windows 7. She suggested in the end that it was a corrupted file. But that's not possible, as the 'more info' links go to .edu and .gov sites.
Bygodzombie posted September 30, 2015

(Transcript of a chat with Microsoft Answer Desk, as pasted by Bygodzombie; speakers inferred from the content.)

Virdette E. (12:16 pm): Hi, thanks for visiting Answer Desk! I'm Virdette E.
Jacob (12:16 pm): hello im Jacob
Virdette E. (12:17 pm): Hi Jacob, how are you today?
Jacob (12:17 pm): could be better. there is very suspicious activity going on involving windows update.
Virdette E. (12:18 pm): May I know what is that?
Jacob (12:22 pm): it was an update listed as Important and its 4.3 MB and the three support links attached to it are false web addresses linked to .edu .mil and .gov. i have 2 computers. 1 is a test machine for basically debug and diagnostics. and my personal machine. they are configured identically down to the hardware, but after i installed this recent update it said it failed and then very shortly after looking into it via microsoft forums and other parties i found out that not a single person believes its a legitimate update. and i just want to know if it was issued by microsoft or was it malicious?
Jacob (12:22 pm): i use windows 7 ultimate 64bit
Jacob (12:24 pm): i hope im not overwhelming you but this link is useful
Jacob (12:24 pm): http://forum.electricunicycle.org/topic/1366-hacked-windows-andor-windows-update-server/?_fromLogin=1
Virdette E. (12:24 pm): May I know what is that update?
Jacob (12:25 pm): gYxseNjwafVPfgsoHnzLblmmAxZUiOnGcchqEAEwjyxwjUIfpXfJQcdLapTmFaqHGCFsdvpLarmPJLOZYMEILGNIPwNOgEazuBVJcyVjBRL
Jacob (12:25 pm): is the update label
Virdette E. (12:25 pm): Microsoft is not releasing this kind of update.
Jacob (12:27 pm): thats all i needed to know
Virdette E. (12:27 pm): Is there anything else I can help you today?

^^^^^^^^^^^^^^^
Andy Spark posted September 30, 2015

I'm being disconnected repeatedly by MS tech support, who say they were initially disconnected, then I'll get a call back, despite the fact that we were having a live online text chat. I get the impression I'm being fobbed off. Sigh.... 3 separate antivirus checks, including Trend Micro's online HouseCall service, can't find any threats. An identical virus load? A possible man-in-the-middle attack? MS update server compromised? I don't know which. Guys, a man-in-the-middle attack would likely be geographically localized, right? I'm from the UK. If you have this problem, are you from the same place?
wilburunion posted September 30, 2015

Microsoft is in CYA mode, quietly, behind the scenes. I used to work there. They claimed this could never be done (see the Computerworld article), but it has been done (http://www.computerworld.com/article/2510998/cybercrime-hacking/hacker-claims-he-can-exploit-windows-update.html). Either way they are going to have to explore that 4.3 MB file and explain what it is and how it got released down the "holy grail" Windows Update channel.

This is a free utility that can scan the registry to see if anything has been modified, if you install the update => http://www.nirsoft.net/utils/regscanner.html

Microsoft does not want to say anything until they know what the file is and, if it is malicious, have a fix for it. BUT one thing is for SURE: they are going to have to come up with a way to get it OUT of the Windows Update pending queue, or it will keep trying to install over and over again. They are going to have to send out an update to clean the entry from the update history at the very least and delete the 4.3 MB file from people's systems. And I know it downloaded a file, because I DELETED a 4.3 MB file from \documents and settings\all users\application data\microsoft\network\downloader.
esaj posted September 30, 2015

Andy Spark wrote: "Guys, a man-in-the-middle attack would likely be geographically localized, right? I'm from the UK. If you have this problem, are you from the same place?"

The update hasn't appeared on my Windows 7 64-bit Pro box; I'm in Finland. @John Eucist reported it appeared on his Win7 Ultimate (64-bit, I presume) in Shenzhen, China.

Edit: This has just appeared on the Microsoft Community page:

"my laptop was screwed after the update. windows explorer crashes VERY frequently now and most of my programs stopped working even in admin mode. system restore didn't work and i don't have the information i need for a reinstall. basically whatever it was killed my system and compromised my gear so i wouldn't want to look up anything sensitive to personal data on your machine. also i noticed the update can't be deleted or hidden or detected after a failed install, even though you can clearly see it listed as a failed update... this is bad. sorry if this isn't what you wanted to hear. maybe it affects things differently depending on location and computing capabilities. hope for the best and try to restore."

Edit 2: We have never had this many users online; looks like this topic draws a crowd.
Bygodzombie posted September 30, 2015

I'm on the USA eastern seaboard and I just got a developing situation. Not a good one either. My laptop was unfortunately set to auto-update, and it ate up that fake update already and has totally locked me out of the system, basically. If I try to open a Windows Explorer window that's related to system files, Control Panel, admin tools or Update, it immediately crashes Windows Explorer. Also 90% of my programs stopped working, even in elevated mode. If I try to go to Windows Update through the actual Start menu button, the system reacts as if I hit shutdown. I'm not a happy camper. I can't even use System Restore. Safe Mode is a wash and won't even load. Reinstall is out of the question because I have no idea of any of the credentials of this laptop; it was wholesale and pre-loaded with Windows 7 Ultimate x64. Microsoft said to virus scan, but wouldn't you know it, they all come up absolutely clean. Even external scans. Granted, the external one is at about 64% ATM. No detections yet.
Mr Darkman posted September 30, 2015

Just wanted to say thanks to the board and the people who have posted. I know there are arrows for that, but it has reassured a lot of people that "it's not just them". Thanks.

By the way: http://betanews.com/2015/09/30/suspicious-windows-7-update-has-users-worried-microsofts-servers-may-have-been-compromised/

Hopefully MS will now reply.
Mr Darkman posted September 30, 2015

http://www.zdnet.com/article/microsoft-accidentally-issued-a-test-windows-update-patch/
"Don't panic: Microsoft mistakenly posted a 'test' Windows update patch. Some believed Windows Update had been hacked or compromised."
wilburunion posted September 30, 2015

Microsoft is in panic mode now... Microsoft does not make "mistakes"... like this kind of update... The process for update roll-out prevents it; this is a public relations nightmare they are trying to cover. I DELETED the below files this morning, and now, when I powered on my machine, they have returned after Windows Update checked again for updates, and this time I have turned Windows Update OFF to never check for updates. If anyone believes that ZDNet article, then I have some prime swamp land I can sell you...
Andy Spark posted September 30, 2015

Mr Darkman wrote: "http://www.zdnet.com/article/microsoft-accidentally-issued-a-test-windows-update-patch/ Don't panic: Microsoft mistakenly posted a 'test' Windows update patch. Some believed Windows Update had been hacked or compromised."

Glad they've finally stopped talking crap, saying it's a corrupted file or a virus. Not inclined to believe it's a test patch. Why would they have those dodgy 'more info' links associated with it? Why would it wreck people's PCs? More likely they've been compromised. At least I had my settings on 'download but do not install', thank bod.

Btw, the front-line MS tech support guys don't appear to have been told about the problem fully, and they can't access internet links to see the articles on zdnet.com etc... So they don't really believe the problem exists, I think... So don't get mad with them if they misunderstand what you are telling them. After all, who would have believed that MS update servers could be hacked...?
wilburunion posted September 30, 2015

Andy... Classic hacker mischievousness dictates that many people would mindlessly click on the "more info" links, not knowing they are another malicious way to get infected.

Microsoft has likely directed anyone fielding support contacts to act like they do not know what you are talking about; that way you cannot talk further in depth or seek answers the support person has no knowledge of. It is classic public relations spin 101.

No "mistakes" like that "update" take you to other links that actually answer a DNS call. If a person stayed on the other page long enough, a browser "drive-by" attack could also happen to your machine.

If Microsoft admits that Windows Update has been compromised, millions of people would turn OFF Windows Update and maybe never trust it again. Talk about a product-wrecking event...
Kevin posted September 30, 2015

The links do not exist. It seems to me like it really is a 'test' update that somehow made it into production: the links look like randomly generated URL strings, and don't go anywhere (yes, I looked them up). Besides which, a hacker wouldn't make it so obviously bogus; much better to name it "Security Update" and have it silently steal your credit card information without anyone ever having a clue.
John Eucist (author) posted October 1, 2015

esaj wrote: "Edit 2: We have never had this many users online; looks like this topic draws a crowd."

Probably because this thread is ranked #2 (out of 24) on Google when searching for the update name string.
Jag_Rip posted October 1, 2015

@Kevin I just wonder why a test update wouldn't be clearly labeled as "Test" everywhere (title, description, more info, etc.) so everybody inside MS can identify it at first sight. At least that's what I do on my systems, and all the colleagues I know in IT do it similarly. Why use random character-generated URLs if you don't have to hide something?

Also: call it a conspiracy or a coincidence, but the first "More info" link, the .gov URL, starts with the characters "hck".
wilburunion posted October 1, 2015

I can tell this much: there is something "wonky" about this "mistakenly released update". It is persistent, and now my computer is behaving strangely, similar to what "ByGodZombie" reported here => https://answers.microsoft.com/en-us/windows/forum/windows_7-update/windows-7-update-appears-to-be-compromised/e96a0834-a9e9-4f03-a187-bef8ee62725e. However, my Explorer is the only thing acting strange right now. But there is something persistent about this "update", because I deleted it yesterday as a running "job", and now it apparently re-downloaded itself at 6:52 PM on 9/30/2015 and now cannot be accessed or deleted, as it is "being used by another process", and I cannot tell which process, of course. This was the file that was downloaded in the "mistaken update". I tend to think there is more to this story here => http://www.computerworld.com/article/2510998/cybercrime-hacking/hacker-claims-he-can-exploit-windows-update.html than one might think. If he, or another, succeeded somehow and this is being covered up, I hope it was a fairly harmless proof-of-concept hack.
John Eucist (author) posted October 1, 2015

(John quotes wilburunion's post above in full and replies:)

Sorry to hear that it is affecting your system in a similar fashion to that of @Bygodzombie. In my case I never installed the update. I've set my Windows Update to NOT automatically download or install. I did a "hide update" on it as soon as I spotted it. My system appears to act normally so far.

In your and @Bygodzombie's case, hopefully Microsoft will be more forthcoming and release a fix. If not, hopefully the antivirus companies can figure it out soon. May I ask if your Windows installation is "genuine"? This seems to be something very few people are mentioning, perhaps because it's taboo or incriminating. My installation is certainly pirated, and it was installed by someone else in Shenzhen, China.

I'm worried that this is something that is only affecting a certain pirated distribution, which would mean there's more than this issue to worry about. As for stopping processes and figuring out which processes are using it, perhaps @esaj might know more, and hopefully he can chime in.
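Editor's note: the thread above describes several manual checks by hand, namely listing what is sitting in the Windows Update queue with its "More information" links (John's opening post), looking up whether those hosts resolve (Kevin), checking the update history for the failed install (Bygodzombie, esaj), looking for the 4.3 MB payload in the BITS Downloader folder (wilburunion), checking for the four telemetry KBs from the PCWorld article (esaj, John), and hiding the entry (John). The PowerShell below is an added example that does all of those from one elevated prompt using the Windows Update Agent COM API; it is not code posted by anyone in this thread. The suspect title, the KB list and the $HideIt switch are assumptions taken from the thread's own text, and the "odd title" heuristic (no whitespace, over 40 characters) is the editor's, not Microsoft's. It stays on PowerShell 2.0-era syntax so it runs on a stock Windows 7 box.

```powershell
# Added example, not code posted by anyone in this thread. Triage a suspicious entry
# in the Windows Update queue on Windows 7 using the Windows Update Agent COM API
# (the same interface the Windows Update control panel drives). Run from an
# elevated PowerShell prompt; setting IsHidden needs administrator rights.
#
# Assumptions (constructed for this example, not taken from any real system):
#   $SuspectTitle  - the garbage title posted in this thread
#   $TelemetryKBs  - the four KB numbers John listed from the PCWorld article
#   $HideIt        - $true to hide the matching entry, as John did ("hide update")

$SuspectTitle = 'gYxseNjwafVPfgsoHnzLblmmAxZUiOnGcchqEAEwjyxwjUIfpXfJQcdLapTmFaqHGCFsdvpLarmPJLOZYMEILGNIPwNOgEazuBVJcyVjBRL'
$TelemetryKBs = 'KB3068708', 'KB3022345', 'KB3075249', 'KB3080149'
$HideIt       = $false

$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()

function Test-HostResolves([string]$Url) {
    # Kevin's check: do the "More information" / "Help and Support" hosts exist in DNS?
    # Random labels under .gov, .edu and .mil will not; registration there is restricted.
    try {
        $name = ([System.Uri]$Url).Host
        [void][System.Net.Dns]::GetHostEntry($name)
        return $true
    } catch { return $false }
}

function Get-SuspiciousPendingUpdates {
    # IsInstalled=0 returns everything offered but not yet installed, hidden entries included.
    $pending = $searcher.Search('IsInstalled=0').Updates
    foreach ($u in $pending) {
        $urls = @()
        foreach ($m in $u.MoreInfoUrls) { $urls += $m }
        if ($u.SupportUrl) { $urls += $u.SupportUrl }
        $deadUrls = @($urls | Where-Object { -not (Test-HostResolves $_) })

        # Editor's heuristic: a real Microsoft title contains spaces
        # ("Security Update for Windows 7 (KB...)"); a bare 100-character token does not.
        $oddTitle = ($u.Title -notmatch '\s') -and ($u.Title.Length -gt 40)

        if ($oddTitle -or $deadUrls.Count -gt 0 -or $u.Title -eq $SuspectTitle) {
            New-Object PSObject -Property @{
                Title    = $u.Title
                UpdateID = $u.Identity.UpdateID
                SizeMB   = [math]::Round($u.MaxDownloadSize / 1MB, 1)
                KBs      = (@($u.KBArticleIDs) -join ',')
                DeadUrls = ($deadUrls -join ' ')
                IsHidden = $u.IsHidden
            }
            # Same effect as "Hide update" in the control panel; the entry stays hidden
            # across the agent's next detection cycle instead of being re-offered.
            if ($HideIt -and $u.Title -eq $SuspectTitle) { $u.IsHidden = $true }
        }
    }
}

function Get-FailedHistory {
    # Bygodzombie and esaj: after a failed install the entry leaves the queue but stays in
    # history. ResultCode: 2 = Succeeded, 3 = SucceededWithErrors, 4 = Failed, 5 = Aborted.
    $total = $searcher.GetTotalHistoryCount()
    if ($total -eq 0) { return }
    $searcher.QueryHistory(0, $total) |
        Where-Object { $_.ResultCode -ne 2 -or $_.Title -eq $SuspectTitle } |
        Select-Object Date, ResultCode, HResult, Title, SupportUrl
}

function Get-RecentDownloaderFiles {
    # wilburunion's folder: \Documents and Settings\All Users\Application Data\... is a
    # junction to %ProgramData% on Windows 7. The qmgr*.dat files belong to BITS; a large
    # recently written file here is the payload the agent pulled. Stop the 'bits' and
    # 'wuauserv' services before deleting anything, or you get "used by another process".
    $dl = Join-Path $env:ProgramData 'Microsoft\Network\Downloader'
    Get-ChildItem $dl -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -gt (Get-Date).AddDays(-2) } |
        Select-Object Name, @{n='SizeMB'; e={ [math]::Round($_.Length / 1MB, 1) }}, LastWriteTime
}

function Get-InstalledTelemetryKBs {
    # Only the KBs from the PCWorld article that are actually installed are returned.
    Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $TelemetryKBs -contains $_.HotFixID } |
        Select-Object HotFixID, InstalledOn, Description
}

'== Pending entries that look wrong ==';            Get-SuspiciousPendingUpdates | Format-List
'== Update history: failures and the suspect title =='; Get-FailedHistory | Format-Table -AutoSize
'== Recent files in the BITS Downloader folder ==';  Get-RecentDownloaderFiles | Format-Table -AutoSize
'== Telemetry KBs installed ==';                     Get-InstalledTelemetryKBs | Format-Table -AutoSize
```

Two caveats worth keeping in mind when reading the output. First, a non-resolving host is evidence that the entry was never meant to reach users, not evidence of compromise on its own; the COM query only reports what the agent was offered, so a tampered-with agent or a machine already running foreign code (the situation Bygodzombie describes) cannot be trusted to report honestly about itself. Second, hiding an entry does not remove anything already downloaded; the Downloader listing above is there precisely so that the payload's presence can be confirmed separately from what the queue claims.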
This topic is now archived and is closed to further replies.