MS Defender Error: "Mallware Signeture Download" Appears Legitimate (Unfortunately).
Ow, the other day I was infected by the the Vundo trojan. I believe the trojan came in through an infected webpage and attacked a Java vulnerability on my machine. During the cleanup, I installed a variety of anti-malware software, including Microsoft Windows Defender. Although I don't believe things can be 100% clean after such an infection, I *really* don't want to reformat that workstation. That said, I was extremely suspicious today when a Dr. Watson/Microsoft Error Reporting error pops up with obvious misspellings (picture taken after report submission):
Web path: https://blog.netnerds.net/images/mallware.gif
Disk path: /static/images/mallware.gif
Using Page Bundles: false
"Mallware Signeture Download"
I immediately went to Google and found that other people experienced the error and were also suspicious of the spelling errors, since such errors are common in actual malware. Feeling adventurous, I decided to allow the software to send the reports that I didn't bother looking at because if it's malware, it would be a setup anyway, right? Immediately after the data submission, I brought up a command window and typed netstat -b which listed the following:
Proto Local Address Foreign Address State PID TCP MYWORKSTATION:1332 watson.microsoft.com:http ESTABLISHED 2728 [DW20.EXE]
After going to https://watson.microsoft.com and receiving a Directory Listing Denied error, I pinged watson.microsoft.com and noted the IP resolved to 126.96.36.199. Using Sam Spade, I then asked ARIN who owns that IP block and sure enough, the IP is owned by Microsoft.
12/14/08 15:35:18 IP block 188.8.131.52 Trying 184.108.40.206 at ARIN Trying 65.55.22 at ARIN
OrgName: Microsoft Corp OrgID: MSFT Address: One Microsoft Way City: Redmond StateProv: WA PostalCode: 98052 Country: US
NetRange: 220.127.116.11 - 18.104.22.168
Now, I was pretty confident that the pop-up was indeed legitimate. But I became completely convinced after I found a posting by "Dude" on pcreview.co.uk that shows the string can be found within the program files, themselves.
$ cd "$PROGRAMFILES/Windows Defender" $ for file in *; do strings -t x -e l $file | grep Mallware | grep Signeture && echo $file ; done 10cdc Mallware Signeture Download MSASCui.exe 26fc Mallware Signeture Download MpSigDwn.dll
Having such spelling errors in an anti-virus program is unacceptable. Hopefully Microsoft will address it soon so that IT pros can stop wasting their time researching its legitimacy. However, seeing that the problem has been around since at least 11/2006, a fix doesn't really seem likely.