MS Defender Error: "Mallware Signeture Download" Appears Legitimate (Unfortunately).

Ow, the other day I was infected by the Vundo trojan. I believe the trojan came in through an infected webpage that attacked a Java vulnerability on my machine. During the cleanup, I installed a variety of anti-malware software, including Microsoft Windows Defender. Although I don’t believe things can be 100% clean after such an infection, I *really* don’t want to reformat that workstation. That said, I was extremely suspicious today when a Dr. Watson/Microsoft Error Reporting error popped up with obvious misspellings (picture taken after report submission):


“Mallware Signeture Download”

I immediately went to Google and found that other people had experienced the error and were also suspicious of the spelling errors, since such errors are common in actual malware. Feeling adventurous, I decided to allow the software to send the reports, which I didn’t bother looking at because if it’s malware, it would be a setup anyway, right? Immediately after the data submission, I brought up a command window and typed netstat -b, which listed the following:

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    MYWORKSTATION:1332       watson.microsoft.com:http  ESTABLISHED     2728
  [DW20.EXE]

After going to http://watson.microsoft.com and receiving a Directory Listing Denied error, I pinged watson.microsoft.com and noted the IP resolved to 65.55.22.252. Using Sam Spade, I then asked ARIN who owns that IP block and sure enough, the IP is owned by Microsoft.

12/14/08 15:35:18 IP block 65.55.22.252
Trying 65.55.22.252 at ARIN
Trying 65.55.22 at ARIN

OrgName:    Microsoft Corp
OrgID:      MSFT
Address:    One Microsoft Way
City:       Redmond
StateProv:  WA
PostalCode: 98052
Country:    US

NetRange:   65.52.0.0 - 65.55.255.255

Now I was pretty confident that the pop-up was indeed legitimate. But I became completely convinced after I found a posting by “Dude” on pcreview.co.uk that shows the string can be found within the program files themselves.

$ cd "$PROGRAMFILES/Windows Defender"
$ # -t x prints each string's file offset in hex; -e l searches 16-bit little-endian (UTF-16LE) strings, which is how Windows binaries store this text
$ for file in *; do strings -t x -e l "$file" | grep Mallware | grep Signeture && echo "$file"; done
10cdc Mallware Signeture Download
MSASCui.exe
26fc Mallware Signeture Download
MpSigDwn.dll
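The same check, as an added example that is not from the post or from “Dude”: the reason the one-liner needs `-e l` is that the string sits in the binaries as UTF-16LE, so a plain ASCII search misses it. This script looks for both encodings and reports hex offsets the way `strings -t x` does; the embedded blob is constructed to stand in for a Windows Defender binary, and `scan_file` is a hypothetical helper for running it against real files.

```python
from typing import List, Tuple

# Constructed sample standing in for a Windows binary: a PE-style "MZ" header,
# the suspect string stored as UTF-16LE (what `strings -e l` finds), an ordinary
# ASCII string, and an ASCII copy of the suspect string (what plain `strings` finds).
NEEDLE = "Mallware Signeture Download"
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 60
    + NEEDLE.encode("utf-16-le")
    + b"\x00" * 8
    + b"Microsoft Windows Defender\x00"
    + NEEDLE.encode("ascii")
    + b"\xff" * 16
)


def find_string(blob: bytes, needle: str) -> List[Tuple[str, str]]:
    """Return (encoding, hex_offset) for every occurrence of `needle` in `blob`.

    Both ASCII and UTF-16LE are checked, so a string that only exists as
    16-bit little-endian text (the common case in Windows binaries) is not missed.
    """
    hits: List[Tuple[str, str]] = []
    for enc in ("ascii", "utf-16-le"):
        enc_needle = needle.encode(enc)
        pos = blob.find(enc_needle)
        while pos != -1:
            hits.append((enc, f"{pos:x}"))  # hex offset, like `strings -t x`
            pos = blob.find(enc_needle, pos + 1)
    return hits


def scan_file(path: str, needle: str = NEEDLE) -> List[Tuple[str, str]]:
    """Hypothetical helper: run find_string over a file on disk, e.g. MpSigDwn.dll."""
    with open(path, "rb") as fh:
        return find_string(fh.read(), needle)


if __name__ == "__main__":
    for enc, off in find_string(SAMPLE_BLOB, NEEDLE):
        print(f"{off} ({enc}) {NEEDLE}")
```

A search that only handles ASCII would report the second hit and miss the first, which is exactly the gap `-e l` closes in the shell one-liner.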

Having such spelling errors in an anti-virus program is unacceptable. Hopefully Microsoft will address it soon so that IT pros can stop wasting their time researching its legitimacy. However, seeing that the problem has been around since at least 11/2006, a fix doesn’t really seem likely.

Chrissy is a PowerShell MVP who has worked in IT for nearly 20 years, and currently serves as a Sr. Database Engineer in Belgium. Always an avid scripter, she attended the Monad session at Microsoft’s Professional Developers Conference in Los Angeles back in 2005 and has worked and played with PowerShell ever since. Chrissy is currently pursuing an MS in Systems Engineering at Regis University and helps maintain RealCajunRecipes.com in her spare time. She holds a number of certifications, including those relating to SQL Server, SuSE Linux, SharePoint and network security. She recently became co-lead of the SQL PASS PowerShell Virtual Chapter. You can follow her on Twitter at @cl.

Posted in Security, Windows
6 comments on “MS Defender Error: "Mallware Signeture Download" Appears Legitimate (Unfortunately).”
  1. Vivian says:

    Thanks Chrissy.
    I had just installed windows defender and got the same error report.
    Because of the misspelling, I didn’t submit the report. But immediately googled the suspect application name exactly as spelled…and I saw your link.

    Thanks for your thorough investigation. It saved me a lot a time.

    Vivian

  2. Antonio says:

    ARRR! Chrissy

    Just found the same message today!
    My Toshiba went crazy last night (it started to open applications like crazy) and afterwards some MS software started to check for errors in Office. It corrected one error and today, when I started my PC again, I have this error report software that wants to send info to MS.
    It wants to report two errors: one is this “Mallware Signeture Download”

    Thanks for the information you have here.
    I’m going to click send on the report …

  3. David Pelton says:

    Thanks, but I think there may be some mistakes here. I think all of us were previously (or may still be) infected with malware.

    I believe this because in addition to several “Mallware Signeture Download” lines I also had “Microsoft Office Word”.

    The difference between my error reporting dialog and the one you show is that I have a link under more information (maybe that goes away after you send the information). Anyway, when I click that for one of the “Mallware Signeture Download” links I am taken to a dialog that shows the error signature which lists the EventType as mptelemetry.

    Searching the web for that EventType led me to http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.private.security.spyware.appcompat&tid=1e346d40-bf90-4567-817e-3cf9071e41ec&cat=&lang=&cr=&sloc=&p=1 where I see that the error is an inability to connect to a website, usually for an update.

    I think what we have here is that a malware (which I had on my machine and cleaned up) was trying to report and failed. That malware, I’ll bet, was entitled “Mallware Signeture Download”.

    Also, when I look through the attached CAB file about the report (and look at the one for Word) it even more points to “Mallware Signeture Download” being the name of an application as opposed to the action being performed here.

  4. Ena says:

    The update was for Windows Defender. I don’t know if your Windows Defender automatically updates, but if that is the website, then it was trying to download a signature. It was a signature to identify a problem, not a signature to initiate a problem.

  5. RedNose says:

    I tried to search for the string in Windows Defender files in Vista SP2 and Windows 7 but could not find any Mallware or Signeture. I think either you were really infected or Microsoft got wiser.

  6. lymnenjoync says:

    I have been reading this forum for 2 weeks and I want to register and say hi to everybody
