Ow, the other day I was infected by the Vundo trojan. I believe the trojan came in through an infected webpage and attacked a Java vulnerability on my machine. During the cleanup, I installed a variety of anti-malware software, including Microsoft Windows Defender. Although I don’t believe things can be 100% clean after such an infection, I *really* don’t want to reformat that workstation. That said, I was extremely suspicious today when a Dr. Watson/Microsoft Error Reporting error popped up with obvious misspellings (picture taken after report submission):
“Mallware Signeture Download”
I immediately went to Google and found that other people experienced the error and were also suspicious of the spelling errors, since such errors are common in actual malware. Feeling adventurous, I decided to allow the software to send the reports that I didn’t bother looking at because if it’s malware, it would be a setup anyway, right? Immediately after the data submission, I brought up a command window and typed netstat -b which listed the following:
Proto Local Address Foreign Address State PID
TCP MYWORKSTATION:1332 watson.microsoft.com:http ESTABLISHED 2728
After going to http://watson.microsoft.com and receiving a Directory Listing Denied error, I pinged watson.microsoft.com and noted the IP resolved to 188.8.131.52. Using Sam Spade, I then asked ARIN who owns that IP block and sure enough, the IP is owned by Microsoft.
12/14/08 15:35:18 IP block 184.108.40.206
Trying 220.127.116.11 at ARIN
Trying 65.55.22 at ARIN
OrgName: Microsoft Corp
Address: One Microsoft Way
NetRange: 18.104.22.168 - 22.214.171.124
Now, I was pretty confident that the pop-up was indeed legitimate. But I became completely convinced after I found a posting by “Dude” on pcreview.co.uk that shows the string can be found within the program files themselves.
$ cd "$PROGRAMFILES/Windows Defender"
$ # -e l searches for 16-bit little-endian (UTF-16LE) strings, which is how Windows binaries store UI text; -t x prints the hex offset
$ for file in *; do strings -t x -e l "$file" | grep Mallware | grep Signeture && echo "$file"; done
10cdc Mallware Signeture Download
26fc Mallware Signeture Download
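The same check the strings/grep pipeline performs, as an added example that is not part of the original post: it searches files for the UTF-16LE encoding of the misspelled string (what `strings -e l` does) and reports hex offsets the way `strings -t x` does. The sample file it scans is constructed here, not a real Defender binary, and the offsets it produces are therefore only illustrative.

```python
import os
import re
import tempfile
from pathlib import Path

# The misspelled string shown in the error-reporting dialog, as quoted in the post.
NEEDLE = "Mallware Signeture Download"


def find_utf16le_string(data: bytes, needle: str) -> list:
    """Return hex offsets at which `needle`, encoded as UTF-16LE, occurs in `data`.

    Windows binaries store most UI/resource strings as UTF-16LE, so a plain 8-bit
    search (or `strings` without `-e l`) would not find them.
    """
    pattern = re.escape(needle.encode("utf-16-le"))
    return [format(m.start(), "x") for m in re.finditer(pattern, data)]


def scan_directory(directory: str, needle: str = NEEDLE) -> dict:
    """Scan each regular file in `directory` (non-recursive, like `for file in *`)
    and map filename -> hex offsets where the UTF-16LE needle was found."""
    hits = {}
    for path in sorted(Path(directory).iterdir()):
        if not path.is_file():
            continue
        offsets = find_utf16le_string(path.read_bytes(), needle)
        if offsets:
            hits[path.name] = offsets
    return hits


def build_sample_file(path: str) -> None:
    """Constructed stand-in for a Defender binary: zero padding, then the
    UTF-16LE string twice, 0x100 bytes apart (hypothetical layout)."""
    encoded = NEEDLE.encode("utf-16-le")  # 27 chars -> 54 (0x36) bytes
    blob = b"\x00" * 0x10CDC + encoded + b"\x00" * 0x100 + encoded
    Path(path).write_bytes(blob)


def demo() -> dict:
    """Build the constructed sample in a temp directory, scan it, return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_file(os.path.join(tmp, "sample.dll"))
        return scan_directory(tmp)


if __name__ == "__main__":
    for name, offsets in demo().items():
        for off in offsets:
            print(f"{off} {NEEDLE}  ({name})")  # prints 10cdc and 10e12 for the sample
```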
Having such spelling errors in an anti-virus program is unacceptable. Hopefully Microsoft will address it soon so that IT pros can stop wasting their time researching its legitimacy. However, seeing that the problem has been around since at least 11/2006, a fix doesn’t really seem likely.