Aryeh Goretsky posted a blog about a trojan program in a Microsoft catalog update. I thought it might be a little interesting to know how this can happen and why it doesn’t happen more often.
As it turns out, it was once my job to make sure that Microsoft did not release infected software. Initially my responsibility was only for retail software, but eventually grew to encompass virtually everything that Microsoft releases and virtually everything that Microsoft hosts on Microsoft.com or in Microsoft update sites. It quickly became known that inside of Microsoft if there was an infected release it was immediately escalated to very high levels and was taken very seriously. Almost all detections I encountered at the end of the time I did scanning at Microsoft were in third party drivers.
Is the Release of Infected Code Unusual?
A Company releasing infected code is not at all unusual.
There have been many instances, however this case is a bit unusual and can best be equated to the Sony Rootkit incident. . In Sony’s case, they wrote the rootkit, however were so obliviously ignorant of technology they didn’t even know what it was or that other hackers could use it for bad purposes. In the Energizer case, Energizer apparently had no clue how the dangerous file got into their software, but introduced a vulnerability that could allow unauthorized remote access to your computer.
Why Didn’t Microsoft Catch it?
At the time the software was added to the update catalog, at least a dozen different antivirus products did not detect the file as malicious. The program is not a virus, and unless presented by a malicious person as something you want, it is not a trojan or otherwise malicious software. The program is potentially dangerous software, but arguably no more dangerous than many third party programs if you do not keep them up-to-date. Outdated versions of Adobe Flash, Adobe Reader, Adobe Acrobat, Mozilla Firefox, Microsoft Internet Explorer, and many other programs present vulnerabilities that are actively being exploited. Microsoft did not write the software in question and did due diligence prior to adding it to the update catalog.
Why Is Microsoft Hosting Code for other Companies?
The reason that Microsoft hosts so much third party code is in part that many drivers must be digitally signed in order to work with Microsoft operating systems. Just because you don’t see a digital signature does not mean that the file hasn’t been signed though, there are catalog files that contain cryptographic representations of the files. Ask me if you want to know more about catalog signing :) But yeah, at some point it is likely that the file in question was digitally signed or added to a catalog.
If these drivers get updated they must go through some quality assurance processes and be signed. In this case it appears that Energizer simply discontinued the software but may not have informed Microsoft that this offering needed to be removed from the catalog update collection.
What Can Microsoft do to Prevent This From Happening Again?
Microsoft has developed pretty intensive processes to prevent the release of infected software. Every file that gets released or signed is scanned by a large number of antivirus products that are professionally maintained and configured. Working at Microsoft I saw that some companies did not seem to use even one current scanner.
Aryeh recommend that perhaps Microsoft could go back through the existing software repositories to check again for malicious software. While theoretically possible it is impractical and has a low probability of a meaningful return on investment. Microsoft scans several terabytes of code each month. Much of this code is compressed and needs to be decompressed. It takes massive amounts of computing resources to go through that much code even once a year. It isn’t just the computers, you are talking about wasting a lot of electricity looking for something that almost never exists. This incidence demonstrates that if there is something bad there that has since become detected, technologies like Microsoft’s “Smart Screen”, and updated antivirus are much more efficient ways to find the trillionth of a percentage exceptions.
In the future there will be better mechanisms of keeping track of the hashes of files and then such a file is found to be harmful a simple database look-up can be used by Microsoft to see if the file is contained on any Microsoft property or resource, however it has only been recently that significant progress has been made in attempting such an endeavor and may take a long time to go back and added existing files to such a database.
Security is about managing risk, and even though automatic updating mechanisms do introduce some risk, they eliminate so much more risk that it is a no-brainer as to what makes sense.
This is an interesting story in that it is such an unusual exception, but the lesson isn’t in what Microsoft could have or should have done, it is in that Energizer and all companies need to know what software they distribute. If there is a file that doesn’t belong in their distribution, they should know about it.
Director of Technical Education
Cyber Threat Analysis Center
ESET North America