Alerts coming from Windows Update cabs

Discussion in 'ESET NOD32 Antivirus' started by SmackyTheFrog, Jan 28, 2011.

Thread Status:
Not open for further replies.
  1. SmackyTheFrog

    SmackyTheFrog Registered Member

    Joined:
    Nov 5, 2007
    Posts:
    767
    Location:
    Lansing, Michigan
    I can't say I've ever seen this one before. One of our mobile users was pulling down updates from download.windowsupdate.com (from what I can tell by public DNS records and the IP, this is a valid microsoft website) and a driver for a USB device is being flagged as malicious.

    Code:
    Name	Threat	Action	Information
    http://download.windowsupdate.com/msdownload/update/driver/drvs/2008/08/20069747_61412dc9aba9cacfad12955f8049fc57bf505137.cab	multiple threats	connection terminated - quarantined	Threat was detected upon access to web by the application: C:\Windows\System32\svchost.exe.
    http://download.windowsupdate.com/msdownload/update/driver/drvs/2008/08/20069747_61412dc9aba9cacfad12955f8049fc57bf505137.cab » CAB » UsbCharger setup V1.1.1.exe	multiple threats		
    http://download.windowsupdate.com/msdownload/update/driver/drvs/2008/08/20069747_61412dc9aba9cacfad12955f8049fc57bf505137.cab » CAB » UsbCharger setup V1.1.1.exe » INNO » file0000.bin	probably a variant of Win32/Agent.LQHLSWT trojan		
    http://download.windowsupdate.com/msdownload/update/driver/drvs/2008/08/20069747_61412dc9aba9cacfad12955f8049fc57bf505137.cab » CAB » UsbCharger setup V1.1.1.exe » INNO » file0010.bin	Win32/Arurizer.A trojan		
    http://download.windowsupdate.com/msdownload/update/driver/drvs/2008/08/20069747_61412dc9aba9cacfad12955f8049fc57bf505137.cab » CAB » UsbCharger setup V1.1.1.rar	multiple threats		
    http://download.windowsupdate.com/msdownload/update/driver/drvs/2008/08/20069747_61412dc9aba9cacfad12955f8049fc57bf505137.cab » CAB » UsbCharger setup V1.1.1.rar » RAR » UsbCharger setup V1.1.1.exe	multiple threats		
    http://download.windowsupdate.com/msdownload/update/driver/drvs/2008/08/20069747_61412dc9aba9cacfad12955f8049fc57bf505137.cab » CAB » UsbCharger setup V1.1.1.rar » RAR » UsbCharger setup V1.1.1.exe » INNO » file0000.bin	probably a variant of Win32/Agent.LQHLSWT trojan		
    http://download.windowsupdate.com/msdownload/update/driver/drvs/2008/08/20069747_61412dc9aba9cacfad12955f8049fc57bf505137.cab » CAB » UsbCharger setup V1.1.1.rar » RAR » UsbCharger setup V1.1.1.exe » INNO » file0010.bin	Win32/Arurizer.A trojan		
    
    The connection was initiated by NT AUTHORITY\SYSTEM, so I'm confident this activity was coming out of the Windows Update service. The directory structure indicates that this cab is from 2008, which makes me suspect a false positive.

    e: I brought down a copy of the cab on my workstation and it was detected with the same definitions, so this isn't a case of downloads getting redirected. I guess it is a possibility that the WU repository was compromised, but that seems unlikely.
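    A parser for alert lines like the ones above, plus the hash check a defender would run on the cab pulled down manually, added here as example code that is not part of the thread. It assumes (labelled in the code) that the 40-hex suffix in a Windows Update filename is the SHA-1 of the cab; the sample log text is constructed from the lines quoted in the post.

```python
import hashlib
import re

# Constructed sample of two of the ESET alert lines quoted in the post
# (tab-separated columns: Name, Threat, Action, Information).
CAB_URL = ("http://download.windowsupdate.com/msdownload/update/driver/drvs/2008/08/"
           "20069747_61412dc9aba9cacfad12955f8049fc57bf505137.cab")
SAMPLE_LOG = (
    CAB_URL + "\tmultiple threats\tconnection terminated - quarantined\t"
    "Threat was detected upon access to web by the application: "
    "C:\\Windows\\System32\\svchost.exe.\n"
    + CAB_URL + " » CAB » UsbCharger setup V1.1.1.exe » INNO » file0010.bin"
    "\tWin32/Arurizer.A trojan\t\t\n"
)
# Assumption: Windows Update names downloads <id>_<sha1 of file>.cab
WU_NAME = re.compile(r"/[^/]+_(?P<sha1>[0-9a-fA-F]{40})\.cab$")
PROC_RE = re.compile(r"application:\s*(\S+?)\.?$")


def parse_alerts(text):
    """Turn ESET threat-log lines into records: outer URL, archive layers
    unpacked (CAB, INNO, RAR ...), member at each layer, threat, process."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = (line.split("\t") + [""] * 4)[:4]
        parts = [p.strip() for p in cols[0].split("»")]
        chain = parts[1:]  # alternates: layer type, member file name
        proc = PROC_RE.search(cols[3])
        records.append({
            "url": parts[0],
            "layers": chain[0::2],
            "members": chain[1::2],
            "threat": cols[1],
            "action": cols[2],
            "process": proc.group(1) if proc else None,
        })
    return records


def expected_sha1(url):
    """SHA-1 embedded in a Windows Update download URL, or None."""
    m = WU_NAME.search(url)
    return m.group("sha1").lower() if m else None


def verify_cab(url, data):
    """True when the bytes match the hash in the URL: a mismatch suggests a
    redirected/tampered download, a match plus a detection points at the cab."""
    want = expected_sha1(url)
    return want is not None and hashlib.sha1(data).hexdigest() == want
```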
     
  2. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,033
    Location:
    California
    Hello,

    Issue is under investigation. Thank you for your report.

    Regards,

    Aryeh Goretsky
     
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    The detection is correct, even Microsoft detects the malware as Backdoor:Win32/Arurizer.A.
     
  4. SmackyTheFrog

    SmackyTheFrog Registered Member

    Joined:
    Nov 5, 2007
    Posts:
    767
    Location:
    Lansing, Michigan
    Do you guys have any contacts with Microsoft to report this? A security vendor is going to get attention brought to it a lot faster than I ever could.
     
  5. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,033
    Location:
    California
    Hello,

    Microsoft has been notified.

    Regards,

    Aryeh Goretsky
     
  6. chromebuster

    chromebuster Registered Member

    Joined:
    May 27, 2010
    Posts:
    18
    Well, they're apparently too chicken to blog about it then since they've not said anything on their main site.
     
  7. SmackyTheFrog

    SmackyTheFrog Registered Member

    Joined:
    Nov 5, 2007
    Posts:
    767
    Location:
    Lansing, Michigan
    Apparently this was a driver for an Energizer USB battery charger. There was a big stink a few years ago because the driver CD shipped with a virus on it, and I guess Microsoft just dumped the whole thing in that cab and said it was ok. It's been removed now.
     
  8. dmaasland

    dmaasland Registered Member

    Joined:
    Nov 10, 2010
    Posts:
    468
  9. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,033
    Location:
    California
    Hello,

    Given that the actual device is no longer sold, I don't think this is something which is going to affect many people.

    I feel Microsoft's response was prompt and appropriate, as stated here in ESET's blog.

    Regards,

    Aryeh Goretsky
     