exploit question

Discussion in 'other security issues & news' started by lunarlander, Jul 4, 2012.

Thread Status:
Not open for further replies.
  1. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    121
    Hi,

    I was installing Vista the other day. And when I reached the step to do Windows Update, I started Windows Update, clicked on the install button, and the machine suddenly rebooted. Assuming that it was an attack, could an exploit payload survive a reboot? I am hoping that ASLR did what it is supposed to do and I don't need to reinstall the machine again.
     
  2. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    855
    Sometimes a reboot is the whole point of an initial payload - to install the rootkit and run some scheduled tasks (further downloads).

    Do you have any other reason to suspect infection? Is the machine a custom build? Are you behind a router? Has the machine rebooted itself before? Have you checked the fans/memory/power supply?

    If you have a clean computer to work with, you could make a rescue CD (e.g. Dr Web http://www.freedrweb.com/livecd) and test the computer just for your own edification. Sounds like it's just as well to wipe and reinstall it afterwards just to be safe.
     
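The persistence mechanisms the reply above mentions (a rootkit that installs itself and scheduled tasks that pull further downloads) are what a reboot is meant to hand control to, so a quick inventory of those locations is the first thing to look at after an unexplained restart. The following PowerShell script is an added example and not part of the thread; it assumes an elevated prompt, an English-locale `schtasks` (the CSV column names `TaskName`, `Author` and `Task To Run`), Vista-era tooling (`schtasks.exe` rather than the later `Get-ScheduledTask` cmdlet) and a report path on the desktop. Because it runs inside the operating system that may be compromised, anything the rootkit hides from the OS is hidden from this script too; that is exactly why the reply recommends an offline rescue CD, and this output is a triage list, not proof of a clean machine.

```powershell
# Added example, not from the thread. Inventories the persistence locations a
# reboot-based payload would use. Report path and English column names are
# assumptions; run from an elevated PowerShell prompt.
$report = Join-Path $env:USERPROFILE 'Desktop\persistence-check.txt'
"Persistence check on $env:COMPUTERNAME at $(Get-Date)" | Out-File -FilePath $report

# 1. Scheduled tasks. Vista ships schtasks.exe but not Get-ScheduledTask.
#    schtasks repeats the CSV header per task folder, so drop those rows.
"`n== Scheduled tasks ==" | Out-File $report -Append
schtasks /query /fo CSV /v 2>$null |
    ConvertFrom-Csv |
    Where-Object { $_.TaskName -ne 'TaskName' } |
    ForEach-Object { "{0}`t{1}`t{2}" -f $_.TaskName, $_.Author, $_.'Task To Run' } |
    Out-File $report -Append

# 2. Run / RunOnce keys for the machine and for the current user.
"`n== Run / RunOnce keys ==" | Out-File $report -Append
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    # Get-ItemProperty adds its own PSPath/PSParentPath/... members; skip them.
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { "{0}`t{1} = {2}" -f $key, $_.Name, $_.Value } |
        Out-File $report -Append
}

# 3. Services set to start automatically, with the binary each one runs.
"`n== Auto-start services ==" | Out-File $report -Append
Get-WmiObject -Class Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' } |
    ForEach-Object { "{0}`t{1}" -f $_.Name, $_.PathName } |
    Out-File $report -Append

# 4. Per-user and all-users Startup folders (Vista paths).
"`n== Startup folders ==" | Out-File $report -Append
$startupDirs = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
)
foreach ($dir in $startupDirs) {
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir -Force |
            ForEach-Object { $_.FullName } |
            Out-File $report -Append
    }
}

Write-Host "Report written to $report"
```

Read the report for entries you cannot account for: a task or Run value pointing into a user-writable directory such as a temp folder, a service whose path does not match an installed product, or a startup item that appeared at the time of the reboot. Compare against a known-good machine where possible, and treat the rescue-CD scan from a clean system as the authoritative check.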
  3. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    121
    Guess I should have done the Windows Update using my standard account. I've read somewhere that rootkits need admin rights to install properly.

    OK, so I am re-installing. I will now place wuauclt.exe and trustedinstaller.exe under protection of EMET. Let's see how that fares when I do Windows Update next time.
     
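The EMET step described in the post above, as an added example rather than anything posted in the thread: a PowerShell script that registers the two Windows Update binaries with EMET's command-line tool and then lists the result so the entries can be confirmed before Windows Update is run again. Assumptions: EMET 3.0 installed in its default directory (`%ProgramFiles(x86)%\EMET` on 64-bit Vista, `%ProgramFiles%\EMET` on 32-bit), its `EMET_Conf.exe` tool with the `--set` and `--list` options, and the standard Vista locations of `wuauclt.exe` and `TrustedInstaller.exe`. EMET_Conf writes machine-wide settings, so the script must run from an elevated prompt, and EMET's mitigations take effect only when a protected process starts, so this has to be done before Windows Update is launched.

```powershell
# Added example, not from the thread. Registers wuauclt.exe and
# TrustedInstaller.exe with EMET via EMET_Conf.exe. Install directory,
# tool options and binary paths are assumptions; run elevated.
$emetDir = "${env:ProgramFiles(x86)}\EMET"          # 64-bit Vista default
if (-not (Test-Path (Join-Path $emetDir 'EMET_Conf.exe'))) {
    $emetDir = "$env:ProgramFiles\EMET"               # 32-bit Vista default
}
$emetConf = Join-Path $emetDir 'EMET_Conf.exe'
if (-not (Test-Path $emetConf)) {
    throw "EMET_Conf.exe not found under $emetDir; adjust `$emetDir"
}

# The two Windows Update binaries named in the post, resolved to full paths.
$targets = @(
    "$env:SystemRoot\System32\wuauclt.exe",
    "$env:SystemRoot\servicing\TrustedInstaller.exe"
)

foreach ($exe in $targets) {
    if (Test-Path $exe) {
        # --set with a path alone applies EMET's default per-application mitigations
        & $emetConf --set $exe
    } else {
        Write-Warning "Not found, skipping: $exe"
    }
}

# Print EMET's current application list so both entries can be checked.
& $emetConf --list
```

One caveat a practitioner would want here: both binaries run under the SYSTEM account as part of the servicing stack, so any EMET mitigation that breaks them will surface as a failed or hanging update rather than as an obvious crash. If Windows Update misbehaves after this change, remove the entries with the tool's `--delete` option (also an assumption about EMET_Conf's options) and retry before blaming the update itself.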
  4. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    855
    It seems unlikely that it was related to malware or an attack. Vista mucking up during Windows Updates isn't uncommon IME.

    Still, you can always download the service packs for an offline update - that way you won't be open to the internet.

    If you're behind even a basic 'hardware' firewall like in any router modem, then most network attacks should be blocked.
     