exploit question

Hi,

I was installing Vista the other day. And when I reached the step to do Windows Update, I started Windows Update, clicked on the install button, and the machine suddenly rebooted. Assuming that it was an attack, could an exploit payload survive a reboot ? I am hoping that ASLR did what it is supposed to do and I don't need to reinstall the machine again.

 

Sometimes a reboot is the whole point of an initial payload - to install the rootkit and run some scheduled tasks (further downloads).

Do you have any other reason to suspect infection? Is the machine a custom build? Are you behind a router? Has the machine rebooted itself before? Have you checked the fans/memory/power supply?

If you have a clean computer to work with, you could make a rescue CD (e.g. Dr Web http://www.freedrweb.com/livecd) and test the computer just for your own edification. Sounds like it's just as well to wipe and reinstall it afterwards just to be safe.

 

Guess I should have done the Windows Update using my standard account. I've read somewhere that rootkits need admin rights to install properly.

OK, so I am re-installing. I will now place wuauclt.exe and trustedinstaller.exe under protection of EMET. Lets see how that fares when I do Windows Update next time.

 

It seems unlikely that it was related to malware or an attack. Vista mucking up during Windows Updates isn't uncommon IME.

Still, you can always download the service packs for an offline update - that way you won't be open to the internet.

If you're behind even a basic 'hardware' firewall like in any router modem, then most network attacks should be blocked.