
This is related to "How does one Blacklist a patch based on Knowledge Based/KB number?" and "How to add a Deny ACE for TrustedInstaller?".

The Get Windows X malware has returned (again) on two Windows 7 machines and a Windows 8 machine. I have previously removed it 5 times or so (per machine). After the last removal I pre-created the folder it installs itself into and then placed a DENY ACE for both SYSTEM and TrustedInstaller. According to Microsoft's documentation, this should have stopped it from installing and executing.

How did the malware install itself given it was denied access?


This is absolutely amazing... The machine was off for about 6 weeks, so I had to perform two update/reboot cycles. The malware installed itself twice in one day even though it is denied access to the folder!

The second update/reboot cycle was for KB3102429. Notice it claims to resolve issues in Windows - it does not state it's marketing nagware or malware.

jww
  • KB3102429 only contains fonts so it must be another one. – ZippyV Dec 27 '15 at 02:08
  • @ZippyV - I can absolutely guarantee it. That KB was the only outstanding update listed after the first update/reboot cycle. There were no others. (And in between the first and second reboot, I completely removed the malware *and* verified the permissions). – jww Dec 27 '15 at 02:29
  • @ZippyV - I just went back to the System log via ***`eventvwr`***. KB3102429 was the ***only*** update installed in that cycle. I've also read reports about Microsoft doing this (hiding the malware in real updates), but I never encountered it until now. I can post the system log if you are interested in going through it. – jww Dec 27 '15 at 05:46
  • KB3035583 installs the get windows 10 malware (GWX) – Moab Dec 27 '15 at 16:03
  • @Moab Turns out [KB3072318](https://support.microsoft.com/en-us/kb/3072318) does too. – Ben N Dec 29 '15 at 15:32
  • Yeah i was corrected in another comment of mine about that, thanks, adding it to my do not update list. – Moab Dec 29 '15 at 17:10

2 Answers


The SYSTEM account has SeRestorePrivilege, which grants it the right to write to the data or ACL of any securable object. (Kind of like how elevated administrators can blow through ACLs using the Security tab of the object's Properties.) These powers can also be used by SYSTEM in Group Policy refreshes.

As an aside, the update responsible for your pain is actually KB3035583. You can try to identify which update is responsible for a certain file by searching Google for site:support.microsoft.com followed by the file name, since update KB articles always have tables of updated files.

Ben N
  • Oh, you are probably right... I forgot about that one. (Usually SeTcbName or "Act as part of the operating system" is the culprit). – jww Dec 27 '15 at 02:33
  • I just went back to the System log via ***`eventvwr`***. KB3102429 was the ***only*** update installed in that cycle. I've also read reports about Microsoft doing this (hiding the malware in real updates), but I never encountered it until now. I can post the system log if you are interested in going through it. – jww Dec 27 '15 at 05:49
  • @jww I've inspected KB3102429 with `wusa.exe` and it contains no trace of GWX. I looked at my own Windows Update history and compared the install dates with the last-modified and creation times of the GWX stuff, but no updates were installed near those times. Interesting. – Ben N Dec 27 '15 at 16:52
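A defender-side check that ties the two halves of this thread together. This is an added PowerShell example, not code from the question or either answer: it lists the Deny ACEs on the pre-created folder, shows whether the current token holds the SeRestorePrivilege the answer describes, and reports whether the two updates the comments name as carrying GWX (KB3035583 and KB3072318) are installed. The folder path is a placeholder to replace with the directory you pre-created.

```powershell
# Added example, not code from the original thread. Run from an elevated PowerShell prompt.
# The folder path below is a placeholder for the directory you pre-created with Deny ACEs.
param(
    [string]$Folder = 'C:\PLACEHOLDER\GWX'
)

# 1. Confirm the Deny ACEs the question relies on are actually present on the folder.
if (Test-Path -Path $Folder) {
    $denies = @((Get-Acl -Path $Folder).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' })
    "Deny ACEs on $Folder (count: $($denies.Count)):"
    $denies | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
} else {
    "Folder $Folder does not exist; nothing to inspect."
}

# 2. Show whether the current token holds SeRestorePrivilege. A token carrying this
#    privilege can rewrite the folder's ACL, so a Deny ACE does not bind it.
#    LocalSystem's token includes SeRestorePrivilege regardless of local policy, which
#    is why an update running as SYSTEM walks straight through the Deny entries.
$priv = whoami.exe /priv /fo csv | ConvertFrom-Csv |
    Where-Object { $_.'Privilege Name' -eq 'SeRestorePrivilege' }
if ($priv) {
    "Current token: SeRestorePrivilege is present, state = $($priv.State)"
} else {
    "Current token: SeRestorePrivilege is absent"
}

# 3. Report whether the updates the thread identifies as carrying GWX are installed.
#    Get-HotFix reads Win32_QuickFixEngineering, so only OS updates appear here.
$gwxKbs = @('KB3035583', 'KB3072318')
$found = @(Get-HotFix | Where-Object { $gwxKbs -contains $_.HotFixID })
if ($found.Count -gt 0) {
    "GWX-related updates installed:"
    $found | Format-Table HotFixID, Description, InstalledOn -AutoSize
} else {
    "None of $($gwxKbs -join ', ') reported by Get-HotFix."
}
```

If section 2 reports the privilege on your own elevated token, that is the same power the answer attributes to SYSTEM: the Deny ACE is still there, it just does not stop a caller that can rewrite it.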

I've had a lot of success (until today) in hiding the recommended update KB3035583. For some reason I allowed Windows Update to install some specified "recommended updates" at the weekend and it appears to have unhidden itself and installed it anyway! Sneaky "@%&#'s. By the way, it wasn't in the list of recommended updates either!

EDIT: It seems to be an "Important Update" now and not recommended!!!! Lord Ubuntu save me!!!!

Declan Quinn