Unexpected guests


Disguised as an update


What do inexperienced users do when "some stuff" needs to be updated? Sometimes, they do this:

So I opened Windows Update. A CRITICAL update was available. I didn't read the details; it was something about the display or some such thing. So I just trusted Windows. The update was downloaded. Then the installation began. After a while, Dr.Web displayed a message like:

"Do you really want to allow some system stuff to be modified?" So I trusted Dr.Web, too, and pressed "Block". Then some flashes appeared; things were going very slowly (I was surfing the web) and then the same message from Dr.Web popped up again. So I pressed "Block" again.

This got me worried; I opened TEMP, and a huge number of files were in there. I deleted them all. Now everything's quiet. I checked the list of installed updates and the new update was not on it. Can you please tell me what was really happening and what I should do in situations like that?

A technical support request

How many people actually read update descriptions attentively? After all, the information in them is often extremely vague.

Meanwhile, there’s reason to be worried: attackers often try to fake update prompts.

The criminals behind Fantom encryption ransomware disguise it as a critical Windows update.

To make it appear legitimate, the ransomware file properties indicate that the file belongs to Microsoft and is, in fact, a critical update.


criticalupdate01.exe! That's a funny one…
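The file properties mentioned above are free-text strings that whoever builds the executable can set to anything, so they say nothing about who actually published it. The following PowerShell check is an added example, not code from Dr.Web or Microsoft: it compares the company a file claims in its version resource with its Authenticode signer. The function name `Test-ClaimedPublisher`, the default vendor string and the Downloads path are assumptions made for illustration.

```powershell
# Added example: flag executables that *claim* a vendor in their version
# resource but are not validly signed by that vendor.
# Test-ClaimedPublisher is a hypothetical name, not a built-in cmdlet.
function Test-ClaimedPublisher {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [Alias('FullName')]
        [string]$Path,

        # Assumption: the vendor whose name the file might be borrowing.
        [string]$Vendor = 'Microsoft'
    )
    process {
        $item = Get-Item -LiteralPath $Path -ErrorAction Stop
        $info = $item.VersionInfo   # strings embedded by the file's author
        $sig  = Get-AuthenticodeSignature -LiteralPath $item.FullName

        # What the file says about itself
        $claimsVendor = ($info.CompanyName    -like "*$Vendor*") -or
                        ($info.LegalCopyright -like "*$Vendor*")

        # What the signature actually proves
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        $signedByVendor = ($sig.Status -eq 'Valid') -and ($signer -like "*O=$Vendor*")

        [pscustomobject]@{
            File            = $item.Name
            ClaimedCompany  = $info.CompanyName
            Description     = $info.FileDescription
            SignatureStatus = $sig.Status
            Signer          = $signer
            Suspicious      = $claimsVendor -and -not $signedByVendor
        }
    }
}

# Usage: review executables in the Downloads folder (path is an assumption)
Get-ChildItem "$env:USERPROFILE\Downloads" -Filter *.exe -File |
    Test-ClaimedPublisher |
    Sort-Object Suspicious -Descending |
    Format-Table -AutoSize
```

A row with `Suspicious = True` means the metadata names the vendor while the signature is missing, invalid or issued to someone else. A valid signature is still not proof of legitimacy, as the Flame component described further down this page shows.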

Once the "critical update" file is launched, WindowsUpdate.exe is extracted from the original ransomware file. The program displays a fake Windows update progress window. The window appears on top of all the other windows and thus prevents users from switching to any other running application.


The fake update screen also features a percentage counter that increases while files are being encrypted in the background. This is done to make the increased hard drive activity look as if it’s being caused by the “update”.

The window can be closed by pressing Ctrl+F4. This will stop the fake update application and return the user to the standard Windows screen, but the encryption process will still continue.

Apparently, WindowsUpdate will also appear on the list of running processes, which will also help allay users' suspicions.

Naturally, the Dr.Web Preventive Protection component will detect the suspicious activity (including multiple file operations). But a problem still exists. The Preventive Protection monitors application activity but doesn't know the purpose of those applications and can't always be confident that a flurry of activity over a huge volume of files being overwritten is necessarily malicious. That's why it displays a warning, and it is up to the user to decide what to do with the suspicious process.

The incident we described at the very beginning ended well. It was a false alarm, and the user actually initiated a legitimate update. But things could have turned out differently!

Faking updates is not the only trick criminals have; the updating routine can be compromised too.

The malicious program Win32.HLLW.Flame.1 intercepted Windows updates by mounting a man-in-the-middle attack. To accomplish such an attack, the Trojan would make an infected machine impersonate the Web Proxy Autodiscovery Protocol server. Should a host on the local network attempt to connect to a Microsoft Windows Update server, the query would first be relayed to the compromised machine which would return a fake malicious update to the host. Thanks to this trick, attackers could even infect systems that had the latest updates installed on them!

It should also be noted that one of Flame's components, WuSetupV.exe, carried a digital signature from Microsoft and could be launched without user confirmation. To address the issue, Microsoft released a security update that revoked the series of certificates Flame had been using to sign its code.

And now let's take a short break! As we were gathering information for this issue, we came across this:

A massive advertising campaign was initiated in the European media to intimidate users who were reluctant to upgrade Windows XP to newer Windows versions. British mass media outlets and politicians were particularly zealous; even Theresa May weighed in. The BBC deserves a special award for the aggressive campaign it waged on behalf of the Redmond giant.

Which malware species inspired it? Can you guess without Google's help?


Dr.Web recommends

Of course, updates are necessary and should be installed regularly. But the Flame example shows that an operating system updating procedure can be compromised!

  1. Don't use automatic updates (except for your anti-virus). Manually select the update files you want launched.
  2. Don't launch updates you were told were necessary by some website you visited or by some email message even if it appears to have been signed by a system administrator.
  3. Keep your anti-virus up to date. Preventive Protection routine upgrades are delivered alongside anti-virus updates. And this means that the way malicious behaviour is detected is also subject to improvement.


The Trojan described in this issue poses no threat to systems protected by Dr.Web. Our anti-virus detects it as Trojan.Encoder.5654.
