Dale Preston's Web Log
  
Friday, June 20, 2008
 

More Trojan.WSUS

I have about a dozen and a half PCs (half physical, half virtual) on my home network including a WSUS server. That's Windows Server Update Service for non-technical readers. It allows all my PCs to get updated by downloading updates only once. It's all been working fine for at least a year now.

A few weeks ago, I approved Windows XP SP3 for installation on one PC - my Media Center 2005 PC (It's the only PC in its group in WSUS). I wanted to test SP3 on one PC before deploying it on the rest of my XP PCs. The Media Center PC is configured to notify before downloading and before installing. The service pack was downloaded successfully to my WSUS server and I accepted the notification on the Media Center PC to download updates. There were 4 or 5 other updates and then XP SP3.

A few minutes later - maybe half an hour - without thinking, I shut down the WSUS server to complete the installation of updates on the server even though the Media Center PC had not finished updating. I didn't expect this to be a problem; it should be pretty common for a PC to lose contact with its update server or the Microsoft update servers in the middle of downloading updates.

When I turned the WSUS server back on and then rebooted the Media Center, I was unable to get the update download to continue. I tried the usual wuauclt.exe /detectnow but it didn't help. Something was wrong but I didn't have time to find out what. Well, tonight I finally got the time to spend on resolving the issue. After much Googling and trying fixes that didn't fix a thing, I finally tried the obvious: ping the WSUS server to make sure I was even communicating with it. The surprising results were:


C:\Documents and Settings\MyUser>ping mywsusbox

Pinging mywsusbox.mshome.net [65.74.135.110] with 32 bytes of data:

Now how in the world did my Media Center PC that has been successfully finding mywsusbox on my network for over a year suddenly begin looking for mywsusbox at 65.74.135.110? I searched hosts files, etc. trying to find out how the requests to mywsusbox were being redirected. I opened group policy editor to see if the specified intranet Microsoft update service location had been changed. It had not. It still said http://mywsusbox/.

Finally I recognized something strange in the results from the ping. Having MSHOME in the computer name isn't unusual. As I build and rebuild PCs I have to sometimes set the DNS suffix and since MSHOME is the default workgroup name for XP networks, I didn't think much about it being in the name originally. Then I noticed that it was mywsusbox.mshome.net. The .net part bothered me. Could that have been a real Internet address?

I pinged it and got no response. I did a tracert and found that the IP address routed to a server run by Directapps, Inc. at a hosting company named heraklesdata in Roseville (near Sacramento), California. I'd been HACKED! My PC, without my knowing or without my permission, was looking to an unknown server in California for updates rather than looking at my own WSUS server!

Now I was getting pretty upset. I'm a very careful Internet user and keep my PCs up to date. How in the world had I been hacked? And what other information could they have gotten? We don't do any surfing from the Media Center PC. We try very hard to limit its access to the Internet completely (see http://dalepreston.com/Blog/2007/04/windows-media-player-and-album-art.html). But we do use the Media Center to backup most of the other PCs so its local drives contain a lot of personal data. Had it all been compromised? I was getting frantic.

I started tracking down who this heraklesdata was and to find out what, if anything, mshome.net was. At first, I couldn't find anything useful on either. MSHOME is such a common term in Windows XP networking that Google results appeared rather useless.

Had someone gotten smart and registered the seemingly benign MSHOME.net and created the world's biggest security hole? This question led me to the next obvious step: Whois at http://whois.domaintools.com/mshome.net.

I was relieved, surprised, a little stunned, and a lot disappointed when I found out who owned the domain mshome.net: Microsoft!

Microsoft had, it looks like to me, hijacked my Media Center PC's update process and redirected it to their own server. I suppose I only found this because I turned off my WSUS server mid-update so the nefarious settings could not be removed at the end of the update process without me having become any the wiser.

I removed the changed DNS suffix settings using the Network Connections control panel applet (TCPIP advanced settings) and finally my Media Center PC was using my own WSUS server instead of Microsoft's update server in Roseville.
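The diagnosis above (a ping that shows the WSUS host name resolving to an outside address, then checking the hosts file, the WUServer policy value and finally the DNS suffix) can be turned into a repeatable check that a client runs before trusting its update server. The Python below is an added example and is not code from the original post or from Microsoft; it assumes the LAN's intended suffix is `mshome`, takes the policy URL and the first line of `ping` output as plain strings so it runs offline, and the sample lines in `__main__` are constructed except for the one quoted from the post's own ping output.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Header line printed by Windows ping, e.g.
# "Pinging mywsusbox.mshome.net [65.74.135.110] with 32 bytes of data:"
PING_HEADER = re.compile(r"^Pinging\s+(?P<fqdn>\S+)\s+\[(?P<ip>[0-9a-fA-F.:]+)\]")


def parse_ping_header(line):
    """Return (fqdn, ip) from a Windows ping header line, or None if the line is not one."""
    m = PING_HEADER.match(line.strip())
    if not m:
        return None
    return m.group("fqdn"), m.group("ip")


def is_internal(ip_text):
    """True for addresses that belong on a LAN only: RFC 1918, loopback, link-local."""
    ip = ipaddress.ip_address(ip_text)
    return ip.is_private or ip.is_loopback or ip.is_link_local


def check_wsus_resolution(wu_server_url, ping_line, expected_suffix):
    """Compare the WSUS host named by policy with what name resolution actually produced.

    wu_server_url   : the WUServer value from the update policy, e.g. "http://mywsusbox/"
    ping_line       : the first line of `ping <host>` output on the client
    expected_suffix : the DNS suffix the LAN is supposed to use, e.g. "mshome" (assumed)
    Returns a list of findings; an empty list means resolution looks consistent.
    """
    findings = []
    policy_host = urlparse(wu_server_url).hostname or ""
    parsed = parse_ping_header(ping_line)
    if parsed is None:
        return ["ping output not recognised; cannot verify resolution"]
    fqdn, ip = parsed
    short, _, suffix = fqdn.partition(".")
    # The name ping resolved must be the host policy points at.
    if short.lower() != policy_host.lower():
        findings.append(f"ping resolved '{short}' but policy names '{policy_host}'")
    # A different suffix means the search list or the adapter's suffix has changed.
    if suffix and suffix.lower() != expected_suffix.lower():
        findings.append(f"DNS suffix is '{suffix}', expected '{expected_suffix}'")
    # An intranet update server must never resolve to a public address.
    if not is_internal(ip):
        findings.append(f"{fqdn} resolves to public address {ip}; intranet update server should be internal")
    return findings


if __name__ == "__main__":
    # Line quoted from the post's ping output.
    bad = "Pinging mywsusbox.mshome.net [65.74.135.110] with 32 bytes of data:"
    # Constructed line showing what a healthy client on this LAN would print.
    good = "Pinging mywsusbox.mshome [192.168.1.10] with 32 bytes of data:"
    for line in (bad, good):
        print(line)
        for finding in check_wsus_resolution("http://mywsusbox/", line, "mshome") or ["OK"]:
            print("  ", finding)
```

Run it on the client with the real first line of `ping mywsusbox` pasted in; any finding about a public address or an unexpected suffix points at the adapter's DNS suffix or search list rather than at the WSUS policy, which in the case above was still correct.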

The implications of all of this boggle my mind. Microsoft apparently changed my network settings in a way that could have made my Media Center PC unreachable by other PCs on my local network, could have broken my backup system, and who knows what else. They redirected my PC to their application server without regard to my configuration settings intended to get updates from my own local network instead of from Microsoft on the Internet.

I have limited Internet bandwidth and performance because I am stuck with satellite Internet access in the rural area where I live - that's the reason I have my own update server in the first place. Microsoft bypassed my own server and used my valuable and limited bandwidth for updates without my permission. My wife and I have both complained about the slowness of our home Internet access but blamed our ISP. Now it appears it may not have been the fault of our ISP at all. It is likely that the slowness we have seen may very well be related to one or more of our PCs being redirected to Microsoft's servers without our knowledge or permission.

Now the only unresolved questions are, what else has Microsoft used Trojan.WSUS in order to install on my PC? What software, if any, were they secretly installing on my PC when they redirected me to their server at DirectApps, Inc? What was so important to get onto my PC that they bypassed my own update server and that they would change my network settings without my knowledge - even worse, include my own WSUS server name in their redirected URL so as to obfuscate what they had done?


Comments:
I just want to add a note to my post above. I have had a few people comment that I must be mistaken and that the mshome.net suffix must have already been on the Media Center pc. While I cannot swear that it wasn't, here are the facts:

My Media Center has been contacting my own WSUS server for updates for over a year. It started the SP3 download from my own WSUS server. Since I could not, after this issue started, contact my WSUS server or any other PC on my network until I removed the mshome.net suffix, it certainly appears that the Media Center PC could never have worked with that suffix - and it worked up to the time that it started downloading Windows XP SP3 from my WSUS server. My own WSUS update logs prove that. One minute, it worked and the next minute it didn't work and the solution was to remove the mshome.net suffix. That convinces me that during the SP3 download process the suffix was changed.
 
Dale, I just found your site while looking for a fix for WMP. Nice job with those tools! I wanted to pass along my experience with SP3 in case it sheds some light on your case. I recently had half a dozen boxes here fail on installing SP3 using Windows Update (I just installed WSUS to control this in the future). Did the user reboot the box during install, was there packet loss? Who knows. The result was they no longer could reach our DNS server. I could ping addresses, but the box acted like the host file was corrupt or hijacked. We ended up rebuilding some boxes before we realized it was the SP3 install failure and just manually installed SP3 vs using the Windows Update. It seems that during the SP3 install, MS does replace the host file, perhaps with some default data then later in the process updating it with previous information. Sorry, but I didn't confirm what data was in the host file, only that it had a newer date and once we replaced it, our boxes worked.
For what it's worth...
 
By any chance is this a SBS box?

Is your server's DHCP being renamed to "mshome.net" and getting Event ID: 30013 in your log files? - THE OFFICIAL BLOG OF THE SBS "DIVA":
http://msmvps.com/blogs/bradley/archive/2004/04/24/5452.aspx

It's not WSUS doing this. I've personally had this on my pre WSUS SBS server years and years ago.

It was a problem with RRAS/NAT not Microsoft.
 
http://msmvps.com/blogs/bradley/archive/2004/04/24/5452.aspx

or
http://tinyurl.com/6s8lpu
if that doesn't work
 