Samsung: Disable_Windowsupdate.exe

niemiro

Senior Administrator, Windows Update Expert
We've just had a very interesting case of a piece of software, purportedly from Samsung, which was deliberately crippling Windows Update. It was monitoring the registry and deliberately disabling Windows Update, even straight after we attempted to re-enable it again.

After quite some time fiddling around with various techniques, BrianDrab eventually went down the route of using auditpol.exe and registry security auditing to figure out what process was resetting the registry fixes we tried to implement. After a lot of extremely good analysis he figured out that C:\ProgramData\SAMSUNG\SWUpdate\Temp\Packages\BASW-A0394A05\64\Disable_Windowsupdate.exe was responsible.


It's not clear at this time whether the software is legitimately that of Samsung although this is something I am very interested in finding out. Either way there's something very suspect going on here and I am determined to get to the bottom of it. Thread is here: https://www.sysnative.com/forums/windows-update/14653-windows-update-problems.html

A huge round of applause should go to Brian though for nailing an extremely challenging thread. Very nicely done :)
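One way to reproduce what Brian did with auditpol.exe, as an added PowerShell example rather than anything posted in this thread: switch on the Registry object-access audit subcategory, put an audit entry (SACL) on the Windows Update keys, and then pull the process name out of Security event 4657 ("A registry value was modified"). The key paths and the `Get-RegistryWriters` helper are my assumptions; the thread does not say which values the Samsung tool was resetting.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Assumed targets: the usual Windows Update policy key and the wuauserv
# service key. Adjust to whichever values keep getting reset on the machine.
$keys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU',   # NoAutoUpdate, AUOptions
    'HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv'              # Start (4 = disabled)
)

# 1. Enable the "Registry" object-access audit subcategory. Without this the
#    SACL entries below are never evaluated and no 4657 events are written.
auditpol.exe /set /subcategory:"Registry" /success:enable /failure:enable

# 2. Add a success-audit rule on each key so any write by any account is logged.
foreach ($key in $keys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $acl  = Get-Acl -Path $key -Audit
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
        'Everyone',
        [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete',
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $key -AclObject $acl
}

# 3. Re-apply the registry fix, reboot (or wait), then ask the Security log
#    who changed the values. Event 4657 carries ProcessName, ObjectName,
#    ObjectValueName, OldValue and NewValue in its EventData section.
function Get-RegistryWriters {
    param([datetime]$Since = (Get-Date).AddHours(-24))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Process  = $d['ProcessName']      # full path of the writing process
                Key      = $d['ObjectName']
                Value    = $d['ObjectValueName']
                OldValue = $d['OldValue']
                NewValue = $d['NewValue']
            }
        } |
        Where-Object { $_.Key -match 'WindowsUpdate|wuauserv' } |
        Sort-Object Time
}

Get-RegistryWriters | Format-Table -AutoSize
```

The `Process` column is the thing to look at: in the case above it would have pointed straight at the Disable_Windowsupdate.exe path rather than at the service host that eventually applies the policy. Auditing every key under `HKLM:\SOFTWARE\Policies` is tempting but noisy; scoping the SACL to the keys that are actually being reset keeps the 4657 volume manageable.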
 
Re: The Good, the Bad, the Ugly.... and the Bizarre

Amazing work, Brian! This is really interesting, I've never seen anything like this happen before.

Ryan was also a huge help with tracking down this problem thanks to his auditpol suggestion, so a big well done to him! Even though he can't see this :p
 
Re: The Good, the Bad, the Ugly.... and the Bizarre


I don't know - which is why I'm trying to get a copy. If it's not, and if it's not Samsung's, it may need considering as semi-malicious. If it is Samsung's/I can't figure it out, I fully intend to write them a little email asking what its purpose is.... :)

Plus I'll whack it into IDA Pro and see if this is the only thing it does.
 
Re: The Good, the Bad, the Ugly.... and the Bizarre

If I'd known yesterday, I may have had a copy in my hot sweaty hands! I just gave a Samsung back to its transport at 8:00 a.m. this morning, to go back to Scotland, so it's probably north of Liverpool round about now :(

If you don't find it, let me know and I'll see if I can get hold of the owner and get them to email me a copy of the entire folder.
 
Re: The Good, the Bad, the Ugly.... and the Bizarre

Well, Samsung have admitted to it:

wavly said:
...
I went to Samsung online help and described the issue and asked them to explain why this was happening. Their site didn't allow me to copy so I noted the comments:

Me: Please explain why Samsung Software is configured this way and how I am meant to know about it and change it?

Samsung: Some of specific windows update installation caused slowness on pc before and we prevent this issue to update windows configuration update to change the setting. If you want to install windows updates automatic installation then please do not update the windows update configuration from sw update.

I replied to that with a bit of a rant about Samsung arbitrarily doing things without telling me and got a response that they would report to tech department about it.
...

I can't believe they're actually doing this. And I also wonder whether they're actually filtering out certain updates - but who knows which?

It's crazy. I really want to get to the bottom of what precisely is being done.
 
Re: The Good, the Bad, the Ugly.... and the Bizarre

I want to know what Samsung software? Is it for cell phones? Samsung Magician for SSDs? Samsung notebook?

And why is Windows allowing 3rd party software to disable WU?

And, perhaps more significantly, why don't anti-malware programs block that?

And finally, why doesn't Google report 1000s of complaints about it?
 
Re: The Good, the Bad, the Ugly.... and the Bizarre

Holy crackers, Richard, you may be onto something big here... like Superfish with Lenovo, just maybe not as big.

Do you mind sharing the executable with us whenever you get your hands on it? I'd love to look at it as well.
 
Re: The Good, the Bad, the Ugly.... and the Bizarre

This is odd.

I've installed SWUpdate from here: SW Update | Samsung UK but I can't find the Disable_Windowsupdate.exe file.
 
Re: The Good, the Bad, the Ugly.... and the Bizarre

Quote:
This is odd.

I've installed SWUpdate from here: SW Update | Samsung UK but I can't find the Disable_Windowsupdate.exe file.

Yeah, it's dropped, run, and then deleted on each reboot. That's why the OP couldn't find it when I asked for it. I've been analysing that package for a while now, trying to figure out what the dropper is. Still working on that.

Clearly Samsung didn't want it hanging around too long.
 
Re: The Good, the Bad, the Ugly.... and the Bizarre

We could always remove delete permission on the following directory and then when it's created it will be there for us to grab. Let me know if you want me to do this with the OP.

C:\ProgramData\SAMSUNG\SWUpdate\Temp\Packages\BASW-A0394A05\64
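An added PowerShell example (not posted by anyone in this thread) of the deny-delete idea above: put a Deny entry for Delete and DeleteSubdirectoriesAndFiles on the drop folder so the dropper's own delete call fails, then hash and signature-check whatever survives the next reboot so the sample can be compared between machines and its publisher checked before anyone opens it in a disassembler. Only the directory path comes from the thread; `Get-DroppedSamples` is a hypothetical helper name.

```powershell
# Added example, not from the thread. Run elevated on the affected machine.
# The path is the one reported in the thread for the dropped executable.
$dir = 'C:\ProgramData\SAMSUNG\SWUpdate\Temp\Packages\BASW-A0394A05\64'
if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir -Force | Out-Null }

# Deny Delete on the folder and on everything created inside it
# (ContainerInherit + ObjectInherit), plus the directory-level
# "delete children" right, so a plain DeleteFile from the dropper fails.
$acl  = Get-Acl -Path $dir
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny)
$acl.AddAccessRule($rule)
Set-Acl -Path $dir -AclObject $acl

# After the reboot: record hash, size and Authenticode status of each file that
# survived, which also answers the "is it really Samsung's?" question.
function Get-DroppedSamples {
    param([string]$Path = $dir)
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File   = $_.FullName
                Size   = $_.Length
                SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Status = $sig.Status                      # Valid / NotSigned / HashMismatch ...
                Signer = $sig.SignerCertificate.Subject   # empty when unsigned
            }
        }
}

Get-DroppedSamples | Format-List

# Undo once the sample is captured, otherwise nobody can clean the folder up:
# $acl.RemoveAccessRule($rule) | Out-Null; Set-Acl -Path $dir -AclObject $acl
```

Two caveats worth knowing before asking an OP to do this: a Deny entry for Everyone also stops the administrator from tidying the folder until the rule is removed, and if the dropper removes the whole `Packages` tree rather than the single file, the same Deny has to be applied one level up, because deleting the `64` folder itself only needs delete-child rights on its parent.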
 
Re: The Good, the Bad, the Ugly.... and the Bizarre

P.S. That piece of software also doesn't operate fully on non-Samsung computers. Plus it doesn't include everything. In fact, if you persuade it to run, it tries to download 2.2GB of **** onto my system!
 
Re: The Good, the Bad, the Ugly.... and the Bizarre

Nice, I'll take a look when I get home from closing shift tonight.

Quote:
P.S. That piece of software also doesn't operate fully on non-Samsung computers. Plus it doesn't include everything. In fact, if you persuade it to run, it tries to download 2.2GB of **** onto my system!

What does it use to check for a Samsung environment? I imagine we can fake it if we find out where in the program it's checking for that, but not too sure really.
 
Re: The Good, the Bad, the Ugly.... and the Bizarre

Quote:
We could always remove delete permission on the following directory and then when it's created it will be there for us to grab. Let me know if you want me to do this with the OP.

C:\ProgramData\SAMSUNG\SWUpdate\Temp\Packages\BASW-A0394A05\64

Yes - that is something I've been considering. I've been trying to avoid that if at all possible (I always try to minimise what I ask OPs to do), but if I don't get anywhere tonight I will.

I've also privately messaged the OP thanking them for their patience and co-operation etc.
 
Re: The Good, the Bad, the Ugly.... and the Bizarre

Quote:
Clearly Samsung didn't want it hanging around too long.

I would definitely classify it as malicious if it did hang around after a reboot.
 
Re: The Good, the Bad, the Ugly.... and the Bizarre

Quote:
Nice, I'll take a look when I get home from closing shift tonight.

P.S. That piece of software also doesn't operate fully on non-Samsung computers. Plus it doesn't include everything. In fact, if you persuade it to run, it tries to download 2.2GB of **** onto my system!

What does it use to check for a Samsung environment? I imagine we can fake it if we find out where in the program it's checking for that, but not too sure really.

It will actually start OK without faking anything, it just runs terribly and keeps crashing etc.

Plus, look at all these possible entry points on the OP's system, just in standard startup locations:

Code:
C:\Program Files (x86)\Samsung\Settings\CmdServer\EasyLauncher.exe
C:\ProgramData\SAMSUNG\SW Update Service\SWMAgent.exe
C:\Program Files (x86)\Samsung\Settings\CmdServer\EasySettingsCmdServer.exe
C:\Program Files (x86)\Samsung\Settings\sSettings.exe
C:\Program Files\Samsung\S Agent\CommonAgent.exe
C:\Program Files\Samsung\Support Center\GuaranaAgent.exe

Then loaded modules:

Code:
2014-01-29 13:20 - 2014-01-29 13:20 - 00084800 _____ () C:\Program Files (x86)\Samsung\Settings\CmdServer\EasySettingsCmdServer.exe
2015-02-04 16:11 - 2015-02-04 16:11 - 00088624 _____ () C:\Program Files\Samsung\S Agent\ToastX64.dll
2014-01-29 13:20 - 2014-01-29 13:20 - 00027968 _____ () C:\Program Files (x86)\Samsung\Settings\CmdServer\EasySettingsCmdWrapper.dll
2014-01-29 13:20 - 2014-01-29 13:20 - 01141056 _____ () C:\Program Files (x86)\Samsung\Settings\CmdServer\EasySettingsCmd.dll
2014-01-29 13:20 - 2014-01-29 13:20 - 00109888 _____ () C:\Program Files (x86)\Samsung\Settings\CmdServer\EasySettingsBase.dll
2014-01-29 13:20 - 2014-01-29 13:20 - 00056440 _____ () C:\Program Files (x86)\Samsung\Settings\CmdServer\HookDllPS2.dll
2014-01-29 13:20 - 2014-01-29 13:20 - 00211064 _____ () C:\Program Files (x86)\Samsung\Settings\CmdServer\WinCRT.dll
2014-01-29 13:20 - 2014-01-29 13:20 - 00025920 _____ () C:\Program Files (x86)\Samsung\Settings\EasySettingsAPI.dll
2014-01-29 13:20 - 2014-01-29 13:20 - 00109888 _____ () C:\Program Files (x86)\Samsung\Settings\EasySettingsBase.dll
2014-01-29 13:20 - 2014-01-29 13:20 - 00059712 _____ () C:\Program Files (x86)\Samsung\Settings\EasyMovieEnhancer.dll
2014-01-29 13:20 - 2014-01-29 13:20 - 00102720 _____ () C:\Program Files (x86)\Samsung\Settings\EasySettingsCmdClient.dll

Gosh, don't we love what OEMs push onto their systems :)


My current focus is on SWMAgent.exe, which also runs as a service. There may be tests in relation to this I want to get the OP to run. In essence I'm doing research, and will ask the OP to run various tests once I/we figure out what the best tests to run are.

So for the time being I've sent a nice message to the OP to make sure we don't lose them.
 
Re: The Good, the Bad, the Ugly.... and the Bizarre

On this note, what are you guys using for virtual machine software? I tried to install SWUpdate in a VM to avoid it installing any crap on my system but I'm having major issues with VMWare player at the moment, it locks up my whole computer after about 5 minutes and the only solution is a force shutdown. I might move to client Hyper-V due to the snapshot features, although I'll miss the drag and drop features of VMWare.
 
Re: The Good, the Bad, the Ugly.... and the Bizarre

I use VMware.

GTG, will check thread tonight for any info, etc.
 
Re: The Good, the Bad, the Ugly.... and the Bizarre

Good luck, Richard. If you can't get to the bottom of it then none of us can.

I particularly enjoyed this line in the XML file he uploaded:

Code:
<Str>This program helps your windows configuration settings.</Str>

Helps? Right... :lol:
 