(Another) fake 'MS update'...

2010-01-26, 18:44

Don't update via email!
- http://securitylabs.websense.com/content/Blogs/3537.aspx
01.25.2010 - "... spammers seem ready to pounce on the press attention towards the recent out-of-band release of MS10-002 to scare users into downloading fake updates via email. We have been seeing messages pushing a Microsoft update via a link... The URL in the spam messages leads to a file called "update2010.scr" which currently has low detection rates*... The site hosting these fake updates is located in the Netherlands, and we have also seen that it's hosting the same file, under a different extension, called "update2010.exe". The icon of the file, once downloaded, is also believable... Remember that Microsoft won't ever send messages for Windows updates, so please don't download and run this file. This probably won't be the only lure of this kind, so be diligent and remember not to click on links from unsolicited emails..."
* http://www.virustotal.com/analisis/52d23aa981e825f8601d848ed882a37d8ed2d9c1173e69c2a8c9a7f2cc6335c4-1264441334
File update2010.scr received on 2010.01.25 17:42:14 (UTC)
Result: 7/40 (17.50%)

- http://www.microsoft.com/protect/fraud/phishing/Msname.aspx
... Microsoft does not send unsolicited communications about security updates
Microsoft sends e-mail messages to subscribers of our security communications when we release information about a security software update or security incident. Unfortunately, cyber criminals can and have sent -fake- security communications that appear to be from Microsoft. Some of these messages lure recipients to Web sites to download spyware or other unwanted software. Others include a file attachment that contains a virus.
How to help verify the legitimacy of a security-related e-mail
• Legitimate notifications do -not- include software updates as attachments. We -never- attach software updates to our security communications. Rather, we refer customers to our Web site for complete information about the software update or security incident.
• Legitimate notifications are also on Microsoft.com. We never send notices about security updates or incidents until after we publish information about them on our Web site. Check the Microsoft Security Updates page* to see whether the information is listed there.
* http://www.microsoft.com/security/updates/bulletins/default.aspx


2011-01-05, 19:01

Fake MS Security Update w/worm...
- http://www.pcworld.com/article/215491/worm_planted_in_fake_microsoft_security_update.html
Jan 4, 2011 - "... the malware crowd is exploiting Microsoft's routine of releasing fixes on Tuesdays and sending out fake security emails bent on infecting their targets with a worm... "Please notice that Microsoft company [sic] has recently issued a Security Update for OS Microsoft Windows," the fake notice reads in typical fractured prose. It then goes on to give instructions for installing the fake security file, KB453396-ENU.exe. "If nothing changes after you have run the file, probably in the settings of your OS you have an indication to run all the updates at a background routine," it explained..."
- http://nakedsecurity.sophos.com/2011/01/04/fake-microsoft-update-spreads-worm/
Jan 4, 2011 - "... With so much effort being taken by the cybercriminals to hoodwink unsuspecting computer users, though, you would have thought they would have not made an elementary mistake in their forged email header. The messages we've seen claim to come from no-reply@microsft .com . That's right. "microsft"..."


2011-04-04, 14:05

Virus Outbreak In Progress...
- http://www.ironport.com/toc/
Virus Outbreaks in the Last 24 Hours
(Last Updated: April 4, 2011) Trojan variant(s)...
Real-time Outbreak Details
- http://tools.cisco.com/security/center/threatOutbreak.x?currentPage=1&sortOrder=d&pageNo=1&sortType=d
Malicious Microsoft Security Update E-mail Messages...
- http://tools.cisco.com/security/center/viewAlert.x?alertId=22862
... spam e-mail messages that claim to contain a security update for Microsoft Windows. The text in the e-mail message instructs the recipient to follow a link to receive the update. However, the link directs users to a malicious .exe file that, when executed, attempts to infect the recipient's system with malicious code... sample of the e-mail message that is associated with this threat outbreak:
"Subject: Protect yourself using latest Microsoft release!..."
Fake Post Express Parcel Delivery Failure Notification E-mail Messages...
- http://tools.cisco.com/security/center/viewAlert.x?alertId=22778


2011-05-10, 14:57

Fake MS Patch Tuesday Alert - SPAM...
- http://community.websense.com/blogs/securitylabs/archive/2011/05/09/administrators-and-users-beware-fake-patch-tuesday-alert.aspx
9 May 2011 04:07 PM - "... attack ties in almost perfectly with the release of patches on the upcoming "Patch Tuesday" from Microsoft. The attack lures the unsuspecting user into following the link provided within the email message, which evidently infects their system as it downloads an executable to the user's machine. The executable (the fake patch) is being hosted on a compromised domain... VirusTotal*... The email message looks quite legitimate, as the display names within the headers actually say they originate from Microsoft (spoofed). Other attributes of the message include a sense of urgency with the subject: "URGENT: Critical Security Update"..."
* http://www.virustotal.com/file-scan/report.html?id=6279d6acab9640b9d69d43d764fb4f5cf87c24971abc3899609443443d15cfb0-1305031214
File name: SECURITY_FIX_0231_.exe
Submission date: 2011-05-10 12:40:14 (UTC)
Result: 17/40 (42.5%)
There is a more up-to-date report...
- http://www.virustotal.com/file-scan/report.html?id=6279d6acab9640b9d69d43d764fb4f5cf87c24971abc3899609443443d15cfb0-1305194349
File name: SECURITY_FIX_0231.exe
Submission date: 2011-05-12 09:59:09 (UTC)
Current status: finished
Result: 25/42 (59.5%)

- http://tools.cisco.com/security/center/viewAlert.x?alertId=23105
May 10, 2011 - "... SECURITY_FIX_0231.exe ... another variant SECURITY_FIX_0293.zip..."

- http://www.zdnet.com/blog/security/fake-microsoft-patch-tuesday-emails-lead-to-zeus-crimeware/8646
May 12, 2011
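
The traits these reports describe (a "Microsoft" display name on a non-Microsoft sender, the misspelled microsft.com sender domain, and links or attachments ending in .exe, .scr or .zip) can be checked mechanically at mail triage. The sketch below is an added example, not code from any of the quoted sources; the trusted-domain list, the edit-distance threshold of 2, the sample messages, the bulletins@ address and the compromised.example host are assumptions.

```python
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse
import re

TRUSTED = {"microsoft.com"}            # assumption: the only genuine sender domain
RISKY_EXT = (".exe", ".scr", ".zip")   # extensions named in the reports above
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def edit_distance(a, b):
    """Levenshtein distance, to catch lookalikes such as 'microsft.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(raw):
    """Return sorted reasons why a raw message resembles a fake update notice."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    reasons = set()
    # From is forgeable: this is a triage heuristic, not sender authentication.
    if not any(domain == d or domain.endswith("." + d) for d in TRUSTED):
        if "microsoft" in name.lower():
            reasons.add("display-name-spoof")
        if any(edit_distance(domain, d) <= 2 for d in TRUSTED):
            reasons.add("lookalike-domain")
    for part in msg.walk():
        if (part.get_filename() or "").lower().endswith(RISKY_EXT):
            reasons.add("executable-attachment")
        if part.get_content_maintype() == "text":
            text = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
            if any(urlparse(u).path.lower().endswith(RISKY_EXT) for u in URL_RE.findall(text)):
                reasons.add("link-to-executable")
    return sorted(reasons)

# Constructed samples; compromised.example is a placeholder host.
FAKE = ('From: "Microsoft Update" <no-reply@microsft.com>\n'
        "Subject: URGENT: Critical Security Update\n\n"
        "Install the fix now:\nhttp://compromised.example/SECURITY_FIX_0231.exe\n")
LEGIT = ('From: "Microsoft" <bulletins@microsoft.com>\n'
         "Subject: Security bulletin summary\n\n"
         "Details: http://www.microsoft.com/security/updates/bulletins/default.aspx\n")

if __name__ == "__main__":
    for label, raw in (("fake", FAKE), ("legit", LEGIT)):
        print(label, triage(raw))
```

A clean result only means none of these lures matched; sender authentication results (SPF, DKIM, DMARC) still need to be evaluated separately.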


2011-06-09, 10:41

Fake AV cloaks itself to appear to be MS Update
- http://nakedsecurity.sophos.com/2011/06/09/fake-anti-virus-cloaks-itself-to-appear-to-be-microsoft-update/
June 9, 2011 - "... criminals behind fake anti-virus continuing to customize their social engineering attacks to be more believable to users and presumably more successful... This week they've started to imitate Microsoft Update. The page is nearly an exact replica of the real Microsoft Update page with one major exception... It only comes up when surfing from Firefox on Windows. The real Microsoft Update requires Internet Explorer. The same site was also hosting the traditional Windows XP explorer scanner we have seen for years, as well as a new Windows 7 scanner. Similar to spam messages that have corrected their grammar and use correct imagery and CSS, the attackers selling fake anti-virus are getting more professional. They use high quality graphics and are using information from our UserAgent strings that are sent by the browser to customize your malware experience..."

- http://www.infoworld.com/print/163719
2011-06-09 - "... It starts with an alert window popping up, purportedly for installing a critical update to - fittingly - the Windows Malicious Software Removal Tool. The window does bear a striking resemblance to a real Windows Update window. If the user agrees to install the 2.8MB "security update," he or she really ends up installing scareware..."