
Fake MS updates - archive



AplusWebMaster
2007-11-01, 19:44
FYI...

- http://www.f-secure.com/weblog/archives/00001308.html
November 1, 2007 - "Some malware authors are still fond of using the good old techniques to spread their wares. One of these techniques is to send e-mail messages with "Security Updates", released by a well-known software vendor.
Today we received multiple reports about a message claiming to be a "Critical Security Update" from Microsoft. The message had a ZIP archive with a trojan downloader inside. To become infected a user needs to extract the trojan's file and to run it..."

(Screenshot available at the URL above.)

:fear:

AplusWebMaster
2008-01-21, 21:24
FYI... (It continues because this fraud works! Spread the word!)

- http://sunbeltblog.blogspot.com/2008/01/fake-ms-update.html
January 21, 2008
"...(another) fake 'MS update' spam seen in the wild today... Payload is IRC.Backdoor.Trojan..."

(Screenshot available at the URL above.)

>>> http://www.microsoft.com/protect/yourself/phishing/msemail.mspx

:fear::devil:

AplusWebMaster
2008-02-06, 14:01
They just keep comin'...

Spotted in the wild: Rogue Microsoft Update site
> http://www.f-secure.com/weblog/archives/00001374.html
February 6, 2008 - "Watch out for this one. It's -not- the real Microsoft Update site... Note the real URL (cfm48.com) and the spelling errors ("Please intall"). If you click the Urgent Install button, you get a file called WindowsUpdateAgent30-x86-x64.exe. Which is not signed by Microsoft. This is a fast flux site and uses a wide range of IP addresses..."

(Screenshots available at the URL above.)

:fear:

AplusWebMaster
2008-04-07, 15:25
FYI...

- http://blog.trendmicro.com/before-patch-tuesday-there-were-malware/
April 6, 2008 - "...A new spam run emerges as a threat to Web users before Microsoft’s Patch Tuesday. And not because it exploits soon-to-be named vulnerabilities. What this spamming operation takes advantage of is the anticipation itself for the release of patches by Microsoft... The email, which first of all claims to be sent by Microsoft itself, informs users of a zero-day vulnerability in all versions of Microsoft Outlook and Microsoft Exchange Servers and asks users to download a patch to fix the bug. Installation of the patch is said to prevent systems from being compromised or exploited by malicious users. To install the said “patch” would mean system infection..."

(Screenshot available at the URL above.)

:fear:

AplusWebMaster
2008-04-08, 04:11
FYI...

- http://www.us-cert.gov/current/#email_attack_targeting_microsoft_s
April 7, 2008 - "US-CERT has seen reports of an email attack targeting Microsoft's April Security Bulletin release cycle. This attack arrives via email messages with the subject line "Critical Patch Released: Microsoft Security Bulletin MS08-64738." These email messages contain a link to a fraudulent Microsoft Update web site that hosts malicious code or contains an attachment that is embedded with malicious code. Users who follow the link or open the attachment may become infected with a Trojan..."

:fear:

AplusWebMaster
2008-06-02, 03:16
FYI...

- http://blog.trendmicro.com/bogus-microsoft-update-delivers-nasty-file-infector/
May 31, 2008 - "Even though Patch Tuesday is still two weeks from now, crimeware authors are already sending out fake Microsoft “critical updates.” The TrendLabs Content Security Team recently found a hoax purporting to be from Microsoft that urges users to update their computers due to a “critical security issue”. The email, which has the subject heading Important update from Microsoft Windows XP/2003 Professional Service Pack 2(KB946026), urges recipients to install the latest security update to avoid a successful attack which could result in compromising the recipient's PC. If the unlucky victim clicks on the file name, WINDOWS-KB946026-X86-ENU, they won’t be getting any security patch — but rather, malware detected by Trend Micro as PE_VIRUT.XZ. PE_VIRUT.XZ is a pretty old variant that appends its code to EXE and SCR files, making a pretty big mess depending on where it is executed..."

(Screenshot available at the URL above.)

:fear::mad:

AplusWebMaster
2008-06-30, 23:50
Once again - more...

Fake Microsoft patch SPAM
- http://securitylabs.websense.com/content/Alerts/3122.aspx
06.30.2008 - "Websense... has discovered a substantial number of spam messages utilizing a reliable social engineering trick that lures users to download a Microsoft critical security update... The message uses an open redirect at the legitimate shopping site shopping.***.com; the redirect forwards users to a malicious URL offering to download a malicious executable. The malicious hostname is a lengthy one embedding 62 characters, and uses the sub-domain update.microsoft.com. Users who open this file will have their desktop infected with a Backdoor... An interesting trait of this particular attack is that the malicious top level domain is pointing to the government site of the United States Secret Service - The Electronic Crimes Tasks Forces Web site in an apparent attempt to work around IP reputation-based systems... It is important to add that Microsoft -never- sends security update notifications through emails..."

(Screenshots available at the URL above.)

:fear::sad:
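The Websense alert above describes two tricks worth checking for automatically: a legitimate site's open redirect used as the visible link, and a long hostname that starts with update.microsoft.com but is registered under an unrelated domain. The following is an added example (not code from Websense, Microsoft or this forum) showing how a mail gateway or link scanner could flag both. The trusted-domain list, the two-label approximation of a "registrable domain", and every sample URL are assumptions constructed for the example.

```python
# Added example (not from the Websense alert or any vendor): flag URLs that
# embed a trusted brand's hostname inside a subdomain of an unrelated domain,
# and URLs whose query string carries a redirect to another site.
from typing import List, Optional
from urllib.parse import urlparse, parse_qs

# Assumption: the registrable domain is the last two labels. Production code
# should consult the Public Suffix List; this is enough for .com/.net hosts.
def registrable_domain(host: str) -> str:
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

# Domains the organisation actually trusts for update traffic (assumed list).
TRUSTED = {"microsoft.com", "windowsupdate.com"}
BRAND_TOKENS = {d.split(".")[0] for d in TRUSTED}   # {"microsoft", "windowsupdate"}

def brand_in_subdomain(url: str) -> bool:
    """True when a brand name appears in the hostname but the registrable
    domain is not the brand's own, e.g. update.microsoft.com.<other>.net."""
    host = (urlparse(url).hostname or "").lower()
    if not host or registrable_domain(host) in TRUSTED:
        return False
    return any(tok in label for label in host.split(".") for tok in BRAND_TOKENS)

def redirect_target(url: str) -> Optional[str]:
    """Return an absolute URL found in a query parameter whose registrable
    domain differs from the outer URL's (the open-redirect pattern)."""
    outer = urlparse(url)
    outer_dom = registrable_domain(outer.hostname or "")
    for values in parse_qs(outer.query).values():
        for value in values:
            inner = urlparse(value)
            if inner.scheme in ("http", "https") and inner.hostname \
                    and registrable_domain(inner.hostname) != outer_dom:
                return value
    return None

def assess(url: str) -> List[str]:
    """Collect findings for one URL; an empty list means nothing suspicious."""
    findings = []
    if brand_in_subdomain(url):
        findings.append("brand-in-subdomain")
    target = redirect_target(url)
    if target is not None:
        findings.append("open-redirect")
        if brand_in_subdomain(target):
            findings.append("redirect-target-brand-in-subdomain")
    return findings

if __name__ == "__main__":
    # Constructed sample URLs modelled on the pattern in the alert above.
    samples = [
        "https://update.microsoft.com/",
        "https://shopping.example.com/redir?url=http://update.microsoft.com."
        "security-patch-download-center.example.net/update.exe",
        "http://update.microsoft.com.security-patch-download-center.example.net/update.exe",
    ]
    for s in samples:
        print(assess(s) or ["clean"], s)
```

The check runs on the URL string alone, so it works before any fetch; the real Microsoft Update hostname produces no finding because its registrable domain is on the trusted list, while the redirect wrapper and the look-alike hostname each produce one.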

AplusWebMaster
2008-08-11, 02:27
FYI...

Fake IE 7 update SPAM...
- http://isc.sans.org/diary.html?storyid=4852
Last Updated: 2008-08-10 09:56:42 UTC - "A number of readers have alerted us to a round of IE7 update spam being sent out. The e-mails read:

"You are receiving this e-mail because you subscribed to MSN Featured Offers. Microsoft respects your privacy. If you do not wish to receive this MSN Featured Offers e-mail, please click the "Unsubscribe" link below. This will not unsubscribe you from e-mail communications from third-party advertisers that may appear in MSN Feature Offers. This shall not constitute an offer by MSN. MSN shall not be responsible or liable for the advertisers' content nor any of the goods or service advertised. Prices and item availability subject to change without notice."

Well, true enough Microsoft will not be responsible as it's not from them! (Shock / Horror). For the sample we received, VT has good coverage:
- http://www.virustotal.com/analisis/18b97fb3bc30251051a8542a90401b6f ..."

:fear:

AplusWebMaster
2008-08-13, 01:23
FYI...

Bogus IE7 and MSRT - SPAM
- http://blog.trendmicro.com/bogus-msn-spam-features-malicious-software/
August 12, 2008 - "Spam claiming to be from Microsoft and offering download links to Internet Explorer 7.0 and Windows Malicious Software Removal Tool appears in the wild... To buy themselves some credibility, spammers added what seems to be a disclaimer from MSN Featured Offers, which is a newsletter service by MSN, where users subscribe to “offers” from a number of categories. MSN then sends certain discounts and offers to the subscribers depending on the category they have chosen. Upon clicking the links, malicious files are downloaded onto the user’s system. Trend Micro detects the downloaded files as TROJ_RENO.ADX and TROJ_MONDER.HM..."

(Screenshot available at the URL above.)

:fear:

AplusWebMaster
2009-06-12, 21:12
FYI...

Fake MSRT...
- http://preview.tinyurl.com/l28pj7
June 12 2009 CA Security Advisor blog - "CA ISBU Research Lab receives a large number of malicious samples on a daily basis, many of which are found to be Rogue Antivirus applications belonging to the extremely prevalent malware family, Win32/FakeAV... this variant imitates Microsoft Windows Malicious Software Removal Tool (MSRT), as well as promoting Microsoft Office upgrade and other trusted Antivirus products.
Fake Microsoft MSRT Warnings
When the installation package is executed, it will display the fake alert in the system tray... Then, it will display the fake GUI for Microsoft Windows Malicious Software Removal Tool scanning your system and it will display the scan result... (also) imitates the Windows Security Center..."

(Screenshots available at the URL above.)

:fear::mad::spider:

AplusWebMaster
2009-06-23, 04:23
FYI...

Fake MS Update SPAM...
- http://blog.trendmicro.com/critical-update-leads-to-critical-info-theft/
June 22, 2009 - "... Close to the weekend, we identified SPAM claiming to be a Microsoft Outlook and Outlook Express critical update that “offers the highest levels of stability and security.” A tricky difference here is that all the links in the email (the links to Contact Us, Privacy Statement, Trademarks, and Terms of Use) are legitimate–except one. The URL where the “critical update” may be downloaded looks legitimate, but hovering over the hyperlink (or checking the source code of the mail) reveals a totally different destination... For content security experts this already bears the marks of an email-based cyber-criminal attack. True enough, the URL leads to the download of a file (detected as TROJ_ZBOT.BTS) that, on execution, accesses a website to download a .bin file with information referring to where the Trojan can download an updated copy of itself, and where to send stolen data. The list also contains compromised websites targeted for stealing information. Our engineers confirm that the list contained several names of banking institutions, among other social networking targets like Facebook and MySpace, and media sites YouTube and Flickr. The list can be viewed here*. Note that the said list may be changed at any time. How does the scam work? Whenever the user visits any of the monitored sites, the Trojan starts logging keystrokes. It then saves gathered information (which presumably includes sensitive information like user name and password, credit card information, etc.) in a file and then sends the file to a dedicated server via HTTP POST..."
* http://preview.tinyurl.com/qrbt7m

(Screenshots available at the Trendmicro URL above.)

> http://www.microsoft.com/protect/yourself/phishing/msemail.mspx

:fear::spider:
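The Trend Micro post above makes the point that every footer link in the mail was genuine and only the download link lied, something a reader discovers by hovering over it or reading the mail's source. The following is an added example (not code from Trend Micro, Microsoft or this forum) that does that check on an HTML mail body: it collects every anchor, flags links whose visible text names one domain while the href points to another, and flags links that leave the claimed sender's domain. The sample mail, its paths and hostnames, and the two-label "registrable domain" approximation are constructed assumptions for the example.

```python
# Added example (not from the Trend Micro post or any vendor): parse the HTML
# body of an e-mail, collect every anchor, and flag links whose visible text
# names one domain while the href points somewhere else, plus links that
# leave the claimed sender's domain.
import re
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._current = None          # [href, accumulated text] while inside <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            href, text = self._current
            self.links.append((href, " ".join(text.split())))
            self._current = None

# Assumption: registrable domain = last two labels (use the Public Suffix
# List in production).
def registrable_domain(host: str) -> str:
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

# Anchor text that reads like a hostname or URL (needs an alphabetic TLD).
DOMAIN_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

def find_deceptive_links(html: str, sender_domain: str) -> List[Tuple[str, str, str]]:
    """Return (reason, text, href) for each suspicious anchor in the mail."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.links:
        href_dom = registrable_domain(urlparse(href).hostname or "")
        shown = DOMAIN_RE.search(text)
        if shown and registrable_domain(shown.group(1)) != href_dom:
            # The text names one site, the link goes to another: what hovering reveals.
            findings.append(("text-href-mismatch", text, href))
        elif href_dom and href_dom != sender_domain.lower():
            findings.append(("off-sender-domain", text, href))
    return findings

# Constructed sample modelled on the mail described above: every footer link
# is genuine, only the download link is not. Hostnames and paths are invented.
SAMPLE_EMAIL = """
<html><body>
<p>A critical update for Microsoft Outlook is available.</p>
<p>Download: <a href="http://patch-center.example.net/outlook-update.exe">http://www.microsoft.com/downloads/outlook-update</a></p>
<p><a href="http://www.microsoft.com/contact">Contact Us</a> |
<a href="http://www.microsoft.com/privacy">Privacy Statement</a> |
<a href="http://www.microsoft.com/trademarks">Trademarks</a> |
<a href="http://www.microsoft.com/terms">Terms of Use</a></p>
</body></html>
"""

if __name__ == "__main__":
    for reason, text, href in find_deceptive_links(SAMPLE_EMAIL, "microsoft.com"):
        print(f"{reason}: '{text}' -> {href}")
```

Run on the sample, the four footer links produce nothing and the download link is reported once as a text/href mismatch. The second rule (a link that leaves the sender's domain) catches tracking or download hosts that do not bother to disguise the visible text at all.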