Tags: Trends

As most of you know, Microsoft doesn't distribute it's software updates via e-mail. Although this recently received bogus message would try to convince us differently. It claims to be from Steve Lipner who actually is a Director of Microsoft's security engineering team. It even explains that the reason for the update being delivered via e-mail is to help prevent malicious software and that this is a new experimental feature. This is a malicious application so delete it immediately!

Perhaps it's just a coincidence but it popped up the same day as Microsoft's official advance notification for the October security bulletin. From a social engineering viewpoint it could help lend credibility to the attack. If a person used a search engine they could easily find the announcement of an upcoming update. On the other hand they may just find our blog and warning. I should point out that this isn't the first time we've seen messages with malicious attachments pretending to be from Microsoft - they've been around a long time.

The message has a fake PGP signature to try and gain credibility. The file attached has a naming convention such as KB123456.exe and the number can change. Running it in a Sandbox environment shows it makes a HTTP request to ulm-haafeulm-haa.com and social-bos.biz to download additional files. It modifies the registry, deletes cookies and listens on ports 6051 and 6052.

From: Microsoft High-priority update
Subject: Security Update for OS Microsoft Windows

Dear Microsoft Customer,

Please notice that Microsoft company has recently issued a Security Update for OS Microsoft Windows. The update applies to the following OS versions: Microsoft Windows 98, Microsoft Windows 2000, Microsoft Windows Millenium, Microsoft Windows XP, Microsoft Windows Vista.

Please notice, that present update applies to high-priority updates category. In order to help protect your computer against security threats and performance problems, we strongly recommend you to install this update.

Since public distribution of this Update through the official website http://www.microsoft.com would have result in efficient creation of a malicious software, we made a decision to issue an experimental private version of an update for all Microsoft Windows OS users.

As your computer is set to receive notifications when new updates are available, you have received this notice.

In order to start the update, please follow the step-by-step instruction:
1. Run the file, that you have received along with this message.
2. Carefully follow all the instructions you see on the screen.

If nothing changes after you have run the file, probably in the settings of your OS you have an indication to run all the updates at a background routine. In that case, at this point the upgrade of your OS will be finished.

We apologize for any inconvenience this back order may be causing you.

Thank you,

Steve Lipner
Director of Security Assurance
Microsoft Corp.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

M4XC05P4GNTSPRNX5BBJ1ZOFVQ10EHTRIEWJHPPHRF2KBFPOCSGDBDQSRN397EZUS
9464UVDHFLO91E293JVSGP3H19J7WC0YZ7IQAB094Z60CTYCNK18EE90OTSJD82UT
F3AQK5YM71P9F50XR673ZX02PMGN5K96J2NONS65ICK8DCJ45IKV6TQPQLZ6TXR4B
7280CTE7XV7JUGYTI9MBBVBLT70TNAP6BXDADC1KPWN4L1PA2SHP7SSHJG8GSCPVV
0CU2KJU20L2GCJUX821EFF8EVND7GO56640==
-----END PGP SIGNATURE-----

While I'm on the subject of Malware -we've been seeing the "Statement of Fees" malware campaign since August. However, inn the past few hours there was a change to the payload being delivered so the latest variant is more likely to be missed by AV software and end up in your inbox. The Trojan Downloader installs AV XP 2008.

Subject: Statement of fees 2008/09

Please find attached a statement of fees as requested, this will be
posted today.

The accommodation is dealt with by another section and I have passed
your request on to them today.

Kind regards.

Heidi

Search Our Blog

Subscribe To Our Blog

Free White Paper - Why Use an SMTP Relay Service

Let Us Know What You Thought about this Post.

Put your Comment Below.