Fake 'Conficker.B Infection Alert' spam campaign drops scareware

An ongoing spam campaign is once again attempting to impersonate Microsoft's security team -- the same campaign was first seen in April -- by mass mailing Conficker.B Infection Alerts (install.zip), which upon execution drop a sample of the Antivirus Pro 2010 scareware.

Whereas the theme remains the same, the botnet masters have slightly modified the message:

"Dear Microsoft Customer,

Starting 18/10/2009 the ‘Conficker’ worm began infecting Microsoft customers unusually rapidly. Microsoft has been advised by your Internet provider that your network is infected. To counteract further spread we advise removing the infection using an antispyware program. We are supplying all effected Windows Users with a free system scan in order to clean any files infected by the virus.

Please install attached file to start the scan. The process takes under a minute and will prevent your files from being compromised. We appreciate your prompt cooperation.

Regards, Microsoft Windows Agent #2 (Hollis) Microsoft Windows Computer Safety Division"

The use of email as a propagation vector for scareware campaigns (see The ultimate guide to scareware protection), and in particular the use of email attachments, is an uncommon practice compared to the single most effective way of hijacking traffic: blackhat search engine optimization, where the cybercriminals rely on real-time news events.

The campaign is an example of a -- thankfully -- badly executed one, in the sense that, with Microsoft's Security Essentials having recently gained momentum, even the average Internet user would notice the suspicious timing of the offered "antispyware program".
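A defender-side check for the lure pattern described above (a sender display name claiming Microsoft, a Conficker-themed subject, and a zip attachment carrying an executable), written as an added example that is not part of the original post. The sample message, addresses and archive contents are constructed for the demonstration.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.utils import parseaddr

EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif", ".bat")

def build_sample() -> bytes:
    """Constructed lure (not a real capture): fake Microsoft sender, install.zip with an .exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("install.exe", b"MZ placeholder, not a real binary")
    msg = EmailMessage()
    msg["From"] = "Microsoft Windows Agent <alert@example-mailer.invalid>"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Conficker.B Infection Alert"
    msg.set_content("Dear Microsoft Customer, please install the attached file.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="install.zip")
    return msg.as_bytes()

def score_message(raw: bytes) -> list:
    """Return the reasons a message matches the lure; an empty list means no match."""
    msg = message_from_bytes(raw)
    reasons = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # Display name claims Microsoft but the address domain is not microsoft.com
    if "microsoft" in name.lower() and not domain.endswith("microsoft.com"):
        reasons.append(f"sender claims Microsoft but domain is {domain!r}")
    if "conficker" in msg.get("Subject", "").lower():
        reasons.append("subject uses the Conficker infection-alert lure")
    for part in msg.walk():
        fname = part.get_filename()
        if not fname or not fname.lower().endswith(".zip"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                execs = [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXT)]
        except zipfile.BadZipFile:
            reasons.append(f"attachment {fname} is not a valid zip archive")
            continue
        if execs:
            reasons.append(f"zip attachment {fname} carries executable(s): {execs}")
    return reasons

if __name__ == "__main__":
    print(score_message(build_sample()))
```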


Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

  • Conficker.B Alert: Why is MS not doing something

    This spam has been clogging my mailbox since yesterday. Not sure what the software giant is doing about this.

    Of late spam purporting to be from Sony Electronics, DHL, Fedex, Western Union, Microsoft, Walmart are attempting to distribute malware in large numbers. Are these companies taking steps to stop misuse of their brand for illegal purposes or choose to do so only in the print/mainstream media?

    Brand recognition carries some responsibilities too.
    • How do you propose they do that?

      Would they send in some covert operators that
      track them down and kill them? Hire some
      leading security firms to track the origin on
      the spam?

      Realistically, the odds of capture and
      prosecution are small.

      Best just to invest in good corporate anti-spam
      technology at the gateway, use something your
      ISP provides, or whatever your AV vendor

      Common email etiquette, if you don't know who
      it's from, don't open it.

      If it still comes through, you're doing it
      • RE: How do you propose they do that?

        Your first sentence says it all!

        [i]Would they send in some covert operators that
        track them down and kill them?[/i]

        I wish that were possible. [b]Summary execution[/b] for spammers, identity thieves and malware authors!

        But in reality, that will not happen. (But one can wish!)
        • Ya, a recreation of the Salem witch trials would be so great.

          "HE SPAMMED ME!!"
          Boom, dead.

          Boom, dead.

          Ya.. no.
    • Not much they can do.

      Not much they can do.

      Email was never designed for security, and it's
      HARD getting everybody on the same page with a
      solution that works, because basically every
      solution we know of pretty much requires
      everybody to use it. But, unfortunately, it's
      difficult convincing people running email
      servers to implement a common solution.

      So, we're stuck with what we've got. A system
      that is broken to the core with no end in sight
      for a solution.
      • Two things they can do;

        1) Stop this spam in the email service they run
        (hotmail) and the mail client they provide

        2) Make Windows stop being infected by malware,
        and do so in a way that isn't so annoying that
        users disable it.
        • Re: Two things they can do:

          1. impossible and pointless, they'll just move on.

          2. Done in Vista, improved in Win7. A very small percentage disabled it.
          • Improved?

            1. To what.. fax?

            2. Annoying enough in Vista that many disabled
            it.. and in 7 it doesn't even work;

            Oops, I forgot, everything non-Microsoft is
            [i]evil[/i] and can't be trusted.. so here you
            go, straight from your holy horse's mouth;

          • Improved.

            1. to other accounts, and other servers.

            2. You say many, I say very few. Google, bing or yahoo searches don't tell us anything about the numbers. The web is full of misinformation.
          • Ya...

            1. Okay..? And? That's like saying their reason
            for not making Windows secure is that the other
            OSs would be hacked if they did. Such an outcome
            would cast a favorable light on MS's stuff.

            2. Sorry, but since working binaries and source
            code are provided, there's not much room for
            misinformation. :p

            P.S. did you even look before replying?
          • oh ya...

            1. Every public email service has abuse, it's unavoidable. It's been years since spam hit my mail client from hotmail. Outlook isn't used by any spammer as a tool for UCE, that's mostly done by botnets these days.

            2. You wrote "Annoying enough in Vista that many disabled it.". I replied "you say many, I say very few".
          • Did you reply to the wrong post?

            1. Yes the others will still get it. But the
            question was what can Microsoft do, and if their
            own services are being used as attack vectors they
            can do something about that.

            2. What's that have to do with the fact that UAC
            has been weakened (not improved, like you claimed)
            in Windows 7?
    • errrr

      How about complaining to your ISP about the spam and maybe not throwing your Email address around like it's nothing.

      Ain't Microsoft's fault you're on a spammers list.
      Gis Bun
      • re: errrr

        Thanks for that tip, I'm just not as savvy as some but am learning rapidly.
    • Not much they can do.

      I don't think you understand how email works. If you did, you would know that there is not much those brands can do. Most of those emails are coming from offshore servers, so out of our jurisdiction. The only thing that really helps is education. People need to know enough to discard those emails without opening any attachments.
  • This is up to the Internet caretakers to deal with

    And so far, they don't have the stomach to take the necessary steps to stop it. They're all content to sit around wringing their hands, or going into a lab and working on some weak countermeasure that's ineffective.

    But hey, it keeps us security guys employed, so don't rock the status quo boat.
    • I'm bad, but agree with ejhonda

      It's always more of the same. It provides employment for us poor security guys.
  • RE: Fake 'Conficker.B Infection Alert' spam campaign drops scareware

    The problem is that Microsoft Windows security exploits are the norm. It is completely normal for users to hear that they are in danger again from a Microsoft Windows exploit, and this living in expectation of the next Windows exploit in a never ending series of Windows exploits is the actual vector. People have been conditioned to expect buggy software from Microsoft, and that, sadly, is what they get.
    • Buggy software comes from everyone.

      Not just Microsoft. You imply with your consistent posts that only Microsoft has errors while you know full well that is false. It is people like you that give these forums a bad name.

      This has nothing to do with buggy software or an exploit. This has to do with how stupid some end users are and how they still open every attachment sent to them.
      • It's not so black and white.

        Acknowledging how insecure Microsoft's software is
        doesn't mean you think no other company has ever
        made mistakes. Just that Microsoft makes very
        insecure software.