Fake "Conficker Infection Alert" spam campaign circulating

Summary: Researchers at Marshal8e6's TRACElabs have intercepted a spam campaign that's issuing bogus "Conficker Infection Alerts" and redirecting users to rogue security software upon clicking on the links. The event-based social engineering campaign is also impersonating various Microsoft security departments in order to improve its truthfulness.

Researchers at Marshal8e6's TRACElabs have intercepted a spam campaign that's issuing bogus "Conficker Infection Alerts" and redirecting users to rogue security software upon clicking on the links.

The event-based social engineering campaign is also impersonating various Microsoft security departments in order to improve its truthfulness. This is the second attempt in recent weeks to hijack anticipated traffic, following last week's campaign consisting of typosquatted Conficker removal tool domains aiming to impersonate the legitimate ones.

Here's the message, its associated subjects and related rogue security software domains used in the spam campaign:

"Dear Microsoft Customer,

Starting 04/01/2009 the 'Conficker' worm began infecting Microsoft customers unusually rapidly. Microsoft has been advised by your Internet provider that your network is infected.

To counteract further spread we advise removing the infection using an antispyware program. We are supplying all effected Windows Users with a free system scan in order to clean any files infected by the virus.

Please visit the Windows Computer Safety Center by simply clicking here to start the scan. The process takes under a minute and will prevent your files from being compromised. We appreciate your prompt cooperation.

Regards, Microsoft Windows Agent #2 (Hollis) Microsoft Windows Computer Safety Division Email Ref Code: RANDOM NUMBER"

Typical messages include: Infection Alert; Conficker Infection Alert; Microsoft Alert; Security Breach, with the end user redirected to the following scareware domains upon clicking on the links: antivirus-av-ms-check .com; antivirus-av-ms-checker .com; ms-anti-vir-scan .com; mega-antiviral-ms .com.
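As an added illustration (not code from the article or from TRACElabs), a small Python triage function that flags messages carrying this lure's subjects, sign-off wording and landing domains, and that also catches the more general tell of Microsoft branding with a "scan" link pointing off Microsoft's domain; the sample message, sender address and ref code are constructed.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Indicators from the campaign described above: subjects, sign-off wording and the
# landing domains (refanged from the article's "name .com" form). They are from 2009
# and are kept here as historical examples of the lure, not as current intelligence.
SCAREWARE_DOMAINS = {"antivirus-av-ms-check.com", "antivirus-av-ms-checker.com",
                     "ms-anti-vir-scan.com", "mega-antiviral-ms.com"}
CAMPAIGN_SUBJECTS = {"infection alert", "conficker infection alert",
                     "microsoft alert", "security breach"}
TEMPLATE_PHRASES = ("windows computer safety division", "windows computer safety center",
                    "microsoft windows agent", "email ref code")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def flag_conficker_lure(raw_message: str) -> list[str]:
    """Return the reasons a message matches the lure; an empty list means no match."""
    msg = message_from_string(raw_message)
    subject = (msg.get("Subject") or "").strip().lower()
    sender = (msg.get("From") or "").lower()
    # Concatenate every text/* part so multipart (text + HTML) lures are covered too.
    body = "\n".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace")
                     for p in msg.walk() if p.get_content_maintype() == "text")
    low = body.lower()
    reasons = []
    if subject in CAMPAIGN_SUBJECTS:
        reasons.append(f"subject matches campaign: {subject!r}")
    reasons += [f"template wording: {p!r}" for p in TEMPLATE_PHRASES if p in low]
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host in SCAREWARE_DOMAINS or any(host.endswith("." + d) for d in SCAREWARE_DOMAINS):
            reasons.append(f"link to known scareware domain: {host}")
        elif "microsoft" in sender and not (host == "microsoft.com" or host.endswith(".microsoft.com")):
            # Microsoft is claimed in From: but the "scan" link leaves Microsoft's domain.
            reasons.append(f"Microsoft branding but link goes to {host}")
    return reasons

# Constructed sample that reproduces the lure's wording, pointing at one of the domains.
SAMPLE_LURE = """From: Microsoft Windows Computer Safety Division <agent2@example.com>
Subject: Conficker Infection Alert

Dear Microsoft Customer, Microsoft has been advised that your network is infected.
Please visit the Windows Computer Safety Center by clicking here:
http://ms-anti-vir-scan.com/scan
Regards, Microsoft Windows Agent #2 (Hollis), Microsoft Windows Computer Safety Division
Email Ref Code: 48213
"""
```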

Such event-based scareware/malware/spam campaigns are constantly evolving from the static theme picked up from the front page of a major news portal, to the real-time syndicating of hot keywords and hijacking of popular titles in order to occupy the top search positions at a specific online video sharing service. Ironically, the original Conficker variant was directly aiming to monetize the infected hosts by pushing rogue security software and earning revenue in the process, at least temporarily until the affiliate network went into a cover-up phase, and Conficker introduced a new variant that was no longer generating so much noise that could potentially result in more leads to the original authors -- they wish.

Ignoring the Conficker copycats and the scareware distributors for a second, yesterday, the latest Conficker variant introduced a new payload with TrendMicro continuing to investigate its real intentions. These cosmetic changes are prone to take place in the weeks to come, until the Conficker authors start monetizing the infected hosts by either partitioning the botnet, or directly start offering managed cybercrime facilitating services.

TrendMicro's assessment proves one thing - that the cybercrime ecosystem is way too small even for big botnet operators to avoid each other. The changes made to WORM_DOWNAD.E attempt to download another encrypted file from a well known domain of the Waledac botnet, which on the other hand is also known to have been sharing infrastructure with the original Storm Worm botnet.

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Talkback

21 comments
  • I see the Hyenas have come to feed

    on the scraps left by the Lions.

    The feeding frenzy has begun. By the way Dancho I didn't bother reading your article but did you mention whose operating system these opportunists are feeding on?
    kozmcrae
    • ^ speaking of hyenas

      Looks like the trolls have shown up, too.
      ejhonda
      • It sure does!

        Someone posts a comment and a troll immediately jumps into action.
        InAction Man
        • And another TROLL jumps to defend the first...

          Ah yes. Just another day on ZDNet...
          Wolfie2K3
          • And another one counter attacks

            What a moron!
            InAction Man
          • How pleasant...

            It's so nice to see what are presumably grown adults, possessed of the higher capacity for thought and emotion, joining in such intelligent and reasoned conversation. All this talk of Trolls leads one to believe that, were it not for the beneficent care and provision of some people's parents in providing ample basement space to maintain living quarters for such D&D deluded deviants there might be a day which could go by without these tender guttersnipe moments shared by you all...
            ReadWryt (error)
          • A basement... you would like to have one wouldn't you?

            However, a sewer dweller will always be a sewer dweller, his basement ownership aspirations will always remain mere aspirations.
            InAction Man
          • The ability to troll

            has nothing to do with basements, D&D or parental involvement. I know perfectly reasonable, intelligent and successful adults who play D&D (AND own their own houses) who are more than capable of "intelligent and reasoned conversation". On the flip side of that, I have also seen a lot of narrow-minded, clueless people who can't see past their own little world of stereotypes and who do more damage to society than all the 'trolls' on this forum board put together. Educate yourself before you type such drivel.
            wcb42ad
          • You're new here, aren't you.

            Emotionally adult people rarely make an appearance here. They've got better things to do, like having a life. If you post here regularly then you don't have a life. Don't bother denying it. People who have lives don't talk about it, they do it. And if you think I don't know I'm talking about myself as well as you then you haven't seen some of my other posts about the futility of this activity.
            kozmcrae
  • 'effected' ha ha, how about 'affected'?

    "We are supplying all effected Windows Users . . ."

    you gotta know there is something amiss in these bogus warnings when they choose the wrong word or fail to spell one correctly - damn Russian idiots, can't they even hire someone who speaks good English? LOFL
    eggmanbubbagee@...
  • RE: Fake

    Oy. Anyone else wish that we could live in a world without malware? Why do people have to do this, is beyond me.
    The one and only, Cylon Centurion
  • RE: Fake

    "Fake "Conficker Infection Alert" spam campaign circulating"

    ...so this is as opposed to, say, a Real "Conficker Infection Alert" spam campaign circulating? I would think that the fact it is spam should suffice to qualify it as fake...*Shrug*
    ReadWryt (error)
    • 1 plus 1 equals 2

      The title of this message is spammy, and thus
      following your logic it is incorrect.
      YAY!!!!!!!!!!

      Edit: needed more exclamation points.
      AzuMao
  • RE: Fake

    I don't get the purpose - Why, what's the motive?
    To make money - How?
    To hurt people and companies - Why?
    To prove they are smart ?
    Why would obviously clever people do this?
    JohnGroot@...
  • It is not a fake

    I made a full scan and AVG found no 1 or 10 but 2001,
    yes sir, 2001 files infected with the same virus even those with no importance like the MS games (the name, if I remember well, was Virut or something)
    It became impossible, after the scan, to open the OS. I reinstalled Vista and now with no anti-virus program. With or without AVG, Norton, McAfee ... this guy who made it, is clever, stupid, but clever. His philosophy, "why infect a key program in system32, if I can infect all files multiplying the virus?"

    Romano, Rio, Brasil
    Romano4444
    • You should see GuidingLight.

      He posts here often. He claims to be running Vista without anti-virus software and never, that's right, NEVER gets infected! He doesn't mention if his computer is connected to the Internet though.
      kozmcrae
  • RE: Fake

    How, pray, does "impersonating various Microsoft security departments" allow it to "improve its truthfulness"?
    Improve its plausibility, perhaps. But it is anything but truthful.
    dougseaton
  • Who owns domain names?

    "...end user redirected to the following scareware domains upon clicking on the links: antivirus-av-ms-check .com; antivirus-av-ms-checker .com; ms-anti-vir-scan .com; mega-antiviral-ms .com. ..."

    And who is the registered owner of these domains? Should they not be arrested?
    graham.lv
  • Confickker For Macs!

    That's what I'm hearing in the inner circles!

    http://fakesteveballmer.blogspot.com/
    Loverrock Davidson
    • RE: It's not a fake

      Wow. 2001 infections. Never heard of anything like that. Did you never update Windows? Is it a legit copy? Is it a legit story?
      Col Mustard