Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Fake 'Conficker.B Infection Alert' spam campaign drops scareware

By Dancho Danchev | October 19, 2009, 3:01pm PDT


An ongoing spam campaign is once again attempting to impersonate Microsoft's security team (the same campaign was first seen in April) by mass-mailing "Conficker.B Infection Alert" messages carrying an install.zip attachment, which upon execution drops a sample of the Antivirus Pro 2010 scareware.

Whereas the theme remains the same, the botnet masters have slightly modified the message:

“Dear Microsoft Customer,

Starting 18/10/2009 the ‘Conficker’ worm began infecting Microsoft customers unusually rapidly. Microsoft has been advised by your Internet provider that your network is infected. To counteract further spread we advise removing the infection using an antispyware program. We are supplying all effected Windows Users with a free system scan in order to clean any files infected by the virus.

Please install attached file to start the scan. The process takes under a minute and will prevent your files from being compromised. We appreciate your  prompt cooperation.

Regards,
Microsoft Windows Agent #2 (Hollis)
Microsoft Windows Computer Safety Division”

Using email as a propagation vector for scareware (see The ultimate guide to scareware protection), and email attachments in particular, is an uncommon practice compared to the single most effective way of hijacking traffic: blackhat search engine optimization, where the cybercriminals piggyback on real-time news events.

The campaign is, thankfully, an example of a badly executed one: with Microsoft Security Essentials having recently gained momentum, even the average Internet user should notice the suspicious timing of the offered "antispyware program".
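The lure described above combines three things a mail gateway or analyst can check mechanically: a display name that claims Microsoft while the sender domain does not, the wording of the fake alert, and a zip attachment that wraps an executable. The following Python triage routine is an added example, not code from the post or from Microsoft; the sample messages are constructed from the text quoted above, and the sender address alerts@example.net, the CLAIMED_BRANDS map, the inert "install.exe" stub inside the archive and all helper names are assumptions for illustration.

```python
"""Triage checks for a "Conficker.B Infection Alert" style lure (added example)."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Extensions Windows will run directly when double-clicked out of an archive.
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js")
# Phrases lifted from the lure quoted in the post.
LURE_PHRASES = ("conficker", "install attached file", "free system scan",
                "your network is infected")
# Brand -> domains its security notices would legitimately come from.
# Assumption for the example; a deployment would use a vetted list.
CLAIMED_BRANDS = {"microsoft": ("microsoft.com",)}


def build_lure_message() -> bytes:
    """Constructed sample modelled on the campaign: a display name claiming
    Microsoft, an install.zip wrapping an .exe (an inert stub here, not
    malware) and the lure wording quoted in the post."""
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("install.exe", b"MZ stub for demonstration only")
    msg = EmailMessage()
    msg["From"] = "Microsoft Windows Computer Safety Division <alerts@example.net>"
    msg["To"] = "customer@example.org"
    msg["Subject"] = "Conficker.B Infection Alert"
    msg.set_content(
        "Dear Microsoft Customer,\n\nStarting 18/10/2009 the 'Conficker' worm "
        "began infecting Microsoft customers unusually rapidly. Microsoft has "
        "been advised by your Internet provider that your network is infected. "
        "We are supplying all effected Windows Users with a free system scan.\n\n"
        "Please install attached file to start the scan.\n\n"
        "Regards,\nMicrosoft Windows Agent #2 (Hollis)")
    msg.add_attachment(archive.getvalue(), maintype="application",
                       subtype="zip", filename="install.zip")
    return msg.as_bytes()


def build_benign_message() -> bytes:
    """Constructed control message: no attachment, no lure wording."""
    msg = EmailMessage()
    msg["From"] = "Alice Example <alice@example.org>"
    msg["To"] = "customer@example.org"
    msg["Subject"] = "Lunch tomorrow?"
    msg.set_content("Same place at noon?")
    return msg.as_bytes()


def executables_in_zip(data: bytes) -> list[str]:
    """Names inside a zip payload that carry a directly executable extension."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXTS)]
    except zipfile.BadZipFile:
        return []


def triage(raw: bytes) -> list[str]:
    """Return indicator codes for one RFC 5322 message; empty means no match.
    Each check alone is weak; the combination is what this campaign looks like."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: list[str] = []

    # 1. Display name claims a brand whose domain the sender address lacks.
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    for brand, domains in CLAIMED_BRANDS.items():
        legit = any(domain == d or domain.endswith("." + d) for d in domains)
        if brand in name.lower() and not legit:
            findings.append(f"spoofed-sender:{brand}:{domain}")

    # 2. Lure wording in the subject or the text body.
    body_part = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + "\n" +
            (body_part.get_content() if body_part else "")).lower()
    findings += [f"lure-phrase:{p}" for p in LURE_PHRASES if p in text]

    # 3. Archive attachment wrapping an executable, or a bare executable.
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if fname.endswith(".zip"):
            for inner in executables_in_zip(payload):
                findings.append(f"zip-executable:{fname}:{inner}")
        elif fname.endswith(EXECUTABLE_EXTS):
            findings.append(f"executable-attachment:{fname}")
    return findings


if __name__ == "__main__":
    for label, raw in (("lure", build_lure_message()), ("benign", build_benign_message())):
        print(label, triage(raw))
```

Run stand-alone it prints six indicators for the constructed lure and none for the control message. The sender check is deliberately conservative (an exact domain or a subdomain of it), because suffix matching alone would accept a registered look-alike such as notmicrosoft.com; in production the brand map and phrase list would be fed from a maintained source rather than hard-coded.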


Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Disclosure

Dancho Danchev

More details on Dancho Danchev's current and past professional affiliations, can be found in his LinkedIn profile.

68 Comments

RE: Fake 'Conficker.B Infection Alert' spam campaign drops scareware
efsane Updated - 8th Apr 2011
Great!!! Thanks for sharing this information with us!
sesli sohbet sesli chat
Conficker.B Alert: Why is MS not doing something
sasthana@... Updated - 20th Oct 2009
This spam has been clogging my mailbox since yesterday. Not sure what the software giant is doing about this.

Of late, spam purporting to be from Sony Electronics, DHL, FedEx, Western Union, Microsoft and Walmart has been attempting to distribute malware in large numbers. Are these companies taking steps to stop misuse of their brand for illegal purposes, or do they choose to do so only in the print/mainstream media?

Brand recognition carries some responsibilities too.
How do you propose they do that?
unredeemed 19th Oct 2009
Would they send in some covert operators that track them down and kill them? Hire some leading security firms to track the origin of the spam?

Realistically, the odds of capture and prosecution are small.

Best just to invest in good corporate anti-spam technology at the gateway, use something your ISP provides, or whatever your AV vendor provides.

Common email etiquette: if you don't know who it's from, don't open it.

If it still comes through, you're doing it wrong.
RE: How do you propose they do that?
fatman65535 21st Oct 2009
Your first sentence says it all!

"Would they send in some covert operators that track them down and kill them?"

(sarcasm)
I wish that were possible. Summary execution for spammers, identity thieves and malware authors!
(/sarcasm)

But in reality, that will not happen. (But one can wish!)
"HE SPAMMED ME!!"
Boom, dead.

"I TOLD HIM IRL NOT 2 EMAIL ME BUT HE DID NWAYS"
Boom, dead.

Ya.. no.
Not much they can do.
CobraA1 19th Oct 2009
Not much they can do.

Email was never designed for security, and it's HARD getting everybody on the same page with a solution that works, because basically every solution we know of pretty much requires everybody to use it. But, unfortunately, it's difficult convincing people running email servers to implement a common solution.

So, we're stuck with what we've got. A system that is broken to the core with no end in sight for a solution.
Two things they can do;
AzuMao 21st Oct 2009
1) Stop this spam in the email service they run (Hotmail) and the mail client they provide (Outlook).

2) Make Windows stop being infected by malware, and do so in a way that isn't so annoying that users disable it.
Re: Two things that can do:
rtk 21st Oct 2009
1. impossible and pointless, they'll just move on.

2. Done in Vista, improved in Win7. A very small percentage disabled it.
Improved?
AzuMao 21st Oct 2009
1. To what.. fax?

2. Annoying enough in Vista that many disabled it.. and in 7 it doesn't even work;
http://google.com/search?q=Windows+7+UAC+injection

Oops, I forgot, everything non-Microsoft is evil and can't be trusted.. so here you go, straight from your holy horse's mouth;

http://bing.com/search?q=Windows+7+UAC+injection
Improved.
rtk 22nd Oct 2009
1. to other accounts, and other servers.

2. You say many, I say very few. Google, bing or yahoo searches don't tell us anything about the numbers. The web is full of misinformation.
Ya...
AzuMao Updated - 22nd Oct 2009
1. Okay..? And? That's like saying their reason for not making Windows secure is that the other OSs would be hacked if they did. Such an outcome would cast a favorable light on MS's stuff.

2. Sorry, but since working binaries and source code are provided, there's not much room for misinformation. silly

P.S. did you even look before replying?
oh ya...
rtk 22nd Oct 2009
1. Every public email service has abuse, it's unavoidable. It's been years since spam hit my mail client from hotmail. Outlook isn't used by any spammer as a tool for UCE, that's mostly done by botnets these days.

2. You wrote "Annoying enough in Vista that many disabled it.". I replied "you say many, I say very few".
Did you reply to the wrong post?
AzuMao 23rd Oct 2009
1. Yes the others will still get it. But the question was what can Microsoft do, and if their own services are being used as attack vectors they can do something about that.

2. What's that have to do with the fact that UAC has been weakened (not improved, like you claimed) in Windows 7?
errrr
Gis Bun 20th Oct 2009
How about complaining to your ISP about the spam and maybe not throwing your Email address around like it's nothing.

Ain't Microsoft's fault you're on a spammers list.
re: errrr
creeker2 20th Oct 2009
Thanks for that tip, I'm just not as savvy as some but am learning rapidly.
Not much they can do.
Al_nyc 21st Oct 2009
I don't think you understand how email works. If you did, you would know that there is not much those brands can do. Most of those emails are coming from offshore servers, so out of our jurisdiction. The only thing that really helps is education. People need to know enough to discard those emails without opening any attachments.
And so far, they don't have the stomach to take the necessary steps to stop it. They're all content to sit around wringing their hands, or going into a lab and working on some weak countermeasure that's ineffective.

But hey, it keeps us security guys employed, so don't rock the status quo boat.
I'm bad, but agree with ejhonda
boomerking 21st Oct 2009
It's always more of the same. It provides employment for us poor security guys.
The problem is that Microsoft Windows security exploits are the norm. It is completely normal for users to hear that they are in danger again from a Microsoft Windows exploit, and this living in expectation of the next Windows exploit in a never ending series of Windows exploits is the actual vector. People have been conditioned to expect buggy software from Microsoft, and that, sadly, is what they get.
Buggy software comes from everyone.
Erroneous 20th Oct 2009
Not just Microsoft. You imply with your consistent posts that only Microsoft has errors while you know full well that is false. It is people like you that give these forums a bad name.

This has nothing to do with buggy software or an exploit. This has to do with how stupid some end users are and how they still open every attachment sent to them.
It's not so black and white.
AzuMao 21st Oct 2009
Acknowledging how insecure Microsoft's software is doesn't mean you think no other company has ever made mistakes. Just that Microsoft makes very insecure software.
Perhaps even more scary is all the Apple users ...
de-void-21165590650301806002836337787023 20th Oct 2009
... who've been lulled into a false sense of security that they're using an impenetrable OS that has not malware.

At least Windows users are cognicent of the fact that there are threats. Most Apple users I know thing that they're completely immune.
Not only immune but
Erroneous 20th Oct 2009
think there is nothing out there in the wild. They would get nailed and never even have a clue.
You don't have to think your computer is perfect just to know it's better than Windows trash.

It isn't that black and white.

Just because somebody uses an OS that is much more secure than MS's garbage, and knows it, doesn't mean they think it 100% perfect.
Just because
tikigawd 21st Oct 2009
Just because somebody uses an OS that is much more versatile and useful than Apple's garbage, and knows it, doesn't mean they think there's absolutely nothing wrong with it. That's why the average Windows user takes certain precautions to protect against viruses, trojans, social attacks, etc.

You go ahead and keep believing OSX is magically more secure. I'll keep following my own protocols to make sure my computing experience is actually more secure than yours.
Magically more secure?
sternieman 21st Oct 2009
I'm a long time user of both platforms.

Straight out of the box a Mac is more secure than Windows. Both OS's have updates, yes, but I feel confident using my Mac without the need for a spyware or virus protection program running at all times. Mostly because there isn't a virus around every corner of the web trying to infect my machine.

All systems are open to idiot user attacks (click here for a free XBox360, or a free PC tuneup, or to watch this video).

The only thing a PC will do better than a Mac is play games (which is pretty much the only reason I have a PC). Everything else a common user could want comes on a Mac right out of the box.

I'm glad you have your own protocols to keep yourself safe. How many users come close to following your protocols? For every 1 intelligent, smart user, there are 1000 idiot users.

I've been in this game over 10 years. I've had to remove 2 worms (including Conficker B) from our network of 2000+ PCs. I've never had to remove any type of virus/spyware from the Macs we have.

As an end user and a tech I'd much rather be using a Mac.

At the end of the day you can't honestly say that a PC is just as safe and secure as a Mac. At least for now.
Straight out of the box,
rtk 21st Oct 2009
Apple fell at pwn2own via first-party applications. It took until day three and a third-party application for Windows to fall.

So, out of the box, Vista is more secure than OS X.
Don't forget
tracy anne Updated - 21st Oct 2009
There was a third Operating System that was never pwned. So I guess it is more secure than Mac OS X and Windows.

Incidentally, in the 8 and a half years I've been using versions of that Operating System I have never heard of a single virus infection on that Operating System, let alone massive virus infections such as we are used to reading about occurring on every version of Windows, up to and including Windows Vista.
Agreed, but also don't forget
rtk 22nd Oct 2009
That it wasn't that the other OS survived the onslaught; if I remember correctly, it was never challenged.

It's like living in the city vs hidden in the woods: you're more likely to hear all kinds of horrible stories in the city, but horrible things happen in the woods occasionally as well, just far less often by virtue of population density.

I'd say Linux is the safest, but its actual security (on the desktop) hasn't really been tested in the marketplace at large.
Given that
tracy anne Updated - 22nd Oct 2009
The prize was the computer + the money. It makes sense that the people doing the exploiting choose the system that is easiest to crack. I'm not surprised that the Mac, even with its Unix core, was pwned; I am surprised that it was easier to crack than Windows.

The thing is the security paradigm on Linux is completely different than it is on the Mac and Windows. On the other hand, the person breaking in didn't have to actually break into root, merely the current user's account, and read a file planted there for the purpose of the demonstration.

I suspect that the vector used to break into Windows could have worked on the Linux machine, as it used an exploitable hole in an Adobe product (and Adobe are not known for building the most secure products). The difference is that on the Windows machine (I'm not sure about the Mac) this access could have been used for additional exploits, simply because Windows security wouldn't stop code that belongs to the user from running. While on the Linux machine it's highly unlikely unless the user assisted.

Depending on the security context of the Adobe product on the Linux machine (Ubuntu uses some AppArmor settings to control access of users and applications), even had they exploited the security hole in the Adobe application, they might still have not been able to access the file.

I admit this is conjecture, but my experience with Windows and Linux leads me to conclude that the probability is low that the Linux machine would have been easily compromised. Which is why it was left unchallenged.
@AzuMao One example, not one event
rtk Updated - 22nd Oct 2009
Repeatedly when security through obscurity (or rarity, sparse population density, whatever) is taken out of the equation, Apple falls first and hard.
@tracy anne
rtk 22nd Oct 2009
I was just replying to the claim that OS X, straight out of the box, is more secure than windows, which is patently false. It may be more safe, but relative safety isn't security.

I agree fully that Linux is far better positioned to respond to any breach than Apple or MS.

The only other comment I have is that if anybody had succeeded on day one, the increased prize money would have paid for two of the Macs with some money to spare, on top of what the prize money was on day two.
@rtk
AzuMao 23rd Oct 2009
Everything was taken out of the equation. Only one guy in that event knew how to hack and he attacked OSX first, so of course it fell first. Duh.
Hmm.
sternieman 23rd Oct 2009
According to this article

http://dvlabs.tippingpoint.com/blog/2009/03/18/pwn2own-2009-day-1---safari-internet-explorer-and-firefox-taken-down-by-four-zero-day-exploits

Safari, IE8 and Firefox were all exploited on the first day at pwn2own.

Maybe "secure" is not the correct word. As someone stated, Mac is a safer bet right now. A general user is 99% more likely to get a virus or spyware on a Windows PC than a Mac.

Sure Linux is the safest bet right now, but as both Mac and Linux become more widely used, I'm sure they too will be just as riddled with malware as Windows is.
More widely used?
AzuMao 23rd Oct 2009
Almost everything on the entire Internet is already run by Linux. I'm pretty sure it's a big enough target already.
@AzuMao
rtk Updated - 23rd Oct 2009
Everything was taken out of the equation.

It was open to any takers, with the prize money taking marketshare out of the equation.

Only one guy in that event knew how to hack and he attacked OSX first, so of course it fell first.

Funny, he stated he attacked OS X first, on day two, because it was the easiest. He took Windows on day three with the help of third party bugs, which explains why he also stated he believed the hack would have worked on all three.

I can't help but wonder what your comments would have been had he chosen to attack Windows first.

As for the claim that Linux isn't widely used, it was obvious that the OP meant on the desktop. Servers are managed by more competent people than the average home consumer. Web servers that power the internet aren't used locally by the admin to hang out on facebook.
@rtk
AzuMao 23rd Oct 2009
You're actually going to base your whole opinion on the entire OS industry on the personal opinion of one single hacker? Why?

"As for the claim that Linux isn't widely used, it was obvious that the OP meant on the desktop. Servers are managed by more competent people than the average home consumer. Web servers that power the internet aren't used locally by the admin to hang out on facebook."

Most desktop users depend on servers. Also, all computers are always going to be vulnerable to user error (unless nobody is allowed to use them), so obviously the important thing is which one is more secure when the user is competent.

I'm just rebuking de-void's claim of all OSX users thinking OSX is perfect.

Excluding one does not imply the other. Most users out there are not IT experts and shouldn't need to be.

The more important question is how many dumb PC users have infected PCs - in my current experience somewhere near 20%.

How many dumb Mac users have infected Macs? Somewhere near 0%.

OS X warns users about every downloaded app.

OS X is not magically more secure - it is less vulnerable currently.

You picked the vulnerable OS - and you like others to have to jump through ridiculous hoops, just like you, to stay safe - no wonder you are in denial about OS X.

PS - I also use Windows PCs, and have had to manually remove infections after the anti-virus software missed them and failed to remove them when found.

I also have cleared up other people's PCs that have anti-virus software and need 2 or 3 different anti-virus packages to clear them up to the point where they are at least functional, but not clean. So unlike you I speak from quite a bit of experience of both systems.
One clear advantage of Mac
rahbm 21st Oct 2009
...is a spelling checker that works. Funny how so many of the rabid Microsoft bigots on here are not cognisant of the many spelling and grammatical errors they make. Perhaps they don't "thing" they need to bother.
And last time I checked Safari was multi platform.
System Wide doesn't mean Safari
richardw66 30th Oct 2009
OS X spell checks, Safari just lets it do its thing.

This means that to build an app with spell checking is the same as building an app without spell checking. This also means that the spell checking is consistent and you don't end up with a heap of dictionaries on your computer.

A small app then also benefits from spell checking.

So what does that have to do with Safari being multi platform?
Thing is spelled right,
rtk 22nd Oct 2009
a spelling checker wouldn't help what is clearly a typo, one that is very simple to decipher.

Grammer and Spellin trolls are about the worst kind.
Bugs?
tikigawd 21st Oct 2009
Sounds like a social attack to me...

What bugs are you referring to?
I'd like to think my users are pretty savvy. The sample message was factually and grammatically wrong on many levels. I'm sure some day a spammer will get the grammar correct, but in this case just reading the sample message was enough to send it to the waste basket.
Example: I'm pretty sure my provider would not be informing Microsoft that my network is infected.
And quoting the sample message: "We are supplying all effected Windows Users..." I'm sure the word should have been "affected".
The first thing that
Erroneous 20th Oct 2009
jumped out at me was the date format. Other than that, the big thing is that Microsoft doesn't just send out emails like that.
That and the grammatical error...
mgp3 Updated - 20th Oct 2009
We are supplying all effected Windows Users...

Should be "all affected Windows users..."
Last I heard MS was still polluting Redmond...
Thanks for the heads up. My ISP just changed something and I received no less than 10 e-mails from MS (who referenced my ISP) and my ISP requesting that I either click a link to put this change into effect, or MS asking that I download and install a zip file so that Outlook could accommodate the change. What a mess. Fortunately my cynical instincts won. Don't touch! LWB