Fake Microsoft Patch Tuesday malware campaign spreading


Malicious attackers are once again taking advantage of event-based social engineering attacks, and are currently mass mailing fake notifications for Microsoft's Patch Tuesday, attaching a copy of Trojan.Backdoor.Haxdoor next to a legitimate-looking PGP signature which is, of course, fake too:

"We received some questions from customers about an e-mail that’s circulating that claims to be a security e-mail from Microsoft. The e-mail comes with an attached executable, which it claims is the latest security update, and encourages the recipient to run the attached executable so they can be safe. While malicious e-mails posing as Microsoft security notifications with attached malware aren’t new (we’ve seen this problem for several years) this particular one is a bit different in that it claims to be signed by our own Steve Lipner and has what appears to be a PGP signature block attached to it. While those are clever attempts to increase the credibility of the mail, I can tell you categorically that this is not a legitimate e-mail: it is a piece of malicious spam and the attachment is malware. Specifically, it contains Backdoor:Win32/Haxdoor."

Is timing everything when it comes to the success rate of such malware campaigns? Not necessarily.

Despite the touch points aiming to improve the trust factor, such as mentioning a real Microsoft employee, a spoofed FROM field of securityassurance AT microsoft.com, and the PGP signature, the emails aren't personalized, and spam outbreaks spreading malware by capitalizing on Microsoft's brand follow a cyclical pattern, re-appearing every year (2005, 2007, 2008); the average end user is therefore supposed to have a basic security awareness of this tactic. More info on the campaign:

Furthermore, this backdoor opens several TCP ports that allow remote attackers to connect to the compromised PC and execute files, steal information from it, or upload and download files. The attachment’s file name varies, but uses the convention KBxxxxxx.exe, where xxxxxx is a random 6-digit number. Below are some of the file names we’ve seen, and are being used:

KB199250.exe KB246586.exe KB535548.exe KB572906.exe KB763412.exe
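The indicators described above (a microsoft.com sender delivering an "update" as a KBxxxxxx.exe attachment, plus an inline PGP signature block that is not a real PGP/MIME signature) can be checked mechanically at the mail gateway. The following is an added example, not code from the article or from Microsoft; the message it parses is constructed to resemble the campaign and is not a real capture.

```python
import email
import re
from email import policy

# Constructed sample message modelled on the campaign (not a real capture).
SAMPLE_EML = b"""From: Microsoft Security Assurance <securityassurance@microsoft.com>
To: user@example.org
Subject: Microsoft Security Update
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please run the attached security update to stay protected.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9
cGxhY2Vob2xkZXIgc2lnbmF0dXJlIGJsb2Nr
-----END PGP SIGNATURE-----
--b1
Content-Type: application/octet-stream; name="KB535548.exe"
Content-Disposition: attachment; filename="KB535548.exe"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQ=
--b1--
"""

# File-name convention quoted from Microsoft's notice: KB + six digits + .exe
KB_EXE = re.compile(r"^KB\d{6}\.exe$", re.IGNORECASE)


def fake_patch_indicators(raw: bytes) -> list[str]:
    """Return the indicators that mark a message as a fake Microsoft update."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    sender = (msg.get("From") or "").lower()
    claims_microsoft = "microsoft.com" in sender
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if KB_EXE.match(name):
            hits.append(f"attachment uses KBxxxxxx.exe pattern: {name}")
        elif name.lower().endswith(".exe"):
            hits.append(f"executable attachment: {name}")
    # Microsoft does not ship security updates as e-mail attachments.
    if claims_microsoft and hits:
        hits.append("microsoft.com sender delivering an update as an attachment")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    # A pasted ASCII-armored block is not a PGP/MIME (multipart/signed) signature.
    if "-----BEGIN PGP SIGNATURE-----" in text and msg.get_content_type() != "multipart/signed":
        hits.append("inline PGP signature block without multipart/signed structure")
    return hits
```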

Compared to the recent targeted malware attack against U.S. schools, and the massive fake CNN news items campaign taking advantage of client-side vulnerabilities, this one is definitely going to have a lower success rate, no matter the timing.

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.


  • owning a computer

    these peeps who click on the email should not be allowed to own a computer. Period, until they go through security training for 1 year.
    • It doesn't always take an email.

      I've previously googled for something (something [i]technical[/i] ;-)), clicked on a link, and suddenly had a pop-up appear that claimed to be scanning my C drive before finding a virus! Except that I was browsing on a Linux box at the time...

      There are lots of ways for malware to get onto your PC. Are you confident that you're [i]always[/i] going to be able to spot them [i]all[/i]? What if drive-by malware can get referenced in Google's cache...?
      • You'd have to be dumb

        to hit a link for a MS update, especially when your OS tells you if new ones are available.
        • You think so?

          You would be surprised at how many people these days who are still not very computer literate. For example, a new PC with Vista was purchased for my mother who is in her 50's so that she could maintain her e-mail account and keep in contact with family and friends and play online card games and whatnot...simple stuff. She can navigate her way around the OS for the most part. But she is one of those people who sees a flashing banner on the web telling her she's won something and will believe it's her lucky day.

          To her credit, she can spot obvious attack attempts such as those e-mails claiming to be a long lost relative from Russia who is trying to regain contact. But I can guarantee that she would not be able to recognize this type of e-mail for what it is and would consider it authentic. She knows of the automatic updates from Microsoft, but all the fine details she does not.

          So to get back to my main point, stupidity (or being dumb, as you put it) does not apply to all. I agree that it might apply to those who are well aware and fully understand how these things work. But for those that are not so techno-savvy it's a different story.
          • Mother in law with similar problem here...

            Her dual core HP Pavilion is running so slow it's not tenable, and this will be the second time I have to recover her system.

            Since all she really does with her computer is read email and browse the web, I have convinced her to let me install OpenSolaris on her computer. I'll set her up as a user with limited privileges and it won't matter what she clicks on in email.

            I'll let you all know how it works in a few weeks.
          • A guy on the street asks to upgrade your wallet...

            A guy on the street asks to upgrade your wallet. Would you give it to him? Or would your mother give it to him?
            Please explain to your mother to behave as she would do in *real* life.
          • to be more precise...

            a guy on the street walks by with a sign that says "upgrading your wallet, please wait..." and before you can push him away, he has already slipped all his coupons in there and a little gremlin that goes out and finds more coupon generators for you.

            that would be more like it if you want to apply a real world type scenario
          • Yes, I do think so...

            These days, it takes more than being computer illiterate. You would also need to be either stupid or living in a cave! The media has covered this sooooo many times. Every time something like this happens they explain how to spot suspicious emails. And not just blogs. I am talking about local and national news.
            Major Havoc
          • Watch what you said.

            She will slap your face so hard that you will get kicked out of my apartment.

            My mom is not stupid and does not live in a cave. Same for Liquidglow and 914four.
            Grayson Peddie
          • Watch what you said.

            LOL - Good comeback. :)
            Major Havoc
        • And yet -

          I get 10 to 35 Nigeria scams directed to my business address every day because it is a published contact by my employer. I wouldn't get those if there weren't an awful lot of "stupid" users out there. All it takes is a small fraction of "irrational optimists" to supply the numbers needed to keep those coming out.
      • RE: It doesn't always take an email

        I sometimes get something similar. A pop-up that looks like an Internet Explorer window scanning stuff and saying I'm infected with spyware. There is one problem, I am running Safari on my Mac.

        I even got a pop-up once asking me to install an ActiveX control so I could play some video. Last time I checked only the Windows version of Internet Explorer uses ActiveX.

        I love my Mac.

        As a side note it seems Apple's Mail can thwart these spoofed emails by telling me the actual sender.

        I used to get tons of phony Pay-Pal emails, I knew they were fake because of the address it came from even though it was spoofed.
        • it don't take mac mail...

          any email program shows the sender. also you can view source to see headers but for the common joe-email user, put your mouse on the link you're going to click to go to reset your password and notice it is or something weird looking.

          also, windows live mail marks the phishing emails as phishing emails. and the snozzberries taste like snozzberries.

          i don't like mac but i will say it's good that they can't be infected very easily. one of the viruses i read about you get on an IM and you have to click it, then click an Apple warning agreeing you want to open the file. so on an Apple you'd have to be stupid to get a virus. on windows, it don't take much.
      • Another issue is what to do...

        when a site sends you a message that you do need to update flash, adobe, or something, or a message pops up that most likely isn't connected to what you are doing but they want you to do it while you are on line and you just can't be sure if you are looking at bait or not.

        The need to more completely armor the OS on a rom chip so that you can start over clean then update what you need to before anything else can happen is growing.

        If this means only MS, Apple, or your linux distro can touch your OS and your security software I can't help it.

        All your apps should run in a sandbox with high walls anyway.
        • that's pretty paranoid

          i run my laptop vista and suse dual boot. i only use a basic setup for firewall settings and i pretty openly browse websites with not much worry as to what sites i go to. but when you browse pr0n, you need to be careful and run a virus scan and an anti spyware check after just to be sure. i use spybot sd and housecall website for virus scanning. real time protection? dont need it.
    • LoL

      And who's paying for that? =P
    • Not EVERYBODY is a computer whiz, Monosdeja

      A lot of people really don't need more than just e-mail and web surfing - and for them, M$FT is the worst possible system since it's [b][i]so[/b][/i] inherently vulnerable to malware attacks (and even more so thanks to the Homeland Security-level UAC of Vista - talk about "We're inconveniencing you so you THINK you're safer!").

      I wish to Heaven M$FT would work on a simple-stupid and transparently secure OS for Mom-level users - or if they're too arrogant to bother (which given Darth Ballmer as their Lord and Master, they clearly ARE), maybe we should start giving our Moms Linux Netbooks behind secured routers....
      • ...giving our Moms Linux Netbooks

        ...giving our Moms Linux Netbooks?
        That works better than you think!
        The funny thing is that your mother probably won't feel any difference between a Microsoft or a Linux with KDE.
      • actually I agree

        a heavily armored linux distro with something like open office and a few other selected apps may be what a lot of people need if they even need that much.

        I'm not sure how many would accept the limits.
    • owning a computer

      They don't have time to go to training. They're too busy taking care of their kids, 'cause they thought "Abstinence" is an effective form of birth control in the heat of the moment.