Fake Microsoft patches themed malware campaigns spreading


Researchers from Computer Associates (NASDAQ:CA) and Sophos are reporting on three currently active malware campaigns using fake Microsoft patch themes as a social engineering tactic to spread over email.

The first one is spreading as an "Important Windows XP/Vista Security Update" and offers a bogus Conficker removal tool. The second uses an "Outlook re-configuration" theme, also spammed earlier this month. The third uses an out-of-band "Update for Microsoft Outlook / Outlook Express (KB910721)" theme, which in reality is nothing but a trojan.

The fake Conficker removal tool campaign has been active for over a week now. Symantec points out that not only are the authors unable to tell Troj/Brisv.A from Conficker, they also misspelled Conficker as "ConFlicker" while attaching their malware to Symantec's original removal tool in an attempt to lend the campaign more legitimacy.

A similar fake "Conficker Infection Alert" spam campaign redirecting to scareware took place in April. However, although cybercriminals keep returning to the cyclical "Microsoft security update/patch" social engineering theme, the timing of this latest campaign is thankfully off, unlike previous campaigns where it was perfect.

The second campaign, the Outlook re-configuration one, is serving Outlook_update.exe through several legitimate but compromised web sites, alongside purely malicious ones. Interestingly, the third campaign, promoting the fake Outlook critical update, attaches the executable officexp-KB910721-FullFile-ENU.exe directly to the email, indicating the senders' lack of experience in such campaigns.
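The two delivery methods described above (an executable attached directly, and a link to an executable on a web site) are what a mail gateway can check for. The following is an added example, not code from the researchers or the article: a small triage function run over constructed sample messages. The regular expressions, verdict names and the `compromised.example` host are assumptions made for illustration.

```python
import re
from email.message import EmailMessage

# Lure wording and file types drawn from the three campaigns in the article.
PATCH_THEME = re.compile(
    r"security update|critical update|re-?configuration|removal tool|\bKB\d{6}\b", re.I)
EXECUTABLE = re.compile(r"\.(?:exe|scr|pif|com|bat|cmd)$", re.I)
EXE_LINK = re.compile(r"https?://[^\s\"'<>]+\.(?:exe|scr|pif)\b", re.I)

def classify(msg):
    """Return (verdict, reasons) for one parsed e-mail message."""
    themed = bool(PATCH_THEME.search(msg.get("Subject", "")))
    reasons = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            if EXECUTABLE.search(name):
                reasons.append(f"executable attachment: {name}")
        elif part.get_content_type() in ("text/plain", "text/html"):
            body = part.get_content()
            themed = themed or bool(PATCH_THEME.search(body))
            reasons += [f"link to executable: {u}" for u in EXE_LINK.findall(body)]
    if reasons and themed:
        return "quarantine", reasons   # patch-themed lure that delivers an executable
    if reasons:
        return "review", reasons       # executable delivery without the patch theme
    return "deliver", reasons

def make_mail(subject, body, attachment=None):
    """Build a constructed sample message (placeholder bytes, no real binary)."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"constructed placeholder bytes", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg

SAMPLES = [  # constructed inputs using the subjects and file names reported above
    make_mail("Update for Microsoft Outlook / Outlook Express (KB910721)",
              "Please install the attached update.", "officexp-KB910721-FullFile-ENU.exe"),
    make_mail("Outlook re-configuration",
              "Apply the new settings: http://compromised.example/Outlook_update.exe"),
    make_mail("Lunch on Friday?", "Agenda attached.", "agenda.pdf"),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["Subject"], "->", classify(m))
```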

With a well known pattern of abusing the momentum advantage for malicious purposes by hijacking emerging news stories or events (Swine flu email scams circulating; The Web's most dangerous keywords to search for; Cybercriminals syndicating Google Trends keywords to serve malware; Cybercriminals hijack Twitter trending topics to serve malware), it shouldn't take long before Iran's massively covered election starts appearing in malicious campaigns.

Topics: Microsoft, Malware, Security, Social Enterprise

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.


Talkback

22 comments
  • You have to be a complete idiot to....

    download some bogus "patches" from an untrusted email.
    All current Windows operating systems have Windows Update. Why the hell would anybody download "patches" from an untrusted email, when it can be done automatically via Windows Update.
    NeoGeneration
    • Sadly

      There are still users untrained as to properly identify spam/malware threats. That doesn't make them complete idiots...


      I often have expressed my desire to see everyone who uses computers daily, whether at home or at the workplace, to take a course at school or via your employer, designed to help those people understand computers a little bit better, including internet threats.
      The one and only, Cylon Centurion
      • I Couldn't Agree More

        It always surprises me how little some people know about the technology
        that they use everyday.
        yobtaf
        • Bogus Patches...

          I have heard of people trying to download patches from Microsoft and everything timing out due to lack of bandwidth. So I can see the unknowledgeable types downloading from any source that will give them a decent download speed, not realising that they are downloading malware.
          Lost Cause?
        • Here's some technology you use everyday

          How have you been doing at fixing your own car? Tested, repaired or replaced the ECM or Fuel and Emissions systems on your vehicle lately? Get your head out of your bum and join the real world!
          stillgolfing
        • Why should they?

          Most people aren't interested in computers or technology, the same way they aren't interested in cars, cookers etc. They all "just work", until they stop working, at which point they either get them serviced/repaired or they buy a new one.

          For many, they don't know and don't care about security. On the one hand, why should they?

          On the other hand, they have to learn how to drive a car and get a licence...

          But most treat a computer like a fridge or hair dryer, it is just another piece of equipment that makes their life easier. They don't care how it works. If somebody sends them an e-mail saying that their machine is a risk, they'll click on it.

          Just look at the cold callers offering to resurface driveways, repair the shingles, clear the gutters etc. A lot are con men and either don't do the job properly, or the job doesn't need doing. Malware is the computer equivalent and an equally large proportion of users are gullible enough to fall for "repairing" their computer as there are to have their gutters cleaned or shingles repaired...
          pico_D
    • Your name says it all NeoG...

      Not every user is tech savvy. I live in a senior community and the place is full of retirees of various ages. They are all busy using their PCs, that are often bought by their adult kids, to keep in touch with friends and family. Are they naive users? You bet they are. I spend a fair bit of time getting them out of trouble.

      You may be NeoGeneration now. What will you be 40 years from now? Just another gray haired out of touch has-been?

      I'm a retiree too. I used to be employed in the PC business and try to keep up. That's why I subscribe to Zdnet. Wait until some brash hotshot trashes you because you are not up on the latest greatest doodad of the future.

      cbmjb
    • Windows update is only about 98% reliable

      It fails, sometimes due to overzealous security apps and the "quickclick" syndrome, sometimes due to a "feature" in the code combined with an unreliable connection, and occasionally a patch is missed. Systems health management apps (like Norton for example) may come back and say that the system requires a patch. If that user happens to have received an email that says "get patch here" the rest is easy to imagine...
      914four
    • a complete idiot

      What you forget is that the "audience" consists of many newbies, gullible and even desperate people who are not yet experienced and don't even yet know the information they need is available to them. Many first timers will even go for a year or more without updating their protection-ware so add ignorance and the brilliance of some egos to the mix and you have a large audience just for the picking. It's still the case that e-mail seems so "official" and couldn't possibly have anything "bad" in it.
      Come on, everyone has to go through the learning process. It's like backing up; most don't bother to think about it or do anything about it until there's been a disaster. Education could nearly put spammers out of business, but it just isn't there and in the few cases it is, it's unusual so can't be that important.
      You have a jaded outlook on the situation.
      twaynesdomain-22354355019875063839220739305988
  • RE: Fake Microsoft patches themed malware campaigns spreading

    These techno terrorists depend on non literate computer users.

    It only takes a careless moment even for the most educated of users to end up with an infected machine...

    Do not criticize the uninformed, inform them!
    info@...
    • True.

      This is the same for all things. The financial terrorist took advantage of us for our lack of understanding of financial things so we are left in this economic wasteland.
      Yes, we need to give good information to all people since all you need is one person to be misinformed and get infected and then many other systems get infected.
      Remember, it is not the system that is the issue here but the criminal/terrorist that takes advantage of the system and people for their lack of in-depth understanding of those things.
      phatkat
  • RE: Fake Microsoft patches themed malware campaigns spreading

    Information Technology is just that, the ability to extract and understand information. Some folks aren't privy to all kinds of resources as well as education. I think of it like Health Care, if you live in a neighborhood of good practitioners, you're more than likely going to be able to contact a good DR. So, I think most posters to this topic would've been commenting on about specific application loop holes instead of blaming the patient.
    donaldfiander@...
  • RE: Fake Microsoft patches themed malware campaigns spreading

    I have a question, or observation: my Windows Admin has our systems configured for auto downloads from Microsoft, the auto updater. I do not trust that mechanism, should I be concerned?
    theguru1995@...
    • It depenz...

      ...mozly on if you are ever likely to walk away from your computer during the time you are scheduled to update without saving what it is you are working on. While it is probably a good idea to save every time you get up from your computer and several times in between, if your state of mind tends to follow your muse rather than your technical common sense, you might consider disabling auto-update. If you know you will NEVER be in the middle of something so deep that your inspiration will be lost forever if you don't keep at it when update forces a reboot, then I would keep auto-update on.
      valvestate@...
    • yes, be concerned

      Totally auto-update without user intervention is a bad idea. Client machines should be set to alert the user of an update but do nothing else.

      If you have centralized admin they should have set clients to do no automatic updating, download/test updates as they come along and push the needed ones out to the clients after confirmed good.

      Admins of larger enterprises that let every client automatically download and install every update should be reassigned to sharpening pencils for the mail room boy.
      catseverywhere@...
      • yes, be concerned

        Thank you catsE!

        Now I know I am not the only one...
        theguru1995@...
      • While I agree with you...

        ...there are many on this site who would cry "heresy!" based on your post. "Those who have drunk the koolaid" will claim that not having everything fully automatic is a bad idea. I have given up trying to reason with these folks but there are many out there.
        914four
    • No

      The chances of something breaking are more remote. It is a very bad idea to turn AU off, most of the infected machines out there are a result of that.
      The one and only, Cylon Centurion
  • RE: Fake Microsoft patches themed malware campaigns spreading

    @valvestate
    @catseverywhere

    Neither of you know anything about theguru1995's systems, and theguru1995 may not know the details of what his/her admin has setup. You know nothing about whether there's a company IT policy in effect. In short, neither of you know anything except how to give crappy advice. Maybe it's a SUSE push after evaluation, maybe he's in a small workgroup and not a domain. Setting autoupdate may be the best solution for a small shop. Now you've gone and told him that it's okay to turn off autoupdate.

    @theguru1995:
    Leave autoupdate on. The chances that you're going to get a Microsoft patch that messes anything up are much smaller than being vulnerable to malware like the Conficker worm, which only affected unpatched systems. If you have concerns about autoupdate, talk to your Windows admin and voice your concerns.
    DrMicro
  • RE: Fake Microsoft patches themed malware campaigns spreading

    So far, nobody seems to have picked up on the fact that the word "Conficker" is a combination of a French obscenity ("con") and a German one ("Ficker"). This has led me to conclude that the evildoer is an Alsatian. :-)
    rlohmann@...