June 18th, 2009

Fake Microsoft patches themed malware campaigns spreading

Posted by Dancho Danchev @ 7:57 am

Categories: Anti Virus, Botnets, Browsers, Hackers, Malware, Microsoft, Patch Watch, Spam and Phishing

Tags: Malware, Social Engineering, Microsoft Corp., Malware Campaign, Spyware, Adware & Malware, Cyberthreats, Microsoft Outlook, Viruses And Worms, Security, Dancho Danchev

Researchers from Computer Associates (NASDAQ:CA) and Sophos are reporting on three currently active malware campaigns using fake Microsoft patch themes as a social engineering tactic to spread over email.

The first one is spreading as an “Important Windows XP/Vista Security Update” offering a bogus Conficker removal tool; the second uses an “Outlook re-configuration” theme, also spammed earlier this month; and the third uses an out-of-band “Update for Microsoft Outlook / Outlook Express (KB910721)” theme, which in reality is nothing but a trojan.

The fake Conficker removal tool campaign has been active for over a week now, with Symantec pointing out that the authors not only fail to tell the difference between Troj/Brisv.A and Conficker, but also misspelled Conficker as ConFlicker while attaching their malware to Symantec’s original removal tool in an attempt to lend the campaign more legitimacy.

A similar fake “Conficker Infection Alert” spam campaign redirecting to scareware took place in April. Cybercriminals keep returning to the cyclical “Microsoft security update/patch” social engineering theme, but whereas previous campaigns were perfectly timed, this latest one thankfully isn’t.

The second, Outlook re-configuration campaign is serving Outlook_update.exe through several legitimate, presumably compromised web sites alongside purely malicious ones. Interestingly, the third campaign, promoting the fake Outlook critical update, attaches the executable officexp-KB910721-FullFile-ENU.exe directly to the email, indicating the operators’ lack of experience with such campaigns.
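As an added example, not part of the original post, the following Python triage check parses a raw email and flags the traits the three campaigns share: a Microsoft update/patch theme in the subject, an executable attached directly to the message, and an attachment named like a Microsoft update package. The sample message is constructed here, modelled on the third campaign; the regex vocabulary and the indicator labels are assumptions, not a complete signature set.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Lure vocabulary drawn from the campaigns described above (assumption:
# illustrative patterns, not an exhaustive list of update-themed lures).
UPDATE_WORDS = re.compile(r"\b(update|patch|re-?configuration|KB\d{6})\b", re.I)
MS_WORDS = re.compile(r"\b(microsoft|windows|outlook)\b", re.I)
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")
KB_NAME = re.compile(r"kb\d{6}", re.I)  # Microsoft-style package name, e.g. KB910721


def fake_patch_indicators(raw: bytes) -> list[str]:
    """Return the fake-patch indicators found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", "") or "")
    found = []
    if MS_WORDS.search(subject) and UPDATE_WORDS.search(subject):
        found.append("subject: Microsoft update theme")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if name.endswith(EXEC_EXT):
            # Microsoft does not distribute patches as email attachments.
            found.append(f"attachment: executable {name}")
        if KB_NAME.search(name):
            found.append(f"attachment: named like a Microsoft update package {name}")
        if payload[:2] == b"MZ" and not name.endswith(EXEC_EXT):
            # PE header hidden behind a non-executable extension
            found.append(f"attachment: PE header under non-executable name {name}")
    return found


def build_sample() -> bytes:
    """Constructed message imitating the third campaign; the sender is a placeholder."""
    msg = EmailMessage()
    msg["From"] = "Microsoft Update <update@example.invalid>"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Update for Microsoft Outlook / Outlook Express (KB910721)"
    msg.set_content("Please install the attached critical update.")
    msg.add_attachment(b"MZ" + b"\0" * 62, maintype="application",
                       subtype="octet-stream",
                       filename="officexp-KB910721-FullFile-ENU.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for indicator in fake_patch_indicators(build_sample()):
        print(indicator)
```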

Given the well-known pattern of abusing the momentum of emerging news stories or events for malicious purposes (Swine flu email scams circulating; The Web’s most dangerous keywords to search for; Cybercriminals syndicating Google Trends keywords to serve malware; Cybercriminals hijack Twitter trending topics to serve malware), it shouldn’t take long before Iran’s massively covered election starts appearing in malicious campaigns.

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog. See his full profile and disclosure of his industry affiliations.

Talkback excerpt, posted by twaynesdomain on 07/04/09, titled "a complete idiot":
What you forget is that the "audience" consists of many newbies, gullible and even desperate people who are not yet experienced and don't even yet know the information they need is available to them. ...