Counterfeit Microsoft Security Bulletins Install Malware
As Tuesday (June 5, 2007), the day Microsoft Corp. would release its monthly patches, was approaching, scammers began circulating e-mails posing as security bulletins in an attempt to install malicious code on victims' computers.
The e-mails describe a "Cumulative Security Update for Internet Explorer" that supposedly patches a serious hole in the browser and provide a link labelled "Download this update". The link is malicious: clicking it redirects the user to a server under the attackers' control, which installs malware identified as Trojan-Downloader.W32.Agent.avk.
Once the Trojan has been downloaded onto the victim's computer through this deception, worse follows. It downloads additional malware and other harmful software onto the affected PC, and it also tries to spread to other PCs over the Internet and install malicious software on them as well.
On the night of Thursday, June 7, 2007, the SANS Internet Storm Center received its only report of the scam. Separately, the Chinese Internet Security Response Team blog posted a report on a second specimen.
The two sample e-mails that were reported contained obvious errors that technically familiar users could detect. For instance, although the fake patch examined by Zeltser claimed to have been released in June 2007, it was tagged as MS06-4 rather than the more plausible MS07-004.
When Microsoft issues security bulletins, it does send out notification e-mails, but the links in those e-mails lead users to the bulletins themselves, never to executable files.
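The two tell-tale signs described above, an ill-formed bulletin ID whose year does not match the claimed release date and a "download this update" link that points straight at an executable, can be turned into a simple mail-filter heuristic. The following is an added example (not code from the article or from any vendor); the sample messages are constructed, and the check that links stay under microsoft.com is an assumption beyond what the article states.

```python
import re

# Heuristics drawn from the article: genuine bulletin IDs look like MSyy-nnn with yy
# matching the claimed release year, and genuine notification e-mails link to
# bulletin pages, not to executables.
BULLETIN_ID = re.compile(r"\bMS(\d{2})-(\d{1,3})\b")
LINK = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
EXECUTABLE_EXTENSIONS = (".exe", ".msi", ".scr", ".com", ".bat", ".pif")

# Constructed sample messages modelled on the article's description (not real specimens).
SAMPLE_FAKE = """Subject: Cumulative Security Update for Internet Explorer (MS06-4)
Released: June 2007
Download this update: http://update-example.invalid/ie-update.exe
"""
SAMPLE_GENUINE = """Subject: Microsoft Security Bulletin MS07-004 - June 2007
See: https://www.microsoft.com/technet/security/bulletin/ms07-004
"""


def check_bulletin_ids(text: str, claimed_year: int) -> list[str]:
    """Flag bulletin IDs whose sequence number or year part is inconsistent."""
    findings = []
    for year_part, seq in BULLETIN_ID.findall(text):
        bulletin_id = f"MS{year_part}-{seq}"
        if len(seq) != 3:
            findings.append(f"{bulletin_id}: sequence number is not three digits")
        if int(year_part) != claimed_year % 100:
            findings.append(f"{bulletin_id}: year does not match claimed release year {claimed_year}")
    return findings


def check_links(text: str) -> list[str]:
    """Flag links that point at an executable or (assumption) leave microsoft.com."""
    findings = []
    for url in LINK.findall(text):
        path = url.split("?", 1)[0].rstrip(".,)").lower()
        host = re.sub(r"^https?://", "", path).split("/", 1)[0]
        if path.endswith(EXECUTABLE_EXTENSIONS):
            findings.append(f"{url}: links directly to an executable")
        if not (host == "microsoft.com" or host.endswith(".microsoft.com")):
            findings.append(f"{url}: host is not under microsoft.com")
    return findings


def analyze(text: str, claimed_year: int) -> list[str]:
    """Combine both checks; an empty list means nothing suspicious was found."""
    return check_bulletin_ids(text, claimed_year) + check_links(text)


if __name__ == "__main__":
    for label, sample in (("fake", SAMPLE_FAKE), ("genuine", SAMPLE_GENUINE)):
        print(label, analyze(sample, 2007))
```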
The scams need to fool only a small number of victims to be successful, said Lenny Zeltser, security practice leader at Gemini Systems in New York. PC World published Zeltser's statement on June 11, 2007. One may wonder whether it really matters that the wording of the fake notification e-mails does not match the genuine ones, Zeltser added, since the people able to spot the difference would probably not click the link anyway.
Zeltser is convinced that the criminals behind the scam are preparing for something more dangerous. The Trojan contacts three separate servers, two of which are at domains that are not yet registered. Zeltser speculates that the scam's authors may be planning to register those domains before launching a larger campaign.
SPAMfighter News - 21-06-2007