F-Secure Alerts against Bogus Windows Update Sites
On February 8, 2008, the antivirus company F-Secure warned that another malware-laden imitation of the Microsoft Update page had appeared, hosted at a URL that includes the real Microsoft Update address - microsoft.com/cfm48 - with a dot in place of the forward slash.
The slightly altered URL takes the visitor to a phony Microsoft Update home page that prominently displays an urgent notice asking the victim to 'install an important Windows XP/2000/2003/Vista update!' According to F-Secure, the word 'install' is misspelled on the fake update page ("intall").
The bogus notice has a simulated "Urgent Install" button next to a flashing cursor and the text "Receive important update (mandatory)." Clicking the button downloads a file named WindowsUpdateAgent30-x86-x64.exe, which installs a Trojan on the victim's PC.
According to F-Secure's security researchers, the fake update page is a "fast flux" website: the "cfm48.com" part of the URL resolves to a variety of IP addresses. The malware delivered by the Trojan dropper is a previously known piece of malicious software, detected as Backdoor:W32/Agent.CVU.
Although cfm48.com, the website's real domain, still resolves, the page itself is no longer in service. The domain is registered to a person in California; there is no evidence of his involvement, or of whether the site was itself compromised. According to F-Secure, however, the site is part of a "fast flux network," meaning the IP address for the domain changes very rapidly, which would require the domain's DNS administration to be fully under the attackers' control.
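As an added example (not from F-Secure, SPAMfighter or the original article), two defender-side checks in Python for the tricks described above: a hostname that embeds a trusted domain as subdomain labels, and a name whose successive DNS answers rotate through many addresses with short TTLs. The trusted-domain list, the sample URLs (including the "microsoft.com.cfm48.com" form implied by the dot-for-slash trick) and the DNS answers are constructed for the example, and the thresholds are illustrative.

```python
from urllib.parse import urlsplit

# Constructed for this example: domains the organisation trusts for updates.
TRUSTED_DOMAINS = {"microsoft.com", "windowsupdate.com"}

def registrable_domain(host: str) -> str:
    # Simplified to the last two labels; a real deployment should use the
    # Public Suffix List so that names like 'example.co.uk' are handled.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def check_url(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'other' for a URL.
    'lookalike': a trusted domain appears as a run of labels in the hostname,
    but the registrable domain is someone else's, which is exactly what
    'microsoft.com.cfm48.com' becomes once the slash turns into a dot."""
    host = (urlsplit(url).hostname or "").lower()
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return "trusted"
    dotted = "." + host + "."
    if any("." + t + "." in dotted for t in TRUSTED_DOMAINS):
        return "lookalike"
    return "other"

def looks_fast_flux(answers, min_ips=5, max_ttl=300, min_nets=3):
    """Heuristic over successive DNS answers for one name.
    answers: list of (ttl_seconds, [ipv4, ...]) from repeated lookups.
    Fast-flux names rotate through many IPs spread across unrelated networks,
    with short TTLs so that the rotation takes effect quickly."""
    ips = set()
    for ttl, addrs in answers:
        if ttl > max_ttl:  # a long TTL is not consistent with fast flux
            return False
        ips.update(addrs)
    nets = {".".join(ip.split(".")[:2]) for ip in ips}  # rough /16 grouping
    return len(ips) >= min_ips and len(nets) >= min_nets

# Constructed sample answers (RFC 1918 / RFC 5737 addresses, not real data).
FLUX_ANSWERS = [(60, ["10.1.2.3", "10.7.8.9"]),
                (60, ["172.16.5.6", "192.168.9.9"]),
                (30, ["10.55.1.1", "172.31.2.2"])]
STABLE_ANSWERS = [(3600, ["203.0.113.10"]), (3600, ["203.0.113.10"])]

if __name__ == "__main__":
    for u in ("http://www.microsoft.com/downloads",
              "http://microsoft.com.cfm48.com/", "http://example.org/"):
        print(u, "->", check_url(u))
    print("flux:", looks_fast_flux(FLUX_ANSWERS), looks_fast_flux(STABLE_ANSWERS))
```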
In January 2008, researchers at McAfee warned of a phishing attack on MySpace in which victims received "friend" invitations carrying malicious content disguised as a Microsoft update. Users who opened the profile of the would-be friend were redirected to a page with a fake Windows pop-up promising automatic Windows updates that, when opened, installed a mix of malware on the target's computer.
F-Secure's researchers recommend that users keep up to date with the latest security fixes, since Microsoft flaws are frequently exploited by worms, viruses, and attackers. Users should also be careful to verify that they are visiting the genuine update sites rather than simply following links in messages sent by attackers.
SPAMfighter News - 18-02-2008