[Update: I notice that at about the same time that I posted this, Sophos also flagged a blog reporting a somewhat similar fake update for Microsoft Outlook/Outlook Express (KB910721). The message is a lot different and links to a different site pretending to be Microsoft’s update site, but is clearly not to be trusted. So the
[Update: I notice that at about the same time that I posted this, Sophos also flagged a blog reporting a somewhat similar fake update for Microsoft Outlook/Outlook Express (KB910721). The message is a lot different and links to a different site pretending to be Microsoft’s update site, but is clearly not to be trusted. So the take-home messages are (1) don’t trust links in a message if you can’t be dead certain it comes from the source it seems to come from: go to a known authentic URL, or use the update mechanism within Windows itself (2) Check the link below on how Microsoft really disseminates update information.]
[Update 2: Spanish speakers might like to check out ESET Latin-America’s version of this blog, now at http://blogs.eset-la.com/laboratorio/2009/10/22/falsos-correos-de-microsoft-propagan-malware/. Nice that we can give them something to write about occasionally rather than vice versa!}
A trusted source (thanks, Steve!) has just sent us (among other security organizations) an example of a fake windows update. It claims to be an out-of-cycle security update sent from Microsoft, but redirects to an executable on a site which has, of course, nothing to do with Microsoft, and which ESET products detect as Win32/Injector.ACX.
For information on what Microsoft really does when it sends information on security updates, see http://www.microsoft.com/protect/yourself/phishing/msemail.mspx?wt_svl=10233EWNa1&mg_id=10233EWNb1
From: Microsoft [mailto:[email protected]] [This is spoofed, of course]
Sent: 22 October 2009 11:49
Subject: Update : DNCSKEUPXR [I’d presume that this is a randomized string, meant to foil simple filtering by subject]
Importance: High
Security update
When necessary, Microsoft provides a new security update on the second Tuesday of each month and publishes a bulletin to announce the update.
Occasionally, updates are released more often.[This is true, of course. However...]
The links below go to the latest update download.[…the link, which I’ve removed, is not to a Microsoft site.]
(Privat secured new link)
[removed]
Each bulletin includes links to the security updates.Microsoft has submitted a new update for all Windows OS web browsers, which brings a more stable and secure application, Internet Explorer version 7.0.195.24.
The new version has no new functionality but fixes one security vulnerability that has been classified as “high”, the highest level.
Vulnerability refers to the possibility of external attacks through Internet Explorer and Outlook Express . We recommend installing the update to keep you and your system safe .[Obviously, it would be a mistake to take any of this af face value!]
Thank you, Adrian King Director of Security Assurance Microsoft Corp. [There was an Adrian King at Microsoft who was Director of Operating Systems Products: he left many years ago. Messages like this commonly cite the same job title with different names.]
IHSOHKWZMNFOKEXCNRKOOGUBQZDDJQBIOTCRIL [Presumably randomized, probably as a simple “hashbuster”.]
David Harley
Director of Malware Intelligence
