Beware fake Microsoft security advisories, say researchers

Windows users are being warned of fake Microsoft security advisories that actually link to a malicious website.

An email claiming to be "Microsoft Security Bulletin MS06-4," a cumulative security update for Internet Explorer, has been sent to end-users, according to a Friday post on the SANS Internet Storm Center website by handler Lenny Zeltser.

Zeltser, information security practice leader at Gemini Systems, pointed out that an authentic 2007 bulletin from Microsoft would begin with "MS07" and have a three-digit identification number after the dash.

The email includes a link to a malicious executable file on a remote server, which installs a browser add-on on the victim’s PC.

"The scheme is what you would expect: the message includes a link to what it claims is a patch that is supposed to address the issue," Zeltser said on the ISC diary. "The file, hosted on a remote server, is called ‘updatems06.exe.’ It is a UPX-packed executable that is recognised as being malicious by half of the anti-virus engines available to VirusTotal."

Zeltser added that the malicious file, identified by some anti-virus engines as Agent.avk, is a malware-downloader that can also spy on user activity.

A Microsoft spokesperson said today that customers can validate Microsoft websites via SSL.
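The two tells the article describes, a bulletin ID that does not fit the MSyy-nnn pattern and a "patch" link that points at an executable on a non-Microsoft, non-HTTPS host, can be turned into a simple triage check. The code below is an added example, not from the article or from Microsoft; the trusted domain list and the sample message are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Genuine bulletin IDs look like MSyy-nnn: two-digit year, dash, three digits.
BULLETIN_ID = re.compile(r"\bMS(\d{2})-(\d+)\b")

# Assumption: the only domains from which a patch link should be accepted.
TRUSTED_DOMAINS = ("microsoft.com",)


def check_bulletin_id(subject, current_year):
    """Return the problems found with the bulletin ID in a message subject."""
    match = BULLETIN_ID.search(subject)
    if not match:
        return ["no bulletin ID present"]
    year, number = match.group(1), match.group(2)
    problems = []
    if len(number) != 3:
        problems.append(f"bulletin number '{number}' is not three digits")
    full_year = 2000 + int(year)
    if full_year != current_year:
        problems.append(f"bulletin year {full_year} does not match the current year {current_year}")
    return problems


def check_link(url):
    """Return the problems found with the link a message asks the user to follow."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    problems = []
    if parsed.scheme != "https":
        problems.append("link is not HTTPS, so the site cannot be validated via SSL")
    trusted = any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)
    if not trusted:
        problems.append(f"link host '{host}' is not a Microsoft domain")
    if parsed.path.lower().endswith(".exe"):
        problems.append("link points directly at an executable rather than a bulletin page")
    return problems


def triage(subject, url, current_year):
    """Combine both checks; an empty list means nothing suspicious was found."""
    return check_bulletin_id(subject, current_year) + check_link(url)


if __name__ == "__main__":
    # Constructed sample: the ID from the article with a placeholder host.
    for p in triage("Microsoft Security Bulletin MS06-4", "http://patch-server.example/updatems06.exe", 2007):
        print("suspicious:", p)
```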

"Our investigation of the issue has determined that this was a one-time email spam containing a trojan downloader," said the spokesperson. "The sites hosting the files to be downloaded are not currently online, thus the downloader mechanism will fail."

Microsoft is urging affected end-users to visit Microsoft Support for assistance or call the PC Safety hotline at 1-866-PCSAFETY.

Zeltser told SCMagazine.com today that all three websites hosting malicious code for the emails have been shut down.

"What I found interesting about the program being downloaded is that it itself was receiving instructions for what other files to download onto the system, and it was seeking them out on three different websites. None of them were live, but two of them were part of domains that weren’t even registered yet," he said. "This suggested that the attacker was still in the very early stages of setting up the scheme and hadn’t yet registered the names."

Andrew Berkuta, senior security evangelist and strategist at McAfee, told SCMagazine.com today that attacks using similar techniques are nothing new, but the fake security advisory shows attackers are getting smarter.

"Unfortunately, it’s not as new of a technique as one would hope. Banks have been subject to this type of emailing where people would get something from their bank, and it looks legitimate. eBay has been a target of this, and so has PayPal and others," he said. "If it has an inkling of legitimacy, people tend to believe it without checking. You build a better mousetrap and mice tend to see that and you get a smarter mouse."
