
By Dawn Kawamoto, News.com
Posted on ZDNet News: Apr 8, 2005 2:40:00 PM

An e-mail campaign designed to lure people to a bogus Microsoft Web site is making the rounds as part of an attempt to install a Trojan horse, antivirus company Sophos said Friday.

Attackers are sending out fake e-mails that claim to come from Microsoft's Windows Update. People who click on the link in the message are steered to a site that looks like Microsoft's security update site, where they are urged to download fake patches.

But should unsuspecting users download the bogus patches, they will infect their computers with the Troj/DSNX-05 Trojan horse, according to Sophos. That, in turn, will let the attackers remotely take control of the infected PC.

"Microsoft does not issue security warnings this way," said Graham Cluley, Sophos senior technology consultant. "They don't send updates in an HTML format, so don't follow the links in an e-mail. If you want to see if an update is real, you need to go to the real Microsoft Web site and check there."

People, however, are likely to click on the phony Microsoft update notices, given that they are making the rounds at the same time as Microsoft is poised to issue its regular monthly security update.

"Next week, Microsoft is going to release their monthly security patches. So with all the news that is out there about it, some people may be tempted to click on the (bogus) link," Cluley said.

Microsoft has posted a notice on its site saying that on Tuesday it will issue some critical patches for Windows, Office, MSN Messenger and Exchange.

The software maker is aware of the bogus e-mails, a company representative said Friday. It is encouraging people to go directly to its Web site for updates, instead of clicking on a link that purportedly takes them there. Once on the legitimate Microsoft site, they can click on the link that provides information on how to tell if a Microsoft security notice is legitimate.

Techniques like the Trojan horse e-mails are not new; malicious virus writers have in the past sent e-mails with attachments proclaiming to contain downloadable security updates. The Dumaru worm was one such example, Cluley said.

And in another example of attackers taking advantage of Microsoft's monthly patch cycle, malicious virus writers sent out bogus e-mails in January that claimed to come from Microsoft and that encouraged users to click on an attachment containing a Trojan horse.

The new spam e-mail started making the rounds on April 2 and continued through as late as 6 a.m. Friday PST, according to Sophos. The company noted that only 582 copies have been received, accounting for 0.04 percent of all spam that was tracked during that time by Sophos.

