Softpedia
June 8th, 2007, 09:45 GMT

After Porn, Microsoft Security Patch Infects Computers with Trojans

After Symantec reported that the Windows Update mechanism can be hijacked by hackers in order to compromise computers, Microsoft's security patch infrastructure is once again the target of attacks. The difference this time is that the threat does not exploit a flaw in the architecture of Microsoft's update mechanism; instead it uses social engineering to get the job done. The approach is nothing new, but it has generally been associated with pornographic lures aimed at Windows users rather than with security updates.

The SANS Internet Storm Center (ISC) warned that a mass spamming campaign is pushing a fake Microsoft Security Bulletin to Windows users. According to security vendor Avira, only Windows 98, Windows 98 SE, Windows NT, Windows ME, Windows 2000, Windows XP and Windows Server 2003 are at risk of infection. Avira does not consider the TR/PSW.Lineag.abi.2 Trojan horse a threat to Windows Vista.

The spammed email messages contain a reference to a valid Microsoft Security Bulletin. "Microsoft Security Bulletin MS06-4 - Cumulative Security Update for Internet Explorer (113742734), Published: June 3, 2007, Version: 1.0, Summary: who should read this document: customers who use Microsoft Windows, impact of Vulnerability: Remote Code Execution, Maximum Severity Rating: Critical, recommendation: Customers should apply the update immediately," is the data associated with the messages as revealed by SANS.

There are, of course, a few clues that give the message away as a fake that merely masquerades as coming from Microsoft. First, the Redmond company never pushes security updates, let alone Critical patches, through email. Microsoft serves patches either through Windows Update or through the customized images containing each month's updates, downloadable directly from the company. Second, all Microsoft security bulletins follow a fixed identifier format; in this case "MS06-4" only vaguely resembles the official "MS06-004." Third, because we are in 2007, every bulletin Microsoft releases this year is numbered MS07-nnn, not MS06.
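As an added example that is not part of the article or of the SANS report, the three clues above can be turned into a simple check that mail filters or analysts could run over a suspect message. The sample email below is constructed from the text SANS quoted; the download URL in it is a made-up placeholder.

```python
import re
from datetime import datetime

# Constructed sample modelled on the spammed message (not a real email);
# the link is a placeholder, not the actual malicious host.
SAMPLE_EMAIL = """Microsoft Security Bulletin MS06-4 - Cumulative Security Update for Internet Explorer (113742734)
Published: June 3, 2007
Version: 1.0
Summary: who should read this document: customers who use Microsoft Windows
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Critical
Recommendation: Customers should apply the update immediately
Download the patch: http://example.invalid/updatems06.exe
"""

BULLETIN_RE = re.compile(r"\bMS(\d{2})-(\d+)\b")
PUBLISHED_RE = re.compile(r"Published:\s*([A-Za-z]+ \d{1,2}, \d{4})")
EXE_LINK_RE = re.compile(r"https?://\S+\.exe\b", re.IGNORECASE)


def check_bulletin_mail(text: str) -> list[str]:
    """Return a list of indicators that the message is a fake Microsoft bulletin."""
    findings = []
    m = BULLETIN_RE.search(text)
    if m is None:
        findings.append("no Microsoft bulletin identifier found")
        return findings
    yy, seq = m.group(1), m.group(2)
    # Clue 2: real identifiers use a three-digit sequence (MS06-004, never MS06-4).
    if len(seq) != 3:
        findings.append(f"malformed bulletin id {m.group(0)} (expected MS{yy}-{int(seq):03d})")
    pub = PUBLISHED_RE.search(text)
    if pub:
        year = datetime.strptime(pub.group(1), "%B %d, %Y").year
        # Clue 3: the two-digit prefix is the release year, so a 2007 bulletin is MS07-nnn.
        if int(yy) != year % 100:
            findings.append(f"bulletin year MS{yy} does not match published year {year}")
    # Clue 1: Microsoft delivers patches via Windows Update, not email links to executables.
    for link in EXE_LINK_RE.findall(text):
        findings.append(f"message links directly to an executable: {link}")
    return findings
```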

"The scheme is what you would expect: the message includes a link to what, it claims, is a patch that is supposed to address the issue. The file, hosted on a remote server, is called "updatems06.exe". It is a UPX-packed executable that is recognized as being malicious by half of the anti-virus engines available to VirusTotal. The executable installs a malicious browser add-on (BHO) "down.dll" on the victim's system in C:\WINDOWS\system32. Anti-virus engines that recognize the BHO as malware identify it as Agent.avk. This seems to be a downloader that is also capable of spying on the user's interactions with certain sites," SANS added.
Copyright © 2001-2012 Softpedia.