The rogue messages claim to be coming from Microsoft

Oct 20, 2009 07:57 GMT

A new rogueware distribution email campaign employs a social engineering trick to scare users into installing malware. The scheme is centered around popular news subjects and brands such as the Conficker worm and Microsoft.

The fake emails have a "Conflicker.B Infection Alert" subject (note the bad spelling of Conficker) and claim to be coming from a "Microsoft Windows Agent." A closer look reveals that the e-mail address in the "From:" field is the same as the "To:" one, suggesting an OS-generated message.

The messages claim that a Conficker outbreak is ongoing and that Microsoft has been informed by the user's Internet service provider about a possible infection on their network. Furthermore, they note that Microsoft is offering a free system scan and instruct the user to unpack and install the attached file.

"Please install attached file to start the scan. The process takes under a minute and will prevent your files from being compromised. We appreciate your prompt cooperation," the emails, signed by a fictitious Microsoft Windows Agent #2 (Hollis) of the Microsoft Windows Computer Safety Division, read.

Executing the attached file will immediately display a warning in the system tray, claiming the system is infected and encouraging users to click on it in order to download antispyware tools. Clicking on the alert will download and install a fake antivirus application called "Antivirus Pro 2010."
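The header traits described above (a "From:" address identical to the "To:" one, a Microsoft-themed display name, a Conficker-themed subject and a file attachment) can be checked mechanically during mail triage. The following is an added example, not part of the original article; the sample message, the address, the attachment name, the extension list and the `triage` function are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import getaddresses

# Constructed sample modelled on the article's description; the address,
# attachment name and payload bytes are placeholders, not campaign data.
SAMPLE = """\
From: "Microsoft Windows Agent" <user@example.com>
To: user@example.com
Subject: Conflicker.B Infection Alert
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please install attached file to start the scan.
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="scan.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

RISKY_EXT = (".zip", ".rar", ".exe", ".scr")  # assumed list, tune locally

def triage(raw):
    """Return the names of the article's indicators that a raw message matches."""
    msg = message_from_string(raw, policy=policy.default)
    senders = getaddresses([str(v) for v in msg.get_all("From", [])])
    rcpts = {a.lower() for _, a in getaddresses([str(v) for v in msg.get_all("To", [])])}
    hits = []
    for name, addr in senders:
        addr = addr.lower()
        domain = addr.rpartition("@")[2]
        # "From:" equal to "To:" is the trait the article calls out.
        if addr and addr in rcpts:
            hits.append("self_addressed")
        # Display name invokes Microsoft but the address is not at microsoft.com.
        if "microsoft" in name.lower() and not (
                domain == "microsoft.com" or domain.endswith(".microsoft.com")):
            hits.append("vendor_name_mismatch")
    # Matches both the real spelling and the campaign's "Conflicker" typo.
    if re.search(r"confl?icker", str(msg.get("Subject", "")), re.I):
        hits.append("conficker_subject")
    if any((p.get_filename() or "").lower().endswith(RISKY_EXT) for p in msg.walk()):
        hits.append("risky_attachment")
    return hits
```

Each indicator is weak on its own (people do mail themselves archives), so the returned list is best used as a score for quarantine or analyst review rather than as a single-hit block rule.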

Fake security software, also known as scareware or rogueware, is designed to scare users into paying for a useless license by falsely claiming that their computers are infected with malware. Recent studies have concluded that these schemes are very profitable and that the users who fall for them don't just part with a substantial sum of money, but also compromise their credit card information in the process.

The choice of using Microsoft to add credibility to this campaign is a well-calculated one. The Redmond-based software giant has captured the headlines of recent security-related news with the release of its free Microsoft Security Essentials (MSE) antivirus program. Its association with Conficker is not coincidental either. The company has just made public the first statistics gathered from its MSE user base, which place Conficker amongst the most commonly detected infections.

Images: Cybercrooks use fake Microsoft alerts to spread their scareware; fake Conficker alert email pushing rogueware; fake system tray warning message.