It's not a critical update, it's malware

Dec 7, 2009 11:43 GMT  ·  By

Malware distributors continue resorting to the fake software update lure for their email spam campaigns. The latest attack poses as a notification regarding a Windows security bulletin, which links to a malicious executable.

The rogue emails impersonate Steve Lipner, Microsoft’s Director of Security Assurance, who allegedly informs the receiver about a high-priority security update for all versions of Windows. "Please notice that Microsoft company has recently issued a Security Update for OS Microsoft Windows. The update applies to the following OS versions: Microsoft Windows 2000, Microsoft Windows Millenium [sic], Microsoft Windows XP, Microsoft Windows Vista and Microsoft Windows 7," the fake message reads.

There are some more or less subtle signs that this email is fake, depending on who is at the receiving end. An IT professional, for example, will be tipped off by the poor technical language and by the fact that Windows Millennium Edition has not received updates since its support ended in 2006. The message is nonetheless credible enough to trick an average user.

As expected, the email goes on to recommend that the security update be installed immediately and provides a link to download it. It even tries to explain the reason for the message reaching your inbox in the first place, by claiming that "your computer is set to receive notifications when new updates are available."

The Windows-KBxxxxx-ENU.exe executable file linked in the email is generically detected by Sophos as Mal/EncPK-LL. "The executable itself is a Delphi executable packed using a custom packer but it seems to be malformed and caused errors while executing on my test system. Additional testing would be required for a detailed analysis of the cause," Vanja Svajcer, Sophos' principal virus researcher, explains.

This spam run is a repeat of an older one that circulated in October 2008. Like this one, the 2008 campaign was timed to land just before Microsoft released its monthly security bulletins, on the second Tuesday of the month, a day known in the industry as "Patch Tuesday."

The security updates theme is a recurring one with malware distributors. Back in June, we reported on two similar email attacks that offered a bogus Microsoft Outlook security update and a Microsoft-developed removal tool for the infamous Conficker worm. Security experts advise against following direct links to executable files sent through email; genuine Windows security updates are delivered through Windows Update, not as executables linked from a message.
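The indicators discussed above (a direct link to an executable, Microsoft branding from a non-Microsoft sender, an "update" for a product that is out of support, and a send date just before Patch Tuesday) can be checked mechanically. The following script is an added example and is not code from the article or from Sophos; it runs on a constructed message modelled on the quoted spam, in which the sender address, host and URL are placeholders invented for the example (the KB number is left as "xxxxx", as in the article). The function names, the list of executable suffixes and the seven-day "pre-Patch Tuesday" window are the example's own choices.

```python
import re
from datetime import date, timedelta
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample modelled on the lure described in the article. The wording
# follows the quoted spam; the sender address, host and URL are placeholders
# invented for this example.
SAMPLE_EMAIL = """\
From: Steve Lipner <security-bulletins@example.invalid>
To: user@example.org
Subject: Security Update for OS Microsoft Windows
Date: Mon, 07 Dec 2009 09:12:00 +0000
Content-Type: text/plain; charset="us-ascii"

Please notice that Microsoft company has recently issued a Security Update
for OS Microsoft Windows. The update applies to the following OS versions:
Microsoft Windows 2000, Microsoft Windows Millenium, Microsoft Windows XP,
Microsoft Windows Vista and Microsoft Windows 7.

Download and install the update immediately:
http://download.example.invalid/Windows-KBxxxxx-ENU.exe

Your computer is set to receive notifications when new updates are available.
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi")
# Products that were already out of support when this campaign ran (assumed list).
UNSUPPORTED_PRODUCT_RE = re.compile(r"\bwindows (?:millenn?ium|me|98)\b")
LEGITIMATE_SENDER_DOMAINS = ("microsoft.com",)


def patch_tuesday(year, month):
    """Second Tuesday of the month, the day Microsoft ships its monthly bulletins."""
    first = date(year, month, 1)
    days_to_first_tuesday = (1 - first.weekday()) % 7  # weekday(): Monday=0, Tuesday=1
    return first + timedelta(days=days_to_first_tuesday + 7)


def _plain_text(msg):
    """Concatenate the text/plain parts of a (possibly multipart) message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def analyse_update_email(raw_message):
    """Return the lure indicators found in an 'update notification' email."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower() if "@" in address else ""
    body = _plain_text(msg)
    text = "\n".join((display_name, msg.get("Subject", ""), body))
    lower = text.lower()
    urls = URL_RE.findall(text)
    findings = []

    # 1. A direct link to an executable is the core of this lure; real updates
    #    arrive through Windows Update, not as an .exe linked from a mail.
    if any(u.split("?", 1)[0].lower().endswith(EXECUTABLE_SUFFIXES) for u in urls):
        findings.append("executable_link")

    # 2. Microsoft branding (display name, subject or body) from a sender
    #    domain that is not microsoft.com or one of its subdomains.
    if "microsoft" in lower and not any(
        sender_domain == d or sender_domain.endswith("." + d) for d in LEGITIMATE_SENDER_DOMAINS
    ):
        findings.append("sender_domain_mismatch")

    # 3. An "update" for a product that no longer receives updates.
    if UNSUPPORTED_PRODUCT_RE.search(lower):
        findings.append("unsupported_product")

    # 4. Timing: both runs described in the article landed just before Patch
    #    Tuesday. Flag a send date in the seven days before it (assumed window).
    sent = None
    if msg.get("Date"):
        sent = parsedate_to_datetime(msg["Date"]).date()
        if timedelta(0) < patch_tuesday(sent.year, sent.month) - sent <= timedelta(days=7):
            findings.append("pre_patch_tuesday")

    return {"sender_domain": sender_domain, "sent": sent, "urls": urls, "findings": findings}


if __name__ == "__main__":
    result = analyse_update_email(SAMPLE_EMAIL)
    print("Sender domain:", result["sender_domain"])
    print("Links:", result["urls"])
    print("Indicators:", ", ".join(result["findings"]) or "none")
```

Run against the constructed sample, all four indicators fire; a notice from a microsoft.com address that carries no link and is dated after Patch Tuesday produces none. The sender-domain check only looks at the envelope-visible From address, so in a real mail pipeline it should be paired with SPF or DKIM results, since the display name and domain in From are both attacker-controlled.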