Critical WMF-Exploit patch...

Jun 11, 2007 13:23 GMT  ·  By

With the monthly Microsoft patch cycle drawing near, spammed emails posing as security updates for a vulnerability in the company's latest operating system, Windows Vista, and timed to coincide with the bulletins scheduled for June 12, 2007, are carrying malware. According to F-Secure, emails seen at the end of May that masquerade as a security update for Windows Vista and various other versions of Windows are designed to infect users with Backdoor:W32/VanBot.CA. The Redmond company's monthly security bulletin cycle is thus being exploited as a lure for spreading malware.

The spammed emails appear to originate from Microsoft Support, even featuring the [email protected] address, and they describe an actual vulnerability affecting Windows 2000, Windows XP, Windows Server 2003 and Windows Vista. Among the seven GDI vulnerabilities referenced is the Windows Animated Cursor Handling flaw, rated critical by Microsoft and patched in April 2007.

The first clue that the email claiming to be a security update notification from Microsoft is a fake is the message itself. "Critical WMF-Exploit patch. In program maintenance of Microsoft corporation, a critical vulnerability has been found in processing WMF-files. Exploits using the 'SetAbortProc' GDI function were discovered in May 2007. The function, which registers an error handler normally intended for use when a print job is canceled during spooling, allows arbitrary code added to a WMF image to be executed without the permission of the user," reads a fragment of the text.

Additionally, the message carries no formatting that would mark it as a genuine Microsoft notification, and nowhere does it reference the official Security Bulletin MS07-017 that actually patched the GDI vulnerabilities. The email also contains a direct download link to an .exe file, and promises to update Windows 98; as Windows 98 is no longer supported by Microsoft, it receives no security updates at all. At the time of writing, F-Secure had already reported that the malicious file was no longer at its original location.
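The red flags listed above (a direct executable download link, a link host outside microsoft.com while the sender claims to be Microsoft, no MSyy-nnn bulletin identifier, and a promise to patch a Windows version already out of support) can be turned into a mail-triage heuristic. The following is an added example, not code from F-Secure, Microsoft or the article; the two sample messages, the sender addresses and the download host are constructed for the example, with the spam sample only modelled on the quoted text.

```python
"""Heuristic triage of an e-mail claiming to be a Microsoft security update.

Added example: scores a message against the red flags the article lists.
Both sample messages below are constructed; the addresses and hosts in them
are hypothetical.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)
# Microsoft security bulletins are identified as MSyy-nnn, e.g. MS07-017.
BULLETIN_RE = re.compile(r"\bMS\d{2}-\d{3}\b", re.IGNORECASE)
# Extensions Windows runs directly; a genuine bulletin never links to these from mail.
EXEC_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi")
# Windows versions already out of extended support by June 2007.
UNSUPPORTED_OS_RE = re.compile(r"\bWindows\s+(95|98|ME|NT\s*4(\.0)?)\b", re.IGNORECASE)

# Constructed spam sample, modelled on the indicators the article describes.
SAMPLE_SPAM = """\
From: Microsoft Support <support@microsoft.com>
To: user@example.net
Subject: Critical WMF-Exploit patch
Content-Type: text/plain; charset=us-ascii

In program maintenance of Microsoft corporation, a critical vulnerability
has been found in processing WMF-files. Install the patch for Windows 98,
2000, XP, 2003 and Vista from:
http://ms-update-mirror.example/patch/WMFpatch.exe
"""

# Constructed notification in the shape a genuine bulletin announcement takes
# (hypothetical sender address; bulletin page URL in the 2007 TechNet layout).
SAMPLE_LEGIT = """\
From: Microsoft Security Notifications <secnotif@microsoft.com>
To: user@example.net
Subject: Microsoft Security Bulletin MS07-017 released
Content-Type: text/plain; charset=us-ascii

MS07-017 (Vulnerabilities in GDI Could Allow Remote Code Execution) is
available through Windows Update. Details:
http://www.microsoft.com/technet/security/bulletin/ms07-017.mspx
"""


def _body_text(msg) -> str:
    """Concatenate the decoded text/* parts of a parsed message (multipart-safe)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type().startswith("text/"):
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def _under(host: str, domain: str) -> bool:
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def triage(raw: str) -> list:
    """Return the list of red flags found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    body = _body_text(msg)
    text = msg.get("Subject", "") + "\n" + body
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    claims_microsoft = _under(sender_domain, "microsoft.com")

    flags = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;")              # drop sentence punctuation glued to the URL
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if parsed.path.lower().endswith(EXEC_EXTS):
            flags.append(f"direct executable download: {url}")
        if claims_microsoft and not _under(host, "microsoft.com"):
            flags.append(f"sender claims microsoft.com but link points to {host}")
    if not BULLETIN_RE.search(text):
        flags.append("no MSyy-nnn security bulletin identifier")
    m = UNSUPPORTED_OS_RE.search(text)
    if m:
        flags.append(f"promises an update for unsupported {m.group(0)}")
    return flags


def is_suspicious(raw: str) -> bool:
    """Hard verdict: one executable link or off-domain link is enough on its own."""
    return any(f.startswith(("direct executable", "sender claims")) for f in triage(raw))


if __name__ == "__main__":
    for name, sample in (("spam", SAMPLE_SPAM), ("legit", SAMPLE_LEGIT)):
        print(name, is_suspicious(sample), triage(sample))
```

The two link checks are treated as decisive because Microsoft does not distribute patches through links or attachments in e-mail; the bulletin-identifier and unsupported-OS checks are softer and are only reported.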