Language Selection

English French German Italian Portuguese Spanish

Phishing Scam Targets Windows Update

Filed under
Microsoft
Security

A phishing scam emulating the Windows Update Service hit Australia yesterday, designed to not only emulate the update page perfectly, but circumvent current antivirus, spyware and adware programs.

The spam e-mail directs users to a page that pulls graphics from the Microsoft.com Web site and then recreates the page asking users to download a Windows update that is actually a malicious .exe file.

Director of SurfControl, Charles Heunemann, said the company discovered the virus late last night and that current heuristics and signatures used by core antivirus vendors are not picking up the malicious code.

"We are still trying to get to the bottom of it," Heunemann said.

"It is not a malicious attack for network resources but appears to send a message to the Internet advertising itself as a zombie machine - we think the .exe file pulls other code to turn the machine into a spamming server.

"The actual e-mail looks like a Microsoft e-mail but I don't think it is the practice for Microsoft to ask users to update their operating system by launching a link from an e-mail."

The virus, titled Wupdate-20050401, installs an executable file into the Windows directory and adds a startup service. When it is running the program takes up 100 percent of the CPU power, controlling the CPU by forcing it to perform continuous processes.

Microsoft security product manager Ben English said this is just one of many scams they are currently monitoring, adding that it is not unique.

"There are effective defences against these types of scams and we advise users to follow some simple guidelines," English said.

"Microsoft is aware of the SurfControl notice regarding the spoofing scam of Windows update and our advice to customers remains the same.

"Microsoft never attaches software updates to our security e-mail notifications; we never send notices about security updates or incidents until after we publish information about them on our Web site and if you suspect that an e-mail message is not legitimate, do not click any hyperlinks within it."

Sophos' Asia Pacific head of technology, Paul Ducklin, was aware of the program in question and said despite all the technology in the world, education and informed decisions by users will always be the best resort to stopping malware.

"Even if all other defences are down, with Trojan malware if a person doesn't click on it, it won't work - they all involve, to some extent, collaboration with users," Ducklin said.

"Three ways to block them include having software to prevent a suspicious program, using programs at the gateway to block .exe files and of course user education and information."

More in Tux Machines

Leftovers: OSS

Security Leftovers

  • Secure Server Deployments in Hostile Territory, Part II
    There are a few other general security practices I put in place. First, as I mentioned before, because each host has a certificate signed by an internal trusted CA for Puppet, we take advantage of those certs to require TLS for all network communications between hosts. Given that you are sharing a network with other EC2 hosts, you want to make sure nobody can read your traffic as it goes over this network. In addition, the use of TLS helps us avoid man-in-the-middle attacks.
  • Hackers Can Disable a Sniper Rifle—Or Change Its Target
    At the Black Hat hacker conference in two weeks, security researchers Runa Sandvik and Michael Auger plan to present the results of a year of work hacking a pair of $13,000 TrackingPoint self-aiming rifles. The married hacker couple have developed a set of techniques that could allow an attacker to compromise the rifle via its Wi-Fi connection and exploit vulnerabilities in its software. Their tricks can change variables in the scope’s calculations that make the rifle inexplicably miss its target, permanently disable the scope’s computer, or even prevent the gun from firing. In a demonstration for WIRED (shown in the video above), the researchers were able to dial in their changes to the scope’s targeting system so precisely that they could cause a bullet to hit a bullseye of the hacker’s choosing rather than the one chosen by the shooter.
  • Get root on an OS X 10.10 Mac: The exploit is so trivial it fits in a tweet
    Yosemite, aka version 10.10, is the latest stable release of the Mac operating system, so a lot of people are affected by this vulnerability. The security bug can be exploited by a logged-in attacker or malware on the computer to gain total unauthorized control of the Mac. It is documented here by iOS and OS X guru Stefan Esser. It's all possible thanks to an environment variable called DYLD_PRINT_TO_FILE that was added in Yosemite. It specifies where in the file system a component of the operating system called the dynamic linker can log error messages. If the environment variable is abused with a privileged program, an attacker can modify arbitrary files owned by the powerful user account root – files like the one that lists user accounts that are allowed administrator privileges.

Open-Source CMSs Appeal To Control-Oriented Media

Snubbed by local media in their infancy for being too rudimentary, news outlets are taking a growing interest in using open-source content management systems like WordPress and Drupal. Media companies’ tech execs say they like the open-source CMS platforms because the software now offers all the extras and options that managed CMS platforms do, while also allowing them more creativity and control. Read more Also: Execs from Kentico and HIPPO debate pros and cons of open source CMS Jahia Provides Open Source User Experience Platform to Samsung Subsidiaries as a Global Platform Partner

Fedora's Rawhide Kernel Adds In KDBUS Support, Ready For Testing

Lennart Poettering announced today that KDBUS is now in Rawhide. "Josh [Boyer] thankfully added it to the Rawhide kernel packages, and our systemd RPMs come with built-in support, too now. If you are running an up-to-date Rawhide system adding "kdbus=1" to your kernel command line is hence everything you need to run kdbus instead of dbus-daemon. (No additional RPMs need to be installed.) If you do, things should just work the same way as before, if we did everything right. By adding or dropping "kdbus=1" to/from the command line you can enable kdbus or revert back to dbus1 on each individual boot." Read more