
CA Community


Fake Microsoft Updates coming back?

Published: June 16 2009, 11:22 AM
by Rossano Ferraris

It’s been a while since I last saw a fake update email purporting to come from Microsoft security laboratories. Several people reported a strange email asking them to update their machines because of a recent outbreak of the well-known Conficker worm (see Figure 1 and Figure 2).


Figure 1 - Fake Email (part 1)


Figure 2 - Fake Email (part 2)

Let’s take a look at the body of the email, which is well written and uses persuasive language. The lure is a “Microsoft removal tool” that will supposedly scan and clean the user’s machine.
However, one phrase gives the game away: “you are advised to disable your already existing antivirus software.” A legitimate removal tool would not ask for that. The message confirms itself as spam when I hover the mouse pointer over the link “click here to download the removal tool”: the URL points not to Microsoft but to a Russian server, windowsupdate.microsoft.com.ssl3.pop3.ru, which hosts remtool_conf.exe. The hostname is crafted to begin with windowsupdate.microsoft.com, but the registered domain is pop3.ru; every label to the left of it is under the attacker’s control.

If we look at the header, we see the following:


Figure 3 - Email Header

The email comes from a host named Microsoft[dot]ssl[dot]com, with IP address 38.100.66.185. That address belongs to a server located in Texas and is not a Microsoft server; the sender name is another lookalike built around the Microsoft brand, since its registered domain is ssl.com, not microsoft.com.
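The two indicators above (a download link whose hostname merely starts with windowsupdate.microsoft.com, and a From: domain of Microsoft.ssl.com) are the same trick applied twice: a trusted brand name placed somewhere in a hostname whose registered domain belongs to someone else. The following script is an added example, not code from the original post or from any CA product. It parses a constructed message modelled on the one described here (the email text, the TRUSTED_DOMAINS set and the brand keyword are assumptions for the demo), extracts what hovering over each link would reveal, and flags every hostname that mentions the brand without being under its domain.

```python
"""Lookalike-domain check for the kind of lure described in this post.

Added example, not code from the original post or a CA product. The sample
message below is constructed to mirror the indicators the post describes
(a From: domain of microsoft.ssl.com and a "click here" link whose href
begins with windowsupdate.microsoft.com but sits under pop3.ru); it is not
the original email. The trusted-domain list is an assumption for the demo.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the lure claims to come from (assumed for the example).
TRUSTED_DOMAINS = {"microsoft.com"}

# Constructed sample, modelled on the indicators in the post.
SAMPLE_EMAIL = """\
From: Microsoft Security Laboratories <updates@microsoft.ssl.com>
To: user@example.org
Subject: Conficker worm outbreak: install the Microsoft removal tool
Content-Type: text/html

<html><body>
<p>A recent outbreak of the Conficker worm has been detected.</p>
<p>You are advised to disable your already existing antivirus software.</p>
<p><a href="http://windowsupdate.microsoft.com.ssl3.pop3.ru/remtool_conf.exe">
click here to download the removal tool</a></p>
<p>More information: <a href="http://www.microsoft.com/security">Microsoft Security</a></p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs, i.e. what hovering would reveal."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registrable_domain(hostname):
    """Last two labels of a hostname.

    Simplification: production code should use the Public Suffix List so
    that example.co.uk is not reduced to co.uk. It is enough to show that
    windowsupdate.microsoft.com.ssl3.pop3.ru is registered under pop3.ru.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_lookalike(hostname, trusted=TRUSTED_DOMAINS):
    """True if the hostname mentions a trusted brand but is not under its domain."""
    host = hostname.lower().rstrip(".")
    if registrable_domain(host) in trusted:
        return False
    brands = {t.split(".")[0] for t in trusted}  # e.g. "microsoft"
    return any(b in label for b in brands for label in host.split("."))


def analyze_message(raw, trusted=TRUSTED_DOMAINS):
    """Check the From: domain and every body link against the trusted set."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender_domain = msg["From"].addresses[0].domain
    parser = LinkExtractor()
    parser.feed(msg.get_content())
    links = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        links.append({
            "text": text,
            "host": host,
            "registrable": registrable_domain(host),
            "lookalike": is_lookalike(host, trusted),
        })
    return {
        "sender_domain": sender_domain,
        "sender_lookalike": is_lookalike(sender_domain, trusted),
        "links": links,
    }


if __name__ == "__main__":
    report = analyze_message(SAMPLE_EMAIL)
    print("From domain:", report["sender_domain"],
          "(LOOKALIKE)" if report["sender_lookalike"] else "")
    for link in report["links"]:
        flag = "LOOKALIKE" if link["lookalike"] else "ok"
        print(f'{flag:9} "{link["text"]}" -> {link["host"]} (owner: {link["registrable"]})')
```

Run stand-alone, the script flags both the sender domain (owner ssl.com) and the removal-tool link (owner pop3.ru) while leaving the genuine www.microsoft.com link alone. The registrable-domain step is the part that matters: a substring match on “microsoft.com” alone would miss microsoft.ssl.com, and a whitelist of hostnames would be defeated by any new subdomain the attacker creates.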

During the analysis, I download and install remtool_conf.exe:


Figure 4 - Removal Tool License

Then I click “Accept” and the tool, which is branded to look like a Symantec product, starts scanning my machine:


Figure 5 - Removal Tool Software

The fake scanner sweeps the entire machine while quietly opening a connection to the host makemymoneys.com (Figure 6), from which it attempts to download and install a further malicious file, winupdate.exe, detected by CA Security products as “DelfInject CX.”


Figure 6 - makemymoneys.com host hidden connection

CA Security products detect the fake removal tool as “FakeScan A”, warn the user, and can remove it.

Although the volume of fake Microsoft update emails has dropped, the current ones are more sophisticated and rely on high-profile social engineering (here, the Conficker outbreak) to lure victims. Two simple checks defeat this one: Microsoft does not distribute security updates or removal tools through links in unsolicited email, and no genuine update asks you to switch off the antivirus software you already run. The CA Research team advises users to treat this type of spam message with suspicion and to update their anti-malware products daily.


By: Rossano Ferraris
Rossano Ferraris is based in Italy and is the functional lead of the Internet Security Intelligence team within CA’s Internet Security Business Unit (CA ISBU). His main objectives are to identify emerging and prevalent threats in order to provide strategic security responses to the internet security and...
