Aug 1, 12:31 pm (UTC-7)   |   by Jasper Pimentel (Advanced Threats Researcher)

The recent wave of operating system and application vulnerabilities has prompted some security-conscious users to download security patches from Microsoft. But watch out: the patch you are about to install may be more than meets the eye…


Just a couple of hours ago, we received a suspicious-looking email claiming to be a security advisory from Microsoft. Complete with instructions on where to download the patch and how to install it, the email further claims that the patch fixes a vulnerability in the Windows TCP/IP protocol. Check out the full text of the email body below:


Dear Customer,


Our anti-virus labs have detected a new 0-day vulnerability in the Microsoft Windows TCP/IP protocol, that could allow an attacker to takeover an unpached computer.We dont have too many details, since we have recently become aware of the vulnerability, but if patch is not applied as soon as possible, you risk your computer to be exploited. Because the vulnerability affects the kernel of Microsoft Windows, we cannot provide the patch using the Microsoft Update Service, so we have decided to notify all our customers that have registered their Microsoft Windows Operating System about this new threat. Because the security of our customers is very important to us, we have developed a patch to fix the kernel of Microsoft Windows, and to prevent your computer from being attacked.


Please click on following link, download the patch and follow the instructions


[DOWNLOAD LINK HERE]



  1. Download the patch on your Desktop.
  2. Run the patch.
  3. Reboot your computer.

Each customer has an unique link to download the patch that will expire in 24 hours, so you have to apply within 24 hours after you receive this email. If you fail to do so, you risk your computer to be attacked and exploited by hackers.


Thank you


Microsoft Corp.


At this point it should be obvious that this email did not come from Microsoft at all. Here are some telltale signs that the email is not what it claims to be:



  1. Presence of a typographical error ("unpached"?)
  2. No technical details are given, and no links to technical details are provided
  3. Although it is not shown in the email text above, the download link uses a bogus Microsoft URL
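The three signs above translate into checks that a mail filter or a cautious reader can apply mechanically: does the message contain misspellings a vendor advisory would not ship with, does it talk about a patch without citing any bulletin, KB or CVE identifier, do the sender mailbox and the download link sit outside the vendor's own domains, does the link point straight at an executable, and does it apply deadline pressure. The Python below is an added example written for this post, not Trend Micro's code or any Microsoft tooling. The sample messages, the sender mailboxes, the download URL and the list of trusted domains are constructed placeholders for illustration, not real addresses.

```python
import re
from urllib.parse import urlparse

# Constructed sample modelled on the fake advisory quoted above. The mailbox and the
# download URL are invented placeholders (note the ".example" top-level domain).
SAMPLE_EMAIL = """From: Microsoft Security <security@microsoft-update-center.example>
Subject: Critical Security Patch

Dear Customer,

Our anti-virus labs have detected a new 0-day vulnerability in the Microsoft Windows
TCP/IP protocol, that could allow an attacker to takeover an unpached computer.
Please click on following link, download the patch and follow the instructions
http://update.microsoft-update-center.example/patch/winfix.exe
Each customer has an unique link to download the patch that will expire in 24 hours.
"""

# Constructed benign counterpart: vendor domain, a bulletin id (placeholder number),
# a link to a web page rather than an executable, and no deadline pressure.
BENIGN_EMAIL = """From: Microsoft <secure@microsoft.com>
Subject: Microsoft Security Bulletin Summary

The bulletin MS06-000 is published at http://www.microsoft.com/technet/security/bulletin/ms06-000.mspx
"""

# Assumption for this example: the domains from which the vendor actually ships updates.
TRUSTED_DOMAINS = ("microsoft.com", "windowsupdate.com")

URGENCY_PHRASES = ("expire in 24 hours", "within 24 hours", "as soon as possible", "risk your computer")
MISSPELLINGS = ("unpached", " dont ", "recieve")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
FROM_RE = re.compile(r"^From:.*?<([^>]+)>", re.MULTILINE)
# Bulletin (MSyy-nnn), Knowledge Base (KBnnnnnn) or CVE identifiers.
TECH_REF_RE = re.compile(r"\b(KB\d{6,}|MS\d{2}-\d{3}|CVE-\d{4}-\d{4,})\b")
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".bat", ".pif")


def host_is_trusted(host: str) -> bool:
    """True only if host is a trusted domain or a subdomain of one (not a look-alike)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def extract_urls(text: str) -> list[str]:
    return URL_RE.findall(text)


def find_indicators(text: str) -> list[str]:
    """Return a human-readable list of the phishing indicators found in the message."""
    indicators = []
    lowered = text.lower()

    # 1. Typographical errors a vendor advisory would not contain.
    for word in MISSPELLINGS:
        if word in lowered:
            indicators.append(f"misspelling: {word.strip()}")

    # 2. Talks about a patch but never cites a bulletin, KB or CVE identifier.
    if "patch" in lowered and not TECH_REF_RE.search(text):
        indicators.append("no bulletin, KB or CVE reference")

    # 3. Sender mailbox and download links outside the vendor's domains,
    #    and links that hand the reader an executable directly.
    m = FROM_RE.search(text)
    if m:
        sender_host = m.group(1).rsplit("@", 1)[-1]
        if not host_is_trusted(sender_host):
            indicators.append(f"sender domain not trusted: {sender_host}")
    for url in extract_urls(text):
        parsed = urlparse(url)
        if not host_is_trusted(parsed.hostname or ""):
            indicators.append(f"link domain not trusted: {parsed.hostname}")
        if parsed.path.lower().endswith(EXECUTABLE_SUFFIXES):
            indicators.append(f"link points at an executable: {parsed.path.rsplit('/', 1)[-1]}")

    # 4. Deadline pressure (one indicator no matter how many phrases match).
    for phrase in URGENCY_PHRASES:
        if phrase in lowered:
            indicators.append(f"urgency: {phrase}")
            break

    return indicators


def is_suspicious(text: str, threshold: int = 2) -> bool:
    """Flag the message once at least `threshold` independent indicators are present."""
    return len(find_indicators(text)) >= threshold


if __name__ == "__main__":
    for label, mail in (("sample", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(f"{label}: suspicious={is_suspicious(mail)}")
        for indicator in find_indicators(mail):
            print("  -", indicator)
```

The domain check compares registrable suffixes rather than looking for the substring "microsoft", which is what makes look-alike hosts such as `microsoft-update-center.example` or `microsoft.com.example` fail it. The threshold of two indicators is deliberate: any single heuristic (a typo, a 24-hour deadline) will occasionally fire on legitimate mail, but the fake advisory in this post trips all of them at once.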

The file downloaded from the specified link is not a security patch. Rather, it is a keylogger that monitors keystrokes and sends the captured information to an attacker through email.


This spammed email uses social engineering techniques to increase the chances of spreading the malware. As a measure against future attacks of this kind, we advise users to be aware of such methods.


Trend Micro will detect this malicious file as TSPY_DELF.CFC. A detection pattern is currently in the works for this new piece of malware. We'll keep you posted on updates.


Update (Jasper, Tue, 01 Aug 2006 03:42:45 PM)

The detection pattern for this malware is now available in CPR 3.630.03.




© Copyright 2009 Trend Micro Inc. All rights reserved.