Just in time for Microsoft's most recent security advisory, spammers are distributing yet another fake Microsoft Update. The message arrives with the subject "Security Update for OS Microsoft Windows" and purports to come from the "Microsoft Official Update Center". It even includes a Pretty Good Privacy (PGP) signature block to lend it authenticity. A signature block pasted into a message body proves nothing unless the recipient actually verifies it against a key they already trust, and almost no recipient will.

A sample email is shown in the following screenshot:

Figure 1. MS Update spam sample

Of course, the email carries the supposed security update, which Trend Micro now detects through the Smart Protection Network as BKDR_HAXDOOR.MX. BKDR_HAXDOOR.MX makes multiple registry changes so that it runs at every system startup, even when the system is booted into Safe Mode. It also downloads a file containing HTML code that the malware uses to imitate legitimate financial websites.

Furthermore, this backdoor opens several TCP ports through which remote attackers can connect to the compromised PC, execute files, steal information from it, or upload and download files.

The attachment's file name varies but follows the convention KBxxxxxx.exe, where xxxxxx is a random six-digit number. Below are some of the file names we have seen in use:

• KB199250.exe
• KB246586.exe
• KB535548.exe
• KB572906.exe
• KB763412.exe

The first sample was captured at around 2:00 PM PST on October 9, 2008, the same day Microsoft released its own security advisory for October 2008. The timing is uncanny and makes the lure more believable. Users are advised to download software updates directly from the vendor's own website, which in this case is Microsoft's update page; Microsoft does not distribute updates as email attachments.
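The indicators above (the lure subject, a sender claiming to be Microsoft, an executable attachment named KBxxxxxx.exe, and an unverified PGP signature block) translate directly into mail-gateway triage logic. The following is an added example written for this page, not Trend Micro's code or a product rule; it uses only the Python standard library, and the message it parses is constructed here with an inert placeholder in place of the real attachment. The sender address, the sample KB number and the placeholder signature text are assumptions for the demonstration.

```python
"""Triage of the fake "Security Update for OS Microsoft Windows" mail.

Added example, not Trend Micro's code.  It parses a raw RFC 822 message,
lists the attachments and applies the indicators from the write-up.  The
sample message is constructed below; its attachment is inert filler.
"""
import re
from typing import Optional
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Naming convention reported for the attachment: "KB" + six digits + ".exe".
KB_ATTACHMENT = re.compile(r"^KB\d{6}\.exe$", re.IGNORECASE)
SUBJECT_LURE = re.compile(r"security update for os microsoft windows", re.IGNORECASE)
PGP_BLOCK = re.compile(
    r"-----BEGIN PGP SIGNATURE-----.*?-----END PGP SIGNATURE-----", re.DOTALL
)
# Extensions Windows runs directly when double-clicked.
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def build_sample(attachment: Optional[str] = "KB572906.exe",
                 subject: str = "Security Update for OS Microsoft Windows",
                 signed: bool = True) -> bytes:
    """Build a constructed message resembling the spam (or a benign one)."""
    msg = EmailMessage()
    # Display name and address are whatever the spammer typed (assumed here);
    # nothing in SMTP checks them.
    msg["From"] = "Microsoft Official Update Center <update@microsoft.com>"
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    body = "Please install the attached update to keep your system secure.\n"
    if signed:
        # Constructed, meaningless signature block: looks official, verifies nothing.
        body += (
            "-----BEGIN PGP SIGNATURE-----\n"
            "Version: GnuPG v1.4.9 (MingW32)\n\n"
            "iQEcBAEBAgAGBQJI7mFkAAoJEConstructedPlaceholderSignatureData=\n"
            "=AbCd\n"
            "-----END PGP SIGNATURE-----\n"
        )
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"MZ placeholder, not a real PE file",
                           maintype="application", subtype="octet-stream",
                           filename=attachment)
    return msg.as_bytes()


def triage(raw: bytes) -> dict:
    """Parse one message and return the indicators it matches plus a verdict."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    subject = msg["Subject"] or ""
    sender = msg["From"] or ""
    attachments = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
    body_part = msg.get_body(preferencelist=("plain",))
    text = body_part.get_content() if body_part is not None else ""

    findings = []
    if SUBJECT_LURE.search(subject):
        findings.append("subject matches the known lure")
    has_executable = any(n.lower().endswith(EXECUTABLE_EXT) for n in attachments)
    if "microsoft" in sender.lower() and has_executable:
        findings.append("claims to be Microsoft yet carries an executable; "
                        "Microsoft does not mail updates as attachments")
    for name in attachments:
        if KB_ATTACHMENT.match(name):
            findings.append(f"attachment {name} follows the KBxxxxxx.exe convention")
    if PGP_BLOCK.search(text):
        findings.append("PGP signature block present but never verified; "
                        "treat it as decoration, not as proof of origin")

    # Any directly executable attachment is enough on its own; otherwise
    # two or more indicators together earn quarantine, one earns a look.
    if has_executable or len(findings) >= 2:
        verdict = "quarantine"
    elif findings:
        verdict = "review"
    else:
        verdict = "pass"
    return {"subject": subject, "attachments": attachments,
            "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for line in triage(build_sample())["findings"]:
        print("-", line)
```

Two caveats on the design. Six-digit KB numbers also appear in the names of genuine Microsoft articles, so the file-name pattern on its own is a weak signal; the weight sits on the combination of a Microsoft claim with a directly executable attachment, which is never legitimate. And the code deliberately does not try to verify the PGP block: the only meaningful check would be `gpg --verify` against a Microsoft key the recipient already trusts, and the spam relies on nobody doing that.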

© Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice