Just in time for Microsoft’s most recent security advisory, spammers are now distributing yet another fake Microsoft Update. It arrives with the subject Security Update for OS Microsoft Windows and purports to come from the Microsoft Official Update Center. It even includes a Pretty Good Privacy (PGP) signature block to lend it an air of authenticity, though the block is pure decoration: a signature proves nothing unless the recipient actually verifies it against a key they already trust.
A sample email is shown in the following screenshot:
Figure 1. MS Update spam sample
Of course, the email carries the supposed security update, which Trend Micro now detects through the Smart Protection Network as BKDR_HAXDOOR.MX. BKDR_HAXDOOR.MX makes multiple registry changes so that it runs at every system startup, even when Windows is started in Safe Mode. It also downloads a file containing HTML code that the malware uses to fake legitimate financial websites on the infected machine.
Furthermore, this backdoor opens several TCP ports through which remote attackers can connect to the compromised PC, execute files, steal information, and upload or download files.
The attachment’s file name varies but follows the convention KBxxxxxx.exe, where xxxxxx is a random six-digit number, mimicking the Knowledge Base numbering that Microsoft uses for genuine update packages. Below are some of the file names we’ve seen in use:
The first sample was captured at around 2:00 PM PST on October 9, 2008, the same day Microsoft released its own security advisory for October 2008. The timing is uncanny and makes the lure more believable. Note that Microsoft does not send security updates as email attachments, so any message that does is fake no matter how official it looks. Users are advised to download software updates only from their vendor’s own website, which in this case is this Microsoft page.
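As an added example that is not part of the original post, the following Python script turns the traits described above (the subject line, the sender posing as Microsoft, the pasted PGP block and the KBxxxxxx.exe attachment) into a mail-triage check. The message it parses is constructed here: the sender domain, KB number, signature text and attachment bytes are invented. The check on the attachment's MZ header and the check that a PGP block sits in a plain body rather than in an RFC 3156 multipart/signed message are this example's additions, not something the post describes.

```python
import base64
import re
from email import message_from_string
from email.utils import parseaddr

# Traits of the lure described in the post.
LURE_SUBJECT = "security update for os microsoft windows"
KB_ATTACHMENT = re.compile(r"^KB\d{6}\.exe$", re.IGNORECASE)
PGP_BLOCK = re.compile(r"-----BEGIN PGP SIGNATURE-----.*?-----END PGP SIGNATURE-----", re.DOTALL)
PE_MAGIC = b"MZ"  # DOS header that starts every Windows executable

# Constructed sample modelled on the spam. The sender address, KB number,
# signature text and attachment bytes are made up for this example.
_FAKE_PE = base64.b64encode(PE_MAGIC + b"\x90\x00" + b"\x00" * 58).decode()
SAMPLE_SPAM = f"""From: Microsoft Official Update Center <update@example.invalid>
To: victim@example.invalid
Subject: Security Update for OS Microsoft Windows
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear customer, please install the attached security update.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9

iQEcBAEBAgAGBQJIconstructedconstructedconstructed
-----END PGP SIGNATURE-----
--b1
Content-Type: application/octet-stream; name="KB458723.exe"
Content-Disposition: attachment; filename="KB458723.exe"
Content-Transfer-Encoding: base64

{_FAKE_PE}
--b1--
"""

# A constructed benign message that should produce no findings.
SAMPLE_BENIGN = """From: Alice <alice@example.invalid>
To: bob@example.invalid
Subject: lunch?
Content-Type: text/plain

See you at noon.
"""


def attachments(msg):
    """Yield (filename, decoded bytes) for each part marked Content-Disposition: attachment."""
    for part in msg.walk():
        disposition = part.get("Content-Disposition", "").lower()
        name = part.get_filename()
        if name and disposition.startswith("attachment"):
            yield name, part.get_payload(decode=True) or b""


def plain_text(msg):
    """Concatenate the decoded text/plain bodies of a message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            chunks.append(part.get_payload(decode=True).decode("utf-8", errors="replace"))
    return "\n".join(chunks)


def triage(raw):
    """Return the reasons a message matches the fake-update lure; an empty list means no match."""
    msg = message_from_string(raw)
    reasons = []

    if (msg.get("Subject") or "").strip().lower() == LURE_SUBJECT:
        reasons.append("subject matches the lure")

    # A display name claiming Microsoft with an envelope address elsewhere is the usual tell.
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if "microsoft" in display.lower() and domain != "microsoft.com" and not domain.endswith(".microsoft.com"):
        reasons.append(f"display name claims Microsoft but sender domain is {domain}")

    for name, data in attachments(msg):
        if KB_ATTACHMENT.match(name):
            reasons.append(f"attachment {name} follows the KBxxxxxx.exe naming convention")
        if data.startswith(PE_MAGIC):  # judge by content, not by the extension
            reasons.append(f"attachment {name} is a Windows executable (MZ header)")

    # A real signed mail is multipart/signed (RFC 3156); a block pasted into the body is decoration.
    if PGP_BLOCK.search(plain_text(msg)) and msg.get_content_type() != "multipart/signed":
        reasons.append("PGP signature block pasted into the body rather than a multipart/signed message")

    return reasons


if __name__ == "__main__":
    for label, raw in (("spam", SAMPLE_SPAM), ("benign", SAMPLE_BENIGN)):
        print(label, triage(raw) or "no match")
```

The check keys on the attachment's bytes as well as its name because the naming convention is the easiest trait for the spammers to change; the MZ header and the fact that Microsoft never ships updates as mail attachments are what should actually drive the quarantine decision.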