Friday, September 25, 2009

Bogus MS Update

We have been receiving bogus emails claiming to be coming from Microsoft:

...public distribution of this Update through the official website » would have result in efficient creation of a malicious software, we made a decision to issue an experimental private version of an update for all users Microsoft Windows OS.
as the computer set to receive notifications when new updates are available, which you have received this notice.

We have seen emails containing one of the following links:

They seem to be compromized websites being used by the bad guys in order to facilitate this attack.

The page default.html from hxxp:// uses a refresh-type redirect to this url:

The page microsoftupdate.html from and 0xc0.0xdc.0x6e.0xe4 both execute another refresh-type redirect in order to download a Zeus malware with filename update09.exe.

Interestingly enough, this attack uses 0xc0.0xdc.0x6e.0xe4 to serve the malware. This IP-address translates to, which in turn resolves to, another possibly compromised website used in this attack.

The presence of the following files/folders may indicate signs of infection:

More here.

No comments:

Post a Comment