Nov 15 2007, 10:33 AM - Post #1
AplusWebMaster (Group: Authentic Member; Posts: 3,588; Joined: 30-December 03; From: USA; Member No.: 1,643; Operating System: WinXP)

- http://www.us-cert.gov/current/#false_micr...ils_circulating
November 15, 2007 - "US-CERT is aware of false Microsoft Update email messages being publicly circulated. These messages contain multiple links that may direct a user to a malicious web site. The impact of following these links is currently unknown, more information will be provided as it becomes available. US-CERT encourages users to take the following measures to protect themselves:
> Do not follow unsolicited web links in email messages
> Follow the Microsoft guidelines* for recognizing fraudulent email messages ..."
* http://www.microsoft.com/protect/yourself/...ng/msemail.mspx

- http://atlas.arbor.net/briefs/index#-1494625952
Microsoft MS07-055 Trojan Emails
Severity: Elevated Severity
"...The message states that users should install the Kodak Image Viewer patch for advisory MS07-055. The user is directed to a website not owned by Microsoft and told to download a patch. The binary includes the real MS07-055 Windows XP patch, together with a Bandok Trojan. We are working with vendors and security companies to address this issue.
Analysis: This is a potentially serious problem due to the fact that the original Trojan binary is not recognized by any AV tools. Once unpacked, however, the Bandok Trojan is properly recognized by many AV tools. We are working on site takedown."

This post has been edited by AplusWebMaster: Nov 16 2007, 08:27 AM
Jan 21 2008, 02:18 PM - Post #2
AplusWebMaster

FYI... (It continues because this fraud works! Spread the word!)
- http://sunbeltblog.blogspot.com/2008/01/fake-ms-update.html
January 21, 2008 - "...(another) fake 'MS update spam' seen in the wild today... Payload is IRC.Backdoor.Trojan..." (Screenshot available at the URL above.)
Feb 6 2008, 06:58 AM - Post #3
AplusWebMaster

They just keep comin'...
Spotted in the wild: Rogue Microsoft Update site
> http://www.f-secure.com/weblog/archives/00001374.html
February 6, 2008 - "Watch out for this one. It's -not- the real Microsoft Update site... Note the real url (cfm48.com) and the spelling errors ("Please intall"). If you click the Urgent Install button, you get a file called WindowsUpdateAgent30-x86-x64.exe. Which is not signed by Microsoft. This is a fast flux site and uses a wide range of IP addresses..." (Screenshots available at the URL above.)
> http://www.us-cert.gov/current/#fraudulent...pdate_web_sites

This post has been edited by AplusWebMaster: Feb 6 2008, 01:09 PM
Apr 7 2008, 07:21 AM - Post #4
AplusWebMaster

FYI...
- http://blog.trendmicro.com/before-patch-tu...e-were-malware/
April 6, 2008 - "...A new spam run emerges as a threat to Web users before Microsoft’s Patch Tuesday. And not because it exploits soon-to-be named vulnerabilities. What this spamming operation takes advantage of is the anticipation itself for the release of patches by Microsoft... The email, which first of all claims to be sent by Microsoft itself, informs users of a zero-day vulnerability in all versions of Microsoft Outlook and Microsoft Exchange Servers and asks users to download a patch to fix the bug. Installation of the patch is said to prevent systems from being compromised or exploited by malicious users. To install the said “patch” would mean system infection..." (Screenshot available at the URL above.)
Apr 7 2008, 08:08 PM - Post #5
AplusWebMaster

FYI...
- http://www.us-cert.gov/current/#email_atta...ing_microsoft_s
April 7, 2008 - "US-CERT has seen reports of an email attack targeting Microsoft's April Security Bulletin release cycle. This attack arrives via email messages with the subject line "Critical Patch Released: Microsoft Security Bulletin MS08-64738." These email messages contain a link to a fraudulent Microsoft Update web site that hosts malicious code or contains an attachment that is embedded with malicious code. Users who follow the link or open the attachment may become infected with a Trojan..."
Apr 22 2008, 08:54 PM - Post #6
AplusWebMaster

FYI...
MySpace - Maximus root kit downloads...
- http://isc.sans.org/diary.html?storyid=4325
Last Updated: 2008-04-22 22:26:50 UTC - "...A reader, GreggS, provided a link to a myspace page with a specific friendid that has JavaScript that pops up a transparent background gif on top of the normal user page. The transparent background gif appears to be an Automatic Update of the Microsoft Malicious Software Removal Tool. This is likely to fool a fair amount of people. "Clicking anywhere on the page (on large css layer on top) and your browser initiates a download session from an ftp at microsofpsupports .cn and you are asked to download and/or run (no!) the file. The "Automatic Update" (not "Windows Update") dialog is simply a gif image. hxxp ://img404.imageshared.cn/img/20048/removaltool6gx87.gif" This appears to be a new version of Maximus. Virustotal results here: http://www.virustotal.com/analisis/3a29d07...4e8aa77bc81e6bb ..." Result: 10/32 (31.25%)
- http://isc.sans.org/diary.html?storyid=4325
Last Updated: 2008-04-23 17:56:24 UTC ...(Version: 3) "UPDATE - Thanks to Ned who pointed out that "!Maximus" is the name of the heuristic detection engine for F-Prot (and hence Authentium) rather than the name of the rootkit."

This post has been edited by AplusWebMaster: Apr 23 2008, 12:39 PM
Jun 1 2008, 07:10 PM - Post #7
AplusWebMaster

FYI...
- http://blog.trendmicro.com/bogus-microsoft...-file-infector/
May 31, 2008 - "Even though Patch Tuesday is still two weeks from now, crimeware authors are already sending out fake Microsoft “critical updates.” The TrendLabs Content Security Team recently found a hoax purporting to be from Microsoft that urges users to update their computers due to a “critical security issue”. The email, which has the subject heading Important update from Microsoft Windows XP/2003 Professional Service Pack 2 (KB946026), urges recipients to install the latest security update to avoid a successful attack which could result in compromising the recipient’s PC. If the unlucky victim clicks on the file name, WINDOWS-KB946026-X86-ENU, they won’t be getting any security patch — but rather, malware detected by Trend Micro as PE_VIRUT.XZ. PE_VIRUT.XZ is a pretty old variant that appends its code to EXE and SCR files, making a pretty big mess depending on where it is executed..." (Screenshot available at the URL above.)
Jun 30 2008, 03:47 PM - Post #8
AplusWebMaster

Once again - more...
Fake Microsoft patch SPAM
- http://securitylabs.websense.com/content/Alerts/3122.aspx
06.30.2008 - "Websense... has discovered a substantial number of spam messages utilizing a reliable social engineering trick that lures users to download a Microsoft critical security update... The message uses an open redirect at the legitimate shopping site shopping.***.com; the redirect forwards users to a malicious URL offering to download a malicious executable. The malicious hostname is a lengthy one embedding 62 characters, and uses the sub-domain update.microsoft.com. Users who open this file will have their desktop infected with a Backdoor... An interesting trait of this particular attack is that the malicious top level domain is pointing to the government site of the United States Secret Service - The Electronic Crimes Tasks Forces Web site in an apparent attempt to work around IP reputation-based systems... It is important to add that Microsoft -never- sends security update notifications through emails..." (Screenshots available at the URL above.)
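The three lures the posts above keep describing (a hostname that merely contains update.microsoft.com, an open redirect on a legitimate site, and a "patch" served as a bare .exe) can be triaged mechanically from the links in a message. The following is an added example, not code from this thread or from any of the quoted vendors; the trusted-domain set, the 50-character hostname threshold and the sample message are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: the set of domains we treat as genuinely Microsoft's.
LEGIT_DOMAINS = {"microsoft.com", "windowsupdate.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def registrable_domain(host):
    # Assumption: last two labels only; public-suffix lists are out of scope.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def classify_url(url):
    """Return the reasons (possibly none) this URL looks like a fake-update lure."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    domain = registrable_domain(host)
    reasons = []
    # Lookalike: a Microsoft name appears as a *sub-domain* of someone else's
    # domain, as with the 62-character update.microsoft.com.* host in the alert.
    if domain not in LEGIT_DOMAINS and any(d in host for d in LEGIT_DOMAINS):
        reasons.append("brand-in-subdomain lookalike: %s" % host)
    if len(host) >= 50:  # assumption: threshold for "unusually long"
        reasons.append("unusually long hostname (%d chars)" % len(host))
    # Open redirect on a legitimate site: a query value that is itself a URL.
    for values in parse_qs(parts.query).values():
        for v in values:
            if URL_RE.match(v):
                reasons.append("open redirect to %s" % urlsplit(v).hostname)
                reasons.extend(classify_url(v))  # judge the final target too
    # A "patch" served as a bare executable from a non-Microsoft host.
    if parts.path.lower().endswith((".exe", ".scr")) and domain not in LEGIT_DOMAINS:
        reasons.append("executable download: %s" % parts.path.rsplit("/", 1)[-1])
    return reasons

def scan_message(text):
    """Map every URL in an e-mail body to its warning reasons (empty = no warning)."""
    return {u: classify_url(u) for u in URL_RE.findall(text)}

# Constructed sample in the style of the lures in this thread; hosts are fictitious.
SAMPLE = """Critical Patch Released: Microsoft Security Bulletin
Download the update here:
http://shopping.example.com/redirect?url=http://update.microsoft.com.a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6.example.net/WindowsUpdateAgent30-x86-x64.exe
Or read the bulletin: https://www.microsoft.com/technet/security/
"""

if __name__ == "__main__":
    for url, why in scan_message(SAMPLE).items():
        print(url, "->", why or ["no warnings"])
```

The redirect target is classified recursively, so a legitimate-looking first hop does not hide the lookalike host and executable behind it.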
Jul 16 2008, 06:28 AM - Post #9
AplusWebMaster

FYI...
Another fake MS spam
- http://sunbeltblog.blogspot.com/2008/07/an...ke-ms-spam.html
July 15, 2008 - "...The file being pushed, free.exe, is an installer for Antivirus XP 2008, a nasty rogue antispyware program... SPAM has stopped just being a nuisance, and become a serious potential security threat..." (Screenshot available at the URL above.)