Fake Microsoft Security Bulletin -> Malicious Browser Add-On
Dave Edwards let us know about an email message that claims to be a Microsoft Security Bulletin:
Microsoft Security Bulletin MS06-4
Cumulative Security Update for Internet Explorer (113742734)
Published: June 3, 2007
Version: 1.0
Summary
Who should read this document: Customers who use Microsoft Windows
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Critical
Recommendation: Customers should apply the update immediately.
Of course, the proper format for the bulletin number would be "MS06-004", not "MS06-4". Also, the number of a bulletin released in 2007 would start with "MS07", not "MS06".
The scheme is what you would expect: the message includes a link to what, it claims, is a patch that is supposed to address the issue. The file, hosted on a remote server, is called "updatems06.exe". It is a UPX-packed executable that is recognized as being malicious by half of the anti-virus engines available to VirusTotal.
The executable installs a malicious browser add-on (BHO) "down.dll" on the victim's system in C:\WINDOWS\system32. Anti-virus engines that recognize the BHO as malware identify it as Agent.avk. This seems to be a downloader that may also be capable of spying on the user's interactions with certain sites.
Update 1:
After analyzing down.dll, Symantec Security Response let us know that the program attempts contacting 3 servers via URLs that look like:
http://[server_name]/command.php?userid[REMOVED]
The remote command.php script seems to assist the program in creating a local configuration file that gets saved in %System%\commands.xml. The program uses the XML file to determine how to download and execute other programs from remote locations, saving them as %System%\file.exe.
None of the 3 servers where the program attempts to download the XML file are available at the moment. I find it interesting that 2 of the servers are expected to reside in domains that have not even been registered yet. It is possible that the attacker is still in the process of setting up his or her attack network. The other server is part of a domain that has been registered for a while; however, the server is not currently accessible. Google cache suggests that when the server was up, it was being used to record user passwords, probably as part of another attack campaign.
Update 2:
Please keep in mind that Microsoft never sends out updates as attachments (Thanks, Zot!). They have a page that explains the issue:
http://www.microsoft.com/canada/athome/security/email/ms_genuine_mail.mspx
Update 3:
Upon our request, the ISP controlling the system that was distributing updatems06.exe removed the offending file from the server.
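The two giveaways in this lure (a bulletin number that does not follow the MSYY-NNN format and whose year disagrees with the "Published" date, plus a "patch" delivered as a link to an executable) are easy to check mechanically. The following is an added example, not code from the diary or from Microsoft: a small Python triage routine that applies those checks to the text of a suspected bulletin e-mail. The sample messages embedded in it are constructed for the example (the genuine-looking one uses the placeholder id MS07-999 and a placeholder URL, not a real bulletin).

```python
import re
from datetime import datetime

# Constructed sample modelled on the lure described in the diary
# (placeholder host; the real distribution server is not reproduced here).
SAMPLE_LURE = """Microsoft Security Bulletin MS06-4
Cumulative Security Update for Internet Explorer (113742734)
Published: June 3, 2007
Version: 1.0
Recommendation: Customers should apply the update immediately.
Download the patch here: http://example.invalid/updatems06.exe
"""

# Constructed control sample: well-formed id, matching year, link to a web page.
SAMPLE_GENUINE = """Microsoft Security Bulletin MS07-999
Published: June 12, 2007
Version: 1.0
More information: https://www.microsoft.com/technet/security/bulletin/ms07-999.mspx
"""

BULLETIN_RE = re.compile(r"Microsoft Security Bulletin\s+(MS\S+)", re.IGNORECASE)
PUBLISHED_RE = re.compile(r"Published:\s*([A-Za-z]+ \d{1,2}, \d{4})")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
EXEC_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi")


def parse_published(text):
    """Return the 'Published:' date as a datetime, or None if absent/unparseable."""
    m = PUBLISHED_RE.search(text)
    if not m:
        return None
    try:
        return datetime.strptime(m.group(1), "%B %d, %Y")
    except ValueError:
        return None


def is_executable_name(name):
    """True if a filename or URL path ends in a Windows-executable extension."""
    return name.lower().rstrip(".,)").endswith(EXEC_SUFFIXES)


def check_bulletin_text(text):
    """Apply the format, year-consistency and executable-link heuristics.

    Returns a list of human-readable findings; an empty list means nothing
    suspicious was seen (not proof the message is genuine).
    """
    findings = []
    m = BULLETIN_RE.search(text)
    bulletin_id = m.group(1) if m else None

    # Real bulletin ids look like MS06-004: two-digit year, dash, three digits.
    if bulletin_id is None:
        findings.append("no bulletin identifier found")
    elif not re.fullmatch(r"MS\d{2}-\d{3}", bulletin_id):
        findings.append(f"malformed bulletin id {bulletin_id!r} (expected MSYY-NNN)")

    # The year in the id must agree with the stated publication year.
    published = parse_published(text)
    if bulletin_id and published and bulletin_id[2:4].isdigit():
        if int(bulletin_id[2:4]) != published.year % 100:
            findings.append(
                f"bulletin id year {bulletin_id[2:4]} does not match "
                f"published year {published.year}")

    # Microsoft does not ship updates as e-mailed executables or direct .exe links.
    for url in URL_RE.findall(text):
        if is_executable_name(url):
            findings.append(f"link to executable {url}")
    return findings


def check_attachments(filenames):
    """Flag any attachment that is an executable; genuine bulletins carry none."""
    return [f"executable attachment {n}" for n in filenames if is_executable_name(n)]


if __name__ == "__main__":
    for label, sample in (("lure", SAMPLE_LURE), ("control", SAMPLE_GENUINE)):
        print(label, check_bulletin_text(sample) or "no findings")
    print(check_attachments(["updatems06.exe", "readme.txt"]))
```

Run as a script it reports three findings for the constructed lure (malformed id, year mismatch, executable link) and none for the control text. The checks are deliberately narrow; they catch the specific mistakes this campaign made, and a cleaner forgery would pass them, so they belong alongside, not instead of, the advice above that Microsoft does not distribute updates by e-mail.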