Fake Microsoft Update Email

Published: 2008-10-10
Last Updated: 2008-10-10 12:44:54 UTC
by Marcus Sachs (Version: 1)
2 comment(s)

Several readers have alerted us to a fake Microsoft email circulating with a malicious attachment.  If you are blocking executables at your email servers, there should not be a problem.  The email looks like this, but might vary a bit:

Subject:        Security Update for OS Microsoft Windows
From:           "Microsoft Official Update Center" <securityassurance@microsoft.com>

Dear Microsoft Customer,

Please notice that Microsoft company has recently issued a Security Update for OS
Microsoft Windows. The update applies to the following OS versions: Microsoft
Windows 98, Microsoft Windows 2000, Microsoft Windows Millenium, Microsoft Windows
XP, Microsoft Windows Vista.

Please notice, that present update applies to high-priority updates category. In
order to help protect your computer against security threats and performance
problems, we strongly recommend you to install this update.

Since public distribution of this Update through the official website
http://www.microsoft.com would have result in efficient creation of a malicious
software, we made a decision to issue an experimental private version of an update
for all Microsoft Windows OS users.

As your computer is set to receive notifications when new updates are available, you
have received this notice.

In order to start the update, please follow the step-by-step instruction:
1. Run the file, that you have received along with this message.
2. Carefully follow all the instructions you see on the screen.

If nothing changes after you have run the file, probably in the settings of your OS
you have an indication to run all the updates at a background routine. In that case,
at this point the upgrade of your OS will be finished.

We apologize for any inconvenience this back order may be causing you.

Thank you,

Steve Lipner
Director of Security Assurance
Microsoft Corp.

Version: PGP 7.1


Notice the legitimate signature block and PGP signature.  Sorry, Steve, I guess you are a popular guy!
Marcus H. Sachs
Director, SANS Internet Storm Center
2 comment(s)


Is the PGP signature valid. Would this not mean that Mr. Lipner's PGP private keys were compromised?
The signature is invalid, and essentially is just ASCII nonsense. You may notice that there is no PGP BEGIN block. As a result, no e-mail client will attempt to verify the signature.

Diary Archives