We've received samples of an e-mail which is being actively spammed at the moment. The e-mail purports to be from Microsoft and it is notifying the recipient of "a new vulnerability [that] has been discovered in the Microsoft WinLogon Service". It further states that the vulnerability can allow an attacker access to the unpatched system.
Of course, the user is advised to install the patch which can be downloaded from the included link.
As the e-mail body is an HTML message, the displayed link (http://www.microsoft.com/patches-win-logon-critical/winlogon_patchV1.12.exe) is not where the user will really be sent:
http:// www.redcallao.com/ [REMOVED] / winlogon_patchV1.12.exe
At the time when this diary was written, the site was still up and serving malware. AV detection although a better then first time when we tried it, is still pretty bad. Only 8 products from VirusTotal detected this:
AntiVir 188.8.131.52 05.29.2006 Heuristic/Crypted.Modified
BitDefender 7.2 05.30.2006 Trojan.BeastPWS.C
Kaspersky 184.108.40.206 05.30.2006 Trojan-Spy.Win32.Delf.jq
NOD32v2 1.1566 05.30.2006 Win32/Spy.Delf.NBR
Panda 220.127.116.11 05.29.2006 Suspicious file
Sophos 4.05.0 05.30.2006 Troj/BeastPWS-C
Symantec 8.0 05.30.2006 Infostealer
Does all this sound familiar? Sure, it's (almost) the same story that the Swen worm (or Gibe.F) tried to "sell" to the users. Hopefully this one will not come close to doing what Swen did.
I will be teaching next: Web App Penetration Testing and Ethical Hacking - SANS Riyadh April 2019
May 30th 2006
1 decade ago