A Dispatch


August 21, 2008

Bogus Windows Updates

Two flavors of phony Windows update notices have been arriving in the past few hours.

The first arrived with a variety of Subject: lines, such as:

  • Important Microsoft Windows Update
  • Critical Microsoft Windows Update

Message bodies also varied a little, but generally followed the format of this one:

Dear Microsoft Customer,

You are receiving this message because your version of Microsoft Windows is affected by a dangerous security vulnerability.

In order to prevent possible risk of system instability, Microsoft urges you to update at your earliest convenience.

We are providing a free update to all Microsoft Windows users.

You can update your system for free by visiting the offical website for this patch, at http://updatemanagement.[removed].net/?customerservice
Thank you for your understanding in this matter.

Regards,
Wilton Silver
Business Relations Rep.
Microsoft Corp.
http://updatemanagement.[removed].net/?customerservice

The domain name, which includes the words system and update, was registered today, and the supposed registrant is [get this] "Government of St. Vincent and the Grenadines."

Almost anyone in the PC biz would know that Microsoft, itself, would never publicly label any vulnerability as "dangerous." But it's a good word to get the attention of the less technically aware.

On to the second attempt, which arrived here in rapid succession with the same Subject: and message body:

Subject: Free Update For Windows

Dear dannyg@dannyg.com, Free Update for Windows Xp,Vista
http://[IP Address Removed]/setup.exe

Each message was sent from a different botnet client, in a not atypical fire hose spray of spam. All of the messages I received pointed to the same IP address hosted in Moldova. To my surprise, the account at that address had been shut down pretty quickly—a responsible response I'm not accustomed to seeing from those environs.

At the two destinations, the techniques for infecting visitors' machines were quite different, with the first one being far more elaborate. It may be that two crooks/gangs happened upon the same email approach within hours of each other. Whether this was serendipity or an orchestrated event doesn't matter to users. Identifying bogus notices should matter a great deal.

Be it now and forever known that major operating system vendors (e.g., Microsoft and Apple) have spent oodles of money to build system updating mechanisms into their operating systems. If there were such a dire need to update an OS that it caused the companies to send emergency email messages to their customers (a near zero likelihood, BTW), both companies would direct customers to use the internal updating mechanisms, and not provide a link to visit to download the update.
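The rule of thumb above (a real vendor points you at the built-in updater, never at a download link) can be turned into a mail filter. The check below is an added example, not part of the original post; the trusted-host list, the example.net domain standing in for the removed one, and the 203.0.113.10 address standing in for the removed Moldovan IP are all constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Hosts a genuine Microsoft update notice might point at (assumed list for this example).
TRUSTED_UPDATE_HOSTS = ("microsoft.com", "windowsupdate.com")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Message claims to be about a Windows/Microsoft update, in either word order.
UPDATE_CLAIM_RE = re.compile(
    r"\b(?:windows|microsoft)\b.*\bupdate\b|\bupdate\b.*\b(?:windows|microsoft)\b", re.I | re.S)

def host_is_trusted(host):
    """Exact match or a subdomain of a trusted host; 'microsoft.com.evil.example' is not."""
    host = host.lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in TRUSTED_UPDATE_HOSTS)

def is_ip_literal(host):
    """True when the link host is a bare IPv4/IPv6 address instead of a domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def check_update_notice(subject, body):
    """Return the reasons a message looks like a bogus update notice (empty list = none fired)."""
    text = subject + "\n" + body
    if not UPDATE_CLAIM_RE.search(text):
        return []  # not posing as an OS update; this check has nothing to say
    reasons = []
    for url in URL_RE.findall(text):
        parsed = urlparse(url.rstrip(".,;)"))  # drop sentence punctuation glued to the URL
        host = parsed.hostname or ""
        if is_ip_literal(host):
            reasons.append(f"update link to bare IP address: {host}")
        elif not host_is_trusted(host):
            reasons.append(f"update link to non-vendor host: {host}")
        if parsed.path.lower().endswith((".exe", ".msi", ".scr")):
            reasons.append(f"link straight to an executable: {parsed.path}")
    if re.search(r"\bdangerous\b", text, re.I):
        reasons.append('vendor-atypical wording: "dangerous"')
    return reasons

# Constructed samples modelled on the two notices in the post; domain and IP are placeholders.
PHONY_DOMAIN = ("Important Microsoft Windows Update",
    "Dear Microsoft Customer,\nyour version of Microsoft Windows is affected by a dangerous "
    "security vulnerability. Update for free at http://updatemanagement.example.net/?customerservice")
PHONY_IP = ("Free Update For Windows",
    "Dear user@example.com, Free Update for Windows Xp,Vista\nhttp://203.0.113.10/setup.exe")
GENUINE = ("Windows Update available",
    "Open Windows Update from the Start menu, or see http://update.microsoft.com/ for details.")

if __name__ == "__main__":
    for subject, body in (PHONY_DOMAIN, PHONY_IP, GENUINE):
        print(subject, "->", check_update_notice(subject, body) or ["no red flags"])
```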

There must be, however, a goodly number of Windows users out there who use pirated copies of XP and Vista. The internal Windows Update mechanism isn't available to them because their OSes fail the "genuine advantage" test. Heaven knows what else was delivered with the pirated OS already, but their users would probably be tempted to download a supposedly free update that lets them avoid Microsoft's laser-eyed stare. I don't have a lot of sympathy for the pirate users, and getting their systems pwned by a botnet might feel like Justice...except that it means that their systems will be used to flood my inbox with spam and perhaps attack my web sites. Vigilantism on the Internet usually backfires on the vigilantes.

Posted on August 21, 2008 at 08:25 AM