A Dispatch


December 03, 2009

Phony Microsoft Update du Jour

As someone whose career consists of converting ideas inside my head into material for consumption by others (in the form of words or software), I think I understand how one malware distributor went off the rails. Sometimes an idea sounds good in your head, but when you try to execute the idea, you discover flaws. The key to success is recognizing and fixing the flaws before exposing your work to the world. One Windows malware distributor ignored that last step.

Exhibit A is an unusually wordy email claiming to originate from Microsoft.com Update Center, titled Critical Security Update. I think the idea inside the miscreant's head was to make the message sound as though this email was a necessary diversion from the usual Windows Update process. But somewhere between his brain and his keyboard, a major snafu occurred:

Dear Microsoft Customer,

Please notice that Microsoft company has recently issued a Security Update for OS Microsoft Windows. The update applies to the following OS versions: Microsoft Windows 2000, Microsoft Windows Millenium, Microsoft Windows XP, Microsoft Windows Vista and Microsoft Windows 7.

Please notice, that present update applies to high-priority updates category. In order to help protect your computer against security threats and performance problems, we strongly recommend you to install this update.

Since public distribution of this Update through the official website http://www.microsoft.com would have result in efficient creation of a malicious software, we made a decision to issue an experimental private version of an update for all Microsoft Windows OS users.

As your computer is set to receive notifications when new updates are available, you have received this notice.

In order to start the update, please follow the step-by-step instruction:
1. Run the file, that you have received along with this message KB958644-ENU
2. Carefully follow all the instructions you see on the screen.

If nothing changes after you have run the file, probably in the settings of your OS you have an indication to run all the updates at a background routine. In that case, at this point the upgrade of your OS will be finished.

We apologize for any inconvenience this back order may be causing you.

Thank you,

Steve Lipner,
Director of Security Assurance
Microsoft Corp.

Doesn't it seem as though the main thrust of this email is to explain why the update is being sent in the mail, rather than downloaded? And yet there is no attachment. Instead, the two links point to a file named Windows-KB958644-ENU.exe on a hijacked Italian web server. Perhaps he believes unsophisticated users will click on anything resembling a link, whether there is an attachment or not (and he's probably right).
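The mismatch described above can be checked mechanically. This Python code is an added example, not part of the original post: it flags a body that refers to a file received with the message when no attachment exists, links ending in an executable extension, and links hosted outside any domain named in the sender's display name. The sample message, its sender address, the host hijacked.example.invalid, the function name analyze and the finding labels are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the message quoted above. The sender address
# and the host hijacked.example.invalid are placeholders, not values from the post.
SAMPLE = '''From: "Microsoft.com Update Center" <update@example.invalid>
Subject: Critical Security Update
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<p>1. Run the file, that you have received along with this message
<a href="http://hijacked.example.invalid/Windows-KB958644-ENU.exe">KB958644-ENU</a></p>
'''

ATTACH_CLAIM = re.compile(r"received\s+along\s+with\s+this\s+message|\battach(?:ed|ment)", re.I)
HREF = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.I)
NAMED_DOMAIN = re.compile(r"\b[\w-]+\.(?:com|net|org)\b", re.I)
EXEC_EXT = (".exe", ".scr", ".pif", ".bat")

def analyze(raw):
    """Return a list of findings for one raw RFC 5322 message (hypothetical helper)."""
    msg = message_from_string(raw)
    body, has_attachment = [], False
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_filename():          # a part with a filename is an attachment
            has_attachment = True
        elif part.get_content_maintype() == "text":
            data = part.get_payload(decode=True) or b""
            body.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
    text = "\n".join(body)
    findings = []
    # The body tells the reader to run a file that came with the message, yet none did.
    if ATTACH_CLAIM.search(text) and not has_attachment:
        findings.append("claims-attachment-but-none")
    # Domains the sender's display name invokes, e.g. "Microsoft.com Update Center".
    claimed = [d.lower() for d in NAMED_DOMAIN.findall(parseaddr(msg.get("From", ""))[0])]
    for url in HREF.findall(text):
        u = urlparse(url)
        host = (u.hostname or "").lower()
        if u.path.lower().endswith(EXEC_EXT):
            findings.append("link-to-executable:" + host)
        if claimed and not any(host == d or host.endswith("." + d) for d in claimed):
            findings.append("link-off-claimed-domain:" + host)
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(finding)
```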

I like the unintentionally humorous touch with the last paragraph apologizing for a back order. This line was copied/pasted from another (and old) malicious email that used a delayed shipment of Microsoft Office as the lure (an open-the-attachment-for-details kind of thing).

With a little bit of digging, I eventually got to the bottom of the confusion. You see, this message was used about 14 months ago for a previous malware distribution attempt. That attempt appears to have included an attachment, which followed the message's logic more closely. This year's criminal was too lazy to dream up his own email message — or fully understand the original, for that matter. He did update the list of OS versions to include the new Windows 7, but that's about it. At the start of this posting, I gave the sender way too much credit for having an idea.

Tell every unsophisticated user you know that Microsoft does not send email messages to users about software updates.

Posted on December 03, 2009 at 08:59 AM