SophosLabs has alerted us to a spam campaign whose messages claim to come from various well-known security and anti-virus companies.
The messages have a variety of subject lines, such as:
- Windows Defender: Important System Update - requires immediate action
- AVG Anti-Virus Free Edition: Important System Update - requires immediate action
- AVG Internet Security 2012: Important System Update - requires immediate action
- Kaspersky Anti-Virus: Important System Update - requires immediate action
- Microsoft Security Essentials: Important System Update - requires immediate action
All the emails look pretty much the same, claiming to include an important security update to deal with "the new malware circulating over the net". The body reads:
Important System Update – requires immediate action
It’s highly important to install this security update due to the new
malware circulating over the net. To complete the action please double
click on the system patch KB923029 in the attachment. The installation
will run in the silent mode. Please pay attention to this matter and
inform us in case there is a problem.
Don’t be fooled
The attachment does not contain a patch. It contains malware: the Zbot/Zeus bot described below, a family that has also been used to download the CryptoLocker ransomware, which encrypts your files and then demands a payment to get them back.
There is no "system patch KB923029", and even if there were, neither Microsoft nor any other security company would send you a security update as an email attachment.
Also, if you are a native speaker of English, you should spot the grammatical errors and misused words.
The fact that an email is grammatically flawless, in English or any other language, is not an indicator of legitimacy. But language blunders in English, in an email purporting to come from the New York office of a legitimate software company, are a strong indicator of bogosity. If the crooks can't even be bothered to try to write and spell decently, you may as well use their linguistic sloppiness against them.
The ZIP file contains an EXE (a program file); that program file is one of the many variants of the Zbot malware, also known as Zeus, that we see on a regular basis.
You’re expected to open the ZIP and run the program inside, which has a name like this:
HOTFIX_patch_KB_00000...many digits...56925.exe
There’s nothing wrong with having an EXE inside a ZIP file.
But a ZIP that contains only an EXE, and that was delivered by email,
is just as suspicious as a plain EXE that arrives as an attachment.
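A small triage routine for attachments of this kind, added here as an example and not taken from the Sophos article or from this post: it flags a subject line that uses the campaign's boilerplate, a ZIP that holds nothing but executables, a file whose contents start with the PE "MZ" signature despite a non-executable extension, and a filename that imitates Microsoft hotfix/KB naming. The archive and filenames below are constructed samples in the style the text describes, not the real campaign's files, and the extension list is an assumption.

```python
import io
import posixpath
import re
import zipfile

# File extensions that Windows executes directly on double-click. Assumption:
# a representative list for this example, not an exhaustive one.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

# Subject boilerplate seen in this campaign:
# "<product>: Important System Update - requires immediate action"
FAKE_UPDATE_SUBJECT = re.compile(
    r"important system update\s*[-\u2013]\s*requires immediate action", re.IGNORECASE
)

# Vocabulary borrowed from Microsoft update naming (hotfix / patch / KBnnnnnn).
UPDATE_LOOKALIKE_NAME = re.compile(r"hotfix|patch|\bkb_?\d", re.IGNORECASE)


def looks_like_fake_update_subject(subject: str) -> bool:
    """True when the subject line matches the campaign's boilerplate."""
    return FAKE_UPDATE_SUBJECT.search(subject) is not None


def build_zip(files: dict) -> bytes:
    """Build an in-memory ZIP from {name: content}; used for the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


def triage_zip_attachment(data: bytes) -> dict:
    """Inspect a ZIP attachment and list the reasons it looks like a malware lure.

    An empty 'reasons' list means none of these heuristics fired, not that the
    archive is safe.
    """
    reasons = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"entries": [], "reasons": ["not a valid ZIP file"]}
    with zf:
        infos = [i for i in zf.infolist() if not i.is_dir()]
        names = [i.filename for i in infos]
        exes = [n for n in names if posixpath.splitext(n)[1].lower() in EXECUTABLE_EXTS]
        # The rule from the text: a mailed ZIP that holds nothing but executables
        # deserves the same suspicion as a bare EXE attachment.
        if exes and len(exes) == len(infos):
            reasons.append("archive contains only executable files: " + ", ".join(exes))
        for info in infos:
            ext = posixpath.splitext(info.filename)[1].lower()
            # Every Windows executable starts with the two-byte 'MZ' signature, so a
            # file carrying it under a non-executable extension is disguised.
            if ext not in EXECUTABLE_EXTS:
                with zf.open(info) as fh:
                    if fh.read(2) == b"MZ":
                        reasons.append(
                            f"{info.filename}: PE header (MZ) despite extension {ext or '(none)'}"
                        )
            if UPDATE_LOOKALIKE_NAME.search(posixpath.basename(info.filename)):
                reasons.append(f"{info.filename}: name imitates a Microsoft hotfix/KB patch")
    return {"entries": names, "reasons": reasons}


# Constructed samples (not the real campaign's files): a fake PE stub carrying the
# 'MZ' signature, named in the style the text describes, and a benign archive.
FAKE_PE = b"MZ" + b"\x00" * 62
SAMPLE_LURE_ZIP = build_zip({"HOTFIX_patch_KB_000000000000001.exe": FAKE_PE})
SAMPLE_BENIGN_ZIP = build_zip({"report.txt": b"quarterly numbers\n", "notes/readme.txt": b"hi\n"})

if __name__ == "__main__":
    print(looks_like_fake_update_subject(
        "Kaspersky Anti-Virus: Important System Update - requires immediate action"))
    for reason in triage_zip_attachment(SAMPLE_LURE_ZIP)["reasons"]:
        print("suspicious:", reason)
```

The MZ check matters because the extension is the only thing Windows shows by default; a file named like a document but starting with an MZ header is an executable whatever its name says.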
If you do run it, the EXE copies itself into the user's Application Data folder:
C:\Documents and Settings\%USER%\Application Data\
(that is the Windows XP path; on later versions it is the %APPDATA% folder) under a random filename, and adds itself to the registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
so that it gets launched every time you reboot or log on. Because the key lives under HKEY_CURRENT_USER, the malware needs no administrator rights to persist: the user who opened the attachment already has write access to it.
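To check a machine for the persistence the text describes, here is an added example that is not from the original article: it reads the per-user Run key on Windows (or works over a constructed set of Run values elsewhere) and reports entries whose target lives under the user's Application Data / AppData folder, noting whether the file name looks randomly generated. The sample entries and the vowel-ratio "random name" heuristic are assumptions for illustration; legitimate software also auto-starts from AppData (the Dropbox sample shows this), so the output is a review list, not a verdict.

```python
import os
import re
from typing import Dict, List

# Persistence point named in the text: the per-user Run key.
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Targets inside the user's profile data folder: "Application Data" on Windows XP,
# "AppData" on later versions, or an unexpanded %APPDATA% variable.
IN_APPDATA = re.compile(r"\\application data\\|\\appdata\\|%appdata%", re.IGNORECASE)

# For an unquoted command line, the path runs up to the first executable
# extension that is followed by whitespace or end of string.
UNQUOTED_PATH = re.compile(r"^(.*?\.(?:exe|com|scr|bat|cmd|pif))(?=\s|$)", re.IGNORECASE)


def command_target(command: str) -> str:
    """Return the executable path from a Run value, dropping any arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    match = UNQUOTED_PATH.match(command)
    if match:
        return match.group(1)
    return command.split()[0] if command else ""


def looks_random(stem: str) -> bool:
    """Heuristic (an assumption, not from the article): product names are pronounceable
    words, so a stem with almost no vowels, or with letters and digits mixed, is
    treated as randomly generated."""
    s = stem.lower()
    if len(s) < 5 or not s.isalnum():
        return False
    vowels = sum(c in "aeiou" for c in s)
    digits = sum(c.isdigit() for c in s)
    return vowels / len(s) < 0.15 or 0 < digits < len(s)


def flag_suspicious_run_entries(values: Dict[str, str]) -> List[dict]:
    """Report Run entries whose target sits under Application Data / AppData."""
    findings = []
    for name, command in values.items():
        target = command_target(command)
        if not IN_APPDATA.search(target):
            continue
        filename = target.replace("\\", "/").rsplit("/", 1)[-1]
        stem = os.path.splitext(filename)[0]
        findings.append({
            "name": name,
            "target": target,
            "random_looking_name": looks_random(stem),
        })
    return findings


def read_hkcu_run() -> Dict[str, str]:
    """Enumerate HKCU\\...\\Run on Windows; returns {} on other platforms."""
    try:
        import winreg
    except ImportError:
        return {}
    values: Dict[str, str] = {}
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values under the key
                values[name] = str(data)
                index += 1
    except OSError:
        return {}
    return values


# Constructed sample Run values (not from a real infection): two ordinary entries,
# a legitimate program that really does live in AppData, and one in the pattern
# the text describes (random file name directly under Application Data).
SAMPLE_RUN_VALUES = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "Adobe Reader Speed Launcher": r'"C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"',
    "Dropbox": r'"C:\Users\alice\AppData\Roaming\Dropbox\bin\Dropbox.exe" /systemstartup',
    "Wtrbnq": r'"C:\Documents and Settings\alice\Application Data\wtrbnq.exe"',
}

if __name__ == "__main__":
    entries = read_hkcu_run() or SAMPLE_RUN_VALUES
    for finding in flag_suspicious_run_entries(entries):
        flag = "random-looking name" if finding["random_looking_name"] else "review manually"
        print(f'{finding["name"]}: {finding["target"]} [{flag}]')
```

On a live system the same check should be repeated for HKEY_LOCAL_MACHINE's Run key and the RunOnce keys, and the flagged files compared against their vendor signatures; this example only covers the location the text names.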
We shouldn’t need to remind you, but we’ll do so in case you want to remind someone else:
- Don’t open email attachments you weren’t expecting.
- Don’t believe emails that claim to be sending you a security patch – by email.
- Don’t ignore clues such as poor grammar or spelling in emails that claim to be official.
- Don’t neglect to keep your software patches up to date – but never by email.
References:
Spam from an anti-virus company claiming to be a security patch? It's Zbot/Zeus malware… – Naked Security, 21 November 2013: http://nakedsecurity.sophos.com/2013/11/21/spam-from-an-anti-virus-company-its-zeus-malware/