Friday 19 June 2009

FAIL: "Microsoft has released an update for Microsoft Outlook"

This email looks like it's from Microsoft, but it is really intended to load a trojan onto your PC:

From: Microsoft Customer Support [mailto:no-reply@microsoft.com]
Sent: 18 June 2009 22:47
Subject: Microsoft has released an update for Microsoft Outlook

Critical Update

Update for Microsoft Outlook / Outlook Express (KB910721)
Brief Description
Microsoft has released an update for Microsoft Outlook / Outlook Express. This update is critical and provides you with the latest version of the Microsoft Outlook / Outlook Express and offers the highest levels of stability and security.
Instructions
• To install Update for Microsoft Outlook / Outlook Express (KB910721) please visit Microsoft Update Center:
http://update.microsoft.com/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=[redacted]
Quick Details
• File Name: officexp-KB910721-FullFile-ENU.exe
• Version: 1.4
• Date Published: Thu, 18 Jun 2009 16:46:55 -0500
• Language: English
• File Size: 81 KB
System Requirements
• Supported Operating Systems: Windows 2000; Windows 98; Windows ME; Windows NT; Windows Server 2003; Windows XP; Windows Vista
• This update applies to the following product: Microsoft Outlook / Outlook Express
Contact Us
© 2009 Microsoft Corporation. All rights reserved. Contact Us |Terms of Use |Trademarks |Privacy Statement


Although the link appears to be for the Microsoft web site, underneath is a hidden URL which is quite different. From samples I have plus some scraped from the interwebs, I came up with the following samples:

hxxp:||update.microsoft.com.ijlijji.com/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=[redacted]
hxxp:||update.microsoft.com.ijj1hjf.com/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=[redacted]
hxxp:||update.microsoft.com.ijlijjh.net/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=[redacted]
hxxp:||update.microsoft.com.ijlijj1.com/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=[redacted]
hxxp:||update.microsoft.com.ijlijji.net/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=[redacted]
hxxp:||update.microsoft.com.il1if1.com.mx/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=[redacted]

The reason why this is a FAIL? None of the domains are registered apart from the .com.mx one, so clicking the links will do precisely nothing. il1if1.com.mx is hosted on a botnet with presumably fake registration details, but it seems to be quite unreliable.

Even though this attack doesn't work, it might be a good idea to keep an eye out for it and advise any end users you have. Also, checking your proxy logs for update.microsoft.com.i may well be useful.
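One way to run that proxy-log check, as an added example that is not from the original post: it scans constructed sample log lines (the log format and the lines themselves are assumptions) for any host that embeds update.microsoft.com as a leading prefix under some other domain, which is exactly the trick used by the links above, and it also accepts the defanged hxxp:|| notation so the samples listed earlier can be fed through it.

```python
import re
from urllib.parse import urlsplit

# Hostname the phishing links imitate as a leading label sequence. The real
# host is a complete hostname, so any extra labels after it belong to a
# different registrable domain and are suspicious.
BRAND_HOSTS = ("update.microsoft.com",)

# Constructed sample proxy log lines (not from the original post):
# timestamp, client IP, method, URL, HTTP status.
SAMPLE_LOG = """\
2009-06-18T22:51:03 10.0.0.12 GET http://update.microsoft.com/microsoftofficeupdate/default.aspx 200
2009-06-18T22:52:17 10.0.0.31 GET http://update.microsoft.com.ijlijji.com/microsoftofficeupdate/isapdl/default.aspx?ln=en-us 503
2009-06-18T22:53:40 10.0.0.31 GET http://update.microsoft.com.il1if1.com.mx/microsoftofficeupdate/isapdl/default.aspx?ln=en-us 200
2009-06-18T22:55:09 10.0.0.44 GET http://download.update.microsoft.com/x.cab 200
"""

def refang(url):
    """Turn the defanged notation used above (hxxp:||host[.]tld) back into a real URL."""
    return re.sub(r"^hxxp", "http", url).replace(":||", "://").replace("[.]", ".")

def spoofed_brand(host):
    """Return the imitated brand hostname when `host` is `<brand>.<something>`,
    else None. Exact matches and genuine subdomains (x.update.microsoft.com)
    are not flagged."""
    host = host.lower().rstrip(".")
    for brand in BRAND_HOSTS:
        if host.startswith(brand + "."):
            return brand
    return None

def scan_proxy_log(text):
    """Return (client, host, brand) for each request to a brand-spoofing host."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        client, url = fields[1], fields[3]
        host = urlsplit(refang(url)).hostname or ""
        brand = spoofed_brand(host)
        if brand:
            hits.append((client, host, brand))
    return hits

if __name__ == "__main__":
    for client, host, brand in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} requested {host} (imitates {brand})")
```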

1 comment:

Irene said...

I received the same e-mail. As I read your post, I could escape this trojan. Thanx~