NEWS

Beware: Funniest Video Ever and Fake Microsoft Updates.

Security Alerts for 10/26/09

2009-10-26

THIS IS THE FUNNIEST VIDEO EVER!!!!!!

October 23rd, 2009

Oh brother, don’t tell me you fell for that one! All capital letters, lots of exclamation marks, the classic signs of bad news. Yeah, Halloween is around the corner and it is about time for the fake e-cards to make their rounds and the emails with links to “videos” that are not really videos at all. This happens every year.

If you receive an email purporting to be an e-card make sure it is addressed to you specifically. Make sure the email comes from someone you know. You will not get a legitimate e-card from “a friend”, “a family member”, “an admirer”, or anyone else not explicitly stated by name. Next make sure the link to the e-card points to a legitimate e-greeting site. If you don’t know then either don’t click on the link or do some research.

The next attack will be the fake video. This is the scariest, the grossest, the funniest, the freakiest… “Hey check this out” and so on. In most cases these links will either tell you that you need a video codec or start a fake scan and tell you that your computer is infected, or both.

You effectively never need a new codec; it is virtually always a scam designed to install malicious software on your computer. If you need a new codec, then download the current version of your media application and it will have the appropriate codec 99.999999% of the time.

The twist this year is the malicious emails, tweets, instant messages, and social networking site messages that come from someone you know. A lot of webmail accounts and social network accounts have been hijacked in recent times. This means that the message will come from the account of someone you know, but they won’t really be the ones who send it. If you receive a link to an e-card, a video, a song, whatever, from someone you know via Hotmail, Gmail, Yahoo mail, any web mail, or from IM or social networking sites, talk to your friend before you click on the link. Make sure it really is the person you know who deliberately sent the link and not an imposter who hijacked their account.

Watch out for Twitter this Halloween. I will be shocked if Twitter is not used extensively to send links to malicious websites. The medium is perfect for this type of abuse, and the extensive use of obfuscated URLs makes it so easy to hide the malicious links.

Finally, before you click on anything make sure your operating system is fully patched and your antivirus is current. For Windows go to http://update.microsoft.com; even if you have automatic updates turned on, it is a good idea to periodically check and make sure it is working. Automation breaks. But you are not done yet: for home users, your next stop is either http://secunia.com/vulnerability_scanning/online/ or the more thorough http://secunia.com/vulnerability_scanning/personal/ to make sure all of your other applications are fully patched. Yes, some of the websites the links point you to will infect your PC when you simply visit the site if you are not patched.

Have a safe Halloween and don’t take candy, e-cards, videos, or tweets from strangers.

Randy Abrams
Director of Technical Education

October 22nd, 2009

[Update: I notice that at about the same time that I posted this, Sophos also flagged a blog reporting a somewhat similar fake update for Microsoft Outlook/Outlook Express (KB910721). The message is a lot different and links to a different site pretending to be Microsoft's update site, but is clearly not to be trusted. So the take-home messages are (1) don't trust links in a message if you can't be dead certain it comes from the source it seems to come from: go to a known authentic URL, or use the update mechanism within Windows itself; (2) check the link below on how Microsoft really disseminates update information.]

[Update 2: Spanish speakers might like to check out ESET Latin-America's version of this blog, now at http://blogs.eset-la.com/laboratorio/2009/10/22/falsos-correos-de-microsoft-propagan-malware/. Nice that we can give them something to write about occasionally rather than vice versa!]

A trusted source (thanks, Steve!) has just sent us (among other security organizations) an example of a fake Windows update. It claims to be an out-of-cycle security update sent from Microsoft, but redirects to an executable on a site which has, of course, nothing to do with Microsoft, and which ESET products detect as Win32/Injector.ACX.

For information on what Microsoft really does when it sends information on security updates, see http://www.microsoft.com/protect/yourself/phishing/msemail.mspx?wt_svl=10233EWNa1&mg_id=10233EWNb1

From: Microsoft [mailto:team@microsoft.com] [This is spoofed, of course]
Sent: 22 October 2009 11:49
Subject: Update : DNCSKEUPXR [I'd presume that this is a randomized string, meant to foil simple filtering by subject]
Importance: High

Security update

When necessary, Microsoft provides a new security update on the second Tuesday of each month and publishes a bulletin to announce the update.
Occasionally, updates are released more often.[This is true, of course. However...]
The links below go to the latest update download.[...the link, which I've removed, is not to a Microsoft site.]

(Privat secured new link)
[removed]

Each bulletin includes links to the security updates.Microsoft has submitted a new update for all Windows OS web browsers, which brings a more stable and secure application, Internet Explorer version 7.0.195.24.
The new version has no new functionality but fixes one security vulnerability that has been classified as "high", the highest level.
Vulnerability refers to the possibility of external attacks through Internet Explorer and Outlook Express . We recommend installing the update to keep you and your system safe .[Obviously, it would be a mistake to take any of this at face value!]

Thank you, Adrian King Director of Security Assurance Microsoft Corp. [There was an Adrian King at Microsoft who was Director of Operating Systems Products: he left many years ago. Messages like this commonly cite the same job title with different names.]
IHSOHKWZMNFOKEXCNRKOOGUBQZDDJQBIOTCRIL [Presumably randomized, probably as a simple "hashbuster".] 


David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/
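The checks the two posts above recommend (is the message addressed to you by name, does the visible sender match the envelope sender, do the links really go to the claimed site, and does the message carry the randomized subject token and the "hashbuster" line seen in the quoted fake update) can be turned into a mechanical first-pass screen. The following is an added example, not code from ESET, Aperio or either author. The sample message is constructed to resemble the quoted fake update; its Return-Path, recipient address and hostnames are invented, including the deliberate lookalike host that embeds "microsoft.com" in a longer name, and the code assumes a single-part text message.

```python
"""Heuristic screen for a suspicious e-mail, following the checks in the two
posts above. Added example; not code from ESET, Aperio or the post authors.
The message below is constructed to resemble the quoted fake Microsoft
update; its Return-Path, recipient and hostnames are invented."""
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample, modelled on the quoted fake update. Every address and
# hostname here is invented for illustration; the lookalike host is deliberate.
SAMPLE_EMAIL = """\
Return-Path: <bounce@mail-relay.example.net>
From: Microsoft <team@microsoft.com>
To: <you@example.org>
Subject: Update : DNCSKEUPXR
Importance: High
Content-Type: text/plain; charset=us-ascii

Security update

When necessary, Microsoft provides a new security update on the second
Tuesday of each month and publishes a bulletin to announce the update.
Each bulletin includes links to the security updates: http://www.microsoft.com/security/
The links below go to the latest update download.

(Privat secured new link)
http://update.microsoft.com.secure-download.example.net/ie7-update.exe

Thank you, Adrian King Director of Security Assurance Microsoft Corp.

IHSOHKWZMNFOKEXCNRKOOGUBQZDDJQBIOTCRIL
"""

URL_RE = re.compile(r"https?://[^\s<>\"')]+")
CAPS_TOKEN_RE = re.compile(r"\b[A-Z]{8,}\b")


def _domain_of(header_value):
    """Domain part of the first e-mail address in a header value ('' if none)."""
    m = re.search(r"@([A-Za-z0-9.-]+)", header_value or "")
    return m.group(1).lower() if m else ""


def host_is_trusted(host, trusted):
    """True only if host *is* a trusted domain or a real subdomain of one.
    A substring or prefix test would pass the lookalike
    'update.microsoft.com.secure-download.example.net'; this does not."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def looks_random(token):
    """Cheap randomness heuristic for all-caps tokens: generated junk such as
    DNCSKEUPXR rarely repeats letters, real words and acronyms usually do."""
    return len(token) >= 8 and len(set(token)) / len(token) >= 0.7


def screen_email(raw, recipient_name, trusted=("microsoft.com",)):
    """Return a dict of findings for a single-part text message (assumed)."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    subject = msg["Subject"] or ""
    from_dom, path_dom = _domain_of(msg["From"]), _domain_of(msg["Return-Path"])

    findings = {
        # Visible From claims the trusted domain but the envelope sender does
        # not: a hint of spoofing, to be confirmed against SPF/DKIM results.
        "from_domain_mismatch": bool(path_dom) and from_dom != path_dom,
        # Not addressed to you by name (the e-card test in the first post).
        "not_addressed_by_name": recipient_name.lower() not in body.lower(),
        # Links whose host lies outside the claimed sender's domain.
        "untrusted_links": [
            u for u in URL_RE.findall(body)
            if not host_is_trusted(urlparse(u).hostname, trusted)
        ],
        # Randomized subject token, there to defeat subject-based filtering.
        "random_subject_tokens": [
            t for t in CAPS_TOKEN_RE.findall(subject) if looks_random(t)
        ],
        # A line of nothing but capitals: a hashbuster that changes the message
        # hash from copy to copy so signature-style filters miss it.
        "hashbuster_lines": [
            ln.strip() for ln in body.splitlines()
            if len(ln.strip()) >= 20 and CAPS_TOKEN_RE.fullmatch(ln.strip())
        ],
    }
    findings["suspicious"] = any(bool(v) for v in findings.values())
    return findings


if __name__ == "__main__":
    for key, value in screen_email(SAMPLE_EMAIL, "Jane Doe").items():
        print(f"{key}: {value}")
```

Two caveats for anyone using this beyond illustration: a Return-Path that differs from the From domain is common for legitimate bulk mail, so that finding is a prompt to look at the SPF/DKIM results rather than a verdict on its own; and the subject and hashbuster heuristics only catch the crude randomization seen in this sample, which is exactly why the posts tell you to verify the sender out of band rather than rely on filtering.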

All Content Copyright 2006, 2007, 2008 Aperio, Inc. | www.Aperio.cc