09 May 2011 04:07 PM
Websense Security Labs™ ThreatSeeker® network has noticed a low-volume threat circulating as a Microsoft update with a very low detection. This attack ties in almost perfectly with the release of patches on the upcoming "Patch Tuesday" from Microsoft. The attack lures the unsuspecting user into following the link provided within the email message, which evidently infects their system as it downloads a malicious executable to the user's machine. The executable (the fake patch) is being hosted on a compromised domain and at the time of writing holds an 11% detection rate as seen here on VirusTotal.
Websense customers are protected by our Advanced Classification Engine - ACE.
The email message looks quite legitimate, as the display names within the headers actually say they originate from Microsoft Canada (spoofed). Other attributes of the message include a sense of urgency with the subject: "URGENT: Critical Security Update". The body of the message is presented in two different languages (English and French): indicative of some effort being put into the creation, making it look more legitimate and targeting a larger audience. Installing the fake patch will result in an infected machine with the Zeus Trojan variant: the Trojan variant calls home to its command & control server at visitortracker.net.in .
Below we have the contents of the message together with the body.
Just as a heads up of what to expect of this "Patch Tuesday"; it's a pretty small update as Microsoft will release only two updates to patch two undisclosed vulnerabilities: a Critical update affecting MS Windows and an Important update affecting MS Office.