
Spyware poses as Microsoft® Update

Date: 06/22/2009
Author: Razvan Livintz

Creates havoc, steals data and zombifies your computer

Capitalizing on the "Downadup/Conficker lesson", which reminded (read: taught) people to keep their systems updated with the latest patches and fixes, the current malware exploits users' fears and habitual reactions when dealing with computer security.

Microsoft never sends (individual) e-mails announcing the availability of a new fix; it uses the automatic update systems integrated into the OS, namely Windows Update or Microsoft Update. The current wave of unsolicited messages bears several characteristics of the Redmond-based company's security bulletins, such as the general content and formatting, which could easily trick an inexperienced user into following the supposed update link.

[Image: Microsoft phishing e-mail]

However, upon clicking the link the user is not taken to the Microsoft portal but to a phony Web page served from a domain registered in Mexico. Clicking the download link for the alleged 80 KB Outlook/Outlook Express update in fact triggers the download of a nasty piece of spyware: Trojan.Spy.ZBot.UO.
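The two tells described above (a notice that claims to come from Microsoft yet links off-site, and a "download" that fetches a file rather than opening Windows Update) can be checked mechanically at a mail gateway. The script below is an added example, not code from the alert or from BitDefender; the e-mail body, the sender and the host names in it are constructed placeholders, not the real campaign's domain, and the list of trusted suffixes is an assumption you would tune for your own environment.

```python
"""Check whether an 'update notice' e-mail actually links to Microsoft.

Added example, not taken from the alert above. The e-mail body and sender
below are constructed to resemble the lure described; the host names are
placeholders, not the real campaign's domain.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts a genuine Microsoft notice would point at (assumption: adjust to
# whatever your mail gateway treats as first-party Microsoft domains).
TRUSTED_SUFFIXES = ("microsoft.com", "windowsupdate.com")

# The lure in the alert is a .chm; the rest are common dropper extensions.
RISKY_EXTENSIONS = (".chm", ".exe", ".scr", ".pif")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Lower-cased host part of a URL ('' if there is none)."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def is_trusted(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def analyse(html: str, sender: str) -> list:
    """Return (reason, href, host) findings for one message.

    offsite_link:           sender claims Microsoft, link goes elsewhere
    displayed_url_mismatch: visible URL text differs from the real target
    risky_download:         link ends in an executable/help-file extension
    """
    collector = LinkCollector()
    collector.feed(html)
    sender_domain = sender.rsplit("@", 1)[-1].strip("> ").lower()
    claims_microsoft = is_trusted(sender_domain) or "microsoft" in sender.lower()

    findings = []
    for href, text in collector.links:
        host = host_of(href)
        if text.lower().startswith(("http://", "https://", "www.")):
            shown = host_of(text)
            if shown != host:
                findings.append(("displayed_url_mismatch", href, shown))
        if claims_microsoft and not is_trusted(host):
            findings.append(("offsite_link", href, host))
        if href.lower().split("?", 1)[0].endswith(RISKY_EXTENSIONS):
            findings.append(("risky_download", href, host))
    return findings


# Constructed sample resembling the lure: spoofed sender, one genuine-looking
# link and one 'update' link that leaves microsoft.com and fetches a .chm.
SAMPLE_SENDER = "Microsoft Update <update@microsoft.com>"
SAMPLE_HTML = """
<p>A security update for Microsoft Outlook / Outlook Express is available.</p>
<p>Details: <a href="https://www.microsoft.com/security">Microsoft Security</a></p>
<p>Download (80 KB):
<a href="http://msft-updates.example.net/outlook/update.chm">
http://update.microsoft.com/outlook</a></p>
"""

if __name__ == "__main__":
    for reason, href, host in analyse(SAMPLE_HTML, SAMPLE_SENDER):
        print(f"{reason:24} {host:32} {href}")
```

Run as-is it reports three findings for the constructed message, all on the second link: the visible text names a Microsoft host while the real target does not, the target is off-site for a sender claiming to be Microsoft, and the file fetched is a .chm. A genuine notice would produce none, which is the point: Microsoft delivers fixes through Windows Update, not through links in mail.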

[Image: Microsoft phishing download page]

The newest member of the well-known ZBot family is disguised as an innocent-looking .CHM (on-line help) file. Upon launching, it injects code into the winlogon.exe process in order to gain access to the main services, run stealthily on the compromised machine and connect freely to the Internet.

For its spying purposes, it creates a hidden directory within the Windows\System32 folder and populates it with three encrypted files. There it stores the sensitive data it steals from the infected computer, such as login credentials, including but not limited to e-banking and e-mail authentication details and content, as well as on-line browsing history. The encrypted files also hold further configuration instructions, remote-control and spamming specifications.
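The storage pattern just described, a hidden directory in a system folder holding a few encrypted files, is one a responder can hunt for without knowing the directory or file names in advance: a file that is genuinely encrypted looks like uniformly random bytes, so its byte entropy sits close to the 8-bit ceiling, while configuration text, logs and most executables sit well below it. The scan below is an added example, not BitDefender's tooling; the 7.5-bit threshold, the sample blob and config text, and the `.stash` directory it creates for the demo are all assumptions or constructed data.

```python
"""Find hidden directories that hold random-looking (likely encrypted) files.

Added example, not from the alert. It mirrors the storage pattern described
(a hidden directory under System32 with encrypted stash files) generically:
high Shannon entropy is used as the 'looks encrypted' signal. The threshold
and the sample contents below are assumptions / constructed for the demo.
"""
import math
import os
import random
import stat
import tempfile
from collections import Counter

ENTROPY_THRESHOLD = 7.5   # bits per byte; assumption: above this = encrypted/compressed
READ_LIMIT = 65536        # bytes sampled per file


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty/constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_hidden(entry: os.DirEntry) -> bool:
    """Windows hidden attribute, or the dot-prefix convention elsewhere."""
    st = entry.stat(follow_symlinks=False)
    attrs = getattr(st, "st_file_attributes", 0)          # present on Windows only
    hidden_bit = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2)
    return bool(attrs & hidden_bit) or entry.name.startswith(".")


def classify(files: dict) -> dict:
    """Given name -> bytes, return name -> entropy for files over the threshold."""
    scored = {name: shannon_entropy(data) for name, data in files.items()}
    return {name: round(e, 3) for name, e in scored.items() if e >= ENTROPY_THRESHOLD}


def scan_directory(root: str) -> list:
    """Return [(hidden_dir, {file: entropy, ...}), ...] for hidden dirs under root."""
    findings = []
    for dirpath, _dirnames, _filenames in os.walk(root):
        try:
            with os.scandir(dirpath) as it:
                hidden = [e.path for e in it
                          if e.is_dir(follow_symlinks=False) and is_hidden(e)]
        except OSError:
            continue
        for hd in hidden:
            files = {}
            try:
                for name in os.listdir(hd):
                    path = os.path.join(hd, name)
                    if os.path.isfile(path):
                        with open(path, "rb") as fh:
                            files[name] = fh.read(READ_LIMIT)
            except OSError:
                continue
            suspicious = classify(files)
            if suspicious:
                findings.append((hd, suspicious))
    return findings


def sample_files() -> dict:
    """Constructed stand-ins: one random-looking blob, one plain config file."""
    rng = random.Random(1)
    blob = bytes(rng.getrandbits(8) for _ in range(4096))
    text = b"[settings]\nserver=update\nretry=3\n" * 100
    return {"data1.bin": blob, "readme.txt": text}


def demo_tree() -> tuple:
    """Create a temp tree with a hidden '.stash' directory holding the samples."""
    root = tempfile.mkdtemp(prefix="scan-demo-")
    stash = os.path.join(root, ".stash")
    os.mkdir(stash)
    for name, data in sample_files().items():
        with open(os.path.join(stash, name), "wb") as fh:
            fh.write(data)
    return root, stash


if __name__ == "__main__":
    # Real use on a Windows host (from an elevated shell):
    # scan_directory(os.path.join(os.environ["SystemRoot"], "System32"))
    root, _ = demo_tree()
    for hidden_dir, files in scan_directory(root):
        print(hidden_dir, files)
```

On the demo tree only `data1.bin` is reported; the config file in the same hidden directory scores far below the threshold. Entropy alone is a triage signal, not a verdict: compressed archives and packed binaries also score high, so a hit is a reason to look at the directory's creation time, owner and the process that wrote it, not a confirmation of infection.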

The high rate of spreading shows that social engineering techniques do pay off, especially in times of crisis, and that users' gullibility could lead to another malware pandemic.


user comments
I had a Windows/Microsoft security update appearing each day and noticed that it always bears the same serial number. Does this mean anything? This is when I click on the yellow shield that indicates new updates are ready to install. Do I need to worry, as my BitDefender Internet Security does not update automatically, but I do it manually (giving me an error)?
Don't these idiots that keep writing this malicious code ever get tired of being complete a_______s? I can't believe that people are dense enough to go for some of these ill-written Trojans and viruses! They don't even look official.
My friend has forwarded such an email to me.