Malicious Microsoft Security Update
October 14, 2008
Today I found a rather strange email, supposedly from Microsoft, detailing an important security update for a wide range of their operating systems. The email explained why it was being sent and urged me to install the attached security update to protect my computer from malicious software attacks.
At that point sirens and red flashing lights were going off in my head. Let’s see if my suspicion is really justified. First off, how would Microsoft know I’m using Windows as an operating system? Secondly, how would they have got my email address in the first place? The mail claims the following: “As your computer is set to receive notifications when new updates are available, you have received this notice.“
Right, that disturbs me a bit, because what it basically says is this: “You thought we only sent you notifications about updates, but in the meantime we also uploaded private information, such as your email address, to our servers“. Well, there you have it: mistake #1. If Microsoft had indeed tried to do this, it would have been publicly known on the internet. Remember the fuss about WGA a couple of years back? And by the way, the word “notifications” in itself suggests a one-way connection: the client asks Microsoft whether updates exist, Microsoft does not keep a mailing list of clients.
Let’s go on and dissect the message and the attachment some more. The so-called security update is about 33 KB in size. Yes, I know what you’re thinking, and you’re right: it is small, especially if it is supposed to contain a fix for five different OS versions dating back to 1998. That is just another clue that this is a scam.
Furthermore, Microsoft will never (and I do mean never) send out security updates as email attachments. All official updates come either from the genuine Microsoft website or from the Automatic Updates process (which, not coincidentally, connects to that same genuine Microsoft website).
And finally, the last reason why this is a scam. The attachment is named KBxxxxxx.exe, where “xxxxxx” is a number that is supposed to correspond to an article in the Microsoft Knowledge Base. The attachment I received is named “KB575544.exe”, and guess what? There is no such article. Here is a link to the nonexistent KB article.
So if you have received this mail and installed the software, you are infected with a trojan, as mentioned on Graham Cluley’s blog (at Sophos).
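The indicators above (an executable attachment whose name mimics a KB number, a message that claims to come from Microsoft yet ships an “update” as an attachment, and body text telling the reader to run the file) can be checked mechanically. The script below is an added example written for this page, not code from the original post or from Microsoft or Sophos. The sample message it parses is constructed for the example; its From address, recipient and attachment bytes are assumptions, and only the attachment name and the body sentences are taken from the mail quoted further down.

```python
"""Heuristic triage of a fake 'security update' e-mail (added example)."""
import email
import re
from email import policy
from email.message import EmailMessage

EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi"}
# Filename pattern described in the post: "KB" + six digits + ".exe"
KB_NAME_RE = re.compile(r"^kb\d{6}\.exe$", re.IGNORECASE)
RUN_INSTRUCTION_RE = re.compile(r"\brun\s+the\s+file\b", re.IGNORECASE)


def build_sample_message() -> bytes:
    """Constructed look-alike of the scam mail. The From header, recipient and
    payload bytes are assumptions for this example, not the original message."""
    msg = EmailMessage()
    msg["From"] = "Microsoft Security <security@microsoft.com>"  # assumed spoofed sender
    msg["To"] = "victim@example.net"
    msg["Subject"] = "Security Update for OS Microsoft Windows"
    msg.set_content(
        "Dear Microsoft Customer,\n"
        "Please notice that Microsoft company has recently issued a Security Update.\n"
        "1. Run the file, that you have received along with this message.\n"
    )
    # Stand-in for the ~33 KB attachment: an 'MZ' DOS header followed by padding.
    payload = b"MZ" + b"\x00" * (33 * 1024 - 2)
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename="KB575544.exe")
    return msg.as_bytes()


def build_benign_message() -> bytes:
    """Constructed control message with no attachment and no vendor claim."""
    msg = EmailMessage()
    msg["From"] = "Colleague <colleague@example.org>"
    msg["To"] = "victim@example.net"
    msg["Subject"] = "Lunch"
    msg.set_content("Noon at the usual place?\n")
    return msg.as_bytes()


def triage(raw: bytes) -> list:
    """Return (code, detail) findings for the indicators the post lists."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    sender = str(msg.get("From", "")).lower()
    claims_vendor = "microsoft" in sender

    body_part = msg.get_body(preferencelist=("plain",))
    body_text = body_part.get_content() if body_part is not None else ""
    if RUN_INSTRUCTION_RE.search(body_text):
        findings.append(("run_instruction",
                         "body tells the recipient to run the attached file"))

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        data = part.get_payload(decode=True) or b""

        if ext in EXECUTABLE_EXTENSIONS:
            findings.append(("exe_attachment", f"{name} ({len(data)} bytes)"))
        if KB_NAME_RE.match(name):
            findings.append(("kb_named_attachment",
                             f"{name} mimics a Knowledge Base article number"))
        if data[:2] == b"MZ":
            # Content check: catches executables renamed to look harmless
            findings.append(("pe_header",
                             f"{name} starts with an MZ header (Windows executable)"))
        if claims_vendor:
            # Microsoft ships updates via its website / Automatic Updates, never as attachments
            findings.append(("vendor_claim_with_attachment",
                             f"sender claims to be Microsoft and ships {name} as an attachment"))
    return findings


if __name__ == "__main__":
    for code, detail in triage(build_sample_message()):
        print(f"[{code}] {detail}")
```

The name and MZ checks are deliberately separate: the filename check reproduces the KBxxxxxx.exe clue from the post, while the header check still fires when the same payload arrives as “update.pdf.exe” or with a misleading MIME type. A mail gateway would normally refuse executable attachments outright rather than score them.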
Below is the full mail I received today (without the attachment, obviously).
Dear Microsoft Customer,
Please notice that Microsoft company has recently issued a Security Update for OS Microsoft Windows. The update applies to the following OS versions: Microsoft Windows 98, Microsoft Windows 2000, Microsoft Windows Millenium, Microsoft Windows XP, Microsoft Windows Vista.
Please notice, that present update applies to high-priority updates category. In order to help protect your computer against security threats and performance problems, we strongly recommend you to install this update.
Since public distribution of this Update through the official website http://www.microsoft.com would have result in efficient creation of a malicious software, we made a decision to issue an experimental private version of an update for all Microsoft Windows OS users.
As your computer is set to receive notifications when new updates are available, you have received this notice.
In order to start the update, please follow the step-by-step instruction:
1. Run the file, that you have received along with this message.
2. Carefully follow all the instructions you see on the screen.If nothing changes after you have run the file, probably in the settings of your OS you have an indication to run all the updates at a background routine. In that case, at this point the upgrade of your OS will be finished.
We apologize for any inconvenience this back order may be causing you.
Thank you,
Steve Lipner
Director of Security Assurance
Microsoft Corp.