Fake Microsoft security update website used to deliver Trojan horse, Sophos reports

April 08, 2005 Sophos Press Release

Experts at SophosLabs™, Sophos's global network of virus and spam analysis centres, have warned users to be on their guard against an attempt by hackers to break into their computers in the guise of a Microsoft security update.

Sophos's spam labs have intercepted an email campaign intended to direct innocent computer users to a bogus website posing as Microsoft's official website for critical security patches. However, if users follow the links in the email and try to download updates from the website, they are infected by the Troj/DSNX-05 Trojan horse, which allows hackers to take remote control of the infected PC.

Emails sent by the hackers claim to come from "Windows Update" <update@microsoft.com> and include subject lines such as "Update your windows machine", "Urgent Windows Update", and "Important Windows Update".

The body of the email claims to link to Microsoft's Windows Update site but instead links to a website under the control of the hackers:

The email message pretends to come from Microsoft.
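As an added illustration that is not part of the Sophos release, the mismatch described above can be checked mechanically: the Python below parses a constructed message of the same shape and flags a sender that claims microsoft.com while its links point elsewhere, or link text that reads as a Microsoft address while the href goes to another host. The sample message, the trusted-host list and the placeholder link target are assumptions for this example.

```python
import email
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlparse
# Hosts the real Windows Update mail could legitimately link to (assumption for this example).
TRUSTED_HOSTS = ("microsoft.com",)

class LinkCollector(HTMLParser):
    # Collects (href, visible text) pairs from every <a> in an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def is_trusted(host):
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_HOSTS)

def check_update_mail(raw):
    # Returns a list of findings for one raw RFC 822 message; empty means nothing suspicious.
    msg = email.message_from_string(raw, policy=default)
    sender_domain = msg["from"].addresses[0].domain.lower()
    html = msg.get_body(preferencelist=("html", "plain")).get_content()
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = urlparse(href).hostname
        if is_trusted(sender_domain) and not is_trusted(host):  # sender spoofs a trusted domain
            findings.append(f"sender claims {sender_domain} but link goes to {host}")
        if "microsoft" in text.lower() and not is_trusted(host):  # link text hides the real target
            findings.append(f"link text {text!r} hides target host {host}")
    return findings

# Constructed sample modelled on the campaign; the link target is a placeholder, not a real site.
SAMPLE = """From: "Windows Update" <update@microsoft.com>
Subject: Urgent Windows Update
Content-Type: text/html

<a href="http://patch-mirror.example/update.exe">http://windowsupdate.microsoft.com</a>
"""
```

A gateway filter would quarantine on any non-empty result; the same check produces no findings when the href really does resolve to a microsoft.com host.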

"This criminal campaign exploits the public's rising paranoia about the security of their Windows computers. If users fall for it they may put themselves at risk of being spied upon or having their credit card and online banking details stolen," said Graham Cluley, senior technology consultant for Sophos. "We have long recommended that computer users keep up-to-date with the latest security patches, as Microsoft vulnerabilities are often exploited by viruses, worms and hackers. But users must be very careful to be sure they are going to the official update websites, rather than just following links in emails which have been sent by hackers."

The advantages of Sophos's approach to consolidated threats are underlined by this incident. Because Sophos's anti-virus and anti-spam experts work together, customers running Sophos PureMessage had the bulk mailing intercepted at their email gateways, and had the Trojan horse blocked from executing on their desktops by Sophos Anti-Virus.

"Microsoft does not issue security warnings in this way - so users should be on their guard whenever they receive an email like this," continued Cluley. "It makes sense to keep your anti-virus and anti-spam software up-to-date, but it is also wise to practise safe computing and be wary of unsolicited communications that might lead your computer into danger."

Sophos recommends companies protect their email with a consolidated solution to thwart the virus and spam threats as well as secure their desktop and servers with automatically updated anti-virus protection.