Security news30 May 2006
Bogus Microsoft security warning leads to malware BeastPWS-C Trojan horse steals passwords from infected users
Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have warned of a spammed email campaign which claims to be security advice from Microsoft, but actually tries to encourage users to install a keylogger onto their computers.
The spammed emails, which have the subject line "Microsoft WinLogon Service - Vulnerability Issue" and purport to come from patch@microsoft.com, claim that a vulnerability has been found "in the Microsoft WinLogon Service" and could "allow a hacker to gain access to an unpatched computer".
Recipients are advised to click on a link in the email to download the patch. However, the link really points to a non-Microsoft website and initiates the download of the Troj/BeastPWS-C Trojan horse, which is capable of spying on the infected user and stealing passwords.
The spam email claims to come from Microsoft, and includes a malicious link.
When first installed the Trojan horse displays the following bogus message
Microsoft WinLogon Service successfully patched.
but is secretly logging keystrokes and sending them to an email address belonging to the hacker.
"People are slowly learning that Microsoft does not email out security fixes as attachments, but they also need to learn to be careful of blindly clicking on links to download fixes too without checking that the email is legitimate," said Graham Cluley, senior technology consultant at Sophos. "In this case, the hackers made a mistake by referring to 'Microsoft Coorp' rather than 'Microsoft Corp', but its possible that users would miss that typo in their rush to protect themselves."
Sophos recommends that users visit Microsoft's website at www.microsoft.com/security for information about Microsoft security patches.
"The hackers are playing a dangerous game, because if Microsoft finds out who is responsible for besmirching their name in this way they are likely to throw the full force of the law at them," continued Cluley. "Security is becoming a hot topic for the software giant, and they don't want malware and spam to sully the company's public image through this kind of criminal activity."
Sophos has been protecting against the Troj/BeastPWS-C Trojan horse since 12:28 GMT, Monday 29 May and has automatically updated customers.
Sophos advises that companies put in place a consolidated solution to defend against viruses, spyware and spam, and ensure that it is automatically updated as new threats emerge.
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
About Sophos
Sophos enables enterprises all over the world to secure and control their IT infrastructure. Sophos's network access control, endpoint, web and email solutions simplify security to provide integrated defenses against malware, spyware, intrusions, unwanted applications, spam, policy abuse, data leakage and compliance drift. With over 20 years of experience, Sophos protects over 100 million users in nearly 150 countries with its reliably engineered security solutions and services. Recognized for its high level of customer satisfaction and powerful yet easy-to-use solutions, Sophos has received many industry awards, as well as positive reviews and certifications.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com
