Did I Just Get a Patch or a Bug?

Sophos and Websense Security Labs report that malicious websites are distributing a new piece of malicious code disguised as a patch for a supposedly infected system. The attack lures users into downloading the code with an email dressed up as a security notice: the recipient is told that their system is infected, or has been spamming other users with infected email, and is encouraged to follow a link to receive an update or patch.

The same group that was behind the widespread July 4th attacks, which used greeting-card lures to spread, appears to be behind this campaign as well. The July 4th greeting-card run used more than 250 sites hosting a variety of malicious code, and the new sites use exactly the same JavaScript obfuscation technique and exploit code. All of the emails carry URLs that send users to a raw IP address, where the page attempts to exploit the browser if it is vulnerable. If the browser is not vulnerable the exploit code fails, but the page then tries to get the user to download a file called patch.exe by displaying the message: "If your download does not start in approximately 15 seconds click here to download." Subject lines seen so far include: a) Virus Detected!; b) Trojan Alert!; c) Worm Alert!; d) Worm Activity Detected!
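As an added example, not part of the Websense alert or the Sophos report, the following Python script turns the indicators described above into a simple mail-filter check: the four reported subject lines, links whose host is a bare IP address rather than a hostname, links that fetch an executable, and the "you are infected, here is your patch" wording, plus a separate check for the fallback download prompt on a fetched landing page. The two-indicator threshold, the sample messages, and the 192.0.2.10 address are all assumptions made for the example; the real campaign addresses are not given on this page.

```python
import ipaddress
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# Indicators taken from the alert text above: the four subject lines seen so
# far and the name of the file the landing page offers for download.
KNOWN_SUBJECTS = {
    "virus detected!",
    "trojan alert!",
    "worm alert!",
    "worm activity detected!",
}
KNOWN_DROPPER = "patch.exe"
FALLBACK_TEXT = "if your download does not start in approximately 15 seconds"

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def host_is_raw_ip(url: str) -> bool:
    """True when the URL's host is a bare IPv4/IPv6 address, not a hostname."""
    host = urlparse(url).hostname
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def body_text(msg: Message) -> str:
    """Concatenate the decoded text/plain and text/html parts of a message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                charset = part.get_content_charset() or "utf-8"
                parts.append(payload.decode(charset, errors="replace"))
    return "\n".join(parts)


def score_message(raw: str) -> dict:
    """Return the indicators matched by one RFC 822 message and a verdict."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip()
    body = body_text(msg)
    urls = URL_RE.findall(body)
    findings = []
    if subject.lower() in KNOWN_SUBJECTS:
        findings.append("subject matches a known lure")
    if any(host_is_raw_ip(u) for u in urls):
        findings.append("link points at a bare IP address")
    if any(urlparse(u).path.lower().endswith(".exe") for u in urls):
        findings.append("link downloads an executable")
    if urls and re.search(r"\b(infected|spamming|patch|update)\b", body, re.IGNORECASE):
        findings.append("claims infection or offers a patch, with a link to follow")
    # Two independent indicators is the (assumed) threshold for quarantine.
    verdict = "suspicious" if len(findings) >= 2 else "ok"
    return {"subject": subject, "urls": urls, "findings": findings, "verdict": verdict}


def score_landing_page(html: str) -> list:
    """Indicators for a fetched landing page: the fallback prompt and patch.exe."""
    lowered = html.lower()
    findings = []
    if FALLBACK_TEXT in lowered:
        findings.append("fallback download prompt present")
    if KNOWN_DROPPER in lowered:
        findings.append("offers " + KNOWN_DROPPER)
    return findings


# Constructed sample messages (not from the alert); 192.0.2.10 is a
# documentation address standing in for the real campaign IP.
LURE = """\
From: security-notice@example.com
To: user@example.org
Subject: Virus Detected!
Content-Type: text/plain

Our monitoring shows that your computer is infected and has been spamming
other users. Download the patch now: http://192.0.2.10/update/patch.exe
"""

BENIGN = """\
From: it-helpdesk@example.org
To: user@example.org
Subject: Monthly maintenance window
Content-Type: text/plain

Windows Update will install this month's patches during Tuesday night's
maintenance window. No action is needed on your part.
"""

# Constructed landing page fragment mimicking the prompt quoted in the alert.
LANDING = (
    "<html><body><script>/* obfuscated exploit would be here */</script>"
    "<p>If your download does not start in approximately 15 seconds "
    '<a href="patch.exe">click here to download</a>.</p></body></html>'
)

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("benign", BENIGN)):
        result = score_message(raw)
        print(name, result["verdict"], result["findings"])
    print("landing page", score_landing_page(LANDING))
```

The bare-IP check is the most durable of these indicators: the subject lines and file name will change from run to run, but a legitimate vendor notice never asks the user to fetch an executable from a numeric address, and a genuine Windows Update notification carries no download link at all.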

Like many campaigns, this one relies on social engineering to lure end users into unsafe behavior. Microsoft, ISPs, administrators, and other authorities will not:

1. Send an email with a link to download a patch or update
2. Send an end user an email alleging their system is infected or needs patching
3. Send an unsolicited patch, update, or program to an end user

End users should treat an unsolicited email, and especially any patch it offers, with the same discretion they would show a stranger at the door. Microsoft delivers its patches through Windows Update, and other vendors require end users to go directly to the vendor's own web site to download patches and updates.

Source: http://www.websense.com/securitylabs/alerts/alert.php?AlertID=786