Wednesday, February 20, 2008

Make sure it's really Microsoft Update


The innovation on the part of the bad guys continues to amaze. Per SC Magazine, the attackers are using a look-alike URL to steer you to a Microsoft Update impostor site. F-Secure is credited with finding the bad site, and there are lots of details on their blog.

Finnish anti-virus firm F-Secure warned Friday that a new malware-laced Microsoft Update page has appeared in the wild and is hosted on a URL that incorporates the actual Microsoft Update address – microsoft.com/cfm48 – with a period substituted for a forward slash.

The slightly modified URL takes the victim to a fake Microsoft Update “welcome” page that prominently features an urgent notice telling the visitor to install a “critical Windows XP/2000/2003/Vista update!” Install is misspelled on the bogus update page (“intall”), F-Secure reported.

An “Urgent Install” button appears in the fake notice, next to a prompt reading “Get critical update (obligatory).” Users who click on the button receive a file labeled WindowsUpdateAgent30-x86-x64.exe, which installs a trojan-dropper on the victim's PC. F-Secure said the bogus update page is a “fast flux” site and uses a wide range of IP addresses attached to the “cfm48.com” portion of the URL.

If you are a consumer, what should you do? Launch Microsoft Update (or Windows Update) yourself, and DO NOT follow an update link that arrives by email; the tool takes you to the genuine update site on its own. Then scrutinize the address bar, reading the host name from the right: the registered domain is the last two labels before the first single slash, so in the fake, “microsoft.com” is only a prefix and the site actually belongs to cfm48.com. If that right-hand part is not microsoft.com, it is not Microsoft, no matter what appears to the left of it.
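To make the address-bar check concrete, here is an added example (my code, not from this post, SC Magazine or F-Secure) that contrasts the eyeball test the fake URL is built to pass ("does it say microsoft.com somewhere?") with the test that actually matters (is the host microsoft.com or a subdomain of it?). The cfm48.com sample URLs are reconstructed from the article's description of a period substituted for a slash, not the exact hostname F-Secure published; the function names and the trusted-domain list are my assumptions.

```python
from urllib.parse import urlsplit

# The one domain the post names as legitimate. Assumption of this example:
# anything that is microsoft.com, or a subdomain of it, is the real update site.
TRUSTED_DOMAINS = ("microsoft.com",)


def normalize(url: str) -> str:
    """Address bars often omit the scheme; add one so urlsplit sees a host, not a path."""
    return url if "://" in url else "http://" + url


def host_of(url: str) -> str:
    """The host name only: no scheme, no user@ prefix, no :port, no path."""
    return (urlsplit(normalize(url)).hostname or "").lower()


def naive_looks_like_microsoft(url: str) -> bool:
    """The eyeball check the fake URL is designed to pass: 'microsoft.com' appears somewhere."""
    return "microsoft.com" in url.lower()


def is_trusted_host(url: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True only if the host IS a trusted domain or sits directly under one.

    DNS reads right to left: the registrable domain is the right-most labels,
    so in 'update.microsoft.com.cfm48.com' the owner is cfm48.com and
    'microsoft.com' is just two labels that cfm48.com's owner chose to prepend.
    The leading '.' in the suffix test keeps 'fakemicrosoft.com' out.
    """
    host = host_of(url)
    return bool(host) and any(host == d or host.endswith("." + d) for d in trusted)


# Constructed sample URLs for this example. The cfm48.com forms are
# reconstructions of the article's description (period instead of slash after
# 'microsoft.com'), not the exact hostname F-Secure published.
SAMPLES = [
    "https://update.microsoft.com/microsoftupdate/v6/default.aspx",  # genuine host
    "microsoft.com/cfm48",                      # slash: cfm48 is a path under microsoft.com
    "microsoft.com.cfm48.com/",                 # period: microsoft.com is a label under cfm48.com
    "http://update.microsoft.com.cfm48.com/",   # same trick with a longer prefix
    "http://microsoft.com@cfm48.com/",          # userinfo trick: the host is still cfm48.com
    "https://fakemicrosoft.com/",               # suffix match without the dot boundary
]


def classify(urls=SAMPLES):
    """Return (url, host, naive_verdict, real_verdict) for each URL."""
    return [(u, host_of(u), naive_looks_like_microsoft(u), is_trusted_host(u)) for u in urls]


if __name__ == "__main__":
    for url, host, naive, real in classify():
        print(f"{'OK ' if real else 'BAD'} naive={naive!s:5} host={host:28} {url}")
```

Run it and the substring test says "microsoft" for all six addresses, while the host test accepts only the two whose right-hand domain is really microsoft.com. The same rule applies when reading the address bar by eye: find the first single slash, look at the two labels immediately to its left, and ignore everything further left.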

And just be aware. That's usually the best defense.
