October 9th, 2008
Posted in Uncategorized
As most of you know, Microsoft doesn’t distribute its software updates via e-mail, although this recently received bogus message tries to convince us otherwise. It claims to be from Steve Lipner, who actually is a Director of Microsoft’s security engineering team. It even explains that the reason for the update being delivered via e-mail is to help prevent malicious software and that this is a new experimental feature. The attachment is a malicious application, so delete it immediately!
Perhaps it’s just a coincidence, but it popped up the same day as Microsoft’s official advance notification for the October security bulletin. From a social engineering viewpoint this could help lend credibility to the attack: a person who used a search engine could easily find the announcement of an upcoming update. On the other hand, they may just find our blog and this warning. I should point out that this isn’t the first time we’ve seen messages with malicious attachments pretending to be from Microsoft; they’ve been around a long time.
The message carries a fake PGP signature to try to gain credibility. The attached file uses a naming convention such as KB123456.exe, and the number can change. Running it in a sandbox environment shows that it makes HTTP requests to ulm-haafeulm-haa.com and social-bos.biz to download additional files. It modifies the registry, deletes cookies and listens on ports 6051 and 6052.
From: Microsoft High-priority update
Subject: Security Update for OS Microsoft Windows
Dear Microsoft Customer,
Please notice that Microsoft company has recently issued a Security Update for OS Microsoft Windows. The update applies to the following OS versions: Microsoft Windows 98, Microsoft Windows 2000, Microsoft Windows Millenium, Microsoft Windows XP, Microsoft Windows Vista.
Please notice, that present update applies to high-priority updates category. In order to help protect your computer against security threats and performance problems, we strongly recommend you to install this update.
Since public distribution of this Update through the official website http://www.microsoft.com would have result in efficient creation of a malicious software, we made a decision to issue an experimental private version of an update for all Microsoft Windows OS users.
As your computer is set to receive notifications when new updates are available, you have received this notice.
In order to start the update, please follow the step-by-step instruction:
1. Run the file, that you have received along with this message.
2. Carefully follow all the instructions you see on the screen.
If nothing changes after you have run the file, probably in the settings of your OS you have an indication to run all the updates at a background routine. In that case, at this point the upgrade of your OS will be finished.
We apologize for any inconvenience this back order may be causing you.
Thank you,
Steve Lipner
Director of Security Assurance
Microsoft Corp.
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1
M4XC05P4GNTSPRNX5BBJ1ZOFVQ10EHTRIEWJHPPHRF2KBFPOCSGDBDQSRN397EZUS
9464UVDHFLO91E293JVSGP3H19J7WC0YZ7IQAB094Z60CTYCNK18EE90OTSJD82UT
F3AQK5YM71P9F50XR673ZX02PMGN5K96J2NONS65ICK8DCJ45IKV6TQPQLZ6TXR4B
7280CTE7XV7JUGYTI9MBBVBLT70TNAP6BXDADC1KPWN4L1PA2SHP7SSHJG8GSCPVV
0CU2KJU20L2GCJUX821EFF8EVND7GO56640==
-----END PGP SIGNATURE-----
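Two things give the block above away even before anyone tries to verify it: a genuine ASCII-armored OpenPGP signature (RFC 2440/4880) has a blank line separating the armor headers such as “Version:” from the base64 data, and it ends the data with a CRC-24 checksum line (an “=” followed by four base64 characters). The quoted block has neither. The Python below is an added example, not code from the original post; it checks those structural properties. The fake block is the one quoted above (with the five-hyphen delimiters restored), and the “valid” block is constructed by the script itself around arbitrary bytes, so it is not a real signature packet. Passing these checks says nothing about who produced a block; only verifying the signature against a trusted key does that, which is why a signature pasted into a mail body lends no credibility on its own.

```python
import base64

# OpenPGP armor checksum (RFC 4880 section 6.1): CRC-24 with initial value
# 0xB704CE and generator polynomial 0x1864CFB, computed over the decoded data.
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB
BEGIN = "-----BEGIN PGP SIGNATURE-----"
END = "-----END PGP SIGNATURE-----"


def crc24(data: bytes) -> int:
    """Reference CRC-24 from RFC 4880."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(payload: bytes) -> str:
    """Wrap arbitrary bytes in structurally valid armor (constructed sample;
    the payload is not a real OpenPGP signature packet)."""
    body = base64.b64encode(payload).decode()
    data_lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    crc_line = "=" + base64.b64encode(crc24(payload).to_bytes(3, "big")).decode()
    return "\n".join([BEGIN, "Version: example", ""] + data_lines + [crc_line, END])


def check_armor(block: str) -> list:
    """Return the list of structural defects found; an empty list means the
    block has the shape a real armored signature has."""
    problems = []
    lines = [line.rstrip() for line in block.strip().splitlines()]
    if not lines or lines[0] != BEGIN:
        problems.append("bad BEGIN line")
    if not lines or lines[-1] != END:
        problems.append("bad END line")
    inner = lines[1:-1]
    if "" in inner:
        data_lines = inner[inner.index("") + 1:]
    else:
        problems.append("no blank line between armor headers and data")
        # base64 never contains ':', so anything with one is a header line
        data_lines = [line for line in inner if ":" not in line]
    crc_lines = [line for line in data_lines if line.startswith("=")]
    body = "".join(line for line in data_lines if not line.startswith("="))
    try:
        raw = base64.b64decode(body, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        problems.append("data is not valid base64")
        raw = None
    if not crc_lines:
        problems.append("missing CRC-24 checksum line")
    elif raw is not None:
        try:
            stated = int.from_bytes(base64.b64decode(crc_lines[-1][1:], validate=True), "big")
            if stated != crc24(raw):
                problems.append("CRC-24 checksum does not match data")
        except ValueError:
            problems.append("CRC-24 line is not valid base64")
    return problems


# The signature block quoted in the post above (the post renders the
# five-hyphen delimiters as dashes; restored to plain hyphens here).
FAKE_BLOCK = """-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1
M4XC05P4GNTSPRNX5BBJ1ZOFVQ10EHTRIEWJHPPHRF2KBFPOCSGDBDQSRN397EZUS
9464UVDHFLO91E293JVSGP3H19J7WC0YZ7IQAB094Z60CTYCNK18EE90OTSJD82UT
F3AQK5YM71P9F50XR673ZX02PMGN5K96J2NONS65ICK8DCJ45IKV6TQPQLZ6TXR4B
7280CTE7XV7JUGYTI9MBBVBLT70TNAP6BXDADC1KPWN4L1PA2SHP7SSHJG8GSCPVV
0CU2KJU20L2GCJUX821EFF8EVND7GO56640==
-----END PGP SIGNATURE-----"""

if __name__ == "__main__":
    print("quoted block:", check_armor(FAKE_BLOCK))
    print("constructed block:", check_armor(armor(b"constructed sample bytes")))
```

Run stand-alone it prints the defect list for the quoted block and an empty list for the constructed one. The check is deliberately format-only; a mail filter would use it as a cheap first pass and then hand anything that looks structurally sound to a real OpenPGP implementation for signature verification.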
While I’m on the subject of malware: we’ve been seeing the “Statement of Fees” malware campaign since August. However, in the past few hours there was a change to the payload being delivered, so the latest variant is more likely to be missed by AV software and end up in your inbox. The Trojan downloader installs AV XP 2008.
Subject: Statement of fees 2008/09
Please find attached a statement of fees as requested, this will be
posted today.
The accommodation is dealt with by another section and I have passed
your request on to them today.
Kind regards.
Heidi
Tags: malware, microsoft, trojan
April 7th, 2008
Posted in Uncategorized

Once Promising Proposals for a Final Ultimate Solution to the Spam Problem (FUSSP)
“Two years from now, spam will be solved.”
That was Bill Gates’ famous pronouncement back in 2004. Microsoft, Yahoo and the open source community devised two techniques that they believed would eradicate spam. The first was sender authentication, which allowed email senders to provide a list of the servers permitted to send email for users within their domain. The idea was that sender authentication would eliminate spammers spoofing legitimate email addresses, and allow for the creation of a permanent, ironclad white list of trustworthy domains that never send spam, thus allowing recipients to simply block everything not on the white list and end spam forever.
Another idea pitched in 2004 was the computational challenge. Senders would, upon connecting to a receiving email server, have to spend considerable CPU cycles computing the answer to a mathematical challenge provided by the receiving server. Bill Gates believed this approach would stop spam by making it cost too much to send the high volumes of email required to make spamming profitable.
Unfortunately, neither sender authentication nor the computational challenge technique resolved the spam problem. Computational challenges were rejected as being too costly for legitimate bulk email senders (airlines, banks, open source mailing lists, etc.). Sender authentication, while eventually enjoying widespread adoption in the form of DKIM and SenderID, proved prone to errors. As a result it has remained useful mostly for the acceptance of legitimate email and phishing protection rather than the rejection of spam.
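To make the sender-authentication idea concrete, here is an added Python example (not from the post, and not a full SPF implementation) that evaluates a domain’s published list of permitted sending addresses against the IP that connected to the receiving server. The records, domain names and addresses are constructed; only the `ip4`/`ip6` mechanisms and the `all` default are handled, and anything that would need a DNS lookup (`a`, `mx`, `include`, `exists`) is reported as `permerror` in this example. The third scenario in the `__main__` block shows the error-proneness the post mentions: mail legitimately forwarded through a relay the domain never listed fails exactly like a spoof does, which is why receivers ended up treating a “pass” as a positive signal rather than a “fail” as grounds for rejection.

```python
import ipaddress

# Constructed policy records for hypothetical domains (nothing is looked up in DNS).
PUBLISHED_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "soft.example": "v=spf1 ip4:198.51.100.10 ~all",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_sender_policy(record: str, client_ip: str) -> str:
    """Evaluate one published record against the IP that connected to our MTA.

    Handles the ip4/ip6 mechanisms and the 'all' default.  Mechanisms that need
    DNS (a, mx, include, exists) are out of scope here and yield 'permerror';
    a real evaluator resolves them.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # the domain publishes no policy
    client = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means 'pass' when it matches
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":
            return RESULT_FOR_QUALIFIER[qualifier]
        if mechanism in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(argument, strict=False)
            except ValueError:
                return "permerror"
            if client in network:  # an IPv4 client never matches an IPv6 network and vice versa
                return RESULT_FOR_QUALIFIER[qualifier]
            continue
        return "permerror"
    return "neutral"  # nothing matched and the record has no explicit 'all'


def check_connection(sender_domain: str, client_ip: str) -> str:
    """Look up the (constructed) record for the claimed sender domain and evaluate it."""
    record = PUBLISHED_RECORDS.get(sender_domain, "")
    return evaluate_sender_policy(record, client_ip)


if __name__ == "__main__":
    # Direct delivery from a listed server: authenticated.
    print("listed server:", check_connection("example.com", "192.0.2.25"))
    # Spoofed sender domain sent from an unlisted host: rejected.
    print("spoof:", check_connection("example.com", "203.0.113.7"))
    # Legitimate mail forwarded via a relay the domain never listed: also rejected.
    print("forwarded:", check_connection("example.com", "198.51.100.200"))
```

The forwarding case is the practical limit of the technique: the policy can only describe the servers the domain owner knows about, and every mailing list, forwarding alias or mail-hosting migration that introduces another hop turns a legitimate message into a “fail”.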
By 2005, what the anti-spam community was getting right was content filtering. Once spam filters had reached above the 90 per cent accuracy level, spam transitioned from a problem of content to a problem of volume: the spammers simply send more spam. And they can do this because the recipient pays the cost of content filtering rather than the spammer.
The cost of a resource-consuming filtering system increases during high traffic loads. If you block spam content, spammers will find new ways to get around it. Bill Gates was right: the only way to stop them is to make spam too costly to send. If you do, spammers are left to find new targets that are easier to hit.
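The computational challenge described above, as an added Python example that is not from the post: the receiving server issues a per-connection challenge, the sender has to brute-force a counter until the SHA-256 hash of challenge and counter starts with `difficulty` zero bits, and the receiver checks the answer with a single hash. The challenge format, the difficulty values and SHA-256 itself are this example’s assumptions, not the scheme Microsoft proposed. The solver returns the number of hashes it needed, which makes the cost asymmetry the post is arguing about visible: on the order of 2 to the power of `difficulty` hashes on the sending side against one on the receiving side, so the recipient stops paying for the sender’s volume.

```python
import hashlib
import os


def leading_zero_bits(digest: bytes) -> int:
    """Count the zero bits at the start of a digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def issue_challenge(recipient: str) -> str:
    """Receiver side: an unpredictable per-connection value, so work cannot be
    precomputed in advance or reused across recipients."""
    return f"{recipient}:{os.urandom(8).hex()}"


def stamp_digest(challenge: str, counter: int) -> bytes:
    return hashlib.sha256(f"{challenge}:{counter}".encode()).digest()


def solve_challenge(challenge: str, difficulty: int) -> tuple:
    """Sender side: try counters until the digest has enough leading zero bits.
    Returns (counter, attempts); attempts is about 2**difficulty on average."""
    counter = 0
    while True:
        if leading_zero_bits(stamp_digest(challenge, counter)) >= difficulty:
            return counter, counter + 1
        counter += 1


def verify_solution(challenge: str, counter, difficulty: int) -> bool:
    """Receiver side: one hash, whatever the difficulty. Malformed answers
    (wrong type, negative counter) are rejected without hashing."""
    if not isinstance(counter, int) or isinstance(counter, bool) or counter < 0:
        return False
    return leading_zero_bits(stamp_digest(challenge, counter)) >= difficulty


if __name__ == "__main__":
    # Constructed recipient address; the receiver would issue this on connect.
    challenge = issue_challenge("recipient@example.com")
    difficulty = 16
    counter, attempts = solve_challenge(challenge, difficulty)
    print(f"sender spent {attempts} hashes to find counter {counter}")
    print("receiver accepts:", verify_solution(challenge, counter, difficulty))
    # Without the work, an answer is accepted only by chance (about 1 in 2**difficulty).
    print("receiver accepts unworked answer:", verify_solution(challenge, 0, difficulty))
```

Raising `difficulty` by one bit doubles the sender’s expected work and leaves the receiver’s cost unchanged; that is the lever the post means by making spam too costly to send. It is also why the idea was unpopular with legitimate bulk senders: an airline sending a million itineraries pays the same per-message price as a spammer.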
NEXT: Post #4 Spamonomics: The Economics of Spamming
PREVIOUS: Post #2 Prohibition Induces “Botlegging”
Tags: accuracy, anti-spam, bill gates, content-filters, dkim, economics, high traffic loads, microsoft, spam, spammers, spamonomics, yahoo
January 31st, 2008
Posted in Uncategorized
This morning I checked an old Hotmail account and I was surprised to see an e-mail from Bill Gates. The From header was “Bill Gates (billgates_2008lottery@yahoo.fr)” which was a little surprising. I would have thought that Bill would be sending it from a Microsoft or at least a Hotmail address and not a competitor such as Yahoo. I put that thought at the back of my mind since I was excited to see why he was e-mailing me. Here’s the message I received:

The content of the message was in French. I put this down to the fact that Microsoft is based in Redmond, Washington which borders us here in Canada and perhaps some French Canadian influence had started to spread across the border in the USA?
After reading the e-mail, I discovered I was a winner of the “BILL GATES FOUNDATION LOTTERY FOR INTERNET EXPANSION IN AFRICA”. I realized this was quite a big deal since capitalization was used in the name! All I have to do is contact Claude Verges at the “law firm” and provide my name, address, phone, fax, e-mail and a copy of my national identity card or passport, all of which would be very useful for identity theft, so I think I’ll pass on this occasion. Sorry Bill!
Tags: bill gates, hotmail, microsoft
December 14th, 2007
Posted in Uncategorized
IBM published their mid-year report for 2007 with details related to spam and phishing attacks. It’s quite a long report so I picked out some of the points I found interesting.
There’s a synergy between spam and virus activity, since a widespread virus can turn hundreds of thousands of personal computers into spam-spewing zombies. The virus writers exploit vulnerabilities to gain control of a machine. IBM commented that “more than half of the vulnerabilities in the first half of 2007 would allow an attacker to gain access to the host after successful exploitation”. An interesting point is that the top 3 vulnerability vendors in the first half of 2007 were Microsoft, Apple and Oracle.
As part of the spam analysis they looked at the average byte size of spam. This of course correlates with the surge in attachment spam over the past couple of years in the form of images, PDFs, MP3s, etc.

They also provided a plot of the countries that host the spam websites:

Tags: apple, microsoft, Phishing, spam
December 6th, 2007
Posted in Uncategorized
Some of you may be familiar with MailChannels’ “PingedIn” service. Every night, we survey the mail servers of approximately half a million companies worldwide, using a proprietary algorithm to determine the kind of email server software they are using to receive email.
Recently I was reviewing historical data stretching back to mid-summer, when I noticed a strong trend:

The lime green line shows that there has been a 50% increase in the number of companies using Google to host their email. This is a really impressive rate of growth in what has been a fairly stagnant industry for the past few years.
Other interesting observations:
- The decline of software: more and more companies are outsourcing their edge email solution to someone else. The only exception we found to this rule was MXLogic, who appear to have lost about 5% of their customers since mid-summer (according to our data — please don’t sue us).
- The flattening of IronPort: There has been virtually no growth at all in IronPort’s installed base since they were acquired by Cisco. That said, at least they haven’t lost ground.
- Continuing high rate of churn: Not shown on the graph, but tracked by PingedIn is the rate at which companies move from one solution to another. We are continuing to see an approximately 20% annual churn rate in the email boundary market.
Now, even though Google’s growth may appear spectacular, it should be taken with a grain of salt. There are more than 17,000 sites in our database running Barracuda email appliances. Google still has just 1800. But at their current rate of growth, Google should surpass Barracuda some time in 2010. By the same token, even though there are still 42,000 Sendmail sites in our database, at its current rate of decline, Sendmail will be all but extinct in 2015.
Okay, 2015 is a really long way away. Sendmail is going to be with us until the end of time.
Tags: barracuda, exchange, google, ironport, messagelabs, microsoft, postfix, postini, sendmail