Experts at SophosLabs, Sophos’s global network of virus, spyware and spam analysis centres, have warned of a spammed email campaign which claims to be security advice from Microsoft, but actually tries to encourage users to install a keylogger onto their computers.
The spammed emails, which purport to come from firstname.lastname@example.org, claim that a vulnerability has been found ‘in the Microsoft WinLogon Service’ and could ‘allow a hacker to gain access to an unpatched computer’.
Recipients are advised to click on a link in the email to download the patch. However, the link really points to a non-Microsoft website and initiates the download of the BeastPWS-C Trojan horse, which is capable of spying on the infected user and stealing passwords.
When first installed the Trojan horse displays a bogus message, which reads: ‘Microsoft WinLogon Service successfully patched’. In actual fact, the malware is secretly logging keystrokes and sending them to an email address belonging to the hacker.
“People are slowly learning that Microsoft does not email out security fixes as attachments, but they must also learn to be careful of blindly clicking on links to download fixes without checking that the email is legitimate,” said Graham Cluley, senior technology consultant at Sophos. “In this case, the hackers made a mistake by referring to ‘Microsoft Coorp’ rather than ‘Microsoft Corp’, but it’s possible that users would miss that typo in their rush to protect themselves.”
Sophos recommends that users visit Microsoft’s website at www.microsoft.com/security for information about Microsoft security patches.
“The hackers are playing a dangerous game, because if Microsoft finds out who is responsible for besmirching its name, it’s more than likely to throw the full force of the law at them,” continued Cluley. “Security is becoming a hot topic for the software giant, and it doesn’t want malware and spam to sully its public image through this kind of criminal activity.”
Sophos has been protecting against the BeastPWS-C Trojan horse since 12:28 GMT, Monday 29 May, 2006 and has automatically updated customers.
Sophos advises that companies put in place a consolidated solution to defend against viruses, spyware and spam, and ensure that it is automatically updated as new threats emerge.