News
'Experimental' Security Fix is Malware, Microsoft Says
Redmond warns of phoney e-mails claiming to include Windows security alerts.
By Robert McMillan, IDG News Service (San Francisco Nureau)
October 14, 2008 — CSO —
Scammers are sending out phoney e-mails that claim to include critical Windows security alerts, Microsoft warned Monday.
The fake alerts describe themselves as part of a new "experimental private version of an update for all Microsoft Windows OS users," Microsoft said in a note on the scam, posted Monday.
The e-mails then instruct the victim to download an attachment, which is actually a malicious Trojan Horse program known as Win32/Haxdoor. This software records sensitive information such as passwords and credit card numbers and sends this data back to the attackers who are running the scam.
The malware is detected by antivirus programs as well as Microsoft's free Microsoft Malicious Software Removal Tool (MSRT).
The warning comes the day before Microsoft is set to deliver 11 genuine security fixes. These updates, due Tuesday at around 10 a.m. Pacific include critical security updates for Windows Active Directory, Internet Explorer, Excel and the Microsoft Host Integration Server.
But they will be delivered via Microsoft's standard automated update tools. Major software vendors such as Microsoft simply do not distribute security patches via email.
"As a matter of company policy, Microsoft will never send you an executable attachment," wrote Microsoft spokesman Christopher Budd in a blog posting on the scam. "If you get an e-mail that claims to be a security notification with an attachment, delete it. It is always a spoof."
Microsoft does, however, send out security notification emails to customers who have asked to be told whenever patches are released or updated. These emails are in plain text and never contain any sort of attachment, Budd said.
Users who have doubts about any security notification email they've received can go to Microsoft's TechNet security Web site, which contains the same information as its e-mail notifications.
Other stories by Robert McMillan
Data Center Directions Virtual Conference
Attend this free, 100% online event exploring tools and techniques for making your data center deliver for today and tomorrow.
The Surest Path to Effective and Efficient Compliance
In this webcast, we explore why and how — with best practices, practical tips and solutions that work — to ease your compliance challenge.
- Make Compliance Regulations an Ally Not an Enemy
- Protecting Sensitive and Confidential Information with Endpoint Security
- Endpoint Security: Compliance at the Endpoint
- Revolutionizing Endpoint Security with a Single Agent
- Data Protection: Challenges for the Traveling User
- View Gartner Video: Best Practices on Web Application Security
- Unlock the Power of Device ID to Combat Online Fraud and Abuse
- Network Security Services: Outsourcing considerations for maximizing network protection
- File Integrity Monitoring: Secure Your Virtual and Physical IT Environments
- Configuration Assessment: Choosing the Right Solution
- IT Service Management: Metrics That Matter
- Effective Security with a Continuous Approach to ISO 27001
Get instant notifications when whitepapers, webcasts and case studies are added
to our library. Sign up for a Resource Alert now!
CSO Corporate Partners
CSO Executive Seminar on Application Security
-
January 29, 2009New York, New YorkRegister now »
-
February 25, 2009San Francisco, CaliforniaRegister now »
(ISC)2 members can earn up to 6 CPE Credits
Reference priority code ONLINE and attend this program as our guest — that's a $295 savings!
