With a Trojan HorseAn official Microsoft security update designed for Internet Explorer infects Windows computers with malware. According to security company Symantec, an original IE patch is used as an incentive for potential victims to download and deploy malicious code on their machines. Spammed emails, masquerading as Microsoft Security Bulletins claim to offer a patch for Internet Explorer. That is not the case, explained Vikram Thakur, Symantec Security Response Engineer. The email either contains an attachment or delivers the link to the malicious download, and urges users to update immediately. In order to throw suspicious users off track, an official Microsoft update is included in the download.
"The installer distributed via this spam message did indeed include an original Windows patch distributed publicly by Microsoft. However, that wasn't the only file in the archive. If one tried to run the executable, in addition to the digitally signed patch, another piece of malware was installed on the host computer. This file is detected by us as Downloader. It in turn downloads and installs a Browser Helper Object (BHO) for Internet Explorer. This BHO is loaded whenever one runs Internet Explorer and makes contact with third-party hosts. A simple lookup of this site on your favorite search engine shows that this site name has been used by malicious applications several times in the recent past," Thakur revealed.
There are a few erroneous pieces of information included in the message of the email that will alert an astute user. First off, the update claims to have originated on September 9, 2007. This date, while in the proximity of the actual Microsoft monthly patch cycle, should have coincided with September 11 in order to be accurate. Additionally, not only does MS06-602 not exist, but security bulletins for 2007 start with MS07, while the MS06 is a reference of the past year. And finally, in September, Microsoft did not release any security patches for Internet Explorer. Users should exercise caution with all emails claiming to come from Microsoft, and to offer updates and patches.