The past few days have brought another mid-sized spam wave impersonating update reminders for the Windows operating system. Piggybacking on the "keep your system patched" message that anti-malware vendors have spent years promoting, cyber-crooks are now serving Windows users what look like OS updates but turn out to be rigged with malware.
While most spam campaigns use sloppy text that often makes no sense to a native English speaker, this time the cyber-crooks invested real effort in giving this social engineering attack a touch of "authenticity". This particular wave of messages can easily mislead the untrained eye of a user who is expecting an operating system update.
For instance, the first and the last part of the message body are copy-pasted from the official Microsoft site; the sender's address looks trustworthy; and the wording is remarkably good compared to the quality of many spam waves composed by non-English-speaking attackers.
Pic1. Fake critical security patch notification
The giveaway lies in the specifications listed under the Quick Details section, which mean little or nothing to an inexperienced user. It would therefore be no surprise if people fell into the trap and clicked the link that leads to malware, fully convinced that they are installing a software update for their OS.
Rather than bundling a malicious attachment, which a corporate mail gateway or firewall can easily filter out, the e-mail carries a link that, when clicked, leads to a piece of malware identified by BitDefender as Trojan.Agent.ARVQ. This is a UPX-packed dropper distributed as a .rar archive; it writes three files (termsrv.dll, java.reg and core.vbs) into %system32%. The fake termsrv.dll replaces the original one in %system32%, while the core.vbs script sets several registry keys as instructed by the java.reg file. The patched termsrv.dll and these registry keys serve a single purpose: allowing multiple parallel Remote Desktop connections (sessions) on the infected Windows XP machine, which normally permits only one interactive session at a time.
Once this concurrent Remote Desktop access is in place, Trojan.Agent.ARVQ connects to http://19[removed]1/ip.php (a legitimate site tampered with by the cyber-crooks) and reports the IP address of the infected machine. It then creates an individual username and password for each infected PC and adds this unauthorized account to the local Administrators group. From that point on, the remote attackers have everything they need to log into the compromised systems over Remote Desktop without disturbing the legitimate user.
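The behaviour described above leaves artifacts an administrator can look for: two dropped files in %system32%, a replaced termsrv.dll, registry values that enable concurrent Remote Desktop sessions, and an extra local administrator. The following PowerShell check is an added example for this article, not code from BitDefender or from the malware analysis. The article does not list the registry values java.reg sets, so the three values checked here (fDenyTSConnections, EnableConcurrentSessions, AllowMultipleTSSessions) are an assumption based on how publicly known concurrent-session termsrv.dll patches work; the known-good termsrv.dll hash and the list of expected administrators are supplied by the operator from a clean reference machine of the same Windows build.

```powershell
# Added example (not from the original article or from BitDefender).
# Looks for the host artifacts the article attributes to Trojan.Agent.ARVQ.
# Assumptions not stated by the article: the registry values below are the
# ones used by public concurrent-RDP termsrv.dll patches, and the caller
# provides a trusted SHA-256 of termsrv.dll plus the expected admin list.
function Test-ArvqIndicators {
    param(
        [Parameter(Mandatory)] [string]   $KnownGoodTermsrvSha256,
        [Parameter(Mandatory)] [string[]] $ExpectedAdmins
    )
    $findings = New-Object System.Collections.Generic.List[string]
    $sys32 = Join-Path $env:SystemRoot 'System32'

    # 1. Dropped files named in the article.
    foreach ($name in 'java.reg', 'core.vbs') {
        $path = Join-Path $sys32 $name
        if (Test-Path -LiteralPath $path) { $findings.Add("dropped file present: $path") }
    }

    # 2. Has termsrv.dll been replaced? Compare against a baseline hash from a
    #    clean machine rather than an embedded Authenticode signature, which
    #    catalog-signed system DLLs do not carry.
    $termsrv = Join-Path $sys32 'termsrv.dll'
    $hash = (Get-FileHash -LiteralPath $termsrv -Algorithm SHA256).Hash
    if ($hash -ne $KnownGoodTermsrvSha256.ToUpper()) {
        $findings.Add("termsrv.dll SHA-256 differs from baseline: $hash")
    }

    # 3. Registry values that enable (concurrent) Remote Desktop sessions.
    #    'Bad' is the value the concurrent-session patches set.
    $checks = @(
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
           Name = 'fDenyTSConnections';       Bad = 0 },
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core'
           Name = 'EnableConcurrentSessions'; Bad = 1 },
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
           Name = 'AllowMultipleTSSessions';  Bad = 1 }
    )
    foreach ($c in $checks) {
        $value = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        if ($null -ne $value -and $value -eq $c.Bad) {
            $findings.Add("$($c.Path)\$($c.Name) = $value")
        }
    }

    # 4. Members of the local Administrators group that are not expected.
    #    ADSI is used instead of Get-LocalGroupMember so the check also runs
    #    on older PowerShell versions.
    $group = [ADSI]'WinNT://./Administrators,group'
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $memberName = $m.GetType().InvokeMember('Name', 'GetProperty', $null, $m, $null)
        if ($ExpectedAdmins -notcontains $memberName) {
            $findings.Add("unexpected local administrator: $memberName")
        }
    }

    if ($findings.Count -eq 0) { 'no ARVQ indicators found' } else { $findings }
}

# Usage (run elevated). The hash and the admin list are placeholders for the
# values taken from this organisation's clean reference build.
# Test-ArvqIndicators -KnownGoodTermsrvSha256 '<sha256 of clean termsrv.dll>' `
#                     -ExpectedAdmins 'Administrator', 'Domain Admins'
```

Each finding on its own is only a hint: fDenyTSConnections set to 0 merely means Remote Desktop is enabled, and an unlisted administrator may be a legitimate account missing from the baseline. The combination the article describes (replaced termsrv.dll, concurrent-session values, a freshly created administrator, and the two dropped files together) is what points to this infection and should trigger a full incident response rather than a quick clean-up.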
Losing control of the system is critical and such a threat should not be taken lightly. However, if the user follows a few simple steps, such social engineering attacks will stand no chance at all:
This article is based on the technical information provided courtesy of Doina Cosovan, BitDefender Virus Analyst.
All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.
A blend of product manager and journalist with a pinch of e-threat analysis, Loredana writes mostly about malware and spam. She believes that most errors happen between the keyboard and the chair.