Fake Windows

Fresh on the trails of a new zero-day Windows


They say that the road to hell is paved with good intentions. True, but the saying must be slightly adjusted to go with our story: it’s actually a mix of apparently good intentions and users’ absentmindedness. This is the story of patches getting into the spotlight.

The advice to install updates and patches is, in a way, the underdog of online safety guides: it never ranks very high on the list, and as an actor on the e-threat fighting scene its chances of winning an Oscar are quite slim. It definitely (and, somehow, understandably) gets overshadowed by advice on safe online banking, for instance, because it does not have “money loss” written all over it. It’s like the small print that you never read, although you should, unless you really like surprises, especially the ones that hurt.

The rule says that you should activate the automatic update download option in the software that you use, or otherwise download updates, patches or fixes from the official web site of that specific application’s manufacturer. In this case it’s a Windows® operating system patch, so most probably all users have to do is click the Windows® Update notification icon and allow the automatic installation.

If their automatic update option is disabled, the official Microsoft® website is the alternative recommended download source. So what’s the problem, after all? It’s KNOWING that updates and patches are not delivered through e-mails with embedded links, as in the example below.

The text of the spam message used in this scheme is built according to the highest social engineering standards. First, mention a convincing issuing authority: “Microsoft’s security team”. Check. Second, add panic and terror: “[…] a new zero-day flaw that exposes Windows users to blue-screen crashes or code execution attacks”. Check. Reassure the poor mortals that they will be safe, after all (this is where the 34 holes do their trick) and give them not one, but TWO patch download links. Add the aura of verisimilitude created by the officially acknowledged vulnerability and you’ve got the winning formula.


Fig 1. The spam e-mail promoting the complex patch and two nasty links


If you try to directly download the patch by accessing the win.exe embedded link, you’ve got yourself a nice spamming bot, identified by BitDefender as Trojan.SpamBot.CAL. Once installed, this little wonder provides a remote user with control over the victim’s computer, which is transformed into a true spam machine spreading unsolicited e-mails through the SMTP server of Yahoo!®.

If it takes you a second try to get the coveted patch and you access the other embedded link, then you’ll be fitted with a downloader, baptized by BitDefender as Trojan.Downloader.Agent.ABFG, which will try to bring all sorts of malicious friends over.
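The rule stated earlier (real updates arrive through Windows Update or the Microsoft site, never through links in an e-mail) and the two download links described above can be turned into a simple mail-triage heuristic. The script below is an added illustration written for this page, not BitDefender’s or the article author’s code: it extracts the URLs from a message, flags links that point at executables or at hosts outside a small allowlist of official Microsoft update domains, and reports the message as suspicious when such links appear together with “security patch” lure wording. The two sample messages and the `.example` domains in them are constructed; the allowlist is an assumption you would extend for your own environment.

```python
"""Triage heuristic for "fake security patch" e-mails.

Added example, not code from the article or from BitDefender. It models the
article's advice: genuine Windows updates come through Windows Update or the
Microsoft site, not through links in e-mail. The sample messages below are
constructed and their domains are placeholders, not the real campaign's hosts.
"""
import re
from urllib.parse import urlparse

# Assumption: a small allowlist of hosts Microsoft distributes updates from.
OFFICIAL_UPDATE_HOSTS = {"microsoft.com", "windowsupdate.com"}

# Wording typical of a "patch now" lure (taken from the spam text quoted in the article).
LURE_TERMS = ("patch", "zero-day", "security team", "code execution", "blue-screen")

# File suffixes that should never be the target of a link in a "patch" e-mail.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".msi", ".bat")

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


def is_official_host(host: str) -> bool:
    """True if host is an allowlisted domain or a subdomain of one."""
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in OFFICIAL_UPDATE_HOSTS)


def triage_message(body: str) -> dict:
    """Return lure terms found, per-link findings and an overall verdict."""
    text = body.lower()
    lure_hits = [term for term in LURE_TERMS if term in text]
    findings = []
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        path = parsed.path.lower()
        reasons = []
        if path.endswith(EXECUTABLE_SUFFIXES):
            reasons.append("link points at an executable")
        if not is_official_host(host):
            reasons.append("host is not an official Microsoft update source")
        if reasons:
            findings.append({"url": url, "reasons": reasons})
    # Lure wording alone is not enough (a legitimate reminder may mention patches);
    # the combination with a bad link is what marks the message as a fake-patch lure.
    return {
        "lure_terms": lure_hits,
        "links": findings,
        "suspicious": bool(lure_hits) and bool(findings),
    }


# Constructed sample modelled on the spam described in the article (placeholder hosts).
SAMPLE_SPAM = """From: Microsoft's security team
Subject: Critical Windows patch

A new zero-day flaw exposes Windows users to blue-screen crashes or code execution attacks.
Download the patch now: http://patch-mirror.example/win.exe
Alternate download: http://update-files.example/patch_installer.exe
"""

# Constructed benign reminder: mentions patches but links only to an official host.
SAMPLE_LEGIT = """Reminder from IT: install this month's patches through Windows Update
(see https://www.microsoft.com/ for details). Do not install patches sent by e-mail.
"""

if __name__ == "__main__":
    for name, body in (("spam", SAMPLE_SPAM), ("legit", SAMPLE_LEGIT)):
        verdict = triage_message(body)
        print(name, "suspicious" if verdict["suspicious"] else "ok")
        for link in verdict["links"]:
            print("  ", link["url"], "->", "; ".join(link["reasons"]))
```

The allowlist check is deliberately suffix-based on the hostname, so `www.microsoft.com` passes while a look-alike such as `microsoft.com.example` does not; in a real mail gateway you would also resolve redirectors and inspect the final download rather than trusting the visible link text.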

Until our next e-hazard discovery, stay safe and surf wisely!

This article is based on the technical information provided courtesy of Sabina Datcu and of Iulian Muntean, BitDefender Virus Researchers.

All product and company names mentioned herein are for identification purposes only and are the property and may be trademarks of their respective owners.

About the author

Ioana Jelea

Ioana Jelea has a disturbing (according to friendly reports) penchant for the dirty tricks of online socialization and for the pathologically mesmerizing news trivia. From gory, though sometimes fake, death reports to nip slips and other such blush-inducing accidents, her repertoire is an ever-expanding manifesto against any Victorian-like frame of thought that puts a strain on online creativity. She would like to keep things simple, but she never does.