Fake Update for Microsoft Outlook/Outlook Express (KB910721)
On the 22nd June I posted about the importance of securing the human element in an organization, and in that same week the universe, or more correctly cyberspace, decided to provide a real-world example of some of the points that I raised.
There was an email being circulated about an update supposedly released by Microsoft for Outlook and Outlook Express. The email shown in Figure 1 looks pretty legitimate: it shows a KB number which actually exists and is indeed an update for Microsoft Outlook, and it offers a hyperlink that seems to point to update.microsoft.com, which is the domain one expects to visit for actual Microsoft patches. However, despite looking legitimate, the email is fake, and clicking the link downloads malware instead.
While this email looks pretty convincing, there are a number of items that show it for what it really is. For starters, we have the timing. Microsoft releases patches on a specific schedule, mainly on the second Tuesday of the month, the so-called Patch Tuesday. This email, however, shows a publishing date of 24th June. Granted, Microsoft does issue updates from time to time outside the second-Tuesday schedule, but this happens in very urgent cases only, and you can rest assured that you will hear about the issue long before you see the patch when that happens.
Another, more revealing, aspect of this deception is the delivery vector. Unless one subscribes to update notifications, Microsoft will not know your email address, and even if they did, you can rest assured that they will not email you without your permission. I often see emails promising that Microsoft will pay 2c each time an email is forwarded, and other types of emails which suggest that Microsoft is an all-knowing, omnipotent entity. While they are indeed a big corporation, they aren’t all-knowing (if they were, would we have updates in the first place?). It is therefore easy to deduce that they do not in fact know everyone’s email address, and so one should be very wary when confronted with an email which pretends to come from Microsoft, or anyone else really, unless one has subscribed to such emails.
The third, and perhaps most revealing, clue comes from investigating the link itself. In HTML a link has two parts – the actual destination and the text that is displayed. In more technical terms, a link in HTML (which is the language used to generate said email) looks as follows: <a href="actual link">link displayed</a>. The actual link pointing to a resource and the text displayed describing that link can differ; the idea behind this was to let people display a simplified version of a link, or even a title, instead of the whole complex link. Unfortunately this can also be used to manipulate people into believing that they are going to a particular link when in fact they are going to another.
If we analyze the link in this email we see that this is the case here: <a href="http://update.microsoft.com.il1ilf.com.mx/microsoftofficeupdate/…">http://update.microsoft.com/microsoftofficeupdate/…</a>.
What does this tell us? The malicious person wanted us to believe that the link points to update.microsoft.com when in fact it points to update.microsoft.com.il1ilf.com.mx; the real host is il1ilf.com.mx and "update.microsoft.com" is merely a subdomain label chosen to mislead. Clearly a fake.
Luckily most email clients as well as browsers have long recognized this deception technique, so if you hover over the link without clicking, the real destination is displayed as a tooltip or in the status bar, as shown in Figure 2.
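The two checks described above, the Patch Tuesday timing and the mismatch between a link's displayed text and its real href, can both be automated on the defender's side. The following script is an added example and not part of the original post: it computes the second Tuesday of a month so a claimed publishing date can be compared against it, and it parses an HTML mail body to flag anchors whose displayed text names a different host than the href, or whose host merely embeds a trusted domain name (such as microsoft.com) without actually being under it. The sample HTML fragment and the `TRUSTED_DOMAINS` list are constructed for the example; the path after microsoftofficeupdate/ is omitted in the post, so a placeholder is used.

```python
import calendar
import datetime as dt
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the style of the fake KB910721 mail (not the original
# message). The displayed text claims update.microsoft.com while the real
# href points at a look-alike host; the second link is a legitimate one.
SAMPLE_EMAIL_HTML = """
<p>A new update KB910721 is available. Download it here:
<a href="http://update.microsoft.com.il1ilf.com.mx/microsoftofficeupdate/PLACEHOLDER">http://update.microsoft.com/microsoftofficeupdate/PLACEHOLDER</a></p>
<p>Read the <a href="http://support.microsoft.com/kb/910721">KB910721 article</a>.</p>
"""

# Assumed list of domains a look-alike host might try to impersonate.
TRUSTED_DOMAINS = ("microsoft.com",)


def second_tuesday(year: int, month: int) -> dt.date:
    """Date of Patch Tuesday (the second Tuesday) for the given month."""
    first = dt.date(year, month, 1)
    # Days from the 1st to the first Tuesday (weekday(): Monday=0, Tuesday=1).
    offset = (calendar.TUESDAY - first.weekday()) % 7
    return first + dt.timedelta(days=offset + 7)


def is_patch_tuesday(year: int, month: int, day: int) -> bool:
    """True if the claimed publishing date is that month's Patch Tuesday."""
    return dt.date(year, month, day) == second_tuesday(year, month)


class LinkCollector(HTMLParser):
    """Collect (href, displayed text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Lower-cased host of a URL; bare text without a scheme is treated as http."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def link_findings(html: str, trusted=TRUSTED_DOMAINS):
    """Return [(href, text, [reasons])] for links that look deceptive."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real_host = host_of(href)
        reasons = []
        # Displayed text that itself looks like a URL must name the same host.
        looks_like_url = "." in text and " " not in text
        if looks_like_url and host_of(text) != real_host:
            reasons.append(f"displayed host {host_of(text)} differs from real host {real_host}")
        # A trusted name appearing inside the host but not as its suffix is a look-alike.
        for dom in trusted:
            under_dom = real_host == dom or real_host.endswith("." + dom)
            if dom in real_host and not under_dom:
                reasons.append(f"host embeds {dom} but is not under it")
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    print("24 June 2009 is Patch Tuesday:", is_patch_tuesday(2009, 6, 24))
    for href, text, reasons in link_findings(SAMPLE_EMAIL_HTML):
        print(f"SUSPICIOUS: {text} -> {href}")
        for r in reasons:
            print("   ", r)
```

Run stand-alone, the script reports that 24 June 2009 was not Patch Tuesday (it fell on 9 June) and flags only the first link, with both reasons; the support.microsoft.com link passes because its host really is under microsoft.com. The same `link_findings` routine can be fed the HTML part of any incoming message by a mail gateway or a triage script.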
So what happens if one were to click on the link? The link downloads a malicious file of 81 KB. The malware in question was submitted to VirusTotal for analysis and the results are shown here: http://www.virustotal.com/analisis/988e317ff5b4698910d80369472ac922752636de136a040a4a6e25fc0fdaa2e8-1245699634
The malware appears to be a Zbot variant. What does this mean? Zbot is a Trojan and as such it is mostly used to steal login details and passwords, including banking details. It can also give the perpetrator full control of the system, who can then further compromise it and possibly gain access to the rest of the network using the compromised machine as a stepping stone.
What can be done to reduce the risk posed by these attacks?
First and foremost, ensure that your network is protected against viruses and Trojans. This is achieved by having an email solution that detects these malicious emails and blocks them, preventing them from reaching the users. Next in line is educating users, backed by policies on software installation; these should also cover patches and updates. Finally, it is important that your workstations are protected by an antivirus solution. This is your last line of defense: if the email does reach the end user, and s/he clicks on it and tries to install the malware, then you certainly want an antivirus solution to detect that and stop it.
As with everything in security, it is always a decision based on how well you want to secure yourself. The above is what I would personally consider to be the bare minimum. Further steps would include having a disaster recovery plan in place that deals with Trojan and virus infections. An effective backup strategy and a centralized storage system for documents and source code would also ensure a higher degree of safety, by allowing an infected machine to be reinstalled instead of attempting to salvage data and thereby prolonging exposure. And finally, keeping images of workstations can get a system up and running quite quickly too.
In conclusion, policies and user education, together with appropriate antivirus protection, can help in preventing these types of dangers, and as with everything else, prevention is better than cure.
nice catch …social engineering keeps showing its head …..very easy to misinterpret this for a valid email…95% of users wouldn’t have a clue….
…takes me back to the great old days of I Love You, nimda, klez….
ahh…nostalgia
Hi,
If I clicked on it previously, what can I do about it now to solve or rectify the issue?
Thanks!
Hi Tina,
First step is to verify if you were infected and, if that’s the case, with what malware. Best way to achieve this is to virus scan your machine (ensure you have the latest virus definition files) and if you still have the file you downloaded, try submitting it to virustotal (http://www.virustotal.com/) or a similar service to verify what kind of malware (if any) it is that you might have installed.
If you do not have an antivirus solution but the issue is on your private home system consider using a free anti-virus solution such as AVG (http://free.avg.com/); if it’s not for private use maybe you can use an online anti-virus scan such as that offered by Kaspersky (http://www.kaspersky.com/virusscanner) – it will not clean the infection but at least it should detect it and tell you what it is. Once you know what infection, if any, you are dealing with, you can then decide your next steps. If an infection is confirmed try to limit your machine interaction with your network to prevent the virus from spreading as much as possible.
If you need further help do not hesitate to post more information about what infection we’re dealing with and we can go on from there. Hope this helps and good luck!
Excellent post – luckily I googled the information on the e-mail I received and found your excellent analysis.
I am always cautious about attachments and downloads of any kind as well as phishing attacks. I downloaded a trojan once and all my keystrokes were picked up by an attacker in the Midlands area of the UK; it was during the last World Cup and I was almost caught “off guard”. He managed to take several thousand pounds out of my online bank account, but I was able to get the bank involved in time and the money was re-credited to my account. The online banking systems are fortunately more robust these days and cannot be breached by knowledge of passwords only…
I am a private investigator by the way and despite a good knowledge of the net and its threats I can still get caught out!
Be careful out there!
regards,
Kevin Regan.
Hi Kevin,
Thanks a lot for sharing your cautionary tale with us. You’re right of course; even when you know what to look out for, it’s possible to fall victim at times through no fault of your own, especially when attacks make use of software vulnerabilities to trigger without any user interaction at all. And unfortunately criminals have found numerous ways to steal in the digital age. In fact I wrote a series about this very subject – if you, or anyone else for that matter, want to check it out, it’s called 21st Century Heists and can be accessed in these 3 installments:
http://www.gfi.com/blog/21st-century-heists-part-1/
http://www.gfi.com/blog/21st-century-heists-part-2/
http://www.gfi.com/blog/21st-century-heists-part-3/
Also on the subject is an article on how to protect your business from social engineering attacks:
http://www.gfi.com/blog/security-human-element/
Thanks again for your post