Trojan Horse Rides in on Fake Windows Update
04/11/05 9:08 AM PT
As computer users get more sophisticated, so too do the schemes to ensnare them. Security company Sophos warned Friday that a bogus Web site, set up to look like the Microsoft Windows Update page, was luring Windows users into downloading a Trojan horse.
The scammers sent e-mails with subject lines such as "Urgent Windows Update," "Update your windows machine" and "Important Windows Update." The e-mails encouraged people to update their Windows software immediately and included the link to the bogus site.
Windows Quarterly Updates
Microsoft does not notify users of updates through e-mails, but it is believed that the messages may have been timed to take advantage of Microsoft's scheduled quarterly updates, which will be released tomorrow.
"More and more users are realizing that unsolicited e-mail attachments can be malicious, and so the technique used in this instance is to not have an e-mail attachment but to link to a bogus Web site instead, rather like a phishing attack," Graham Cluley, Sophos senior engineer, told TechNewsWorld.
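The lure described above combines two signals a mail filter can check for: a subject line posing as a Windows update notice, and a link whose host is not the vendor's own domain. The following Python script is an added example, not code from the article or from Sophos; the three sample messages, the `.invalid` hostnames and the `microsoft.com` allow-list are constructed assumptions for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample messages (not from the article): one lure with an
# off-vendor link, one unrelated newsletter, one update notice that only
# links to the vendor's own site.
SAMPLE_MESSAGES = [
"""From: updates@mailer.example.invalid
Subject: Urgent Windows Update
Content-Type: text/plain

Update your Windows software immediately: http://windowsupdate.example.invalid/update.exe
""",
"""From: newsletter@example.invalid
Subject: Weekly digest
Content-Type: text/plain

Read this week's posts at https://blog.example.invalid/digest
""",
"""From: it-helpdesk@corp.example.invalid
Subject: Important Windows Update
Content-Type: text/plain

Release notes are published at https://www.microsoft.com/ as usual.
""",
]

# Subject phrasings taken from the article's reported lures, matched loosely.
UPDATE_SUBJECT = re.compile(r"windows\s+(update|machine)|update your windows", re.IGNORECASE)
URL_PATTERN = re.compile(r"""https?://[^\s<>"']+""")
# Assumed allow-list of domains from which a genuine update link may come.
TRUSTED_SUFFIXES = ("microsoft.com",)


def is_trusted_host(url):
    """True if the URL's hostname is the trusted domain or a subdomain of it."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == suffix or host.endswith("." + suffix) for suffix in TRUSTED_SUFFIXES)


def analyze_message(raw):
    """Flag a message whose subject claims to be a Windows update while its
    body links to a host outside the trusted domain."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    body = msg.get_payload() if not msg.is_multipart() else ""
    urls = URL_PATTERN.findall(body)
    lure_subject = bool(UPDATE_SUBJECT.search(subject))
    untrusted = [u for u in urls if not is_trusted_host(u)]
    return {
        "subject": subject,
        "urls": urls,
        "untrusted_urls": untrusted,
        "suspicious": lure_subject and bool(untrusted),
    }


def scan(messages):
    """Analyze a batch of raw RFC 822 messages and return one verdict each."""
    return [analyze_message(m) for m in messages]


if __name__ == "__main__":
    for verdict in scan(SAMPLE_MESSAGES):
        flag = "SUSPICIOUS" if verdict["suspicious"] else "ok"
        print(f"{flag:10} {verdict['subject']!r} -> {verdict['untrusted_urls']}")
```

Only the first sample is flagged: its subject matches a lure phrasing and its link points at a look-alike host. The newsletter has an off-vendor link but no update pretext, and the third message has the pretext but links only to the vendor's domain. Since Microsoft does not announce updates by e-mail at all, a stricter policy could flag any update-themed subject regardless of link, at the cost of more false positives on internal IT notices.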
The site has since been shut down, which is the Web community's greatest defense against this combination e-mail/phishing scam, but it is not difficult to re-create, Cluley said.
"It is child's play to create a fake Web site which looks like someone else's. Even a semi-competent technical person could do it in an hour or two," he said. "The difficulty for the hacker is keeping the Web site active. Once a malicious attack like this occurs then there will be pressure from ISPs and the security community to have the Web site shut down to prevent the malware from being spread any further."
If a user went to the site and tried to download the bogus Windows update, their PC would instead be infected with the Trojan horse Troj/DSNX-05. Troj/DSNX-05 gives the hackers remote control of the infected PC.
Once they have control, hackers can do a number of malicious things, including spying on a user's activity. Keystroke monitoring can allow hackers to get a hold of credit card and bank account information. The PC can also be used to send spam or launch denial of service attacks.