Win32/Haxdoor Email Scam: Don't be Fooled

A new variation of a fake Microsoft security notification email is reportedly being circulated.

Attackers appear to be taking advantage of Microsoft's Patch Tuesday to send legitimate looking emails claiming to be a security email from Microsoft with an executable file attached, which it claims is the latest security update. It encourages the recipient to run the attached executable so their computer will be safe.

The email is different than previous versions as it claims to be signed by Steve Lipner, an actual Microsoft employee, and has what appears to be a PGP signature block attached to it. The attached executable is actually malware containing Backdoor:Win32/Haxdoor.

Some Reminders From Microsoft

Microsoft NEVER sends attachments with their security notification emails. If you receive an email with an attachment claiming to be a Microsoft notification, delete it immediately. An authentic Microsoft security notification email directs you through links in the email to the online Security Bulletin. You should always get Microsoft updates through links in the security bulletin or through Microsoft's deployment tools (Microsoft Update or Windows Update, Windows Software Update Services (WSUS) or Systems Center Configuration Manager).

Microsoft security notification will always come in plain text format, not HTML. If a Microsoft security notification comes in HTML format, delete it.

Microsoft uses Pretty Good Privacy (PGP) to sign their security notification emails, but the mere presence of a PGP signature block in an email does not mean that the email is authentic. To authenticate a PGP signed email claiming to be from Microsoft, get a copy of their current PGP signature from TechNet Security and use the PGP software to check the PGP signature against their signature.

Every security notification email sent by Microsoft is ultimately sent from the TechNet security site. An example of the fake email, as well as an explanation of damage the malware can do is available from Trend Micro and Microsoft.

Visit Bill's Links and More for more great tips, just like this one!