Fake Microsoft Security Bulletin -> Malicious Browser Add-On

Published: 2007-06-08
Last Updated: 2007-06-11 21:19:42 UTC
by Lenny Zeltser (Version: 1)
0 comment(s)
Dave Edwards let us know about an email message that claims to be a Microsoft Security Bulletin:
Microsoft Security Bulletin MS06-4
Cumulative Security Update for Internet Explorer (113742734)
Published: June 3, 2007
Version: 1.0


Who should read this document: Customers who use Microsoft Windows

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Critical

Recommendation: Customers should apply the update immediately.
Of course, the proper format for the bulletin number would be "MS06-004", not "MS06-4". Second, the number of a bulletin released in 2007 would start with "MS07", not "MS06".

The scheme is what you would expect: the message includes a link to what, it claims, is a patch that is supposed to address the issue. The file, hosted on a remote server, is called "updatems06.exe". It is a UPX-packed executable that is recognized as being malicious by half of the anti-virus engines available to VirusTotal.

The executable installs a malicious browser add-on (BHO)  "down.dll" on the victim's system in C:\WINDOWS\system32. Anti-virus engines that recognize the BHO as malware identify it as Agent.avk. This seems to be a downloader that is also may be capable of spying on the user's interactions with certain sites.

Update 1:

After analyzing down.dll, Symantec Security Response let us know that the program attempts contacting 3 servers via URLs that look like:
The remote command.php script seems to assist the program in creating a local configuration file that gets saved in %System%\commands.xml. The program uses the XML file to determine how to download and execute other programs from remote locations, saving them as %System%\file.exe.

None of the 3 servers where the program attempts to download the XML file are available at the moment. I find it interesting that 2 of the servers are expected to reside in domains that have not even been registered yet. It is possible that the attacker is still in the process of setting up his or her attack network. The other server is part of a domain that has been registered for a while; however, the server is not currently accessible. Google cache suggests that when the server was up, it was being used to record user passwords, probably as part of another attack campaign.

Update 2:

Please keep in mind that Microsoft never sends out updates as attachments (Thanks, Zot!) They have a page to explain the issue:

Update 3:

Upon our request, the ISP controlling the system that was distributing updatems06.exe removed the offending file from the server.

-- Lenny

Lenny Zeltser
InfoSec Practice Leader
Gemini Systems, LLC
0 comment(s)


Diary Archives