Outlook “Patch” Spam Leads to Keyloggers

By Andrew Brandt


Hot on the heels of the spam campaigns involving emails which purport to come from the IRS, HMRC, and from your IT department comes another round of fake “notification” spam emails — this time, warning users to download and install a patch for the Outlook and Outlook Express email clients.

Like the previous rounds, the file a victim is prompted to download and (hopefully, won’t) install is the prolific, widely-disseminated keylogger we call Progdav (aka “Zbot”). The faux Web page which hosts the malicious file is dressed up to look like a Microsoft Update page, titled “Update for Microsoft Outlook / Outlook Express (KB910737).” In an attempt to legitimize the payload, the page states “This update is critical and provides you with the latest version of the Microsoft Outlook / Outlook Express and offers the highest levels of stability and security.”

Uh huh. Highest levels like a fox!

The “update” file/Trojan installer is named officexp-KB910737-FullFile-ENU.exe and comes in at just under 100KB, which puts it in the welterweight class of Stupid Malware Trickery. A cursory glance at the Microsoft Knowledge Base Web site reveals the hardly-surprising fact that, no, there is no Knowledge Base article 910737.

Like virtually all the Progdav samples we’re seeing in recent months, this information-stealing Trojan is a universal data thief. It steals login passwords for Web sites, both as you enter them and from the Protected Storage area, where the browser keeps your “saved” passwords; stored Web browser cookies; FTP account details; POP3 email usernames and passwords; and it keeps track of the Web sites you visit. It disables the Internet Explorer anti-phishing filter, and monitors the contents of the Clipboard, so passwords you copy from one location and paste into another location aren’t safe, even if you never actually type them into a login page from an infected PC.

Our standard advice remains in place here: Avoid following links sent via email regarding updates to standard Windows components. Microsoft doesn’t email its customers about updates, and has other mechanisms, including Automatic Updates, to ensure that the folks who need them will get updates. Don’t download patches or updates to Microsoft products from anywhere other than Microsoft.com, and if you’re really concerned, double-check the Knowledge Base “KB” number to make sure you’re getting what you expect.

And when an untrustworthy link leads you to an untrustworthy page which begs you to “Please download and install the file…” please, don’t.
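The two checks the advice above boils down to (is the download actually hosted on a Microsoft domain, and does the lure carry a KB number worth cross-checking) can be automated at the mail gateway. The following is an added example, not code from the original post or from Webroot: it scans an email body for links, flags any "update"/"patch" lure whose download host is not a Microsoft domain, and pulls out the KB number and executable name so an analyst can verify them. The sample email, the `update-example.invalid` host and the host allowlist are constructed for illustration; only the filename and KB number come from the post.

```python
"""Flag email 'update' lures that point outside Microsoft's own domains.

Added example (not from the original post). Applies the post's advice:
Microsoft does not email patches, so a message urging a download of a
'patch' for Outlook/Outlook Express from a non-Microsoft host is suspect,
and any KB number in the lure should be cross-checked on microsoft.com.
"""
import re
from urllib.parse import urlparse

# Assumption: a minimal allowlist for illustration. Exact-match hosts plus
# any subdomain of microsoft.com are treated as legitimate update sources.
MICROSOFT_UPDATE_HOSTS = {
    "microsoft.com",
    "www.microsoft.com",
    "update.microsoft.com",
    "support.microsoft.com",
    "download.microsoft.com",
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
KB_RE = re.compile(r"KB(\d{6,7})", re.I)
LURE_WORDS = ("update", "patch", "outlook", "critical")

# Constructed sample lure, modelled on the spam described in the post.
SAMPLE_EMAIL = """\
Subject: Update for Microsoft Outlook / Outlook Express (KB910737)

This update is critical and provides you with the latest version of
Microsoft Outlook / Outlook Express. Please download and install the file:
http://update-example.invalid/officexp-KB910737-FullFile-ENU.exe
"""


def is_microsoft_host(host: str) -> bool:
    """True only for an allowlisted host or a real subdomain of microsoft.com.

    The suffix check uses a leading dot, so a look-alike such as
    'update.microsoft.com.evil.invalid' is not accepted.
    """
    host = host.lower().rstrip(".")
    return host in MICROSOFT_UPDATE_HOSTS or host.endswith(".microsoft.com")


def analyze_message(body: str) -> dict:
    """Return {'suspicious': bool, 'findings': [...]} for one email body."""
    findings = []
    lure_hits = [w for w in LURE_WORDS if w in body.lower()]
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if is_microsoft_host(host):
            continue  # genuine Microsoft download location
        kb = KB_RE.search(url)
        filename = parsed.path.rsplit("/", 1)[-1]
        reasons = []
        if lure_hits:
            reasons.append("update lure wording: " + ", ".join(lure_hits))
        if kb:
            reasons.append(f"KB{kb.group(1)} claimed; verify it exists on support.microsoft.com")
        if filename.lower().endswith(".exe"):
            reasons.append(f"direct executable download: {filename}")
        if reasons:
            findings.append({
                "url": url,
                "host": host,
                "kb": kb.group(1) if kb else None,
                "filename": filename,
                "reasons": reasons,
            })
    return {"suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    result = analyze_message(SAMPLE_EMAIL)
    for f in result["findings"]:
        print(f["url"])
        for r in f["reasons"]:
            print("  -", r)
```

The KB number is only extracted, not validated: confirming that an article exists is the manual step the post recommends, and the output simply tells the analyst which number to look up. Links to an allowlisted Microsoft host are skipped entirely, which is the other half of the advice (patches come from Microsoft.com and nowhere else).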


13 thoughts on “Outlook “Patch” Spam Leads to Keyloggers”

  1. Pingback: Fake Zbot Site Poses as H1N1 Flu Vaccine Info « Webroot Threat Blog

  2. Pingback: Fake Zbot Site Poses As CDC H1N1 Flu Vaccine Info | Business Computing World

  3. Pingback: Facebook Phishing Campaign Wants Your Passwords « Webroot Threat Blog

  4. Pingback: A Look Back at the Worst Infections of 2009 « Webroot Threat Blog

  5. Pingback: A Look Back At The Worst Infections Of 2009 | Business Computing World

  6. Pingback: Zbot Desperately Seeking AIM Users « Webroot Threat Blog

  7. Pingback: Zbot Fakes ABA Banking Site, Seeks a Stimulus Package « Webroot Threat Blog

  8. Pingback: Cover Your Assets on Data Privacy Day « Webroot Threat Blog

    • Scott — this blog item does not describe a legitimate Microsoft Outlook patch update. It is a scam that installs a keylogger on your computer. Do NOT install any update to Outlook that comes from anywhere other than http://update.microsoft.com

      If you have already downloaded and attempted to run such an update, you may already be infected. Scan your computer immediately, and use a different, uninfected computer to change any passwords that may have been used, or are stored, on the infected computer.
