
Spam poses as Internet Explorer 7 download

By Bill Brenner, Senior News Writer
30 Mar 2007 | SearchSecurity.com

Security Wire Daily News

Spammers are trying to trick users into opening a fake invitation to download Internet Explorer 7, which will instead infect the victim's machine with malware.

That warning comes from UK-based antivirus firm Sophos and Clearwater, Fla.-based security vendor Sunbelt Software. The malicious spam comes in the form of an email from "admin@microsoft.com" with the subject line "Internet Explorer 7 Downloads."

The email displays an image that invites users to download beta 2 of the browser. But those who click the image will instead download a file called ie7.0.exe, which is infected by malware Sophos calls W32.Grum-A.
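A mail-filter check for the lure described above, as an added example that is not part of the original article or any vendor's code: it flags clickable images whose link target is an executable or sits on a host outside the claimed sender's domain. The host `download.example.net` and the HTML layout of the sample message are assumptions; the article gives only the sender, subject and file name.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the lure in the article. The host
# download.example.net and the HTML layout are assumptions.
SAMPLE = """\
From: admin@microsoft.com
Subject: Internet Explorer 7 Downloads
Content-Type: text/html; charset="us-ascii"

<html><body><a href="http://download.example.net/ie7.0.exe">
<img src="http://download.example.net/ie7.gif"></a></body></html>
"""

EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat")

class ImageLinkFinder(HTMLParser):
    """Collect the href of every <a> element that wraps an <img>."""
    def __init__(self):
        super().__init__()
        self.current_href = None
        self.image_links = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.current_href = dict(attrs).get("href")
        elif tag == "img" and self.current_href:
            self.image_links.append(self.current_href)
    def handle_endtag(self, tag):
        if tag == "a":
            self.current_href = None

def lure_findings(raw):
    """Return (rule, value) pairs for clickable images worth a closer look."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = parseaddr(msg["From"] or "")[1].rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("html",))
    finder = ImageLinkFinder()
    finder.feed(body.get_content() if body else "")
    findings = []
    for href in finder.image_links:
        url = urlparse(href)
        host = (url.hostname or "").lower()
        if url.path.lower().endswith(EXECUTABLE_EXT):
            findings.append(("image-links-to-executable", href))
        if sender and host != sender and not host.endswith("." + sender):
            findings.append(("link-host-differs-from-sender", host))
    return findings
```

The From header is only a claim made by the message, so the host-mismatch rule is a heuristic that complements sender authentication rather than replacing it.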

Grum infects executable files referenced by run keys in the Windows registry, Sophos said. When run, it copies itself to winlogon.exe and makes changes to the registry. It also edits the hosts file, injects a thread into system.dll, and attempts to patch the system files ntdll.dll and kernel32.dll.

Sophos Senior Technology Consultant Graham Cluley said attackers continue to use such tricks successfully because many users still haven't learned to be suspicious of unsolicited emails.

"The problem is that to the casual observer the email looks genuine, and the image displayed looks near-identical to the imagery that Microsoft is using on its Website to promote Internet Explorer 7," he said on the Sophos Website. "Clicking on the image, however, doesn't download the real beta -- but malicious code straight from the hackers."

Sunbelt President Alex Eckelberry also warned about it in his blog. The entry offers a deeper analysis of the malware.

This is the latest in a series of threats to plague Windows users in recent weeks.

Thursday, Microsoft acknowledged that attackers are using a new, unpatched flaw in Internet Explorer to compromise machines running a number of versions of Windows, including Vista.

Craig Schmugar of McAfee Inc.'s Avert Labs said in a blog posting that the lab has received a sample of one piece of malware that targets that flaw.

"Preliminary tests demonstrate that Internet Explorer 6 and 7 running on a fully patched Windows XP SP2 are vulnerable to this attack," he said. "Windows XP SP0 and SP1 do not appear to be vulnerable, nor does Firefox 2.0. Exploitation happens completely silently."

Last week, Microsoft also acknowledged it's investigating reports of another flaw in Vista. That flaw reportedly affects Windows Mail on all versions of Vista. Cupertino, Calif.-based antivirus giant Symantec Corp. said attackers could potentially exploit a design flaw to delete files or shut down the victim's computer.

And two weeks ago, Israeli vulnerability researcher Aviv Raff warned of a flaw in Internet Explorer 7 that could be used to launch phishing expeditions.
