This morning we have seen an e-mail that was supposed to contain a Windows update for the vulnerability in the Kodak image viewer, which could allow arbitrary code to be remotely executed.
The e-mail seems to come from Microsoft Corp, though the domain from which it was created has no relation with this company:
The email subject is “Boletнn de seguridad de Microsoft MS07-055 – Crнtico”, though it is possible that there are more e-mails referring to different updates. The message contains real information about the security bulletin called MS07-055. However, the links included in the text lead to a different website, which is almost the same as Microsoft’s.
This is the website to which we are redirected. If we don’t pay much attention to the web address, we will be downloading a backdoor detected as Bck/Bandok.BO:
A really curious thing is that this malware is in fact installing the real MS update, plus a free backdoor to open your system to the bad guys. This is what you see when you run it:
Microsoft Official Update
MS07-055 WindowsXP-KB923810-x86-ENU.exe
MD5: a2d27a703f93c860e842af732ff3d93f
Fake Microsoft Update
MS07-055 WindowsXP-KB923810-x86-ENU.exe
MD5: b59d788bc907d9aecb15375abe09c606
Thanks to Fernando de la Cuadra and Xabier Francisco for this one!
Panda Security specializes in the development of endpoint security products and is part of the WatchGuard portfolio of IT security solutions. Initially focused on the development of antivirus software, the company has since expanded its line of business to advanced cyber-security services with technology for preventing cyber-crime.
