Dailydave mailing list archives
Re: Microsoft fix distribution opening up holes for spreading trojans?
From: Robert Wesley McGrew <wesleymcgrew () gmail com>
Date: Thu, 11 Aug 2005 09:25:13 -0500
Just a quick update on this, since most of the useful followup conversation was off-list. I was contacted by the MS Security Engineering Group within 25 minutes of posting the original email here on dailydave, and was put through to the MS Security Support Group. Turns out, as I suspected (against all indications that it was some sort of subtle scam), it was a legitimate email from update support.

Some quotes from the emails:

"I've confirmed it is a legitimate response from Microsoft Windows Update support. I'll concede the methods used to communicate and share files do not seem to be conventional. I have pulled in the management team for WU Support to investigate."

and later:

"WU Support management team is on top of this and "coaching" the individual(s) involved. We really appreciate your raising these non-standard techniques to our attention. With thousands of (clever) support technicians in our group, there are some who occasionally stray from the standard policies."

...which sounds good to me. They could have been a black hole and just taken the post and dealt with it without any feedback (they apparently didn't need anything else from me). The MS security guys that I have been in contact with about this have been friendly and appreciative, and I'd like to thank them for that.

Observations/Lessons Learned:

- If you're giving support, be mindful of how you distribute fixes/patches/etc., as you might be opening up the door for someone to distribute malware in a similar fashion.
- If you're receiving support, be aware of how things are usually distributed by your providers, keep an eye out for things like this, and report it.
- Microsoft apparently didn't need the case number, email addresses, or anything else I obfuscated in the original post to confirm it as a legit response or to find the "individual(s) involved". I guess a quick grep through their mail for "mail.yahoo.com" was sufficient.
- As of a moment ago, the yahoo account is still active. I've gone in and taken a bunch of screenshots for posterity (not much interesting there, just the one email discussed in the first post). Maybe I'll work them into a slideshow for a lecture.
- If you make a post like this to dailydave, FD, or similar, prepare to be entertained for hours by a pile of private responses wanting you to give them the dirt on everything you obfuscated. Gave us a few chuckles.

--
Robert Wesley McGrew
http://cse.msstate.edu/~rwm8/