Dailydave mailing list archives

Re: Microsoft fix distribution opening up holes for spreading trojans?


From: Robert Wesley McGrew <wesleymcgrew () gmail com>
Date: Thu, 11 Aug 2005 09:25:13 -0500

Just a quick update on this, since most of the useful followup
conversation was off-list.

I was contacted by the MS Security Engineering Group within 25 minutes
of posting the original email here on dailydave, and was put through
to the MS Security Support Group.  Turns out, as I suspected (against
all indications that it was some sort of subtle scam), it was a
legitimate email from update support.  Some quotes from the emails:

"I've confirmed it is a legitimate response from Microsoft Windows Update
support. I'll concede the methods used to communicate and share files do
not seem to be conventional. I have pulled in the management team for WU
Support to investigate."

and later:

"WU Support management team is on top of this and "coaching" the
individual(s) involved.
We really appreciate your raising these non-standard techniques to our
attention. With thousands of (clever) support technicians in our group,
there are some who occasionally stray from the standard policies."

...which sounds good to me.  They could have been a black hole and
just taken the post and dealt with it without any feedback (they
apparently didn't need anything else from me).  The MS security guys
that I have been in contact with about this have been friendly and
appreciative, and I'd like to thank them for that.

Observations/Lessons Learned:
- If you're giving support, be mindful of how you distribute
fixes/patches/etc., as you might be opening up the door for someone to
distribute malware in a similar fashion

- If you're receiving support, be aware of how things are usually
distributed by your providers, keep an eye out for things like this,
and report it.

- Microsoft apparently didn't need the case number, email addresses,
or anything else I obfuscated in the original post to confirm it as a
legit response or to find the "individual(s) involved".  I guess a
quick grep through their mail for "mail.yahoo.com" was sufficient

- As of a moment ago, the yahoo account is still active.  I've gone in
and taken a bunch of screenshots for posterity (not much interesting
there, just the one email discussed in the first post).  Maybe I'll
work them into a slideshow for a lecture.

- If you make a post like this to dailydave, FD, or similar, prepare
to be entertained for hours by a pile of private responses wanting you
to give them the dirt on everything you obfuscated.  Gave us a few
chuckles.

-- 
Robert Wesley McGrew
http://cse.msstate.edu/~rwm8/
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave

