Memo to Microsoft: Left hand, meet right hand
This week, I thought I had another bogus e-mail -- one purporting to be from Microsoft, but really sent from a spamhaus. Well, I was partly right. The source of the e-mail is also the source of so much spam that I filter any messages that specifically name the domain into the trash. Let's look at the consequences.
I had originally titled this piece "Spam? Worm? Virus? Don't take the bait." It started this way: Here's another interesting little message. At first glance, it looks like it comes from Microsoft. We've spent a lot of time telling you about security updates, and the message from Microsoft claims to be offering a link to the WindowsUpdate site along with a link to an e-mail notification service and a KnowledgeBase bulletin.
"WRONG! WRONG! WRONG!" I wrote. Here are the clues that sent me on a snipe hunt.
The message didn't "sound" right. It didn't sound like it had come from Microsoft. And it didn't look like any message I've ever received from anyone at Microsoft. Additionally, Microsoft has never previously sent a warning like this. Granted, the recent security problems have been serious, but it didn't seem to fit Microsoft's method of operation.
I still don't think it fits Microsoft's method of operation, and I wonder if the security folks even knew about this message.
So I looked at the message a little more carefully. In the text of the message I noticed 3 links, but when I hovered my mouse over them, I saw that all 3 actually went to the same location. Odd. Even knowing now that the message is "legitimate", it still strikes me as a very strange practice to show three separate links in text and to intentionally disguise these links. If you want to raise anyone's suspicions, this is an excellent way to do it.
And then there was that little smudge all the way at the bottom of the message. Electrons don't smudge. About the only thing that might do that would be a Web bug (an invisible graphic used to track messages), and Microsoft doesn't use Web bugs.
Or so I thought. Microsoft may not use Web bugs, but it appears that the company hires people who do.
Where do the 3 links go? Well, not to Microsoft! They go to "email.microsoft.com", which then appears to be redirected elsewhere. While you might think (reasonably) that "microsoft.com" and "email.microsoft.com" should resolve to the same IP address (or at least addresses in the same block), they don't. More on that in a bit. Now this struck me as exceedingly odd. How could someone manage to get the MX record for "email.microsoft.com" pointed to an alternate domain without Microsoft's permission? That's why I asked Microsoft to verify the message before I went public with the story.
My next stop was the message headers. "Reply-to: windowssecurity@email.microsoft.com" makes the message look legitimate, but keep in mind that Microsoft doesn't use "email" in front of their domain name. The message's point of origination is revealed here:
Received: from [209.11.138.97] by 10.203.1.116 (mh.microsoft.m0.net) with SMTP; 04 Aug 2003 20:42:36 +0000
Usually there is a name associated with the IP address, but not this time. The message came from 209.11.138.97 and was delivered to "mh.microsoft.m0.net". There's a name I recognize. M0.Net may not be a spamhaus, but it sends enough advertisements that it finds itself on my list of places from which I do not accept mail.
M0.net is a domain I have permanently blocked because a great deal of spam comes from that address. It's a company called "Digital Impact".
Because it seemed unlikely that Microsoft would send any messages via m0.net, the next step was to find out who 209.11.138.97 is. The IP is in a block that belongs to Digital Impact. Well, isn't that a surprise! The message came from an m0 internal server. You can just imagine how much of a surprise this was to me! My even larger surprise -- a real one this time -- came when I discovered that this company does do work for Microsoft.
Remember the Web bug I mentioned seeing at the bottom of the message? The bug reported back to m0.net.
The creator of the message made a critical error in displaying the so-called article link. There was a break in the text (between "security/" and "security_bulletin"). URLs cannot contain embedded spaces. If you patch it all back together, you do get a legitimate URL: http://www.microsoft.com/security/security_bulletins/ms03-026.asp. For someone who's already suspicious about a link that displays as "Microsoft" but actually goes elsewhere, this was significant.
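The three clues above (link text that names one host while the link goes to another, the Web bug, and the originating IP in the Received: header) are the kind of thing a mail filter can check mechanically. Here is an added example, not code from the column or from Microsoft, that does so on a constructed message of the same shape; every host and address in the sample is made up.

```python
# Added example, not the article's code: flag anchor text that names one host while
# the href goes elsewhere, 1x1 tracking images, and the first-hop IP. SAMPLE is constructed.
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse
SAMPLE = """Received: from relay.example (10.0.0.5) by mx.example.org; 05 Aug 2003 01:00:00 +0000
Received: from [203.0.113.7] by 10.0.0.5 (relay.example) with SMTP; 04 Aug 2003 20:42:36 +0000
Content-Type: text/html

<p>Visit <a href="http://email.example.com/r/1">www.microsoft.com/security</a>,
<a href="http://email.example.com/r/2">windowsupdate.microsoft.com</a> or
<a href="http://www.microsoft.com/security/">http://www.microsoft.com/security/</a>.</p>
<img src="http://email.example.com/t.gif" width="1" height="1">
"""
class Collector(HTMLParser):
    """Gathers (href, visible text) per anchor and the src of every 1x1 image."""
    def __init__(self):
        super().__init__()
        self.links, self.pixels, self._href, self._text = [], [], None, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._href, self._text = a.get("href", ""), []
        elif tag == "img" and a.get("width") == "1" and a.get("height") == "1":
            self.pixels.append(a.get("src", ""))
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None
def host_of(text):
    """Host that a URL or bare hostname names; '' when the text is not one."""
    if not text or " " in text:
        return ""
    host = urlparse(text if "://" in text else "http://" + text).hostname or ""
    return host if "." in host else ""
def analyze(raw):
    """Returns (mismatched anchors, tracking-pixel hosts, first-hop IP)."""
    msg = message_from_string(raw)
    c = Collector()
    c.feed(msg.get_payload())
    bad = [(t, h) for h, t in c.links if host_of(t) and host_of(t) != urlparse(h).hostname]
    hops = msg.get_all("Received", [])  # last listed = first hop, the true origin
    m = re.search(r"from \[?(\d{1,3}(?:\.\d{1,3}){3})\]?", hops[-1]) if hops else None
    return bad, [urlparse(s).hostname for s in c.pixels], m.group(1) if m else ""
```

The third anchor, whose text and target agree, is deliberately left alone: the signal is the disagreement, not the presence of a link.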
Earlier I mentioned email.microsoft.com and microsoft.com.
Tracing microsoft.com resolves to 207.46.155.17.
And, no surprise, 207.46.155.17 is registered to Microsoft.
But tracing email.microsoft.com resolves to 209.11.133.147. Do you think that will resolve to Microsoft?
Not exactly. It's owned by Globix, the upstream provider for our "good friends", M0.Net in San Mateo, California.
Then, I wrote: What do you get when you follow the link? I don't know. If you did, your computer may now be infected with a virus or worm. A Trojan application may have been installed. Or maybe you were just treated to an advertisement. If you had all security patches in place, you're probably OK, but you should check the computer. And what if M0.Net did nothing more than serve you an ad? If it wasn't a worm, a virus, or a Trojan? Even if it was just an advertisement, it was unethical.
Even if it was just an advertisement, it could be considered a violation of Microsoft's trademark because the message claimed to be from Microsoft.
What's Microsoft's opinion of this?
I asked Waggener Edstrom, Microsoft's primary public relations agency, for confirmation that Microsoft was responsible for the message. The PR person who replied to my message (and later asked not to be identified by name) checked with Microsoft and provided this answer from the company:
- We have been, and continue to be, very vocal in informing users that Microsoft will never send patches or updates through email. Authentic security bulletins will always refer readers to a complete version of the bulletin on our website. More information on the Microsoft policy on software distribution is available at: http://microsoft.com/technet/security/policy/swdist.asp
Also, information on identifying fake security bulletins can be found at: http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/security/news/patch_hoax.asp
- The W32.Lirva.A@mm worm is a malicious mass-mailer worm that propagates through the distribution of fake Microsoft Security Bulletins via email. More detailed descriptions of this issue can be found below and on the following sites:
Microsoft: http://support.microsoft.com/default.aspx?scid=kb;en-us;812811
Symantec: http://securityresponse1.symantec.com/sarc/sarc.nsf/html/w32.lirva.a@mm.html
- The vulnerability that this worm attempts to exploit was patched in Microsoft Security Bulletin MS01-020. Users who have deployed this patch will be protected from this worm. To find out more about how to protect yourself from this issue, see the prevention methods addressed at: http://support.microsoft.com/default.aspx?scid=kb;en-us;812811
- The W32.Lirva.A@mm worm was originally addressed in January of 2003. The worm arrives as an attachment to a fake Microsoft Security Bulletin, which instructs users to download and run an executable file that is supposedly a patch for vulnerabilities in Microsoft Internet Explorer, Microsoft Outlook, and Microsoft Outlook Express. Once run, the worm tries to disable some antivirus and firewall applications that may be running on the computer and may attempt to do one or more of the following: add entries to the registry, copy itself to the system folder, send itself to address book entries or collect cached passwords and then send them to the attacker.
- Users whose computers have been infected with this virus should contact Microsoft Product Support Services or their preferred antivirus vendor for help with its removal. For information about how to contact Microsoft Product Support Services, visit the following Microsoft Web site: http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS
- Microsoft is committed to keeping customers' information safe. In order to do so, Microsoft strongly encourages all users and administrators to follow general security best practices, one of which is utilizing a thorough patch management strategy to ensure that systems are properly patched and up-to-date. For more information on security best practices, visit http://www.microsoft.com/security/.
Wrong! Wrong! Wrong!
(See, I got to use that subhead after all.)
At this point, I sent an alert to the Technology Corner mailing list. But
I still had some reservations about my warning. For one thing, the
message of denial from Microsoft looked more like a canned reply
-- it was clearly a canned reply to a question I hadn't asked. I
had asked about a specific message with links, not about messages
that arrive with "patches" from Microsoft.
Another point of concern was that the message "from" Microsoft arrived at
an address that would not easily be guessed by spammers (and bulk e-mailers
who do not consider themselves to be spammers). The address is one that
I knew Microsoft had access to. Taken together, those points suggested
the message might be legitimate after all.
The canned message warned about something I already knew and have frequently warned people about: Microsoft's policy is never to send executable files to clients by e-mail. If Microsoft has a file they want you to get, they will send you an e-mail with directions about how to get to the file on the Microsoft website. That's exactly what the message purported to do, but it went to a non-Microsoft site and was then (apparently -- I still won't follow the link) redirected to Microsoft.
It's apparent now that Microsoft did hire an outside firm to send a security
warning. How or why any manager approved this madness at a time that is rife with
concern about forged messages calls into question the manager's logic and
Microsoft's overall management model.
Bad, bad decision Microsoft!
What finally helped to solve the mystery was not a reply from Microsoft or
Microsoft's PR agency. I had also sent a question about the original
message's legitimacy to the security team at Microsoft, but I didn't
receive an answer until well after my warning went out. No, what solved
the mystery was another message from "email.microsoft.com".
That message admonished me
for not yet signing up for a technical conference. It was wrong;
I have signed up for the conference, but
the arrival of the message revealed that Microsoft is using M0.net to
contact its customers. And it let me know where M0.Net got my private e-mail
address.
Does that mean I will now trust messages that claim to come from Microsoft? No, it does not. If anything, it means I will do exactly the opposite. If a message claims to be "from Microsoft", it will be carefully vetted before I give it any credibility whatsoever -- and if it has originated anywhere other than a Microsoft IP address, it will be terminated with extreme prejudice.
Microsoft is a company with a lot of smart people working for it. People who should be smart enough to recommend that having a company other than Microsoft send out messages dealing with security issues is something that should be cleared with top management. It would also be helpful if, when incredibly dumb decisions like this are made, they would be communicated to Microsoft's internal security staff and its external PR representatives so that their answers to questions will not make it obvious that they are operating in the dark.
After 12 more hours ...
My 3rd message to Microsoft's public relations agency has gone ... unanswered. (See below for the rest of this story.)
My 3rd message to Microsoft security finally
produced a response that indicated someone had read and understood
what I said:
Hello Bill,
Thank you for contacting Microsoft Customer Service.
I am sorry for the confusion! The message you received is legitimate, and
did come from Microsoft. It was sent with our authorization and on our behalf
by one of our vendors, as a courtesy to our customers.
However, I do understand your concern, as spoofing our security announcements
is a common way some unscrupulous individuals attempt to distribute malicious
code, such as viruses. We will never send out security patches or updates
in an actual e-mail as an attachment; we will always simply provide a link
to our site where the patch can be downloaded.
If you receive something claiming to be from Microsoft which contains an attachment,
please treat it with suspicion.
For more information regarding this Security Bulletin, please visit http://www.microsoft.com/security/security_bulletins/ms03-026.asp
Thank you, Bill, for using Microsoft products and services.
PheeBee
Microsoft Online Customer Service
Sometimes companies are just too damn big for their own good.
And now the rest of the rest of the story
On Friday, the Waggener Edstrom PR person who shall not be named was able to confirm what I had essentially confirmed on my own two days earlier:
"[I]f you're looking for confirmation, Microsoft did send out a reminder for customers to apply the patch described in MS03-026. Distribution of the reminder was outsourced to a third party. There are a total of three issues/emails:
"1. The digitally signed security bulletin, MS03-026 issued July 16.
"2. A reminder email that Microsoft outsourced and had sent in the last week.
"3. A hoax mail that is completely unaffiliated with Microsoft.
"Please let me know if this does not address your questions, or if you have additional ones."
I did have an additional question
So I wrote again to the Waggener Edstrom PR person who shall not be named, who was probably becoming somewhat tired of hearing from me:
What I'm looking for is some comment from Microsoft on the logic of sending
out a message with a disguised URL that claimed to be a Microsoft link but
that went elsewhere (even if later redirected to Microsoft) at a time when
bogus messages are being sent out. This just strikes me as being incredibly
short-sighted and illogical.
In other words ...
- People like me spend a fair amount of time telling users not to trust executable files from MS because they aren't from MS.
- Several security bugs within the past few weeks have specifically indicated that serious flaws exist in MSIE (and other MS applications) on just about every version of Windows ever made. The way most of these bugs might be exploited would involve tricking a user into visiting a rogue website.
- With the background of 1 and 2, Microsoft outsources a mailing that displays a "microsoft.com" website in plain text, but the URL to which this is secretly linked is NOT a Microsoft site (although it may redirect to a Microsoft site). This is **PRECISELY** the technique used by crackers who want to attract a victim to a rogue website.
- Even worse, the person who would follow a link like this without checking it out would be exactly the type of person the Internet creeps want to victimize. At the very least, the person who follows a link like this and DOESN'T get burned this time will be much more likely to follow a similar link in the future.
Given all of that, how can anyone at Microsoft have thought this to be an
intelligent decision?
That's the question for which I'm seeking an answer.
After checking again with Microsoft, the Waggener Edstrom PR person who shall not be named returned with this:
"In response to your question, Microsoft is doing all it can to encourage timely patch application. While Microsoft is erring on the side of over communication, the company realizes that the email tactic could have been executed better and has learned from this process."
What does that mean? Those who have been around long enough to remember looking
closely at pictures of the communist party leadership standing atop Lenin's
tomb in Moscow on May Day to determine who's gaining power and who's losing
power, or those who believe in reading tea leaves, may find in those 44 words
some deeper meaning than I saw. But it's probably as close to "We really screwed
up that time, didn't we?" as you're likely to hear from Microsoft.
Let us know what you think about this program! Write to:
Bill Blinn -- (wtvn@blinn.com still works)
Joe Bradley --