"Microsoft Security Update"


Noted in my email this morning: a purported message
from Microsoft Security Update with a URL for me to
follow-up immediately for a "critical update."  I
googled on the "originating IP" number and found no
hits.  This number is,

Does it ring a bell with anyone here?  ??

(I didn't try this ...opportunity.)

Thanks -- mha  [comp.security.misc 2008 Aug 21]

Re: "Microsoft Security Update"

Martha Adams wrote:


The IP range belongs to Amazon... doesn't mean much, except that one of those
thousands of possible computers is infected and
is being abused for spamming.

more interesting is the url/IP they want you to go to...


OrgName:    Amazon.com, Inc.
OrgID:      AMAZO-4
Address:    Amazon Web Services, Elastic Compute Cloud, EC2
Address:    1200 12th Avenue South
City:       Seattle
StateProv:  WA
PostalCode: 98144
Country:    US

NetRange: -
NetName:    AMAZON-EC2-3
NetHandle:  NET-67-202-0-0-1
Parent:     NET-67-0-0-0-0
NetType:    Direct Assignment
Comment:    This network is a member of a dynamic hosting
Comment:    environment. See http://ec2.amazonaws.com /
Comment:    All reports MUST include:
Comment:    * src IP
Comment:    * dest IP (your IP)
Comment:    * dest port
Comment:    * Accurate date/timestamp and timezone of activity
Comment:    * Intensity/frequency (short log extracts)
Comment:    * Your contact details (phone and email)
Comment:    Without these we will be unable to identify
Comment:    the correct owner of the IP address at that
Comment:    point in time.
RegDate:    2007-08-02
Updated:    2008-03-25

RAbuseHandle: AEA8-ARIN
RAbuseName:   Amazon EC2 Abuse
RAbusePhone:  +1-206-266-2187

RNOCName:   Amazon EC2 Network Operations
RNOCPhone:  +1-206-266-2187

RTechHandle: ANO24-ARIN
RTechName:   Amazon EC2 Network Operations
RTechPhone:  +1-206-266-2187

OrgAbuseHandle: AEA8-ARIN
OrgAbuseName:   Amazon EC2 Abuse
OrgAbusePhone:  +1-206-266-2187

OrgTechHandle: ANO24-ARIN
OrgTechName:   Amazon EC2 Network Operations
OrgTechPhone:  +1-206-266-2187

Re: "Microsoft Security Update"


It's doubtful that anything at Amazon is infected. EC2 is a cloud
of machines that anybody can rent cheaply and with virtually no
questions asked to run anything on. You can complain to the
abuse contacts (which I cut out of your original).

I would guess that several sysadmins are just blocking all the Amazon EC2
IP ranges for email because there have been several times that abuse has come
out of there...

Re: "Microsoft Security Update"


Well, for anyone who is interested, here is the whole

Dear Microsoft Customer,

You are receiving this message because your version of Microsoft Windows
is affected by a dangerous security vulnerability.

In order to prevent possible risk of system instability, Microsoft urges
you to update at your earliest convenience.

We are providing a free update to all Windows users.

You can update your system for free by visiting the offical website for
this patch, at
Thank you for your understanding in this matter.

Cathy Rhoades
Business Relations Representative
Microsoft Corporation

(Copy ends.)

I haven't tried to follow this url because I don't
feel ready to cope with possible consequences.

Cheers --  mha  [comp.security.misc 2008 Aug 21]

Re: "Microsoft Security Update"


Domain "system-updates.net" was registered today.

   Registrar: INTERNET.BS CORP.
   Whois Server: whois.internet.bs
   Referral URL: http://www.internet.bs
   Name Server: NS5.SECUREDNS.CN
   Name Server: NS6.SECUREDNS.CN
   Status: clientTransferProhibited
   Updated Date: 20-aug-2008
   Creation Date: 20-aug-2008
   Expiration Date: 20-aug-2009

The owner (registrant of the domain) is listed as:

    Government of St. Vincent and the Grenadines

The DNS servers for the domain are in China.

It should be obvious that this is a fraudulent domain, the listed
registrant is bogus, and the domain is controlled by cybercriminals.
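The checks in the post above (domain registered the day before the mail arrived, name servers under a different TLD from the domain, a registrant that has nothing to do with the company the mail claims to be from) can be scripted. The block below is an added example, not code from anyone in this thread. The WHOIS text is a constructed sample modelled on the record quoted above (the Domain Name and Registrant lines are added so the parser has them in the usual key: value form), the helper names are hypothetical, and each finding is a signal for a human to weigh, not a verdict on its own.

```python
import re
from datetime import datetime, timezone

# Constructed WHOIS text modelled on the record quoted in the thread.
# The Domain Name and Registrant lines are added here in registrar
# key: value form; this is not a live whois query.
SAMPLE_WHOIS = """\
   Domain Name: SYSTEM-UPDATES.NET
   Registrar: INTERNET.BS CORP.
   Name Server: NS5.SECUREDNS.CN
   Name Server: NS6.SECUREDNS.CN
   Status: clientTransferProhibited
   Updated Date: 20-aug-2008
   Creation Date: 20-aug-2008
   Expiration Date: 20-aug-2009
   Registrant: Government of St. Vincent and the Grenadines
"""

# When the mail in the thread was seen (21 Aug 2008).
SEEN_AT = datetime(2008, 8, 21, tzinfo=timezone.utc)

FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(\S.*?)\s*$")

def parse_whois(text):
    """Return {lowercased field name: [values]} from 'Key: value' lines.
    Repeated keys (Name Server) accumulate into the list."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields.setdefault(m.group(1).lower(), []).append(m.group(2))
    return fields

def parse_date(value):
    """Parse the date formats registrars commonly emit; dd-mon-yyyy is
    the one shown in the thread. strptime matches month names
    case-insensitively, so '20-aug-2008' is fine."""
    for fmt in ("%d-%b-%Y", "%Y-%m-%d", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unrecognised date: " + value)

def triage_domain(whois_text, seen_at, claimed_sender, max_age_days=30):
    """Apply the three signals the thread used to a parsed WHOIS record.
    Returns the domain, its age in days relative to seen_at, and a list of
    human-readable findings (possibly empty)."""
    f = parse_whois(whois_text)
    domain = f["domain name"][0].lower()
    created = parse_date(f["creation date"][0])
    age_days = (seen_at - created).days
    findings = []

    # 1. Freshly registered domains are cheap and disposable for phishers.
    if age_days <= max_age_days:
        findings.append(f"registered {age_days} day(s) before the mail was seen")

    # 2. Name servers under a different TLD than the domain itself.
    dom_tld = domain.rsplit(".", 1)[-1]
    ns_tlds = {ns.lower().rsplit(".", 1)[-1] for ns in f.get("name server", [])}
    foreign = ns_tlds - {dom_tld}
    if foreign:
        findings.append("name servers under other TLD(s): " + ", ".join(sorted(foreign)))

    # 3. Registrant does not name the organisation the mail claims to be from.
    registrant = " ".join(f.get("registrant", [])).lower()
    if claimed_sender.lower() not in registrant:
        findings.append(f"registrant '{registrant}' is not {claimed_sender}")

    return {"domain": domain, "age_days": age_days, "findings": findings}

if __name__ == "__main__":
    result = triage_domain(SAMPLE_WHOIS, SEEN_AT, "Microsoft")
    for line in result["findings"]:
        print(f"{result['domain']}: {line}")
```

Against the sample record all three signals fire; on a legitimate vendor domain the age check alone would normally clear it, which is why the age threshold is the one worth keeping even when the other two are noisy.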

Re: "Microsoft Security Update"


Oho, oho, oho.  Sometimes I've felt maybe I'm unreasonably
paranoid, myself being not all that much a techie.  Well,
now I'm feeling more like lightning struck right beside
where I'm sitting.  Thanks, Neil!

Titeotwawki -- mha  [comp.security.misc 2008 Aug 21]


Re: "Microsoft Security Update"


It's a scam to get you to visit the website and install malicious software.
Microsoft never sends out email to users with security warnings.

Re: "Microsoft Security Update"


I've been getting those emails regularly for at least a decade.  The OP
must be really new to the net if she's never seen this before.

Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***

Re: "Microsoft Security Update"

On Thu, 21 Aug 2008, in the Usenet newsgroup comp.security.misc, in article


and googling for 'Microsoft Security Update email' should turn up
several hundred thousand previous posts about this problem.  It's a
_very_ common scam.


Neither does your anti-malware company, bank, credit-card issuer, or
eBay.  This is also very well known, but the spammers keep trying.


Same here - and if the O/P looks at the headers of Barry's post as well
as mine, you'll notice neither of us is using windoze - so why would
microsoft bother mailing us?

Likewise, if you have microsoft Messenger enabled on your windoze box,
you may be seeing pop-up messages warning you (for example)


   To FIX this problem:
   Open Internet Explorer and type:  www.SPAMMERS_WEBSITE.com
   Once you load the web page, close this message window

   After you install the cleaner program you will not receive any more
   reminders or pop-ups like this.


These are also scams - they've been around for years, as has the trivial
fix.  Despite this, several spammers are still trying this fraud hoping
there is someone gullible enough to bite.

        Old guy

Re: "Microsoft Security Update"

"Moe Trin" wrote:


Plenty of people do bite otherwise spammers wouldn't bother.

An examination of the unpacked executable, RequiredUpdate.exe, at the
OP's link (not to mention the Javascript and Java exploits linked from
the page) reveals strings like this...

 %s Status: %s. Box Uptime: %s, Bot Uptime: %s, Connected for: %s.
 %s Bot installed on: %s.

 %s Flooding %s:%s for %s seconds

and some like this...

 [MSN] Message & Zipfile sent to: %d contacts.
 [DDoS]: Failed to start flood thread, error: <%d>.
 [USB] Infected drive: %s

from a possible list of options like these...


Pstore refers to Windows protected storage, where account details like
usernames and passwords for email and web sites are kept.
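The string triage described in the post above (pull printable strings out of the dropped executable, then read off the bot's capabilities from them) is the kind of thing worth automating for the next sample. The block below is an added example and not the poster's own tooling: the "binary" is a constructed blob made from the strings the post quotes plus a UTF-16LE string and filler bytes, the indicator table is my own short list keyed to those strings, and nothing here touches the real RequiredUpdate.exe.

```python
import re

# Constructed sample "binary": a PE-like header stub, the strings the post
# quoted, one UTF-16LE (wide) string, and filler. Not the real file.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff" + b"\x00" * 18
    + b"%s Status: %s. Box Uptime: %s, Bot Uptime: %s, Connected for: %s.\x00"
    + b"%s Bot installed on: %s.\x00\x01\x02\x03"
    + b"%s Flooding %s:%s for %s seconds\x00"
    + b"[MSN] Message & Zipfile sent to: %d contacts.\x00"
    + b"[DDoS]: Failed to start flood thread, error: <%d>.\x00"
    + b"[USB] Infected drive: %s\x00"
    + b"\x00" * 4 + "Pstore".encode("utf-16-le") + b"\x00" * 4
)

def extract_strings(blob, min_len=6):
    """Return sorted (offset, encoding, text) tuples for printable runs,
    like strings(1) run once for ASCII and once for little-endian wide
    chars. Windows binaries keep many of their strings in UTF-16LE, so an
    ASCII-only pass misses them."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob):
        found.append((m.start(), "wide", m.group().decode("utf-16-le")))
    return sorted(found)

# Capability tags keyed to string patterns. A hand-built shortlist drawn
# from the strings quoted in the thread; a real triage list is far longer.
INDICATORS = {
    "ddos":       re.compile(r"\bflood(ing)?\b|\[DDoS\]", re.I),
    "c2-status":  re.compile(r"\bBot (Uptime|installed)\b", re.I),
    "im-spread":  re.compile(r"\[MSN\]|sent to: %d contacts", re.I),
    "usb-spread": re.compile(r"\[USB\]|Infected drive", re.I),
    "cred-theft": re.compile(r"\bpstore\b", re.I),
}

def classify(strings):
    """Map each capability tag to the (offset, text) strings that hit it.
    One string can carry several tags; untagged strings are dropped."""
    hits = {}
    for off, _enc, text in strings:
        for tag, rx in INDICATORS.items():
            if rx.search(text):
                hits.setdefault(tag, []).append((off, text))
    return hits

def triage(blob):
    """Extract, then classify; return both so the raw list is available
    for the strings no indicator matched."""
    strings = extract_strings(blob)
    return {"strings": strings, "hits": classify(strings)}

if __name__ == "__main__":
    r = triage(SAMPLE_BLOB)
    for tag, items in sorted(r["hits"].items()):
        print(f"[{tag}] {len(items)} string(s)")
        for off, text in items:
            print(f"   0x{off:06x}  {text}")
```

The offsets matter more than they look: once a string has a tag, the next step is to find what references it in a disassembler, and the offset is what gets you there. Keep in mind that strings are only what a packer left visible; the post says it ran on the unpacked executable, and on a packed sample this pass returns almost nothing.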

Re: "Microsoft Security Update"


It doesn't even have to be "plenty".  Spam is so cheap to send, they can
make a profit with something like 0.1% success rate.

Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
