Bogus Microsoft security alert hides keylogger Trojan

Spammers have launched a campaign of bogus emails claiming to be security alerts from Microsoft, but which actually distribute malicious keylogger software.

The spammed emails, which purport to come from 'patch@microsoft.com', claim that a vulnerability has been found "in the Microsoft WinLogon Service" and could "allow a hacker to gain access to an unpatched computer".

Recipients are urged to click on a link in the email to download the patch. However, the link points to a non-Microsoft website and initiates the download of the BeastPWS-C Trojan, which is capable of spying on the infected user and stealing passwords.

When first installed the Trojan displays a bogus message which reads: " Microsoft WinLogon Service successfully patched." But the malware is secretly logging keystrokes and sending them to an email address belonging to the hacker.

"People are slowly learning that Microsoft does not email out security fixes as attachments, but they must also learn to be careful of blindly clicking on links to download fixes without checking that the email is legitimate," said Graham Cluley, senior technology consultant at Sophos.

"In this case, the hackers made a mistake by referring to 'Microsoft Coorp' rather than 'Microsoft Corp', but it is possible that users would miss this typo in their rush to protect themselves."

Cluley urged users to visit Microsoft's security website for information about patches. 

"The hackers are playing a dangerous game because, if Microsoft finds out who is responsible for besmirching its name, it is more than likely to throw the full force of the law at them," said Cluley.

"Security is becoming a hot topic for Microsoft, and it does not want malware and spam to sully its public image through this kind of criminal activity."

• vnunet.com interview: Microsoft security boss Mike Nash
• Microsoft ships OneCare maintenance suite