My PC was recently honored by a visit from the message you see on this page. It represented itself as being from Microsoft and supposedly dealt with a worldwide buffer under-run problem in Internet Explorer, version 3.0 and above.
My Zone Alarm Pro program caught the thing and stopped it cold. But curiosity got the best of me, so I went to the Web site in question to check it out. (I erased the questionable IP addresses in the screen shots.)
I know that all true security experts out there are looking at this thinking, "How could anyone be fooled? There's a million things wrong with this site." But most people -- myself included -- are not security experts. And most users are even more vulnerable to a hacker's dirty tricks, especially today, with so many employees bringing home work on laptops, then plugging back into a network with downloads that can bypass many of the enterprise-wise security protections you have put in place.
So how do you know whether a Web site is legitimate or not? In this particular case, the first thing that might tip you off is the spelling of Internet Explorer in lowercase, as in "the popular web browser internet explorer." Does Microsoft ever refer to any of its products in small letters? Did you notice the language of the message itself: "Before any malicious damage is done to computers across the world." This just isn't Microsoft's style.
Another giveaway is how the message is signed -- just plain "Microsoft" -- and where it comes from. It's not from the official Microsoft Windows Update site, where critical security updates originate, but from a counterfeit "Microsoft Download Center."
The next red flag is that Microsoft does not provide an emergency messaging service that notifies everyone in the entire world that they don't have a patch installed. You can sign up for Microsoft's Security Notification Service by editing your profile at Microsoft.com and signing up to receive the latest security information about Microsoft products. You can turn on automatic updating in XP Professional. And you can use the critical update message service in Microsoft Windows Update to notify you when a critical update is available.
But Microsoft never sends out messages with links to a "download patch."
You can set up XP Pro to automatically download itself and have XP Pro notify you when a patch is downloaded and ready to be installed. You can even have this done as a background service, although you may run into problems with this method (and you shouldn't install patches that don't affect your machine and the processes running on it anyway).
You can also use PGP (Pretty Good Privacy) technology to help users verify the legitimacy of a Microsoft Web site, since Microsoft digitally signs all its security bulletins using PGP. You can download Microsoft's PGP key here to include the fingerprint. But while Microsoft's use of PGP is a good clue about the authenticity of a Microsoft security bulletin, PGP would probably not protect against the type of attack that could emanate from a fake Microsoft site -- or any other software provider.
The reason for this is not a flaw in PGP, but because there is no digital signature from the counterfeit site that would allow PGP to tell you that the bulletin or download file is bogus. You can use file-signature verification in Windows 2000 if this particular attack tries to overwrite a signed, critical system file, but if it doesn't do that, your server or desktop PC probably won't catch it.
Your virus checker might also halt an attack, but that would depend on exactly what is being downloaded or whether you've been keeping your virus checker's data files up to date.
Ironically, when I reported the phony Web site to Microsoft, I received some (polite) resistance. My regional center at first told me this was indeed their Web site and IP address. When I asked to talk to a supervisor, I received the patronizing, "You're a nice guy; please go away" treatment. (I used to work on a help desk, so I'm familiar with it and actually understand it, since they receive a great many calls in a day.)
Being old, crotchety and stubborn, eventually I obtained an e-mail address to which I could report the problem. The next day I received a courteous, professional reply verifying that this was not a Microsoft site and informing me that the problem had been passed on to the appropriate security people.
Few network admins can afford to be so cavalier about potential security risks to their enterprises. As you all know, educating users about what to download and what not to download is a critical part of any security initiative. Just be sure to include a lesson on how security updates are actually delivered by Microsoft or any other software provider as a part of your users' security curriculum.
About the author:
Douglas Paddock, MCSE, MCT, MCSA, is a CIW security analyst and CIW certified instructor. He is also A+ and N+ certified. He teaches at Louisville Technical Institute in Louisville, Ky. He encourages readers to circulate this article to users in their enterprise. Just make sure you credit TechTarget Inc. as the source.