Malware writers tap Microsoft services agreement changes

Malware writers have spoofed Microsoft's recent announcement of impending changes to its web services agreement to direct unsuspecting users to a compromised website.

The Internet Storm Centre (ISC), part of the SANS training and certification organisation, has warned of phishing emails titled "Important Changes to Microsoft Services Agreement".

Links in the emails direct users to websites that run the latest versions of the Blackhole Exploit Kit, described by anti-virus vendor Sophos as "a kind of Swiss Army Knife for compromising vulnerable computers".

The kit attempts to exploit Oracle's Java installations in order to install malicious code on systems.

According to Russ McRee at the ISC, the Blackhole-compromised website delivers a fresh variant of the Zeus malware. Zeus is a keystroke logger and form data grabber that steals banking information. It was first discovered in 2007 and has spread around the world. 

Cloud security vendor Seculert said that by adding the Java vulnerabilities to the popular Blackhole kit, attackers more than doubled their chances of infecting machines visiting the compromised servers.

Tens of thousands of newly infected machines have been spotted, Seculert said, as the Java Zero Day exploit itself had a 75 to 99 percent chance of success.

Oracle has issued security patch for Java and "strongly recommends that customers apply the updates" as soon as possible.

ISC urged users not to click on hyperlinks blindly, and instead hover over them to ensure that they pointed to legitimate sites.

It also recommended that users keep their anti-malware signatures up to date, although it acknowledged that existing security products had a limited ability to detect the Java exploit and new Zeus variant currently.