General discussion

New Microsoft Service Agreement

Just got an e-mail from Microsoft about this. Does it affect average person, is this real?

Discussion is locked
Reply to: New Microsoft Service Agreement
PLEASE NOTE: Do not post advertisements, offensive materials, profanity, or personal attacks. Please remember to be considerate of other members. If you are new to the CNET Forums, please read our CNET Forums FAQ. All submitted content is subject to our Terms of Use.
Reporting: New Microsoft Service Agreement
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
- Collapse -
Blackhole Targeting Java Vulnerability via Fake Agreement
Blackhole targeting Java vulnerability via fake Microsoft Services Agreement email phish


Published: 2012-09-01,
Last Updated: 2012-09-01 01:22:41 UTC
by Russ McRee

Thanks to Susan Bradley for reporting this to ISC.

We're receiving multiple reports of a phishing campaign using the template from a legitimate Microsoft email regarding Important Changes to Microsoft Services Agreement and Communication Preferences.

The legitimate version of this email is specific to a services agreement seen here, per a change to Microsoft services as of 27 AUG.

The evil version of this email will subject victim to a hyperlink that will send them to a Blackhole-compromised website, which will in turn deliver a fresh Zeus variant.

I'll walk you though the full sample set I analyzed. Susan sent us an email including the following header snippet:

Received: from [] ([]) by (8.13.8/8.13.1) with ESMTP id q7VFDPjO029166

A legitimate header snippet:

Received: from ([]) by with Microsoft SMTPSVC(6.0.3790.4900) is in China, is Microsoft.

The legitimate email will include a hyperlink for, which points to the above mentioned services agreement.

Obfuscated to protect the innocent: The phishing mail will instead include a hyperlink to the likes of allseasons****.us, radiothat****.com, and likely a plethora of others. I assessed radiothat****.com and was redirected to 209.x.y.14 which is running the very latest Blackhole evil as described on 28 AUG by Websense in this post.

Source code review of the web page served included <applet/code="ndshesa.ndshesf"/archive="Leh.jar"><param/nam=123 name=uid value="N013:011:011:04:037:061:061:047:034:076:074:0102:076:074:047:047:047:074:067:053:061:04:074:04:013:04:075:054:071:034:067:053:034:034:02:065:071:034"/></applet>

The VirusTotal link for Leh.jar is here, and the VirusTotal link for the Zeus variant offered is here.


1. Hover over hyperlinks and ensure they are directing you to legitimate sites before clicking. Be cautious even thereafter.
2. Contemplate disabling Java until the next update is released.
3. Review email headers if in doubt for messages you receive that seem suspicious.
4. Keep your antimalware signatures up to date. While limited at the moment, detection for both the Java exploit and the Zeus variant is increasing.

- Collapse -
New Microsoft Service Agreement

I'm with "itsdigger". Is this for real.

I noticed in this "aggreement" that if I do not "agree" to this new policy, but continue to use Microsoft systems after Oct. 29, I will automatically agree to the "new" service agreement. They will have legal access to all of my computer data that was installed using the Microsoft systems (Microsoft Office, etc.). If you cancel this "service" or "do not agree", you will no longer be able to retreive the data you have installed using any of their systems. They can download add-ons without my approval. Privacy policy doesn't apply to them.

I do not want to use Microsoft systems. What is an alternative to Microsoft? HELP!!

- Collapse -
We know there are alternatives.

CNET Forums