UNSW Mac caught serving fake Microsoft patch

The School of Media, Film and Theatre at the University of NSW has admitted that one of its Mac servers has been compromised and used to host a potentially malicious file, which was disguised as a Microsoft security patch.

The central IT services organisation for the UNSW discovered an issue with one of its servers on Tuesday morning and alerted the department affected. The server was immediately taken offline, according to network engineer Tim Eden.

"I have basically just blocked the machine that was the target of that link. As to what is on the machine and how it got compromised, I do not have any idea at all," Eden told ZDNet Australia.

Sam Costello, system administrator and computer support for the School of Media, Film and Theatre, told ZDNet Australia that an engineer will be looking at the server to try and establish how and when it was compromised.

Costello said it was "weirder" because it was a Mac system running Apple's latest server operating system.

"That is one of my Mac servers," said Costello. "We haven't had a chance to look at it yet because it just came to our attention this morning. We are leaving it where it is for the comms guy to come and have a look at tomorrow."

Users were directed to the server because of a link contained in an e-mail that was spammed overnight.

One version of the spam seen by ZDNet Australia arrived with the subject line: "Microsoft Windows TCP/IP Protocol Security Issue -- Patch Required" and the "from" address is spoofed to read "support@microsoft.com".

The body of the message claims that Microsoft has discovered a zero-day vulnerability and warns the recipient to follow the link and apply the patch within 24 hours in order to reduce the chances of being exploited.

The link contained in the e-mail appears to point to a file on Microsoft's Web site but actually links to the recently removed UNSW server, which is located in Sydney.