
1/28/2011

Zeus botnet vs SpyEye botnet

1. Introduction

The most widely spread botnet is Zeus. This malicious file mainly aims at stealing user account information, and toolkits for generating the malicious files are sold on black markets.
Since 2010, SpyEye has appeared as a rival to the Zeus botnet and has been upgraded continuously since then.


SpyEye has been active since 2010, after Harderman obtained the source code from Slavik, the Zeus developer. The merging of the SpyEye and Zeus source code is in progress. Furthermore, SpyEye has a special function, "Kill Zeus", which removes Zeus from an infected machine. Can a user be safe from the Zeus botnet by using the SpyEye toolkit? Let's look at the functions of SpyEye.

2. Interface of SpyEye

The interface of the SpyEye botnet toolkit is shown below.


The most attractive function is "Kill Zeus". It can remove Zeus, but the actual functions turn out to be the same as those of Zeus. Of course, the latest Zeus version 2.0 has protection against "Kill Zeus". The builder also supports an "Encryption key" setting to encrypt the generated bot and "UPX" to compress it.

After the settings are configured, the generated malicious file has the same functions as Zeus and can be spread via tampered web sites and e-mail attachments. A bot generated by the SpyEye toolkit can remove the Zeus bot and intercept data sent to the Zeus C&C server.

* It requires a serial number to run.


* Upgraded versions are still being released.

<Various versions released>

3. How to prevent

These toolkits are still generating bots, and new versions keep being released.
To use a PC safely against the security threats of such malicious files, we recommend the following "Security management tips" for general users.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trustworthy security company, keep its engine updated, and keep the real-time detection function on.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious with links received via instant messenger and SNS.
5. Scan downloaded files with anti-virus software before executing them.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment of malicious files such as those described above through nProtect Anti-Virus/Spyware, and operates a response system against various security threats.

1/24/2011

Be careful of malicious files targeting web vulnerabilities.

1. Introduction

Recently, the "Nateon" malicious file (Nateon is Nate's instant messenger), which was being spread through instant messenger messages, has begun luring users to a certain internet forum and exploiting web browser vulnerabilities.
Its spreading technique is becoming more and more sophisticated.


Nate is a South Korean web portal developed by SK Telecom. In 2003, Nate acquired the online community service Cyworld, and in 2004 it took first place in local page views with a total of 3.8 million, surpassing its rival Daum for the first time.

2. Spreading path and symptoms of infection

An infected user sends messages containing a malicious link.
If an uninfected user clicks that link, the outcome depends on whether Microsoft security patches are applied and on the web browser used (Internet Explorer, Firefox).

The message contains a URL, and the user reaches the forum by clicking that link.





This forum contains malicious HTML files.
Furthermore, the forum appears to have been compromised through a Zeroboard vulnerability.

zboard.php (before decoding)



zboard.php (decoded)



The pop.html and top.html files include the following JavaScript code.






main.html (decoded)
The decoded script contains the following malicious URLs.



kr1.html downloads the malicious 38.jpg file using the MS10-018 vulnerability; kr2.html uses the MS09-002 vulnerability.



The following figure shows the decoded script of kr1.html and kr2.html, in which the malicious URL can be found.



in.js leads the user to ff10.htm.



ff10.htm performs malicious behavior by exploiting a vulnerability in a certain web browser.



On a certain web browser, it downloads cosplay.swf.



The downloaded cosplay.swf looks like a normal Flash file, but it contains malicious code and downloads the malicious 38.jpg file.



The 38.jpg file then performs the malicious behavior.
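The chain above ends with an executable delivered under an image name (38.jpg). A simple defender-side check that catches this kind of masquerade is to classify downloaded files by their leading bytes rather than by their extension. The following Python is an added example, not code from the original post or from INCA Internet; the byte strings are constructed stand-ins (a minimal MZ/PE stub, a CWS Flash header, a JPEG marker), and the extension-to-type mapping is an assumption made for the example.

```python
import os
import struct

# Constructed sample byte strings (not real malware): a minimal MZ/PE stub, a
# compressed-Flash (CWS) header and a JPEG start-of-image marker.
SAMPLE_PE = (b"MZ" + b"\x00" * 58            # DOS header up to e_lfanew (offset 0x3C)
             + struct.pack("<I", 0x80)         # e_lfanew -> PE signature lives at 0x80
             + b"\x00" * (0x80 - 64)
             + b"PE\x00\x00" + b"\x00" * 20)
SAMPLE_SWF = b"CWS\x0a" + b"\x00" * 12
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"

# Content type expected behind each extension (assumed mapping for this example)
EXPECTED_BY_EXT = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png",
                   ".swf": "swf", ".exe": "pe", ".dll": "pe"}


def sniff_type(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring whatever extension it carries."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        pe_off = struct.unpack_from("<I", data, 0x3C)[0]
        if data[pe_off:pe_off + 4] == b"PE\x00\x00":
            return "pe"
        return "dos-executable"
    if data[:3] in (b"FWS", b"CWS", b"ZWS"):
        return "swf"
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    return "unknown"


def extension_mismatch(filename: str, data: bytes):
    """Return (expected, actual) when the extension lies about the content, else None."""
    expected = EXPECTED_BY_EXT.get(os.path.splitext(filename)[1].lower())
    if expected is None:
        return None
    actual = sniff_type(data)
    return None if actual == expected else (expected, actual)


def scan_downloads(files):
    """files: {filename: bytes}. Returns {name: (expected, actual)} for disagreeing files."""
    flagged = {}
    for name, data in files.items():
        mismatch = extension_mismatch(name, data)
        if mismatch is not None:
            flagged[name] = mismatch
    return flagged


if __name__ == "__main__":
    sample = {"38.jpg": SAMPLE_PE, "cosplay.swf": SAMPLE_SWF, "photo.jpg": SAMPLE_JPEG}
    for name, (expected, actual) in scan_downloads(sample).items():
        print(f"{name}: extension says {expected}, content is {actual}")
```

Note the limit that the post itself illustrates: cosplay.swf is a genuine Flash file with malicious code inside, so a magic-byte check passes it; that file needs content inspection or reputation data, not a header check.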


The downloaded 38.jpg creates files in the following paths.

[Generated files]
C:\WINDOWS\system\winpingying.ime
C:\WINDOWS\system\Lcomres.dat
C:\WINDOWS\system\Lins.log
C:\WINDOWS\system\winweng.exe

[Registry value registered to run on boot]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- Value name : "Default"
- Value data : "C:\WINDOWS\system\winweng.exe"

winweng.exe, generated by 38.jpg.exe, kills certain anti-virus programs. In addition, winweng.exe is executed on every boot to kill the following anti-virus software:

- AhnLab (V3)
- EstSoft (ALYAC)
- Virus Chaser
- Kaspersky

In addition, this malicious file injects winpingying.ime into iexplore.exe and can perform malicious behavior, including stealing account information for the following online games:

- Maplestory
- Aion
- Hangame
- Pmang
- Lineage 1
- Lineage 2
- Mabinogi
- DNF

3. How to prevent

Since this kind of malicious file operates over the internet and can cause financial damage, applying the latest patches, including those for MS Windows, is essential.
To use a PC safely against the security threats of such malicious files, we recommend the following "Security management tips" for general users.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trustworthy security company, keep its engine updated, and keep the real-time detection function “ON”.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious with links received via instant messenger and SNS.
5. Scan downloaded files with anti-virus software before executing them.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment of malicious files such as the one described above through nProtect Anti-Virus/Spyware, and operates a response system against various security threats.

1/21/2011

Continuous appearance of ransomware variants.

1. Introduction

Ransomware is spreading these days. Among the prevalent malicious programs, a peculiar ransomware locks the user's desktop and induces the user to pay.
The main characteristic of this kind of ransomware is that it generates a malicious file in a certain path and reboots the victim's computer upon infection.

Previous malicious files focused on leaking information and destroying internal files; ransomware, however, induces the user to pay.

2. Spreading path and symptoms of infection

The currently found malicious file can be downloaded from certain web sites, even though the domain addresses are not the same.




The downloaded file is named pornoplayer.exe.



When this malicious file is executed, the system reboots and the desktop is locked.
As a result, the desktop becomes inaccessible.



It shows a "Warning" message and demands a certain amount of money from the user. After payment, the victim receives a release code with which the desktop can be unlocked.

* Flow of a general "file-type ransomware"


  
Executing the downloaded pornoplayer.exe creates a malicious file in the following path.

[Generated file]
C:\Documents and Settings\(User account)\2639420692\2639420692.EXE

In addition, it registers a registry value so that the victim's PC is infected again on every boot.

[Registry value registered to run on boot]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
 - Value name : "ZDF2639420692AWrt2639420692AdsWrt2639420692aAdsWrtenZDF2639420692_26394206920"
 - Value data : "C:\Documents and Settings\(User account)\2639420692\2639420692.EXE"
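Both the Nateon malicious file described earlier (value "Default" pointing at C:\WINDOWS\system\winweng.exe) and this ransomware persist through the HKCU Run key. The following Python is an added example, not part of either post or of INCA Internet's tools, that triages Run values with a few heuristics drawn from those two entries. The sample values are constructed from the posts (the user name "victim" and the ctfmon.exe entry are made up for contrast), and read_run_values() only works on a Windows host.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of HKCU\...\Run values, modelled on the two entries the posts
# describe (winweng.exe and the 2639420692.EXE ransomware) plus one ordinary entry
# for contrast. Not read from a real machine.
SAMPLE_RUN_VALUES: List[Tuple[str, str]] = [
    ("Default", r"C:\WINDOWS\system\winweng.exe"),
    ("ZDF2639420692AWrt2639420692AdsWrt2639420692aAdsWrtenZDF2639420692_26394206920",
     r"C:\Documents and Settings\victim\2639420692\2639420692.EXE"),
    ("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
]

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


def triage_run_value(name: str, data: str) -> List[str]:
    """Heuristic reasons why one Run value deserves a look (empty list = nothing odd)."""
    reasons = []
    path = data.strip().strip('"').lower()
    # The 16-bit era WINDOWS\system folder is an odd home for anything that autostarts.
    if path.startswith("c:\\windows\\system\\"):
        reasons.append("executable lives in the legacy WINDOWS\\system folder")
    # An all-digit folder directly under the user profile is typical of droppers.
    if re.search(r"\\(documents and settings|users)\\[^\\]+\\\d{6,}\\", path):
        reasons.append("executable lives in an all-digit folder under the user profile")
    if name.lower() == "default":
        reasons.append('value name "Default" is unusual for a legitimate autostart')
    # Long names with many digits look generated rather than chosen by a vendor.
    if len(name) > 40 and sum(c.isdigit() for c in name) > len(name) // 4:
        reasons.append("long, digit-heavy value name")
    return reasons


def triage_run_values(values) -> Dict[str, List[str]]:
    """Map each suspicious value name to its reasons; clean entries are omitted."""
    flagged = {}
    for name, data in values:
        reasons = triage_run_value(name, data)
        if reasons:
            flagged[name] = reasons
    return flagged


def read_run_values(hive=None) -> List[Tuple[str, str]]:
    """Read the live Run key on Windows (HKCU by default); winreg is imported lazily."""
    import winreg
    hive = winreg.HKEY_CURRENT_USER if hive is None else hive
    values = []
    with winreg.OpenKey(hive, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:      # no more values
                break
            values.append((name, str(data)))
            index += 1
    return values


if __name__ == "__main__":
    for name, reasons in triage_run_values(SAMPLE_RUN_VALUES).items():
        print(name[:40], "->", "; ".join(reasons))
```

On a live machine, pass read_run_values() into triage_run_values(); the heuristics are deliberately loose, so treat a hit as a reason to look at the file, not as a verdict.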

3. How to prevent

To use a PC safely against ransomware, we recommend the following "Security management tips" for general users.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trustworthy security company, keep its engine updated, and keep the real-time detection function “ON”.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious with links received via instant messenger and SNS.
5. Scan downloaded files with anti-virus software before executing them.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment of malicious files such as the one described above through “nProtect Anti-Virus/Spyware”, and operates a response system against various security threats.

Diagnosis name

 - Trojan/W32.PornoPlayer.47616




* How to remove manually

1. Boot into safe mode.
2. Go to C:\Documents and Settings\(User account)\2639420692\.
3. Remove that folder or 2639420692.EXE.
4. Open "Run -> regedit" in Windows.
5. Remove the following registry value:
   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
   Value name: ZDF2639420692AWrt2639420692AdsWrt2639420692aAdsWrtenZDF2639420692_26394206920
6. Reboot.



Twitter worm is getting spread via goo.gl.

1. Introduction

On Jan 20, 2011, a fake anti-virus program called the "Twitter worm" was reported.
Users who are active on SNS need to be careful when using social network services. This "Twitter worm" spreads via Twitter, especially through Google's URL shortening service, goo.gl.



2. Spreading path and symptoms of infection

This fake anti-virus software is known to spread via Twitter and SNS. Because it uses goo.gl shortened URLs, users cannot know where they will be taken before clicking.


Clicking the shortened URL redirects to a download address, and the user may install the fake anti-virus software.
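Since a shortened link hides its destination, one defensive habit is to expand it by following Location headers with HEAD requests, never fetching a body, and to look at where the chain ends. The following Python is an added example, not from the post or from INCA Internet; the redirect chain and hosts (hop.example, the goo.gl placeholder path) are constructed, and http_head_location() is the only part that touches the network.

```python
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional
from urllib.parse import urljoin

# Constructed redirect chain with hypothetical hosts; nothing here points at the
# real campaign. The goo.gl path is a placeholder, not a real shortened link.
SAMPLE_CHAIN: Dict[str, Optional[str]] = {
    "https://goo.gl/PLACEHOLDER": "http://hop.example/go?id=1",
    "http://hop.example/go?id=1": "/dl/setup.exe",          # relative Location header
    "http://hop.example/dl/setup.exe": None,                 # final 200, no Location
}


def sample_fetch_location(url: str) -> Optional[str]:
    """Offline stand-in for a HEAD request: returns the Location header or None."""
    return SAMPLE_CHAIN.get(url)


def expand_short_url(url: str, fetch_location: Callable[[str], Optional[str]],
                     max_hops: int = 10) -> List[str]:
    """Follow Location headers one hop at a time, without downloading any body."""
    hops = [url]
    for _ in range(max_hops):
        location = fetch_location(hops[-1])
        if location is None:
            break
        nxt = urljoin(hops[-1], location)      # resolve relative Location values
        if nxt in hops:                        # redirect loop: stop
            break
        hops.append(nxt)
    return hops


EXECUTABLE_SUFFIXES = (".exe", ".scr", ".msi", ".bat", ".com")


def delivers_executable(hops: List[str]) -> bool:
    """True when the final destination's path looks like a direct program download."""
    path = hops[-1].split("?", 1)[0].split("#", 1)[0].lower()
    return path.endswith(EXECUTABLE_SUFFIXES)


def http_head_location(url: str, timeout: float = 10.0) -> Optional[str]:
    """Real fetcher: one HEAD request that does not auto-follow redirects (needs network)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None          # returning None makes urllib raise HTTPError on 3xx

    opener = urllib.request.build_opener(NoRedirect)
    request = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(request, timeout=timeout) as response:
            return response.headers.get("Location")   # None for a final 200
    except urllib.error.HTTPError as err:
        return err.headers.get("Location")             # 3xx: read the Location header


if __name__ == "__main__":
    chain = expand_short_url("https://goo.gl/PLACEHOLDER", sample_fetch_location)
    print(" -> ".join(chain), "| executable:", delivers_executable(chain))
```

To preview a real link, call expand_short_url(url, http_head_location); a chain that ends in a bare .exe is the pattern this post describes, although a final HTML page can still lead to a download, so the check is a filter rather than a guarantee.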


After the fake AV is installed, a fake warning screen reporting 31 infections appears.


Like the usual malicious software of this kind, it induces the user to pay.


3. How to prevent

This kind of fake anti-virus software commonly induces users to pay. Furthermore, the recently found fake anti-virus software uses Twitter and SNS as its spreading path.
To use a PC safely against the security threats of such malicious files, we recommend the following "Security management tips" for general users.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trustworthy security company, keep its engine updated, and keep the real-time detection function on.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious with links received via instant messenger and SNS.
5. Scan downloaded files with anti-virus software before executing them.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment of malicious files such as the one described above through nProtect Anti-Virus/Spyware, and operates a response system against various security threats.

Diagnosis name

- Script-HTML/W32.Agent.TM
- Trojan/W32.FakeAV.253952.B
- Trojan/W32.FakeAV.313104.B

1/20/2011

Ransomware is booming these days.

1. Introduction

Another variant of ransomware has been found.
As you know, ransomware locks the user's desktop and encrypts certain files on the user's PC.
It induces the victim to enter a code to unlock the desktop and to pay in order to obtain that unlock code.



2. Spreading path and symptoms of infection

Ransomware can be spread in various ways, including e-mail attachments or links, and even through applications such as Adobe Reader, Java, QuickTime Player and Adobe Flash Player.

The recently found malicious file disguises itself with a movie-related file name.


Like general ransomware, it locks the desktop and requires a key to be entered.


It also appears again after a reboot.

3. How to prevent

Although no damage case of this ransomware has been reported so far, to use a PC safely against the security threats of such ransomware, we recommend the following "Security management tips" for general users.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trustworthy security company, keep its engine updated, and keep the real-time detection function on.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious with links received via instant messenger and SNS.
5. Scan downloaded files with anti-virus software before executing them.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment of malicious files such as the one described above through nProtect Anti-Virus/Spyware, and operates a response system against various security threats.

1/19/2011

A cloud-based malicious file interfering with anti-virus software has appeared!

1. Introduction

On Jan 18, 2011, the official Microsoft blog announced that a cloud-based malicious file which may interfere with anti-virus behavior is spreading.
The recently reported malicious file appears to use social engineering techniques; it has been revealed as the first type targeting cloud systems and is expected to be a new security threat.



2. Malicious file info

This malicious file deceives the user with a movie-file icon.


When executed, it shows an installation screen written in Chinese to deceive the user.


Furthermore, it displays a screen resembling a movie player.


Currently, no damage case of this malicious file has been reported; however, as the first cloud-based malicious file, it deserves attention.

3. How to prevent

This malicious file has been reported to target the security cloud servers of Chinese companies, including Kingsoft, Rising and others. Moreover, it modifies itself to bypass detection.

If this malicious file tampers with a certain module, the update process can go wrong.
Modifying the module that communicates with the cloud server for malware diagnosis can cause wrong diagnosis results.
Furthermore, it can download additional malicious files.

With the emergence of malicious files targeting Chinese cloud servers, the possibility of damage caused by additional malicious files remains for cloud systems.
Security companies that have already adopted cloud systems, or are considering adopting them, must concentrate on the possible security threats.

To use a PC safely against the security threats of such malicious files, we recommend the following "Security management tips" for general users.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trustworthy security company, keep its engine updated, and keep the real-time detection function on.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious with links received via instant messenger and SNS.
5. Scan downloaded files with anti-virus software before executing them.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment of malicious files such as the one described above through nProtect Anti-Virus/Spyware, and operates a response system against various security threats.

Diagnosis name

 - Trojan/W32.FakeAV.2295397
 - Trojan/W32.FakeAV.2229503


1/18/2011

Malicious files are spreading via online shopping and file sharing web sites.

1. Introduction

On Jan 11 and 16, 2011, there were reports that malicious files were being spread via certain online shopping sites.
Although the malicious file cannot be downloaded just by visiting the corresponding online shopping site, it still has the potential to spread and perform malicious actions. Furthermore, some file sharing sites are also suspected of spreading those files.

Therefore, general users who frequently visit online shopping sites and file sharing sites need to be careful when surfing the internet.

2. Spreading path and symptoms of infection

The following sites contain malicious files, and further spreading is expected.

http://www.(.......).co.kr/(.......)/USB_Vlad.exe



http://www.(.......).co.kr/(.......)/file/pds.exe



The following figure shows the downloaded files.


* What do they do?

* USB_Vlad.exe (32,256 bytes)

* Upon infection, this malicious file creates a copy of itself in the following path.

 - (Windows System Folder)\raidhost.exe (32,256 bytes)

* It registers a registry value so that it runs on boot.

 - [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 - Value Name : raidhost
 - Value Data : (Windows System Folder)\raidhost.exe

* It is expected to act as a backdoor or proxy server by connecting to a certain site (IRC server).

 - http://(.......).(.......).com:1033/

* (Windows System Folder) is C:\WINDOWS\SYSTEM on Windows 95, 98 and ME, C:\WINNT\SYSTEM32 on Windows 2000 and NT, and C:\WINDOWS\SYSTEM32 on Windows XP.

* pds.exe (59,392 bytes)

* Upon infection, this malicious file creates a copy of itself in the following path.

 - (Windows System Folder)\(Random 5-digit alphanumeric).exe (59,392 bytes)

* It registers a registry value so that it runs on boot together with userinit.exe.

 - [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
 - Value Name : Userinit
 - Value Data : (Windows System Folder)\userinit.exe, (Random 5-digit alphanumeric).exe

* It is expected to collect certain online game account information and send the collected information to a certain web site.

 - http://180.(.......).(.......).180:1035/

* (Windows System Folder) is C:\WINDOWS\SYSTEM on Windows 95, 98 and ME, C:\WINNT\SYSTEM32 on Windows 2000 and NT, and C:\WINDOWS\SYSTEM32 on Windows XP.
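The pds.exe entry above hijacks the Winlogon Userinit value rather than the Run key, so a check of Run keys alone misses it. The following Python is an added example (not from the post or from INCA Internet) that splits the comma-separated Userinit value and reports anything beyond the expected userinit.exe. The sample values are constructed, the 5-character name a7k2q.exe is made up, and read_userinit_value() assumes a Windows host.

```python
from typing import List

# Constructed Winlogon\Userinit values (assumed Windows XP paths). The hijacked one
# mirrors the pattern described above, with a made-up 5-character program name.
SAMPLE_USERINIT = {
    "clean": r"C:\WINDOWS\system32\userinit.exe,",
    "hijacked": r"C:\WINDOWS\system32\userinit.exe, a7k2q.exe",
    "replaced": r"C:\WINDOWS\system32\bad.exe,",
}

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def split_userinit(value: str) -> List[str]:
    """Winlogon runs each comma-separated entry in turn; the trailing comma is normal."""
    return [entry.strip().strip('"') for entry in value.split(",") if entry.strip()]


def userinit_findings(value: str, system_folder: str = r"C:\WINDOWS\system32") -> List[str]:
    """Return human-readable findings; an empty list means the value looks standard."""
    entries = split_userinit(value)
    expected = (system_folder + r"\userinit.exe").lower()
    findings = []
    if not entries or entries[0].lower() != expected:
        findings.append(f"first entry is not {expected}: {entries[:1]}")
    for extra in entries[1:]:
        # A bare filename resolves relative to the system folder, which is how a
        # random 5-character .exe dropped there gets launched at every logon.
        findings.append(f"extra program launched at logon: {extra}")
    return findings


def read_userinit_value() -> str:
    """Read the live Userinit value from HKLM on Windows; winreg is imported lazily."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    return value


if __name__ == "__main__":
    for label, value in SAMPLE_USERINIT.items():
        print(label, "->", userinit_findings(value) or "looks standard")
```

Pass the real system folder (for example from the SystemRoot environment variable) when checking a live value, since the expected path differs between Windows versions.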

3. How to prevent

Since these files can be spread using an iframe exploit via a tampered web site, to use a PC safely against the security threats of such malicious files, we recommend the following "Security management tips" for general users.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trustworthy security company, keep its engine updated, and keep the real-time detection function on.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious with links received via instant messenger and SNS.
5. Scan downloaded files with anti-virus software before executing them.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment of malicious files such as those described above through nProtect Anti-Virus/Spyware, and operates a response system against various security threats.

Diagnosis name

- Backdoor/W32.IRCBot.32256.X
- Trojan/W32.Agent.59392.JL



1/17/2011

Malicious files for leaking personal information are evolving.

1. Introduction

Recently, malicious files aimed at leaking personal information are being spread in various ways.
Among them, peculiar malicious files that tamper with Windows system files or bypass anti-virus software have been found, so users need to be careful when using the internet, and an urgent response strategy is needed.


2. Spreading path and symptoms of infection

Currently, this malicious file runs on PCs exposed to a Microsoft security vulnerability. The malicious file, a modified form of the normal Comres.dll, can infect a victim's PC when the victim accesses a suspicious URL.

* Control flow of the malicious file's spreading



This malicious file, known as the Nateon malicious file, has adopted more sophisticated techniques for spreading and infection.
This kind of infection will not spread once the latest Microsoft security updates are applied.


The downloaded 01.exe and 3.exe create files in certain paths when executed. In addition, once infected by this malicious file, the normal comres.dll and imm32.dll are tampered with.

[Generated files]
(Windows System folder)\ComResA.dll
(Windows System folder)\imm32.dll(Random alphanumeric.tmp)
(Windows System folder)\nt32.dll.(Random alphanumeric.tmp)
(Windows System folder)\systemInfo.ini
(Windows System folder)\systemInfomations.ini

 - (Windows System folder) is usually C:\WINDOWS\system32.

If the normal Comres.dll is deleted, it can cause system abnormalities; therefore, the normal system files need to be recovered.

* Size differences between the normal and malicious files

A. normal Comres.dll file
     C:\WINDOWS\system32\comres.dll (16,232 bytes)

B. malicious Comres.dll file
     C:\WINDOWS\system32\comres.dll  (7,168 bytes)
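The size difference above and the list of generated files give a concrete check for a suspected infection. The following Python is an added example (not from the post or from INCA Internet) that walks a system-folder listing and reports the indicators the post describes: a comres.dll whose size differs from the quoted normal size, the ComResA.dll copy, the .tmp copies of imm32.dll and nt32.dll, and the .ini files. The listing is constructed; only the two comres.dll sizes come from the post, and the known-good size varies by Windows version and language, so it is a starting point to be confirmed with a signature or hash check, not proof.

```python
import os
import re
from typing import Dict, List

# Constructed directory listing of (Windows System folder): {name: size in bytes}.
# The comres.dll sizes are the two the post quotes; every other size is made up.
SAMPLE_LISTING: Dict[str, int] = {
    "comres.dll": 7168,
    "ComResA.dll": 16232,
    "imm32.dll": 110080,
    "imm32.dll.k3f8a.tmp": 110080,
    "nt32.dll.q1z7c.tmp": 23040,
    "systemInfo.ini": 96,
    "kernel32.dll": 989696,
}

# Known-good size taken from the post; real sizes differ between Windows builds,
# so a mismatch is a lead to verify (signature check, hash against a clean box).
KNOWN_GOOD_SIZES = {"comres.dll": 16232}

# imm32.dll.<random>.tmp / nt32.dll.<random>.tmp copies left by the infection
SIDECAR_TMP = re.compile(r"^(comres|imm32|nt32)\.dll\.?[0-9a-z]+\.tmp$", re.IGNORECASE)
# Files the post lists as dropped by 01.exe / 3.exe
DROPPED_NAMES = {"comresa.dll", "systeminfo.ini", "systeminfomations.ini"}


def check_system_folder(listing: Dict[str, int]) -> List[str]:
    """Return one finding per suspicious entry; an empty list means nothing matched."""
    findings = []
    for name, size in listing.items():
        low = name.lower()
        good = KNOWN_GOOD_SIZES.get(low)
        if good is not None and size != good:
            findings.append(f"{name}: {size} bytes, expected {good} (possible tampered copy)")
        if low in DROPPED_NAMES:
            findings.append(f"{name}: file dropped by the 01.exe/3.exe infection chain")
        if SIDECAR_TMP.match(name):
            findings.append(f"{name}: .tmp copy of a system DLL left by the infection")
    return findings


def list_folder(path: str) -> Dict[str, int]:
    """Build the {name: size} listing for a real folder (e.g. %SystemRoot%\\system32)."""
    return {entry.name: entry.stat().st_size
            for entry in os.scandir(path) if entry.is_file()}


if __name__ == "__main__":
    for finding in check_system_folder(SAMPLE_LISTING):
        print(finding)
```

On a live machine, feed list_folder(os.path.join(os.environ["SystemRoot"], "system32")) into check_system_folder(); an unmodified system produces no findings.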

nt32.dll, generated by 3.exe, is designed to steal account information for the following online game sites:
 
Pmang.com
Netmarble.net
Nexon.com
Lineage.plaync.co.kr
Hangame.com

* Comparison between the normal Comres.dll and Imm32.dll files and the tampered Comres.dll and Imm32.dll files





The left one is the normal file, the right one is the tampered form.

3. How to prevent

Many variants of comres.dll and imm32.dll are spreading these days.
To use a PC safely against the security threats of such malicious files, we recommend the following "Security management tips" for general users.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trustworthy security company, keep its engine updated, and keep the real-time detection function on.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious with links received via instant messenger and SNS.
5. Scan downloaded files with anti-virus software before executing them.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment of malicious files such as the one described above through nProtect Anti-Virus/Spyware, and operates a response system against various security threats.

Diagnosis name

- Trojan-Downloader/W32.Small.7168.FG
- Trojan/W32.Agent.7168.LX
- Trojan/W32.Agent.23040.PA
- Trojan/W32.Agent.53248.AXC
- Virus/W32.Patched.P