
2/25/2011

Be careful of malicious files disguised as MS Office DOCX files

1. Introduction

On Feb 24, 2011, a malicious file disguised as a DOCX file (an MS Office document) was found on an overseas web site.
The document contains an EXE file with a PE structure, which infects the user's PC when executed.
Therefore, general users need to be careful when executing files from downloaded DOCX files.



2. Spreading path and symptoms of infection

The downloaded DOCX file is named "satna.docx"; its file name can be changed and spread with various techniques.
The following figure shows the downloadable malicious DOCX file.


The message is written in English and Arabic.



Furthermore, it induces the user to click a notepad icon.
Double-clicking it executes the EXE file (PE structured) after this warning page.


We extracted this EXE file by drag and drop and inspected its internal structure.
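A way to check a downloaded DOCX for an embedded PE executable without opening it in Word, as an added example that is not part of the original post: a DOCX is a ZIP archive and embedded objects sit under word/embeddings/, so the script opens the archive, scans each embedded member for an MZ header and confirms it through the e_lfanew pointer to the PE signature. The sample document is constructed inline with a dummy PE image; no real malware is involved.

```python
import io
import struct
import zipfile
from typing import Dict, List

MZ_MAGIC = b"MZ"
PE_MAGIC = b"PE\0\0"
E_LFANEW_OFFSET = 0x3C  # offset of the e_lfanew field in the DOS header


def find_pe_images(blob: bytes) -> List[int]:
    """Return the offsets of every MZ/PE header found inside blob.

    Embedded objects in a DOCX are usually wrapped in an OLE "Package"
    stream, so the executable rarely starts at offset 0; every MZ
    occurrence is therefore checked, and only those whose e_lfanew
    points at a real "PE\0\0" signature are reported.
    """
    hits = []
    pos = blob.find(MZ_MAGIC)
    while pos != -1:
        field = pos + E_LFANEW_OFFSET
        if field + 4 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, field)[0]
            pe = pos + e_lfanew
            if 0 < e_lfanew < 0x1000 and blob[pe:pe + 4] == PE_MAGIC:
                hits.append(pos)
        pos = blob.find(MZ_MAGIC, pos + 1)
    return hits


def scan_docx(docx_bytes: bytes) -> Dict[str, List[int]]:
    """Map each embedded-object member of a DOCX to the PE offsets found in it."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            # Embedded OLE objects and packages live under word/embeddings/
            if not name.startswith("word/embeddings/"):
                continue
            offsets = find_pe_images(zf.read(name))
            if offsets:
                findings[name] = offsets
    return findings


def build_sample_docx() -> bytes:
    """Constructed sample: a minimal DOCX-shaped ZIP carrying a dummy PE image."""
    fake_pe = bytearray(MZ_MAGIC + b"\0" * 0x3E)            # 64-byte DOS header
    struct.pack_into("<I", fake_pe, E_LFANEW_OFFSET, 0x80)  # e_lfanew -> 0x80
    fake_pe += b"\0" * (0x80 - len(fake_pe)) + PE_MAGIC + b"\0" * 20
    # Prefix with a compound-file magic and padding, the way an OLE Package
    # stream would, so the MZ header does not sit at offset 0.
    package_stream = b"\xd0\xcf\x11\xe0" + b"\0" * 60 + bytes(fake_pe)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/embeddings/oleObject1.bin", package_stream)
        zf.writestr("word/media/image1.png", b"\x89PNG\r\n\x1a\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, offsets in scan_docx(build_sample_docx()).items():
        print(f"{member}: PE header(s) at {[hex(o) for o in offsets]}")
```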



Clicking the execute button creates a malicious file disguised as a TXT file on the following path.



The generated svchosts.exe file is registered in the following registry value and re-infects the PC on boot.

[Register registry value for running on boot]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- Value name : "HKCU Key"
- Value data : "C:\Documents and Settings\Administrator\Application Data\svchosts.exe"

3. How to prevent

To use your PC safely against the security threats of these malicious attachments, we recommend the following "Security management tips" for general users.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus SW from a reputable security company, keep its engine updated, and enable real-time detection.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious of links received via instant messengers and SNS.
5. Scan downloaded files with anti-virus SW before executing them.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment for malicious files such as the one described above with nProtect Anti-Virus/Spyware and runs a response system against various security threats.

2/23/2011

Phishing on online transactions

1. Introduction

Recently, we found a pop-up type phishing case that appears when accessing certain web sites; therefore, general users need to be careful when using the internet.
Damage cases occurred while booking movie tickets with a credit card or using online banking in South Korea.
Because it can cause financial damage, general users must be careful when performing financial tasks.

2. Spreading path and symptoms of infection

It can be downloaded as an e-mail attachment or by clicking a link on a messenger or SNS.
Besides, we found this malicious file loaded in the running process list on the victim's PC.


In this figure, we can see that "noloadf5A.dll" is injected into the normal process "rundll32.exe". This DLL file remains hidden on the following path. Furthermore, the infected PC registers the following registry values.


* File path of noloadf5A.dll

C:\WINDOWS\system32\noloadf5A.dll ( 614,400 bytes, hidden )

* Registry value

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemonTool"="C:\WINDOWS\system32\noloadf5A.dll"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemonTool"="C:\Documents and Settings\(User account)\noloadf5A.dll"

These two kinds of attempts have been found recently, and other cases can appear.

A. Attempt while signing in to an online banking site

The following figure can appear while signing in to a domestic online banking site on an infected PC.

It induces the user to input card information. Besides, this page appears only in "Internet Explorer".

B. Attempt on an online movie ticketing site

Another case appears when reserving tickets on an online movie ticketing site. If you input the information for the ticket,


this Mastercard secure code input form appears.
This page is a fake page and requests the user's card information.


This pop-up appears when a card enabled for international use is used.


3. How to prevent

To use your PC safely against the security threats of these malicious attachments, we recommend the following "Security management tips" for general users.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus SW from a reputable security company, keep its engine updated, and enable real-time detection.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious of links received via instant messengers and SNS.
5. Scan downloaded files with anti-virus SW before executing them.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment for malicious files such as the one described above with nProtect Anti-Virus/Spyware and runs a response system against various security threats.

2/22/2011

Malicious files are spreading through MSN Messenger.

1. Introduction

A malicious file spreading through MSN (Live) Messenger was found in South Korea on Feb 21, 2011.
Accessing a certain URL infects the user's PC.
General users who use MSN frequently need to be careful when clicking URLs.



2. Spreading path and symptoms of infection

This malicious file infects the PC when the URL is clicked.

On clicking the link, a malicious file disguised as an image file (DSC002502011.JPG.scr) is downloaded.



The downloaded DSC002502011.JPG.scr is masqueraded as an image file (a .scr screen-saver file is an executable).

Furthermore, when executed, this malicious file downloads an additional malicious file.


The downloaded malicious kbn.exe is saved as winrsvn.exe on the following path and registered in the registry to run on boot.

[Generated File]

User account\Microsoft-Driver-[Random numbers]\winrsvn.exe

[Registry Information]

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"Microsoft(R) Service Update"="%User account%\Microsoft-Driver-[Random numbers]\winrsvn.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
"%User account%\Microsoft-Driver-[Random numbers]\winrsvn.exe"
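The three persistence entries in the posts above (svchosts.exe under Application Data, noloadf5A.dll as a bare DLL path in a Run value, winrsvn.exe in a Microsoft-Driver-[Random numbers] folder) share traits a defender can check for in a Run key export. The following script is an added example, not INCA's tool: it parses a constructed .reg-style export that uses the names and paths from these posts (the 48213 suffix is a made-up stand-in for the random numbers) and flags every Run value that runs from a user-writable directory, points at a bare DLL, mimics a Windows binary name outside system32, or sits in a random-numbered folder.

```python
import re
from typing import Dict, List

# Constructed sample (not a real capture): Run keys exported in .reg style.
# The first three values mirror the persistence entries described in the
# posts; the last one is a benign reference entry.
SAMPLE_REG_EXPORT = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"HKCU Key"="C:\Documents and Settings\Administrator\Application Data\svchosts.exe"
"Microsoft(R) Service Update"="C:\Documents and Settings\Administrator\Microsoft-Driver-48213\winrsvn.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemonTool"="C:\WINDOWS\system32\noloadf5A.dll"
"ctfmon"="C:\WINDOWS\system32\ctfmon.exe"
'''

KEY_RE = re.compile(r"^\[(HKEY_[^\]]*\\CurrentVersion\\Run)\]$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"')
USER_WRITABLE = ("\\documents and settings\\", "\\users\\", "\\application data\\", "\\temp\\")
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")
SYSTEM_BINARIES = {"svchost.exe", "rundll32.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
RANDOM_DIR_RE = re.compile(r"\\[^\\]+-\d{3,}\\")  # e.g. \Microsoft-Driver-48213\


def looks_like_system_name(basename: str) -> bool:
    """True if basename is a Windows binary name or one deleted character away from one."""
    n = basename.lower()
    if n in SYSTEM_BINARIES:
        return True
    return any(n[:i] + n[i + 1:] in SYSTEM_BINARIES for i in range(len(n)))


def reasons_for(data: str) -> List[str]:
    """Heuristic reasons why a Run value's target path deserves a closer look."""
    low = data.lower()
    basename = low.rsplit("\\", 1)[-1]
    reasons = []
    if any(d in low for d in USER_WRITABLE):
        reasons.append("runs from user-writable directory")
    if basename.endswith(".dll"):
        reasons.append("bare DLL path in Run value")
    if looks_like_system_name(basename) and not any(d in low for d in SYSTEM_DIRS):
        reasons.append("system binary look-alike outside system32")
    if RANDOM_DIR_RE.search(low):
        reasons.append("random-numbered directory name")
    return reasons


def audit_run_keys(reg_text: str) -> Dict[str, List[str]]:
    """Parse a .reg-style export and return {key\\value name: reasons} for flagged entries."""
    flagged = {}
    current_key = None
    for line in reg_text.splitlines():
        line = line.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        value_match = VALUE_RE.match(line)
        if current_key and value_match:
            name = value_match.group(1)
            # Real exports double the backslashes; the posts show single ones.
            data = value_match.group(2).replace("\\\\", "\\")
            why = reasons_for(data)
            if why:
                flagged[current_key + "\\" + name] = why
    return flagged


if __name__ == "__main__":
    for entry, why in audit_run_keys(SAMPLE_REG_EXPORT).items():
        print(entry, "->", "; ".join(why))
```

The heuristics are deliberately loose: a legitimate installer can also start a program from the user profile, so a hit is a prompt to inspect the file, not a verdict.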

This malicious file sends the following messages (in German and English), together with a link to the malicious file, to certain users.

[Message]


hab ich dir das foto schon gezeigt?
wie findest du das foto?
das foto solltest du wirklich sehen
so will ich nicht aussehen wenn ich alt bin
kennst du die person aufm foto?
kennst du das foto schon?
schau mal das foto an
unglaublich welche fotos leute von sich machen schau mal
die sieht aus wie angela merkel
tell me what you think of this picture i edited
i cant believe i still have this picture of you from last winter
should i make this my default picture?
this is the funniest photo ever!
tell me what you think of this photo
i don't think i will ever sleep again after seeing this photo
my parents are going to kill me if they find this picture

3. How to prevent

To use your PC safely against the security threats of these malicious attachments, we recommend the following "Security management tips" for general users.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus SW from a reputable security company, keep its engine updated, and enable real-time detection.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious of links received via instant messengers and SNS.
5. Scan downloaded files with anti-virus SW before executing them.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment for malicious files such as the one described above with nProtect Anti-Virus/Spyware and runs a response system against various security threats.

* Diagnosis name

 - Trojan-Downloader/W32.Agent.18944.FE
 - Trojan-Downloader/W32.Agent.38912.CM

2/17/2011

Malicious files using ARP spoofing are spreading.

1. Introduction

Since ARP spoofing malicious files have been spreading rapidly these days, additional damage, including infection with further malicious files and theft of online game accounts, can accumulate.
If a PC is infected, internet speed can drop and other PCs on the same network can be infected through it.
Therefore, general users need to be careful when using the internet.

Furthermore, this ARP spoofing malicious file is widely infecting PCs running a certain management program.

2. Spreading path and symptoms of infection

The origin has not been identified so far; however, the spreading technique of this malicious file is unusual.

The biggest difference between previously found malicious files and the recently found one is that it includes an iframe for downloading additional malicious files. In other words, an infected PC can act as a spreading server.
Upon infection with the ARP spoofing malware, the following files are generated.

* Generated and downloaded files

C:\WINDOWS\system32\wbem\AdmDll.dll
C:\WINDOWS\system32\wbem\H1A1-DNA.dna
C:\WINDOWS\system32\wbem\H1A1.exe
C:\WINDOWS\system32\wbem\H1A1.html
C:\WINDOWS\system32\wbem\H1A1_NDA_8.exe
C:\WINDOWS\system32\wbem\PCBangMng.exe
C:\WINDOWS\system32\wbem\TIMEDNA.dna
C:\WINDOWS\system32\wbem\UpdateService.exe
C:\WINDOWS\system32\wbem\dllhost.exe
C:\WINDOWS\system32\wbem\mongoose.conf
C:\WINDOWS\system32\wbem\mongoose.exe
C:\WINDOWS\system32\wbem\sys.rna
C:\WINDOWS\system32\wbem\translator.dll



Besides, it can launch a certain file through ActiveX via a script injected into the iframe.



This file tries to download an additional file onto the infected PC.


Furthermore, it can set a certain folder as a shared folder.



This malicious file can kill certain anti-virus software using taskkill.exe, add a Windows firewall exception for a certain service by registering a registry value, and control the infected PC remotely using "UpdateService.exe" (a remote control module).
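Because an infected PC answers ARP requests on behalf of other hosts in its IP range, the simplest network-side check is to watch for an IP whose MAC changes, or one MAC that claims several IPs, the gateway's among them. The following script is an added example and not part of the original post; it runs over a constructed ARP reply log (all MAC and IP values are made up), so the expected alerts are known in advance.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample (not a real capture): ARP replies seen on one LAN segment,
# one per line as "time ip mac".  192.168.0.1 is the gateway.  The host with
# the 00:0c:29:aa:bb:cc address plays the infected PC: after a few seconds it
# starts answering for the gateway and for another peer, which is what ARP
# spoofing looks like on the wire.
SAMPLE_ARP_LOG = """\
10:00:01 192.168.0.1 00:1a:2b:3c:4d:5e
10:00:02 192.168.0.23 00:0c:29:aa:bb:cc
10:00:03 192.168.0.57 00:25:64:11:22:33
10:00:09 192.168.0.1 00:0c:29:aa:bb:cc
10:00:10 192.168.0.57 00:0c:29:aa:bb:cc
10:00:11 192.168.0.1 00:0c:29:aa:bb:cc
"""


def parse_arp_log(text: str) -> List[Tuple[str, str, str]]:
    """Turn the log text into (time, ip, mac) tuples, skipping malformed lines."""
    replies = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            replies.append((parts[0], parts[1], parts[2].lower()))
    return replies


def detect_arp_spoofing(text: str, gateway_ip: str) -> dict:
    """Flag IPs announced with more than one MAC and MACs that claim several IPs.

    A single IP-to-MAC conflict can also come from a replaced NIC or a DHCP
    reassignment; one MAC answering for several IPs, the gateway among them,
    is the much stronger signal.
    """
    macs_by_ip: Dict[str, List[str]] = defaultdict(list)  # distinct MACs, in order seen
    ips_by_mac: Dict[str, set] = defaultdict(set)
    for _, ip, mac in parse_arp_log(text):
        if mac not in macs_by_ip[ip]:
            macs_by_ip[ip].append(mac)
        ips_by_mac[mac].add(ip)
    conflicts = {ip: macs for ip, macs in macs_by_ip.items() if len(macs) > 1}
    suspects = {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > 1}
    return {
        "conflicts": conflicts,
        "suspects": suspects,
        "gateway_changed": len(macs_by_ip.get(gateway_ip, [])) > 1,
    }


if __name__ == "__main__":
    report = detect_arp_spoofing(SAMPLE_ARP_LOG, "192.168.0.1")
    for ip, macs in report["conflicts"].items():
        print(f"{ip} was announced by {len(macs)} MACs: {', '.join(macs)}")
    for mac, ips in report["suspects"].items():
        print(f"{mac} claims {len(ips)} IPs: {', '.join(ips)}")
    if report["gateway_changed"]:
        print("gateway MAC changed: possible ARP spoofing of the gateway")
```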

3. How to prevent

If one PC is infected, other PCs in the same IP range can be infected in turn.
To use your PC safely against the security threats of these malicious files, we recommend the following "Security management tips" for general users.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus SW from a reputable security company, keep its engine updated, and enable real-time detection.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious of links received via instant messengers and SNS.
5. Scan downloaded files with anti-virus SW before executing them.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment for malicious files such as the one described above with nProtect Anti-Virus/Spyware and runs a response system against various security threats.

Diagnosis name

QR (Quick Response) codes: convenient, but they can be used maliciously.

1. Introduction

We see tons of QR (Quick Response) codes these days.
With the spread of QR codes, general users need to know how to use them and be careful when scanning them.
We mentioned this code earlier; here we would like to make clear how to use it and how to avoid its malicious effects.



2. What is a QR code, and how can it be exploited?

A QR code (abbreviated from Quick Response code) is a type of matrix barcode (or two-dimensional code) designed to be read by smartphones. The code consists of black modules arranged in a square pattern on a white background. The information encoded may be text, a URL, or other data.

A QR code can contain various kinds of information and can be scanned with a smartphone scanning application.

<QR Code>

How can we create a QR code?

A. Visit a QR code generating site.

* QR code generating site : http://www.bit.ly/



When we type in the address to be shortened, we get a shortened URL.

* http://www.nprotect.com/ -> http://bit.ly/cSNgWa

B. Appending ".qr" to the end of the address creates a QR code for the shortened address.

For example, (http://bit.ly/cSNgWa) becomes (http://bit.ly/cSNgWa.qr).



Since any kind of information can be stored in a QR code, malicious file programmers and distributors can also use QR codes for malicious purposes.
If a QR code points to a malicious file, a general user cannot easily notice it from the shortened URL alone.

< QR code is used in various ways >

QR codes are used in many ways, including in various advertisements. As mentioned above, general users are careless when scanning QR codes. The more popular they become, the more dangerous their spread will be.

3. How to prevent

We use, enjoy, and even work with smartphones. With the spread of smartphones, malicious mobile applications are spreading too. In the midst of the QR code boom, QR codes can be used maliciously and can become a new trend in security threats.
To use your PC safely against the security threats of such malicious content, we recommend the following "Security management tips" for general users.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus SW from a reputable security company, keep its engine updated, and enable real-time detection.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious of links received via instant messengers and SNS.
5. Scan downloaded files with anti-virus SW before executing them.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment for malicious files such as those described above with nProtect Anti-Virus/Spyware and runs a response system against various security threats.

2/15/2011

Ransomware disguised as QuickTime Player found.

1. Introduction

Various kinds of ransomware and their variants are prevalent these days.
Among them, a peculiar ransomware disguised as QuickTime Player has appeared.
No damage case has been reported in South Korea so far; however, to prevent financial damage, we need to be careful when using the internet.


2. Spreading path and symptoms of infection

Previously found ransomware was disguised as various types of applications; the recently found ransomware is masqueraded as QuickTime Player.


Besides, it carries a digital signature attributed to "Avira", a well-known anti-virus SW company.


This ransomware can be injected into a tampered web page or spread as an e-mail attachment.
A link on a messenger or SNS is also possible.

Since this ransomware has an icon and file name similar to QuickTime Player's, general users can easily be deceived. Furthermore, once infected with this ransomware, the following screen appears.


3. How to prevent

To use your PC safely against the security threats of these malicious attachments, we recommend the following "Security management tips" for general users.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus SW from a reputable security company, keep its engine updated, and enable real-time detection.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious of links received via instant messengers and SNS.
5. Scan downloaded files with anti-virus SW before executing them.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment for malicious files such as the one described above with nProtect Anti-Virus/Spyware and runs a response system against various security threats.

Diagnosis name
- Trojan/W32.Gimemo.563336

New malicious application targeting user information on Android mobile has appeared.

1. Introduction

Following recent findings of repackaged malicious Android apps, we found a repackaged malicious application for Android on a Chinese black market.
This repackaged malicious application can spread via various black markets and 3rd-party markets and requests various permissions.

2. Spreading path and symptoms of infection

The following figure shows the preferences of this malicious application.


The following figure compares the normal and malicious applications.


As always, the malicious application needs more permissions than the normal one.
Once installed, we can see its icon.


The following image is its run screen.


Based on our analysis, we found the following suspicious symptoms.

* Suspicious symptoms

- Tries to access a certain web site
- Leaks mobile information
- Sends text messages
- Remote control
- Installs additional applications

3. How to prevent

With the smartphone boom, general users can easily install various applications.
To use smartphones safely against the security threats of these malicious applications, we recommend the following "Smartphone security management tips" for general users.

Smartphone security management tips

1. Use anti-virus SW from a reputable security company, keep its engine updated, and enable real-time detection.
2. Always download applications that have been proven by many users.
3. Check downloaded applications with mobile anti-virus SW before using them.
4. Do not visit suspicious or unknown sites from your smartphone.
5. Try not to open MMS, text messages, or e-mails from unknown senders.
6. Always set a strong password on your smartphone.
7. Turn on wireless interfaces such as Bluetooth only when they are in use.
8. Do not store important information on your phone.
9. Do not attempt illegal customizing such as rooting or jailbreaking.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment for mobile malicious files such as the one described above with nProtect Mobile for Android and runs a response system against various security threats.

Diagnosis name

- Trojan-Spy/Android.PJApps.A
- Trojan-Spy/Android.PJApps.B


New Trojan "ADRD" for Android mobile has appeared.

1. Introduction

Recently, a security blog reported a mobile Trojan for Android.
This Trojan injects malicious code into a normal application to perform malicious behavior.
Users who frequently download applications from black markets can easily be infected by this malicious application.



[ New Android Trojan "ADRD" Was Found in the Wild by Aegislab ]
http://blog.aegislab.com/index.php?op=ViewArticle&articleId=75&blogId=1

[ Samsung Galaxy S live wallpapers hacked onto other phones ]
http://www.androidcentral.com/samsung-galaxy-s-live-wallpapers-hacked-nexus-one

2. Spreading path and symptoms of infection

Spread via black markets, it targeted Dandelion Live Wallpaper and injected malicious code into it.
This malicious application is named "ADRD" and has no launcher icon.

* Download Dandelion Live Wallpaper
- http://www.livewallpapers.org/dandelion-424/

This malicious application displays the same wallpaper as the normal application.


The following figures show the differences between the normal and malicious applications.

<Malicious application> <Normal application>

We don't need to tell you which one is malicious.
The malicious application always requires many more permissions, and the size also differs slightly between the normal and malicious apps.

<Malicious application> <Normal application>

* Infected symptoms

A. Remotely controlled
B. Collects the IMEI (International Mobile Equipment Identity) and IMSI (International Mobile Subscriber Identity)
C. Accesses certain web sites
- http://adrd.zt.cw.4/
- http://adrd.xiaxiab.com/pic.aspx
- http://adrd.taxuan.net/index.aspx

3. How to prevent

To use your PC safely against the security threats of these malicious applications, we recommend the following "Security management tips" for general users.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus SW from a reputable security company, keep its engine updated, and enable real-time detection.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious of links received via instant messengers and SNS.
5. Scan downloaded files with anti-virus SW before executing them.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment for malicious files such as the one described above with nProtect Mobile for Android and runs a response system against various security threats.

Diagnosis name

- Trojan-Spy/Android.ADRD.A

2/14/2011

Spear-Phishing case on global energy company: Night Dragon

1. Introduction

A spear-phishing security threat against global energy companies was reported on Feb 09, 2011.
This threat, named Night Dragon, was reported by McAfee, an anti-virus SW company.
It can cause a huge amount of financial damage by hitting industrial facilities.



2. Spreading path and symptoms of infection

* SPEAR-PHISHING

http://itlaw.wikia.com/wiki/Spear-phishing
Spear-phishing is "impersonating a company employee/employer via e-mail to steal colleagues’ passwords/usernames and gain access to the company’s computer system."

The following figure shows the process of the Night Dragon attack.



* Process of attack and infection

- Company extranet web servers compromised through SQL-injection techniques, allowing remote command execution
- Commonly available hacker tools are uploaded on compromised web servers, allowing attackers to pivot into the company’s intranet and giving them access to sensitive desktops and servers internally
- Using password cracking and pass-the-hash tools, attackers gain additional usernames and passwords, allowing them to obtain further authenticated access to sensitive internal desktops and servers
- Initially using the company’s compromised web servers as command and control (C&C) servers, the attackers discovered that they needed only to disable Microsoft Internet Explorer (IE) proxy settings to allow direct communication from infected machines to the Internet
- Using the RAT malware, they proceeded to connect to other machines (targeting executives) and exfiltrating email archives and other sensitive documents

McAfee reported that
"There is nothing to suggest that the developers of these tools had any direct connection to these intrusions, as the tools are widely available on the Chinese web forums and tend to be used extensively by Chinese hacker groups. Although it is possible that all of these indicators are an elaborate red-herring operation designed to pin the blame for the attacks on Chinese hackers, we believe this to be highly unlikely. Further, it is unclear who would have the motivation to go to these extraordinary lengths to place the blame for these attacks on someone else. We have strong evidence suggesting that the attackers were based in China."

3. How to prevent

Night Dragon can cause a huge amount of financial damage, following Stuxnet. The continuous appearance of such security threats endangers industrial facilities.
To use your PC safely against the security threats of these malicious attachments, we recommend the following "Security management tips" for general users.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus SW from a reputable security company, keep its engine updated, and enable real-time detection.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious of links received via instant messengers and SNS.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment for malicious files such as those described above with nProtect Anti-Virus/Spyware and runs a response system against various security threats.