
3/31/2011

Program suspected of being a keylogger on Samsung notebooks turns out to be an anti-virus misdiagnosis.

Samsung's laptops were suspected of shipping with a keylogger program.
It has since been revealed to be a misdiagnosis (a false positive) by a certain anti-virus product (Vipre).
Unlike the case of Google, which collected personal information without any agreement, this one turned out to be a misdiagnosis.
  


[Is Samsung intentionally shipping laptops with keylogger/spy software?]
http://nakedsecurity.sophos.com/2011/03/30/samsung-intentionally-shipping-laptops-with-keyloggerspy-software/
[Samsung installs keylogger on its laptop computers]
http://www.networkworld.com/newsletters/sec/2011/032811sec2.html

Sources said that Mohamed Hassan, founder of "NetSec Consulting Corp", found the program suspected of being a keylogger with a certain anti-virus product and reported the related details.


The manufacturer said that it had resolved the problem and that it had not intentionally installed the suspected keylogger program to collect information.

This problem will not appear worldwide on the same model; because the specification varies by country, it cannot be certain that the same problem arises elsewhere.

Furthermore, Samsung announced that this happened because one of the multi-language folders of Microsoft's Windows Live application was misdiagnosed as a malicious program.

  
According to Samsung's official announcement, Vipre had misdiagnosed the "C:\WINDOWS\SL" folder as a keylogger. Vipre's vendor also admitted the misdiagnosis itself and posted its official statement at the following link.

[Samsung Laptops do not have a keylogger (and it was our fault)]
http://sunbeltblog.blogspot.com/2011/03/samsung-laptops-do-not-have-keylogger.html

Overseas users are sharing how to remove the suspected program (StarLogger).

[How to detect and remove StarLogger]
http://download.cnet.com/8301-2007_4-20048963-12.html

For a general user it is hard to tell whether a program with a malicious purpose was installed on a factory-sealed machine.
Besides, if the owner uses a disk cloning program, removing a keylogger that was installed from the start becomes even more difficult.
To use a PC safely from security threats like these malicious additions, we recommend the following "Security management tips" for general users.

Smartphone security management tips

1. Keep the OS and applications up to date with the latest security updates
2. Use anti-virus SW from a trusted security company, keep its engine updated to the latest version, and keep the real-time detection function enabled

INCA Internet (Security Response Center / Emergency Response Team) runs a response system against various security threats.

3/25/2011

Tsunami related scams are prevalent

Recently, many cases of users being defrauded by social engineering scams built around the Japanese tsunami have been reported.
Among the several types of damage reported are fundraising scams claiming to aid the Japanese earthquake victims.

In South Korea, some operators of illegal fundraising sites have been prosecuted.



Illegal fundraising was being conducted via SNS, causing monetary damage to the victims. Among these sites, Japanese tsunami related sites were found to scam users and distribute malicious programs. This tsunami related site induces the user to move to another site that supposedly contains additional, astonishing photos, as follows:

 

Clicking the "See it All Here" link to see the additional images redirects the current page to a program download page, as follows.

 

A general user may think that the page is for downloading Google Earth, a freeware program.


During the download process, it prompts the user for payment.

Social engineering scams are usually prevalent whenever a global issue is in the news. To avoid such social engineering techniques, users need to be careful when surfing the internet.

INCA Internet (Security Response Center / Emergency Response Team) runs a response system against various security threats.

3/15/2011

Get our nProtect MBR Guard for free.


1. How's your HDD?

Recently, various variants of boot sector (MBR: Master Boot Record) destruction cases are being reported.
To protect the MBR, we designed and distribute an "MBR protection program" that includes a "Prevent real-time HDD destruction" function.




nProtect MBR Guard v3.0.1.4 (supports Korean-language Windows XP, Windows Vista and Windows 7; service mode and functions added)
http://avs.nprotect.net/FreeAV/NPMBRGuardSetup.exe
http://www.nprotect.com/v7/down/sub.html?mode=vaccine_view&subpage=4&no=308&page=&field=&field_value=

*MD5 : fde66c9a0d147ebca057da005e384a8c
*Supporting OS : Windows XP/Vista/7 (32/64bit)


* If you run into an error while using nProtect MBR Guard v2.0.1.4, posting a reply describing it is the fastest way to get the problem solved.

* Our COMPLIMENTARY "nProtect MBR Guard" can protect the MBR sector of most MS Windows versions, including Windows XP, Windows Vista, Windows 7 and so on.




2. Main functions

This malicious file has a destructive capability: it tampers with the MBR area and can leave the PC unable to boot.
The following figure describes the order of infection.



First, a web hard (file hosting) site is compromised by the attacker, and the malicious code injected into it spreads the malicious file. PCs that download this malicious file become zombie PCs. These compromised PCs can then download DDoS related malicious files that include an HDD destruction capability, which triggers under certain conditions.

* MBR : Master boot record

A master boot record (MBR) is a type of boot sector popularized by the IBM Personal Computer. It consists of a sequence of 512 bytes located at the first sector of a data storage device such as a hard disk. MBRs are usually placed on storage devices intended for use with IBM PC-compatible systems.

If the values are overwritten with "0", as in the figure below right, normal booting is not possible.


[Figure: Normal MBR Sector (left) / Destroyed MBR Sector (right)]
 

[Video for MBR destroying test on HDD]

This video shows the test of "sample.exe" destroying the HDD.

1. Upon infection, it runs as a background task.
2. After about 2 minutes, the MBR sector of the HDD is destroyed and the Windows screen may change to a BSOD (Blue Screen of Death).
3. After the BSOD, normal booting is impossible.
4. Restoring an HDD with a damaged MBR may be difficult; however, reinstalling the OS makes the PC usable again.

The main function of INCA Internet's "nProtect MBR Guard" is to protect the MBR sector of the HDD from illegal tampering. It adopts a command-filter driver technique that restricts "overwrite" operations on that sector, based on a full understanding of the Windows APIs involved.
These are the minimum requirements for securing integrity and protecting the system: the MBR sector must be protected to use the computer safely.

"nProtect MBR Guard" stays at the driver layer and protects against all malicious commands. Unlike the MBR, ordinary mounted volumes such as C:\ and D:\ can be protected with file system filter modules.
That is why "nProtect MBR Guard" adopted a "Disk Filter" that filters the Disk.sys driver for MBR sector access, based on an understanding of the disk I/O flow.
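The two ideas in this post (the 512-byte MBR layout with its 0x55AA signature and partition table, and a disk-level filter that refuses overwrites of sector 0) are shown together below as an added example. It is illustrative code written for this page, not nProtect's driver or any INCA Internet code: the sample MBR is constructed in memory, and MbrGuardFilter, SimDisk and simulate_wiper are assumed names for a simplified model of how such a guard behaves.

```python
import struct

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xaa"          # boot signature at offset 510
PARTITION_TABLE_OFFSET = 446          # four 16-byte entries follow the boot code
PARTITION_ENTRY_FMT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr() -> bytes:
    """Constructed sample MBR (not from a real disk): 446 bytes of dummy boot code,
    one bootable NTFS-type partition starting at LBA 2048, three empty entries,
    and the 0x55AA signature."""
    boot_code = b"\x90" * PARTITION_TABLE_OFFSET
    entry = struct.pack(PARTITION_ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)
    empty = b"\x00" * 16
    return boot_code + entry + empty * 3 + MBR_SIGNATURE


def check_mbr(sector: bytes) -> dict:
    """Integrity checks on a 512-byte MBR image: zeroed sector, boot signature,
    parsed partition entries, and whether anything could boot from it."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba_start, count = struct.unpack(
            PARTITION_ENTRY_FMT, sector[off:off + 16])
        if ptype != 0:
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    signature_ok = sector[510:512] == MBR_SIGNATURE
    return {
        "all_zero": sector == bytes(SECTOR_SIZE),
        "signature_ok": signature_ok,
        "partitions": partitions,
        "bootable": signature_ok and any(p["bootable"] for p in partitions),
    }


class SimDisk:
    """Minimal in-memory disk: a list of 512-byte sectors, LBA 0 being the MBR."""

    def __init__(self, mbr: bytes, extra_sectors: int = 8):
        self.sectors = [bytearray(mbr)] + [bytearray(SECTOR_SIZE) for _ in range(extra_sectors)]

    def read(self, lba: int) -> bytes:
        return bytes(self.sectors[lba])

    def write(self, lba: int, data: bytes) -> None:
        self.sectors[lba][:] = data


class MbrGuardFilter:
    """Simulated disk-level write filter (an assumption about how such a guard
    behaves, not nProtect's implementation): while protection is on, any write
    to LBA 0 is refused and recorded instead of reaching the disk."""

    def __init__(self, disk: SimDisk, protect: bool = True):
        self.disk = disk
        self.protect = protect
        self.blocked = []   # audit trail of refused writes, what a popup would report

    def write(self, lba: int, data: bytes) -> bool:
        if len(data) != SECTOR_SIZE:
            raise ValueError("writes are whole sectors")
        if self.protect and lba == 0:
            self.blocked.append(("LBA0 write refused", data[:4].hex()))
            return False
        self.disk.write(lba, data)
        return True


def simulate_wiper(guard: MbrGuardFilter) -> bool:
    """Models the wiper behaviour in the post: overwrite sector 0 with zeros."""
    return guard.write(0, bytes(SECTOR_SIZE))


if __name__ == "__main__":
    disk = SimDisk(build_sample_mbr())
    guard = MbrGuardFilter(disk, protect=True)
    print("wipe succeeded:", simulate_wiper(guard))                    # False
    print("MBR still bootable:", check_mbr(disk.read(0))["bootable"])  # True
    guard.protect = False
    print("wipe succeeded:", simulate_wiper(guard))                    # True
    print("MBR after wipe:", check_mbr(disk.read(0)))
```

The point of the model is the ordering: the filter sits below the file system, so it sees a raw sector write rather than a file operation, which is why a file system filter alone cannot protect the MBR. check_mbr is also usable on its own to verify a sector image read from a disk or backup.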

3. How to use

You can download "nProtect MBR Guard" through following link.

- http://www.nprotect.com/
- http://avs.nprotect.net/FreeAV/NPMBRGuardSetup.exe



Right-clicking the tray icon shows the following menu.




[MBR 보호][MBR Protection] is enabled by default and protects against malicious access.
[자동시작][Auto Start] is also enabled by default and runs the program automatically at boot.
When [MBR 보호][MBR Protection] is active, our "nProtect MBR Guard" blocks all attempts to access the MBR sector.


[Video for MBR Guard's block test]

This video shows how "nProtect MBR Guard" protects against access to the MBR sector.

1. Activate MBR Guard by selecting [MBR 보호][MBR Protection] on the tray icon.
2. Run the same malicious file executed in the video above.
3. A BSOD would be expected after 2 minutes; however, MBR Guard prevents the BSOD and shows a popup window as a notice.


3/14/2011

Ransomware disguised as a web browser update file emerges

1. Introduction

Malicious software with a financial purpose, using various techniques including file encryption, has been spreading these days.
We call this kind of file ransomware: a type of malware that holds a computer system, or the data it contains, hostage against its user by demanding a ransom for its restoration.

2. Spreading path and symptoms of infection

Ransomware can spread via downloads from a relatively vulnerable web site after it has been compromised. Besides e-mail attachments, instant messenger and links in SNS can also be the route of spreading.

When accessing the distribution site, a warning sign is shown.



Clicking "Install update for Internet Explorer" downloads the following ransomware installation file.



* "Internet-Explorer_update.exe" is served to Internet Explorer users.
"chrome_update.exe" is served to Google Chrome users.

Furthermore, after infection it generates an additional file and registers a scheduled task so that it runs periodically.

* Generated file
- (Windows folder)\Tasks\(random alphabets).job


* (Windows folder) usually means C:\WINDOWS on Win95, Win98, WinME, Win2000 and WinXP; on WinNT it is C:\WINNT.

On reboot, or after a certain time, the PC shows the following screen and interferes with normal use.
The main content plagiarizes a police notice and accuses the user of viewing obscene material and illegal downloading.



Because the Korean text is incongruous, it appears to have been produced with a translator, so we can expect that it has been translated into various languages.



Clicking "Next" prompts the user to call one of the following 3 numbers, at a cost of $0.3: a typical example of ransomware.



Additionally, this malicious file is spread under various file names, disguised as a normal update module.



3. How to prevent

Ransomware can damage the user's data and even cause financial loss. Given its malicious nature, various variants can emerge. To use a PC safely from security threats like these malicious attachments, we recommend the following "Security management tips" for general users.

Security management tips

1. Keep the OS and applications up to date with the latest security updates
2. Use anti-virus SW from a trusted security company, keep its engine updated to the latest version, and keep the real-time detection function enabled
3. Do not open or download attachments from suspicious e-mail.
4. Be cautious with links received via instant messenger and SNS.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis/treatment functions and runs a response system against various security threats.

3/10/2011

The danger of malicious files spreading through ESM

1. Introduction

Security managers are busy these days because of notices that malicious files are being spread through ESM (Enterprise Systems Management).
At the same time, the threat of malicious files has been shown to be real, with various cases of severe damage, core data loss and severe damage after infection appearing in the media; such incidents can cause enormous financial damage.

2. The danger of a compromised ESM

Most companies have adopted various ESMs for their convenience. To use them safely, various security policies are set, while still letting administrators and users work conveniently.


What if a security threat emerges through the inattention of the security manager? What if these convenient functions are used in a malicious way? It is an extreme case; however, nobody can guarantee that it won't happen.

Assume that the ESM server has been hacked and a malicious "destroy HDD" file has been uploaded to it. All agents will be infected and the HDD of each PC will be destroyed.


Needless to say, important or even essential files and information can be destroyed and will not be recoverable. Beyond being unable to work as usual, the company suffers financial damage and its image goes down.

Malicious files designed specifically for these security threats exist, and many cases have been reported.

3. How to prevent

What can a security manager do about these threats? First of all, we distribute nProtect MBR Guard v1.0 against MBR destruction.


To use smartphones safely from security threats like these malicious applications, we recommend the following "Security management tips" for general users.

Security management tips

1. Set a policy to operate the ESM server in a separate network
2. Keep applying the latest patches.
3. Use mobile anti-virus SW to check downloaded applications before using them.
4. Change passwords to strong ones, and change them regularly.
5. Block server access from unapproved users.
6. Set a backup policy for important data.

INCA Internet (Security Response Center / Emergency Response Team) runs a response system against various security threats.

3/07/2011

Malicious file disguised as anti-virus SW for DDoS identified

1. Introduction

Recently, an erratic malicious file disguised as anti-virus SW for DDoS was found. This malicious file has been found not to have a DDoS attack function; however, the appearance of a malicious file using a social engineering technique can cause additional damage related to DDoS.

2. Spreading path and symptoms of infection

First of all, the recently found malicious file, known to spread from Korean public web portals and forums, can also spread as an e-mail attachment or a link in SNS.

 

A general user can be lured by its familiar icon. Furthermore, it is known to use "ALYAC"'s digital signature. Various variants have been created and spread up to now.

As shown in the figure above, it pirated the icon and even set its company name to "Microsoft Corporation".
Upon infection, it creates additional malicious files.



* Generated files

- (Windows system folder)\inpleqlxa.exe (179,181 bytes)
- (User account folder)\Temp\(7~8digits number)_lang.dll (125,570 bytes)

It also registers a registry value so that the generated file runs at boot.

* Generated registry value

- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\its CLSID]
- Value name : "stubpath"
- Value data : (Window System folder)\inldtepix.exe

* (Window System folder) is C:\WINDOWS\SYSTEM on Windows 95, 98 and ME, C:\WINNT\SYSTEM32 on Windows 2000 and NT, and C:\WINDOWS\SYSTEM32 on Windows XP.

* (User account folder) is C:\Documents and Settings\(User account).
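The Active Setup "Installed Components" persistence described above is something a responder can audit from a registry export. The following is an added example written for this page, not INCA Internet's code: it parses a constructed .reg export (the GUIDs are placeholders, not real component ids), pulls out every StubPath value, and reports entries whose executable is not on an illustrative allowlist, ranking those that point into the system folder highest. KNOWN_STUB_HOSTS, SAMPLE_REG and the function names are assumptions of the example.

```python
import re
from typing import Dict, List

ACTIVE_SETUP_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components"

# Illustrative allowlist of executables that commonly host legitimate Active
# Setup stubs. A real baseline should be taken from a known-good image.
KNOWN_STUB_HOSTS = {"ie4uinit.exe", "regsvr32.exe", "rundll32.exe"}

# Constructed .reg export for the example. The last entry mirrors the
# persistence in the post: a stubpath pointing at a randomly named executable
# in the system folder.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000001}]
"StubPath"="C:\\WINDOWS\\system32\\ie4uinit.exe -BaseSettings"
"Version"="1,0,0,0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000002}]
"StubPath"="\"C:\\Program Files\\Example Vendor\\setup.exe\" /quiet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000003}]
"stubpath"="C:\\WINDOWS\\SYSTEM32\\inldtepix.exe"
'''


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parses a minimal .reg export: [key] headers followed by "name"="data"
    string values. Handles the \\" and \\\\ escapes that reg.exe emits."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:
                data = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
                keys[current][m.group(1)] = data
    return keys


def stub_executable(stubpath: str) -> str:
    """Returns the executable path from a StubPath command line, honouring a
    quoted first token so paths with spaces are not cut short."""
    cmd = stubpath.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def assess_active_setup(reg_text: str) -> List[dict]:
    """Lists Active Setup stubs that are not known stub hosts. Entries living in
    the system folder get severity 'high', others 'review'."""
    findings = []
    prefix = ACTIVE_SETUP_KEY.lower() + "\\"
    for key, values in parse_reg_export(reg_text).items():
        if not key.lower().startswith(prefix):
            continue
        for name, data in values.items():
            if name.lower() != "stubpath":       # value names are case-insensitive
                continue
            exe_path = stub_executable(data)
            exe = exe_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if exe in KNOWN_STUB_HOSTS:
                continue
            lowered = exe_path.lower()
            in_system = "\\system32\\" in lowered or "\\system\\" in lowered
            findings.append({
                "clsid": key.rsplit("\\", 1)[-1],
                "stubpath": data,
                "exe": exe,
                "severity": "high" if in_system else "review",
            })
    return findings


if __name__ == "__main__":
    for finding in assess_active_setup(SAMPLE_REG):
        print(finding["severity"], finding["clsid"], finding["stubpath"])
```

On a live system the same function can be fed the output of exporting that key with reg.exe; a stub in the system folder that is neither a known host nor signed by a recognised vendor is worth pulling for analysis before it runs at the next logon.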

Based on our analysis, this malicious file is expected to steal account information using keylogging. Detailed analysis is in progress.

3. How to prevent

The most important thing is that users must keep a sharp eye out to avoid malware.
To use a PC safely from security threats like these malicious attachments, we recommend the following "Security management tips" for general users.

Security management tips

1. Keep the OS and applications up to date with the latest security updates
2. Use anti-virus SW from a trusted security company, keep its engine updated to the latest version, and keep the real-time detection function enabled
3. Do not open or download attachments from suspicious e-mail.
4. Be cautious with links received via instant messenger and SNS.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis/treatment functions with "nProtect AVS" and runs a response system against various security threats.

3/06/2011

How to protect against the 3.3 DDoS malicious file

1. Introduction

After the first attack of "3.3 DDoS" on Mar 3, 2011, rumor had it that the first HDD destruction would occur on Mar 10.
The expectation was wrong: a variant of 3.3 DDoS appeared 2 days after its previous version emerged.
General users need to be careful to avoid unwanted HDD destruction.

2. How to prevent

Users must boot the computer in safe mode with networking for safety, and then scan/treat the PC with anti-virus SW.

* When PC is turned "ON"

Users must keep the anti-virus SW at the latest version and scan the PC, or scan with the current version of the anti-virus SW after unplugging the LAN cable.


※ When PC is turned "ON"

Boot the computer in safe mode with networking by pressing "F8" after the CMOS screen.

 

* Screen of Windows XP


▼ Screen of Windows 7


In either case, whether you have no anti-virus SW or have not updated to the latest version, download the file first and then scan/treat.

[Download our anti-virus for DDoS]
http://avs.nprotect.net/FreeAV/nProtectEAVDllbot.com

* Screen for our anti-virus for DDoS

 

We recommend a full scan to treat 3.3 DDoS related malicious files, as follows.

▼ Screen for diagnosis 3.3 DDoS related malicious file


This kind of DDoS related malicious file damages the HDD and makes the PC unusable.
Furthermore, many users of file hosting web sites may be infected by this malicious file.
To use a PC safely from security threats like these malicious attachments, we recommend the following "Security management tips" for general users.
* Security management tips

1. Keep the OS and applications up to date with the latest security updates
2. Use anti-virus SW from a trusted security company, keep its engine updated to the latest version, and keep the real-time detection function enabled
3. Do not open or download attachments from suspicious e-mail.
4. Be cautious with links received via instant messenger and SNS.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis/treatment functions with nProtect AVS and runs a response system against various security threats.

3/05/2011

Be careful on using file hosting web sites.

1. Introduction

The 3.3 DDoS malicious files were troublesome because they tampered with the update modules of Korean file hosting web sites and were distributed through them.
This time, related web sites were attacked and used to spread malicious files to visitors who had not applied the latest security patch.
In the case of Sharebox, one of the well-known Korean file hosting web sites, the site was spreading a malicious file to visiting users. Hence a deep inspection of site management is needed.


INCA Internet Security Center's Emergency Response Team identified that more than 8 Korean file hosting web sites had been spreading malicious files, and an emergency update has been completed.

Based on our analysis, being visited by many users seems to be one of the biggest reasons why those sites were targeted.

2. Spreading path and symptoms of infection

Accessing the Sharebox web site


The malicious code injected into the JavaScript activates simply by visiting the web site.

(Sharebox)

On other web sites, similar malicious code is injected as follows.

(Other file hosting web site)

The decoded code injected into Sharebox is as follows.

(Sharebox)

The decoded code from another file hosting web site is as follows.

(Other file hosting web site)

It was coded to connect to a certain domain through an iframe.
When main.htm is executed, the exploit code for CVE-2010-0806/MS10-018, an Internet Explorer vulnerability, and the script referenced by the tag <script src="K.Js"></script> are activated.



When the exploit code area executes, the malicious file from Taiwan, "biz.exe", is installed and performs its malicious behavior.

http://file.*****.com/biz.exe


Since this malicious biz.exe is XOR-encrypted as hosted on the web, it does not have a PE header and cannot be executed directly as downloaded. It is decoded into a normal EXE file when installed.

The following figure compares the hex values of "a.exe" between biz.exe on the web and on the user's PC.
biz.exe is converted into the normal executable a.exe with the XOR key 0xA2.
Based on our analysis, the reason for hosting the file in encrypted form on the web appears to be bypassing the real-time scanning option of anti-virus SW.
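The single-byte XOR transformation described above is simple enough to show end to end. Below is an added example written for this page, not code from the post or from INCA Internet: it builds a constructed stand-in for the a.exe header (only the MZ and PE signature bytes, not a real program), XORs it with 0xA2 to produce what the scanner would see on the wire, and then shows the analyst-side check that recovers the key by looking for a valid PE layout. The function names and the sample bytes are assumptions of the example.

```python
from typing import Optional

XOR_KEY = 0xA2  # the single-byte key named in the post


def xor_bytes(data: bytes, key: int) -> bytes:
    """Applies a single-byte XOR to every byte. XOR is its own inverse, so the
    same call both encodes (biz.exe) and decodes (a.exe)."""
    return bytes(b ^ key for b in data)


def looks_like_pe(data: bytes) -> bool:
    """True if data has an MZ DOS header whose e_lfanew field (offset 0x3C)
    points at a "PE\\0\\0" signature, i.e. it is a directly loadable PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_sample_pe_layout() -> bytes:
    """Constructed stand-in for a.exe: only the header bytes the check needs
    (MZ, e_lfanew = 0x80, PE signature). It is not a runnable program."""
    buf = bytearray(0x100)
    buf[0:2] = b"MZ"
    buf[0x3C:0x40] = (0x80).to_bytes(4, "little")
    buf[0x80:0x84] = b"PE\x00\x00"
    return bytes(buf)


def recover_xor_key(blob: bytes) -> Optional[int]:
    """Analyst helper: if a captured download is a single-byte-XORed PE, finds
    the key by trying all 256 candidates and keeping the one that yields a
    valid PE layout. Returns None when no candidate works."""
    for key in range(256):
        if looks_like_pe(xor_bytes(blob, key)):
            return key
    return None


def classify_download(blob: bytes) -> str:
    """Summarises what a scanner sees on the wire versus after decoding."""
    if looks_like_pe(blob):
        return "plain PE"
    key = recover_xor_key(blob)
    if key is None:
        return "not a PE, no single-byte XOR key found"
    return f"PE hidden under single-byte XOR key 0x{key:02X}"


if __name__ == "__main__":
    on_disk = build_sample_pe_layout()             # what a.exe looks like after install
    on_web = xor_bytes(on_disk, XOR_KEY)           # what biz.exe looks like on the server
    print("on web:", on_web[:2].hex(), classify_download(on_web))   # eff8, key 0xA2
    print("decoded:", classify_download(xor_bytes(on_web, XOR_KEY)))  # plain PE
```

The defensive takeaway matches the post's observation: a signature engine that only inspects the bytes as downloaded never sees an MZ header, so detection has to happen either at decode time (the real-time scanner catching a.exe when it is written) or by a scanner that tries cheap transformations such as this one before giving up.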




Once the malicious file has been downloaded and the PC infected, it creates a.exe in the Application Data path and then executes it.

C:\Documents and Settings\(user account)\Application Data


Then it replaces imm32.dll in the System folder with a malicious file and creates a hidden malicious nt32.dll file.
The tampering technique can vary depending on each PC's anti-virus SW and condition.


The installed malicious file steals online game users' information under certain conditions.

Beyond what we described above, many other file hosting web sites were tampered with, and our nProtect Anti-Virus can detect those malicious files.

[Our diagnosis name]
ad.jpg -> Script-JS/W32.Agent.VN
expomody.exe -> Trojan/W32.Klone.265728
images.jpg -> Script-JS/W32.Agent.VM
ain.htm -> Script-JS/W32.Agent.BNE
nt32.dll -> Trojan/W32.Agent.69632.AVN
reutkc.htm -> Script-JS/W32.Agent.BNI
revtkl.htm -> Script-JS/W32.Agent.BNF
yveqer.htm -> Script-JS/W32.Agent.BNG