3/05/2011

Be careful when using file hosting web sites.

1. Introduction

The malicious files used in the 3.3 DDoS attack were troublesome because they tampered with the update modules of Korean file hosting web sites and were distributed through them.
This time, the related web sites were attacked and used to spread malicious files to visitors who had not installed the latest security patches.
In the case of Sharebox, one of the famous Korean file hosting web sites, the site had been spreading a malicious file to every visiting user. Hence a deep inspection of its management is needed.


INCA Internet Security Center's Emergency Response Team identified that more than 8 Korean file hosting web sites had been spreading malicious files, and an emergency update has been completed.

Based on our analysis, the large number of visitors seems to be one of the biggest reasons why these sites were targeted.

2. Spreading path and symptoms of infection

Accessing the Sharebox web site


The malicious code injected into the site's JavaScript activates merely by visiting the web site.

(Sharebox)

In the case of other web sites, similar malicious code was injected as follows.

(Other file hosting web site)

The decoded version of the code injected into Sharebox is as follows.

(Sharebox)

The decoded code from another file hosting web site is as follows.

(Other file hosting web site)

It was coded to connect to a certain domain through an iframe.
When main.htm is loaded, the CVE-2010-0806/MS10-018 exploit code, which targets an Internet Explorer vulnerability, and the script pulled in by the tag <script src="K.Js"></script> are activated.
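The injection described above is an iframe pointing at a third-party domain plus an off-site script include. A site operator can catch this kind of tampering by checking every iframe and external script source on the served page against the site's own host list. The scanner below is an added example written for this post, not code from the original article or from INCA Internet; the HTML page, the trusted host names and the `attacker-placeholder.invalid` domain are all constructed for the demonstration.

```python
"""Flag hidden iframes and off-site <script src> tags in a served HTML page.

Added example, not part of the original post. Detection logic: an iframe that
is hidden (zero size or display:none) or that loads from a host outside the
site's own host list, and any external script loaded from an untrusted host,
are reported as findings.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed host list for the demo: the site's own host and its CDN.
TRUSTED_HOSTS = {"www.example.com", "cdn.example.com"}

# Constructed sample page: the last two tags mimic the injected iframe and the
# <script src="K.Js"> include the post describes. Domain is a placeholder.
SAMPLE_PAGE = """<html><body>
<script src="/js/site.js"></script>
<script src="https://cdn.example.com/jquery.js"></script>
<iframe src="/player.html" width="640" height="360"></iframe>
<iframe src="http://attacker-placeholder.invalid/main.htm" width="0" height="0"></iframe>
<script src="http://attacker-placeholder.invalid/K.Js"></script>
</body></html>"""


class InjectionScanner(HTMLParser):
    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted_hosts = {h.lower() for h in trusted_hosts}
        self.findings = []  # list of (tag, src, reason)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # valueless attributes become ""
        if tag == "iframe":
            src = a.get("src", "")
            if self._is_hidden(a):
                self.findings.append(("iframe", src, "hidden"))
            elif not self._trusted(src):
                self.findings.append(("iframe", src, "off-site"))
        elif tag == "script" and a.get("src"):
            if not self._trusted(a["src"]):
                self.findings.append(("script", a["src"], "off-site"))

    def _trusted(self, url):
        host = urlparse(url).hostname
        # Relative URLs have no host and are served from the site itself.
        return host is None or host.lower() in self.trusted_hosts

    @staticmethod
    def _is_hidden(attrs):
        style = attrs.get("style", "").replace(" ", "").lower()
        zero_size = attrs.get("width") == "0" or attrs.get("height") == "0"
        return zero_size or "display:none" in style or "visibility:hidden" in style


def scan_html(html, trusted_hosts):
    """Return the list of suspicious iframe/script findings for one page."""
    scanner = InjectionScanner(trusted_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for tag, src, reason in scan_html(SAMPLE_PAGE, TRUSTED_HOSTS):
        print(f"{reason:8s} {tag:6s} {src}")
```

Run against a copy of the page fetched periodically from the production web server, a non-empty result is a signal that the served HTML no longer matches what the site operator deployed.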



When the exploit code runs, a malicious file hosted in Taiwan, "biz.exe", is installed and performs its malicious behavior.

http://file.*****.com/biz.exe


Since the malicious biz.exe hosted on the web is encrypted with an XOR operation, it does not carry a PE header and cannot be executed as soon as it is downloaded. Only after decoding is it installed as a normal EXE file.

The following figure compares the hex values of biz.exe as served on the web with those of "a.exe" on the user's PC.
biz.exe is converted into the normal executable a.exe by an XOR operation with the key 0xA2.
Based on our analysis, the reason for hosting the file in encrypted form on the web seems to be bypassing the real-time scanning of anti-virus software.
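When a downloaded blob has no recognizable header but a decoded copy later appears on disk, the single-byte XOR key can be recovered from the executable format itself: the first two plaintext bytes of a Windows executable must be "MZ", and the "PE\0\0" signature must sit at the offset stored in the DOS header field e_lfanew (offset 0x3C). The script below is an added example, not code from the original post or from INCA Internet; it builds a constructed header-only buffer in place of the real a.exe, encodes it with the key 0xA2 named in the post, and shows how an analyst would recover that key and verify the result.

```python
"""Recover a single-byte XOR key from an encoded payload by using PE header
invariants, then decode it.

Added example, not from the original post. The constructed buffer stands in
for a.exe; the real samples are not reproduced here.
"""
import struct

MZ_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
E_LFANEW_OFFSET = 0x3C  # DOS header field holding the PE header offset


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def looks_like_pe(data: bytes) -> bool:
    """True if data has the 'MZ' magic and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != MZ_MAGIC:
        return False
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    if e_lfanew < 0x40 or e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE


def recover_xor_key(blob: bytes):
    """Return the key byte that turns blob into a valid PE image, else None.

    Because the first plaintext byte must be 'M', there is only one candidate
    key; the PE signature check rules out chance matches on that byte alone.
    A result of 0x00 means the blob was already a plain executable.
    """
    if not blob:
        return None
    candidate = blob[0] ^ MZ_MAGIC[0]
    return candidate if looks_like_pe(xor_bytes(blob, candidate)) else None


def decode_payload(blob: bytes):
    """Return (key, decoded_bytes), or (None, None) if no key fits."""
    key = recover_xor_key(blob)
    if key is None:
        return None, None
    return key, xor_bytes(blob, key)


def build_sample_pe() -> bytes:
    """Constructed 0x80-byte buffer with a valid MZ/PE header layout.

    This is a test fixture, not a runnable binary and not the real a.exe.
    """
    image = bytearray(0x80)
    image[:2] = MZ_MAGIC
    struct.pack_into("<I", image, E_LFANEW_OFFSET, 0x40)  # PE header at 0x40
    image[0x40:0x44] = PE_SIGNATURE
    return bytes(image)


if __name__ == "__main__":
    plain = build_sample_pe()
    on_the_wire = xor_bytes(plain, 0xA2)  # what the web server would serve
    key, restored = decode_payload(on_the_wire)
    print(f"recovered key: 0x{key:02X}, decoded copy is valid PE: {restored == plain}")
```

The same check explains why real-time scanners miss the file in transit: `looks_like_pe` is false for the encoded blob, so signature engines keyed on the PE format never see an executable until the dropper has written a.exe to disk.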




Once downloaded, the malicious file creates a.exe in the Application Data path and executes it.

C:\Documents and Settings\(user account)\Application Data


It then replaces imm32.dll in the System folder with a malicious file and creates a malicious nt32.dll as a hidden file.
The tampering technique can vary depending on each PC's anti-virus software and condition.


The installed malicious file steals online game users' information under certain conditions.

Besides the sites described above, many other file hosting web sites were tampered with, and our nProtect Anti-Virus can detect these malicious files.

[Our diagnosis name]
ad.jpg -> Script-JS/W32.Agent.VN
expomody.exe -> Trojan/W32.Klone.265728
images.jpg -> Script-JS/W32.Agent.VM
ain.htm -> Script-JS/W32.Agent.BNE
nt32.dll -> Trojan/W32.Agent.69632.AVN
reutkc.htm -> Script-JS/W32.Agent.BNI
revtkl.htm -> Script-JS/W32.Agent.BNF
yveqer.htm -> Script-JS/W32.Agent.BNG

3 comments:

  1. So good, I like your Blogspot, and I have a blog talking about Web Hosting and a lot of things related to web hosting, such as hosting providers, site hosting, hosting comparisons, e-commerce hosting, ASP hosting, Joomla hosting, SPIP hosting and free web hosting, and thanks a lot again admin. 4Web-Hosting.Info
  2. I will come to you to learn about the spreading path and symptoms of infection, which is very essential for me as well. I must follow the content as well. Keep it up.
    web hosting
  3. I am very glad to get this; I am so excited to get this.
    $1 a month web hosting