
4/19/2011

[Warning] Malicious file exploiting a web browser vulnerability

1. Introduction

Recently, a malicious file that exploits a vulnerability in a certain web browser has been found.
Because this malicious file is triggered simply by clicking a URL link sent through an instant messenger, general users need to be careful not to be infected by it.


2. Spreading path and symptoms of infection

As mentioned above, this malicious file infects the user's PC when the URL link is clicked, by exploiting a vulnerability in a web browser such as Internet Explorer.

The messages spread so far contain a suspicious URL, as shown below.


On accessing the URL, the malicious script code hosted there downloads and installs an additional malicious file. This infection exploits the vulnerability CVE-2010-0806 (MS10-018).



After checking the PC's status, if the included malicious code finds the vulnerability, it accesses "1.html" and also downloads a normal image file to distract the user from the infection.
The download is shown below.



When we opened "1.html", it had been encoded as shown below.
We decoded it for readability.



The decoded "1.html" contains the URL address from which an executable .EXE file is downloaded.



The downloaded "adjku.exe" carries a fake digital signature and version information so that it looks like a normal file.



Once "adjku.exe" has been downloaded, it creates malicious files at the following paths.

[Generated files]

C:\WINDOWS\FXSST.dll (33,340 bytes)
C:\WINDOWS\system32\m_user.dll (80 bytes)
C:\WINDOWS\system32\V3lght.dll (15,360 bytes)
C:\Documents and Settings\(User account folder)\Local Settings\Application Data\f.exe (64,376 bytes)



* Control flow of the infection and of the malicious file's activity



3. How to prevent

With this spreading technique, infection occurs on PCs that have not applied the latest patches, so users must apply the MS Windows security patches and the latest patches for every application.

To use a PC safely against the security threats of these malicious files, we recommend the following "Security management tips" for general users.

Security management tips

1. Keep the OS and applications updated with the latest security updates.
2. Use anti-virus software from a trustworthy security company, keep its engine updated, and keep real-time detection enabled.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious with links from instant messengers and SNS.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment for this threat and operates a response system against various security threats.

Be careful of Facebook auto-posting apps

1. Introduction

With the boom in smartphones, it is rare to find a feature phone user these days.
Moreover, most people have their own SNS accounts, which help users share interests and activities.
A social network service essentially consists of a representation of each user (often a profile), his/her social links, and a variety of additional services, and it sometimes delivers news even faster than the news media.

These days, auto-posting apps are becoming prevalent: after obtaining several permissions, they post advertisements or malicious links on the user's wall.
Therefore, general users of Facebook need to be careful not to be affected by these malicious applications.

2. Spreading path and symptoms of infection

The applications mentioned above request permissions for certain functions on installation. Once allowed, the app is granted those permissions. It can then post on the walls of the user's friends without asking, to induce them to install the same app.



3. How to prevent

Just one click can affect (infect) the user and other users, and it grants the app "access to personal information, e-mail subscription, and posting on the wall".

To remove these applications, follow the guidelines below.
  


* How to remove

1. [Account] -> [Account Settings] -> [Application settings]
2. Click "x" to remove



To use a PC safely against the security threats of these malicious applications, we recommend the following "Security management tips" for general users.

Security management tips

1. Keep the OS and applications updated with the latest security updates.
2. Use anti-virus software from a trustworthy security company, keep its engine updated, and keep real-time detection enabled.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious with links from instant messengers and SNS.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment, including nProtect Mobile for Android on mobile devices, for malicious files such as the one described above, and operates a response system against various security threats.

4/15/2011

imm32.dll, its unforeseeable evolution (2)

1. Introduction

We previously posted about patch-type malicious files related to the imm32.dll file.
We are posting again because we have found another malicious file, which creates a malicious svchost.exe.
Since this malicious file can leak personal information, users need to take special care when downloading and executing files from the Internet.

2. Spreading path and symptoms of infection

The malicious file found this time has new features: besides the usual imm32.dll patch, it creates another malicious svchost.exe in the Windows system folder.
In addition, once injected into certain online games, messengers and Internet Explorer, it attempts to sniff login information and send it to a certain external site.

As in our earlier post, this malicious file currently infects PCs after being downloaded from a hacked web page or through a vulnerability in a certain web browser.

The following figure shows one of the spread malicious files.


Upon execution, the downloaded lala.exe creates a malicious svchost.exe in the Windows system folder. The generated svchost.exe downloads a .TXT file that contains the server path for additional malicious files, and then downloads those files from that path.



* Information file containing the malicious file distribution server


* Domain and IP of the malicious file distribution server



The malicious svchost.exe and imm32.dll files are injected by a certain file generated by lala.exe, and they start working after being injected into certain online games, messengers and Internet Explorer.



Furthermore, the malicious svchost.exe can disable some Korean anti-virus software. The following figure shows the process list.


* Process status before and after infection by the malicious files



Upon execution, these malicious files create additional malicious files and set themselves to run again on reboot.

[Generated file information]

C:\WINDOWS\system\svchost.exe
C:\WINDOWS\system32\imm32.dll
C:\WINDOWS\system32\imm32A.dll
C:\Documents and Settings\(User account folder)\Local Settings\Temp\(random 6 digits).tmp

* Properties of the normal and malicious imm32.dll files



* Properties of the malicious svchost.exe



[Registry information]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
▣ Value name : Rundll32.exe
▣ Value data : "C:\WINDOWS\system\svchost.exe"

* Registered registry information



3. How to prevent

To use your PC safely against the security threats of these malicious files, we recommend the following "Security management tips" for general users.

Security management tips

1. Keep the OS and applications updated with the latest security updates.
2. Use anti-virus software from a trustworthy security company, keep its engine updated, and keep real-time detection enabled.
3. Do not open or download attachments from suspicious e-mails.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment for malicious files such as the one described above and operates a 24-hour response system against various security threats.

4/14/2011

imm32.dll, its unforeseeable evolution (1)

1. Introduction

Recently, malicious files that steal Korean online game account information have been spreading widely here.
In addition, these malicious files use methods that change the "imm32.dll" file located in the Windows folder into a new type of malicious file, or generate it themselves.
Therefore, general users who play online games need to be careful about infection.


2. Spreading path and symptoms of infection

Malicious files spread by patching the normal imm32.dll are frequently found, and their techniques vary. One of their main purposes is causing financial damage to the infected user. One of the malicious files found lately exploits a vulnerability in IE and leads to the leaking of personal information.

Currently, this malicious file is delivered by redirection from a certain web site; the following image shows the download window seen so far.


Upon execution, the downloaded "aa.exe" creates additional malicious files at the following paths.
Furthermore, it renames the normal imm32.dll to another name and patches it.

The patched malicious imm32.dll attempts to leak user account information and forcibly stops certain anti-virus software.

* Generated files

C:\WINDOWS\system32\imm32.dll (86,016 bytes, Malicious)
C:\WINDOWS\system32\imm32B.dll (86,016 bytes, Malicious)
C:\WINDOWS\system32\imm32A.dll (110,080 bytes, Normal)


* Comparison between the normal and malicious imm32.dll files



* Control flow of the malicious file and the patching of imm32.dll



3. How to prevent

To use your PC safely against the security threats of these malicious files, we recommend the following "Security management tips" for general users.

Security management tips

1. Keep the OS and applications updated with the latest security updates.
2. Use anti-virus software from a trustworthy security company, keep its engine updated, and keep real-time detection enabled.
3. Do not open or download attachments from suspicious e-mails.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment for malicious files such as the one described above and operates a 24-hour response system against various security threats.

4/12/2011

Identified spreading malicious file exploiting vulnerabilities in the Adobe product family

1. Introduction

A spreading malicious file that exploits a vulnerability in Adobe Flash Player and Acrobat Reader was identified on April 12, 2011.
This malicious file exploits the vulnerability in old versions of the Adobe applications when an e-mail attachment is executed.
Adobe released a security advisory about this issue on April 11, 2011; users of Adobe products need to be careful when using those applications.


* Adobe CVE-2011-0611 security bulletin and the affected application programs

[Security Advisory for Adobe Flash Player, Adobe Reader and Acrobat]
http://www.adobe.com/support/security/advisories/apsa11-02.html


2. Spreading path and symptoms of infection

Currently, this malicious file is an MS Office .DOC file named "Disentangling Industrial Policy and Competition Policy.doc", and it contains an SWF file inside.

The following figure shows the attached DOC file. It can also spread under a different file name.



http://contagiodump.blogspot.com/2011/04/apr-8-cve-2011-0611-flash-player-zero.html

When you execute this document file, you see the title "Disentangling Industrial Policy and Competition Policy in China".



The executed malicious file creates another malicious file at the following paths, and it replaces the normal "mspmsnsv.dll" file with a malicious .DLL file.

C:\Documents and Settings\(User account folder)\Local Settings\Temp\svchost.exe (3,728 bytes)
C:\WINDOWS\System32\mspmsnsv.dll (8,704 bytes)
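The generated-file lists in the two imm32.dll posts and in this post share one pattern: a system binary planted outside system32 (svchost.exe in C:\WINDOWS\system or in a Temp folder) or replaced in place, with the original renamed (imm32A.dll, imm32B.dll). The following script is an added example, not INCA's own tooling; it triages a constructed file listing for these patterns, using the 110,080-byte clean imm32.dll size from the imm32.dll post as the only size baseline, while the other clean sizes and the SysWOW64 remark are assumptions.

```python
import ntpath
import re

# Where these binaries legitimately live on the XP-era hosts in the posts
# (assumption: 64-bit Windows also needs SysWOW64 on this allow-list).
SYSTEM32 = r"c:\windows\system32"
# System binaries the posts show being planted elsewhere or replaced in place.
SYSTEM_BINARIES = {"svchost.exe", "imm32.dll", "mspmsnsv.dll"}
# Clean-file baseline: 110,080 bytes is the "Normal" imm32.dll size given in
# the imm32.dll post; further baselines must be taken from a known-good host.
CLEAN_SIZES = {"imm32.dll": 110080}
# The patch-type malware renames the original to imm32A.dll / imm32B.dll.
RENAMED_ORIGINAL = re.compile(r"^imm32[a-z]\.dll$")

# Constructed inventory: paths (and sizes where the posts give them) from the
# generated-file lists, mixed with clean entries whose sizes are made up.
SAMPLE_INVENTORY = [
    (r"C:\WINDOWS\system32\imm32.dll", 86016),
    (r"C:\WINDOWS\system32\imm32B.dll", 86016),
    (r"C:\WINDOWS\system32\imm32A.dll", 110080),
    (r"C:\WINDOWS\system\svchost.exe", 40960),
    (r"C:\WINDOWS\system32\svchost.exe", 14336),
    (r"C:\Documents and Settings\user\Local Settings\Temp\svchost.exe", 3728),
    (r"C:\WINDOWS\system32\mspmsnsv.dll", 8704),
    (r"C:\WINDOWS\system32\kernel32.dll", 989696),
]


def triage(inventory):
    """Return (path, reason) findings for an iterable of (path, size_in_bytes)."""
    findings = []
    by_dir = {}  # lower-cased directory -> {lower-cased name: original path}
    for path, size in inventory:
        directory, name = ntpath.split(path)
        ldir, lname = directory.lower(), name.lower()
        by_dir.setdefault(ldir, {})[lname] = path
        if lname in SYSTEM_BINARIES and ldir != SYSTEM32:
            findings.append((path, "system binary outside system32"))
        if lname in CLEAN_SIZES and ldir == SYSTEM32 and size != CLEAN_SIZES[lname]:
            findings.append((path, f"size {size} differs from clean baseline {CLEAN_SIZES[lname]}"))
    # A renamed original next to imm32.dll is the signature of the in-place patch.
    for names in by_dir.values():
        if "imm32.dll" in names:
            for lname, path in names.items():
                if RENAMED_ORIGINAL.match(lname):
                    findings.append((path, "renamed original beside patched imm32.dll"))
    return findings
```

On a real host the inventory would come from a directory walk of the Windows folder and the user Temp folders; the size baseline is only meaningful for the same Windows build as the known-good host.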



* Comparison between the normal mspmsnsv.dll and the malicious mspmsnsv.dll



Furthermore, it creates additional files; some of the created files contain certain system process information from the user's PC.



3. How to prevent

General users can hardly notice what is happening on their PC when a malicious file is spread using social engineering.
To use a PC safely against the security threats of these malicious attachments, we recommend the following "Security management tips" for general users.

Security management tips

1. Keep the OS and applications updated with the latest security updates.
2. Use anti-virus software from a trustworthy security company, keep its engine updated, and keep real-time detection enabled.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious with links from instant messengers and SNS.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment for malicious files such as the one described above and operates a response system against various security threats.

4/05/2011

Identified malicious files disguised as installation files of famous overseas anti-virus products

1. Introduction

Recently, a Russian site has been revealed as the root site spreading malicious files disguised as famous anti-virus software.
The downloaded file can cause financial damage to the user on execution; fortunately, no damage cases have been reported in South Korea so far.
With scam techniques getting more sophisticated, users who install overseas anti-virus software need to be careful when downloading and installing it.
  
2. Spreading path and symptoms of infection

The malicious file disguised as an installation file is being spread from a Russian web site.



You can see the icons of famous anti-virus products in the red square; clicking one of them moves the current page to the following site.
Clicking the related link downloads a malicious file masquerading as famous overseas anti-virus software.



* Downloadable fake anti-virus malicious files



This site already hosts various malicious files disguised as setup files of famous anti-virus products; after downloading and executing them, you see the same activation code field in each.



Clicking "Payment Terminals" opens another window for micropayment via SMS, which can cause financial damage to the user.



3. How to prevent

Currently, cybercrime aimed at financial gain is booming.
To use a PC safely against the security threats of these malicious files and social engineering, we recommend the following "Security management tips" for general users.

Security management tips

1. Keep the OS and applications updated with the latest security updates.
2. Use anti-virus software from a trustworthy security company, keep its engine updated, and keep real-time detection enabled.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious with links from instant messengers and SNS.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment for this threat and operates a response system against various security threats.

4/04/2011

Spreading malicious file about the Libyan revolution

1. Introduction

Recently, a spreading malicious file related to the Libyan revolution, which is covering the front pages of newspapers these days, has been detected.
Big global issues, such as the Japanese earthquake, are the easiest lures for social engineering by cyber criminals and malicious file distributors.



2. Spreading path and symptoms of infection

This site and its domain look newly created. It offers information about Libyan news.


The site provides most of its information through links to reliable organizations.
However, it also downloads additional malicious files through a Java applet when accessed.

* Downloaded file

- FreeLibya.jar (2,762 bytes)

Since the file name "FreeLibya.jar" is also related to Libya, users can be easily lured.
Whether the jar file is downloaded depends on the currently installed Java JDK version.



* When JDK hasn't been installed



* When JDK has been installed







Once the downloaded jar file is executed, it downloads an additional malicious file, "javaclient.exe", through its internal class file.

* Internal code of the decompiled class file

If the downloaded malicious file "javaclient.exe" is executed, it creates a clone of itself at the following path and sets itself to start automatically on boot.

* Generated file
- (User temporary folder)\svc21host.exe (1,130,496 bytes)

* Generated registry
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- Name : svc21host
- Data : (User temporary folder)\svc21host.exe

* (User temporary folder) generally means "C:\Documents and Settings\(User account)\Local Settings\Temp".
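This post and the imm32.dll (2) post both show persistence through a Run key: a value named "Rundll32.exe" that actually starts C:\WINDOWS\system\svchost.exe, and a value svc21host that points into the user Temp folder. The following script is an added example, not INCA's code; it flags such entries in a constructed Run-key export. The key paths and data follow the posts, while the Vista-style Temp pattern and the benign ctfmon.exe entry are assumptions.

```python
import ntpath
import re

# Start-path locations the posts show being abused: the XP-era user Temp folder
# (assumption: the Vista+ equivalent is listed too) and C:\WINDOWS\system,
# which is not system32.
SUSPICIOUS_DIRS = [
    re.compile(r"\\local settings\\temp\\"),
    re.compile(r"\\appdata\\local\\temp\\"),
    re.compile(r"^c:\\windows\\system\\"),
]

# Constructed Run-key export: the first two entries reproduce the registry data
# given in the imm32.dll (2) and Libyan revolution posts; the third is a benign
# entry added for contrast (key, value name, value data).
SAMPLE_RUN_ENTRIES = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Rundll32.exe",
     r'"C:\WINDOWS\system\svchost.exe"'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "svc21host",
     r"C:\Documents and Settings\user\Local Settings\Temp\svc21host.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ctfmon.exe",
     r"C:\WINDOWS\system32\ctfmon.exe"),
]


def executable_from_command(data):
    """Extract the program path from Run-key value data: a quoted path, else the
    text up to the first '.exe' (so unquoted paths with spaces survive)."""
    data = data.strip()
    m = re.match(r'"([^"]+)"|(.+?\.exe)(?=\s|$)', data, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else data.split(" ", 1)[0]


def triage_run_entries(entries):
    """Return (key, value_name, reason) findings for (key, value_name, data) tuples."""
    findings = []
    for key, value_name, data in entries:
        exe = executable_from_command(data)
        lexe = exe.lower()
        launched = ntpath.basename(lexe)
        if any(pat.search(lexe) for pat in SUSPICIOUS_DIRS):
            findings.append((key, value_name, f"starts {exe} from a non-standard directory"))
        # A value named after a system program that actually launches something
        # else (here "Rundll32.exe" starting svchost.exe) is a disguise.
        if value_name.lower().endswith(".exe") and value_name.lower() != launched:
            findings.append((key, value_name, f"value name mimics {value_name} but launches {launched}"))
    return findings
```

On a live host the entries would be read from the HKLM and HKCU Run keys (for example with a registry export), and every finding should be confirmed against the file on disk before removal.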

Furthermore, it keeps connecting to a certain external site continuously, as shown in the following figure; as a result, the PC can become part of a botnet.



3. How to prevent

Global issues attract public interest, and malware authors and cyber criminals distribute malicious files using social engineering.
To use a PC safely against the security threats of these malicious files, we recommend the following "Security management tips" for general users.

Security management tips

1. Keep the OS and applications updated with the latest security updates.
2. Use anti-virus software from a trustworthy security company, keep its engine updated, and keep real-time detection enabled.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious with links from instant messengers and SNS.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment for malicious files such as the one described above and operates a response system against various security threats.