
4/12/2011

Malicious file spreading via vulnerabilities in the Adobe product family identified

1. Introduction

A malicious file spreading via a vulnerability in Adobe Flash Player and Acrobat Reader was identified on April 12, 2011.
The file exploits the vulnerability in old versions of the Adobe applications when the e-mail attachment is executed.
Adobe released a security advisory about this issue on April 11, 2011; users of Adobe products should be careful when using these applications.


* Adobe security bulletin for CVE-2011-0611 and the commonly affected application programs

[Security Advisory for Adobe Flash Player, Adobe Reader and Acrobat]
http://www.adobe.com/support/security/advisories/apsa11-02.html


2. Spreading path and symptoms of infection

Currently, this malicious file is an MS Office .DOC file named "Disentangling Industrial Policy and Competition Policy.doc", with an SWF file embedded inside it.

The following figure shows the attached DOC file; it may also spread under a different file name.



http://contagiodump.blogspot.com/2011/04/apr-8-cve-2011-0611-flash-player-zero.html

When you execute this document file, it displays the title "Disentangling Industrial Policy and Competition Policy in China".



When executed, the malicious file creates another malicious file at the following paths, and it replaces the legitimate "mspmsnsv.dll" with a malicious .DLL file.

C:\Document and Settings\User account folder\Local Settings\Temp\svchost.exe (3,728 bytes)
C:\WINDOWS\System32\mspmsnsv.dll (8,704 bytes)



* Comparison between normal mspmsnsv.dll and malicious mspmsnsv.dll



Furthermore, it creates additional files; some of them contain certain system process information from the user's PC.



3. How to prevent

A general user can hardly notice that anything has happened on their PC while a malicious file spreads using social engineering.
To use a PC safely against the security threats of such malicious attachments, we recommend the following "Security management tips" for general users.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trusted security vendor, keep its engine updated, and enable real-time detection.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious of links received via instant messenger and SNS.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment for malicious files such as the one described above and operates a response system against various security threats.
