
4/19/2011

[Warning] Malicious file using vulnerability of web browser

1. Introduction

Recently, a malicious file that exploits a vulnerability in a certain web browser has been found.
Because this malicious file is triggered simply by clicking a URL link sent through an instant messenger, general users need to be careful not to be infected by it.


2. Spreading path and symptoms of infection

As mentioned above, this malicious file infects the user's PC when a URL link is clicked, by exploiting a vulnerability in a web browser such as Internet Explorer.

The messages spread so far contain a suspicious URL, as shown below.


When the URL is accessed, the malicious script code on the page downloads and installs an additional malicious file. This infection exploits the vulnerability CVE-2010-0806 (MS10-018).



After checking the PC's status, if the code finds the vulnerability, it accesses "1.html" through the included malicious code and also downloads a normal image file, so that the user does not suspect a malicious file infection.
The download is shown below.



When we opened "1.html", it was encoded as shown below.
We decoded it so that it can be read easily.



The decoded "1.html" contains the URL address from which an executable .EXE file is downloaded.
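The analysis step described here (decode the obfuscated page, then find the download URL inside it) can be done with a small script. The following is an added example written for this post, not code from INCA Internet; the sample HTML is constructed, the host name is a placeholder, and the script handles the common JavaScript unescape() encoding (%XX and %uXXXX), which is an assumption about how such pages are encoded and not something the post states.

```python
import posixpath
import re
from urllib.parse import urlparse

# Constructed sample (not the page's real 1.html): a decoded landing-page
# fragment in the style described in the post. The host name is a placeholder.
SAMPLE_DECODED_HTML = r'''
<html><body>
<img src="http://example.invalid/images/banner.jpg">
<script>
var u = unescape("%68%74%74%70%3a%2f%2f%65%78%61%6d%70%6c%65%2e%69%6e%76%61%6c%69%64%2f%61%64%6a%6b%75%2e%65%78%65");
var sc = unescape("%u9090%u9090");
</script>
</body></html>
'''

# %uXXXX -> one UTF-16 code unit, %XX -> one byte, as JavaScript unescape() does.
_ESC = re.compile(r'%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})')
# String literal passed to unescape(...); single- or double-quoted.
_UNESCAPE_CALL = re.compile(r'unescape\(\s*(["\'])(.*?)\1\s*\)', re.S)
# Plain URL, stopping at whitespace, quotes or angle brackets.
_URL = re.compile(r'https?://[^\s"\'<>)]+')

EXECUTABLE_EXT = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".vbs"}
IMAGE_EXT = {".jpg", ".jpeg", ".gif", ".png", ".bmp"}


def decode_js_escapes(text: str) -> str:
    """Decode %uXXXX and %XX sequences the way JavaScript unescape() would."""
    return _ESC.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)


def classify_url(url: str) -> str:
    """Label a URL by the file type it points to, based on the path extension."""
    ext = posixpath.splitext(urlparse(url).path.lower())[1]
    if ext in EXECUTABLE_EXT:
        return "executable download"
    if ext in IMAGE_EXT:
        return "decoy image"
    return "other"


def extract_urls(html: str) -> list:
    """Collect URLs that appear in the page text or inside unescape() string literals."""
    texts = [html]
    for m in _UNESCAPE_CALL.finditer(html):
        texts.append(decode_js_escapes(m.group(2)))
    found = []
    for text in texts:
        for url in _URL.findall(text):
            if url not in found:
                found.append(url)
    return found


def analyze_landing_page(html: str) -> list:
    """Return (url, label) pairs for every URL found in a decoded landing page."""
    return [(url, classify_url(url)) for url in extract_urls(html)]


if __name__ == "__main__":
    for url, label in analyze_landing_page(SAMPLE_DECODED_HTML):
        print(f"{label:20s} {url}")
```

Run on the sample, the script separates the decoy image URL from the executable download URL hidden in the escaped string, which is the pair of indicators an analyst wants to pull out of such a page for blocking at the proxy or firewall.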



The downloaded "adjku.exe" carries a fake digital signature and version information so that it looks like a normal file.



When the download of "adjku.exe" is complete, it creates malicious files on the following paths.

[Generated file]

C:\WINDOWS\FXSST.dll (33,340 bytes)
C:\WINDOWS\system32\m_user.dll (80 bytes)
C:\WINDOWS\system32\V3lght.dll (15,360 bytes)
C:\Documents and Settings\(User account folder)\Local Settings\Application Data\f.exe (64,376 bytes)
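The file list above is usable as a host check. The following is an added example, not a tool from INCA Internet: it looks for each listed path under a given volume root and compares the size with the one in the post. The post gives no hashes, so path and size are the only indicators available here; a file at the same path with a different size is reported too rather than ignored. The demo volume it builds is constructed for the example, and the "(User account folder)" placeholder is expanded over every profile directory found.

```python
import os
import tempfile

# Dropped-file indicators taken from the post: (path below the Windows volume
# root, size in bytes). "(User account folder)" is kept as the post writes it
# and is expanded over every profile directory found under "Documents and Settings".
DROPPED_FILES = [
    (r"WINDOWS\FXSST.dll", 33340),
    (r"WINDOWS\system32\m_user.dll", 80),
    (r"WINDOWS\system32\V3lght.dll", 15360),
    (r"Documents and Settings\(User account folder)\Local Settings\Application Data\f.exe", 64376),
]

PROFILE_PLACEHOLDER = "(User account folder)"


def _candidate_paths(root, rel):
    """Turn one indicator path into concrete paths under root (one per profile if needed)."""
    parts = rel.split("\\")
    if PROFILE_PLACEHOLDER not in parts:
        return [os.path.join(root, *parts)]
    i = parts.index(PROFILE_PLACEHOLDER)
    profiles_dir = os.path.join(root, *parts[:i])
    if not os.path.isdir(profiles_dir):
        return []
    return [os.path.join(profiles_dir, name, *parts[i + 1:])
            for name in sorted(os.listdir(profiles_dir))]


def check_dropped_files(root):
    """Return (relative path, status) for each indicator path that exists under root.

    status is "match" when the size equals the one in the post, otherwise
    "size-mismatch (N bytes)"; a mismatch still deserves a look, since the
    same name at the same location is itself suspicious.
    """
    findings = []
    for rel, expected_size in DROPPED_FILES:
        for path in _candidate_paths(root, rel):
            if not os.path.isfile(path):
                continue
            actual = os.path.getsize(path)
            status = "match" if actual == expected_size else f"size-mismatch ({actual} bytes)"
            findings.append((os.path.relpath(path, root).replace(os.sep, "/"), status))
    return findings


def build_demo_volume():
    """Create a throwaway directory laid out like an infected XP volume (constructed, for the demo)."""
    root = tempfile.mkdtemp(prefix="demo_volume_")

    def put(rel, size):
        path = os.path.join(root, *rel.split("\\"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(b"\0" * size)

    put(r"WINDOWS\FXSST.dll", 33340)                      # matches the post
    put(r"WINDOWS\system32\m_user.dll", 80)               # matches the post
    put(r"Documents and Settings\alice\Local Settings\Application Data\f.exe", 64376)
    put(r"Documents and Settings\bob\Local Settings\Application Data\f.exe", 10)  # same name, other size
    return root


if __name__ == "__main__":
    # Pass a real volume root (for example "C:\\") to scan a host; here the constructed demo is scanned.
    for rel_path, status in check_dropped_files(build_demo_volume()):
        print(f"{status:28s} {rel_path}")
```

On a real host the root would be the system drive; the check is deliberately read-only, so it can be run before deciding on cleanup with an up-to-date anti-virus engine.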



* Control flow of the malicious file's infection and behaviour



3. How to prevent

With this spreading technique, infection occurs on PCs that have not applied the latest patches, so users must apply patches including the MS Windows security patch and the latest patch for each application.

To use a PC safely against security threats from such malicious attachments, we recommend the following "Security management tips" for general users.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trustworthy security company, keep its engine updated to the latest version, and keep the real-time detection function enabled.
3. Do not open or download attached files from suspicious e-mails.
4. Be cautious of links from instant messengers and SNS.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment functions and operates a response system against various security threats.
