
5/31/2011

[Warning] Malicious file identified masquerading as an e-mail attachment

1. Introduction

Spreading malicious files disguised as e-mail attachments is a prevalent technique.
Because ordinary users receive many kinds of mail every day, they usually do not hesitate to download and execute a file attached to an e-mail.
In this post we introduce one such case: a message masquerading as an e-mail sent by DHL, an international express delivery company.


2. Spreading path and symptoms of infection

As the name suggests, these malicious files spread by masquerading as a normal attached file, and the message leads the recipient to download it in order to see further details.



You can see a “ZIP file” in the attachment area. The careless attacker wrote the year as 2010, even though this mail was sent on May 17, 2011.

According to its content, the mail claims it was sent because of a wrong recipient address, and it tries to induce the user to download and run the attached file.
After extracting the compressed file, you can see an executable with an icon like the following image.


Its file name is also disguised with DHL-related wording: “DHL-Notification-print-copy-Delivery”.
When run, it generates a file in the following path and modifies the following registry value.

* Generated file
- (User account folder)\Application Data\(Random alphabets)\(4 random alphabets).exe

* Generate and modify registry
- Name : [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- Data : (User account folder)\Application Data\(Random alphabets)\(4 random alphabets).exe

* (User account folder) usually means C:\Documents and Settings\(User account). 

Furthermore, it tries to access an external site and can download additional malicious files or perform bot functions through “explorer.exe”.



3. How to prevent

In this case, a malicious file disguised as a normal e-mail attachment can be downloaded and executed easily. This kind of security threat is a form of social engineering, and the range of users exposed to it keeps getting wider.
To use your PC safely despite the security threats posed by such malicious applications, we recommend the following “Security management tips” for general users.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trusted security company, keep its engine updated, and keep real-time detection enabled.
3. Do not open or download attachments from suspicious e-mails.

INCA Internet (Security Response Center / Emergency Response Team) provides detection and removal for malicious files such as the one described above and runs a 24-hour response system against various security threats.

Diagnosis name

- Trojan/W32.Agent.171008.GM



5/25/2011

[Warning] Malicious file found targeting Korean online banking users

1. Introduction

Now that the “Zeus” source code, aimed at overseas internet banking web sites, is spreading, strengthening the security of financial services on the internet seems to be widely accepted by the public.
Both to reduce the possibility of financial information being leaked and to avoid the various emerging threats to internet financial services, we need to pay more attention to these critical threats.


In particular, the malicious file found recently is the first confirmed case built to target Korean online banking users: its default language is set to Korean and it covers 27 domestic internet banking sites. It is regarded as a shocking incident.

We, who mainly provide security components in the financial sector, are monitoring the date this malicious file first appeared and are collecting samples of its various variants.
Furthermore, according to our own “Malicious file integrated management automation system”, various variants have been spreading for some time; some infections date back to September 2010. We are inspecting those samples.

* Anti-virus for Trojan-Spy/W32.KRBanker (For Korean Financial Supervisory Service)

http://avs.nprotect.net/FreeAV/nProtectEAV_KRBanker.exe



* Code in the malicious file related to online banking


 
* Target list of the Trojan-Spy/W32.KRBanker malicious file

01. Kookmin Bank (bank.kbstar.com)
02. Woori Bank (http://www.wooribank.com/)
03. Korea Exchange Bank (http://www.keb.co.kr/)
04. Korea Industrial Bank (http://www.ibk.co.kr/)
05. Hana Bank (http://www.hanabank.com/)
06. Shinhan Bank (http://www.shinhan.com/)
07. Citibank (http://www.citibank.co.kr/)
08. Standard Chartered (http://www.scfirstbank.com/)
09. Daegu Bank (http://www.dgb.co.kr/)
10. Kyungnam Bank (http://www.knbank.co.kr/)
11. Jeonbuk Bank (http://www.jbbank.co.kr/)
12. Kwangju Bank (http://www.kjbank.com/)
13. Busan Bank (http://www.busanbank.co.kr/)
14. Jeju Bank (banking.e-jejubank.com)
15. HK Saving Bank (http://www.hksb.co.kr/)
16. Nonghyup (banking.nonghyup.com)
17. Suhyup (http://www.suhyup-bank.com/)
18. Hyundai Swiss Saving Bank (http://www.hsb.co.kr/)
19. Jeil Saving Bank (http://www.jeilbank.co.kr/)
20. Community Credit (http://www.kfcc.co.kr/)
21. Credit Union (http://www.cu.co.kr/)
22. Korea Industry Bank (http://www.kdb.co.kr/)
23. Post Office Bank (http://www.epostbank.go.kr/)
24. Solomon Saving Bank (http://www.solomonbank.com/)
25. Seoul Saving Bank (http://www.seoulbanking.co.kr/)
26. Tomato Saving Bank (http://www.tomatobank.co.kr/)
27. Pureun Bank (http://www.pureunbank.co.kr/)

We found that this malicious file tries to steal or tamper with the user’s certificates, passwords, account passwords, security card numbers and OTPs (one-time passwords).
The collected information may be used for malicious purposes, such as withdrawing the balance without the real owner noticing.

In addition, it contains functions to kill some well-known Korean anti-virus programs and appears to be carefully customized for the Korean environment.

2. Malicious code activation scenario

The INCA Internet security response team tested the whole information leakage process in a real environment.

* Activity of this malicious file

Once this malicious file is active, it waits for certain conditions and then detects Internet Explorer windows opened on Korean online banking sites.
It was also designed to perform different malicious behavior for each bank, which means the malware developer wrote as many variations as there are banking systems.

%SystemRoot%\folderlist.srg
%ProgramFiles%\Common Files\CommonDirs\runmode.dll
%SystemRoot%\system32\folderlist.srg
%SystemRoot%\help\iishelp\common\explorer.exe
%ProgramFiles%\Common Files\CommonDirs\winnet.exe

When this malicious file runs, it creates a hidden folder under the Windows system folder and monitors usage history.

C:\WINDOWS\Drivers\TPP\DirectX\Dinput\np

The folder name “np” appears to be an abbreviation of NPKI (National Public Key Infrastructure). The malware creates another folder and tries to steal certificates located on the local disk or on removable disks.


The .NLS files are screenshots of the user’s screen captured from time to time; they are sometimes saved as .DAT files instead.
This malicious file appears to perform additional malicious behavior with those captured files.
The following figure shows one of the .NLS files, containing the screen and the mouse position.


<User selects a certificate and must enter the password to authenticate at Kookmin Bank>


<At KEB bank>

The .XCD file is a plain text file containing the names of the drives on the local PC. It helps the malware copy the folder where NPKI certificates are saved.


The NPKI files were copied and saved in the folder f2nk14677.1171875.
The folder name varies depending on the user environment.


When the infected user signs in to an online banking service, the certificate selection screen is captured and saved at C:\Windows\Help\iishelp\common\dllimage.bmp.



The saved dllImage.bmp is then used as a background image when signing in with a certificate.

The next time, it displays a script page or a fake error and tries to deceive the user into re-entering the certificate and password.

The following image is identical to Shinhan Bank’s error page.


You can see an artificial blue box placed over the input form to snatch the password.


<An additional form is overlaid on the current form>

In certain cases it also shows a form asking for the password, OTP and security card number.


The entered information is saved to C:\Windows\inf\d3dx9_94_x.inf together with the time and date.
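As an added example (not INCA Internet's tool and not part of the original post), the following PowerShell script checks a machine for the file and folder artifacts listed above for Trojan-Spy/W32.KRBanker; the paths are the ones named in the post, with %SystemRoot% and %ProgramFiles% expanded for the local machine, and PowerShell 3.0 or later is assumed.

```powershell
# Added example (not INCA Internet's tool): check a machine for the file and
# folder artifacts the post above attributes to Trojan-Spy/W32.KRBanker.
# Presence of a path is an indicator, not proof: confirm with an up-to-date
# scanner before acting on it.
$artifacts = @(
    '%SystemRoot%\folderlist.srg',
    '%ProgramFiles%\Common Files\CommonDirs\runmode.dll',
    '%SystemRoot%\system32\folderlist.srg',
    '%SystemRoot%\help\iishelp\common\explorer.exe',     # explorer.exe outside system32
    '%ProgramFiles%\Common Files\CommonDirs\winnet.exe',
    '%SystemRoot%\help\iishelp\common\dllimage.bmp',     # captured certificate-selection screen
    '%SystemRoot%\inf\d3dx9_94_x.inf',                   # log of entered passwords / OTP / security card numbers
    '%SystemRoot%\Drivers\TPP\DirectX\Dinput\np'         # hidden folder used for copied NPKI certificates
)

function Test-KRBankerArtifacts {
    $results = foreach ($raw in $artifacts) {
        $path = [Environment]::ExpandEnvironmentVariables($raw)
        # -Force is needed so that hidden files and folders are returned as well.
        $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        $hidden    = $null
        $lastWrite = $null
        if ($item) {
            $hidden    = [bool]($item.Attributes -band [IO.FileAttributes]::Hidden)
            $lastWrite = $item.LastWriteTime
        }
        [pscustomobject]@{
            Path      = $path
            Present   = [bool]$item
            Hidden    = $hidden
            LastWrite = $lastWrite
        }
    }
    return $results
}

$hits = Test-KRBankerArtifacts | Where-Object { $_.Present }
if (-not $hits) { Write-Host 'None of the KRBanker artifacts were found.'; return }
$hits | Format-Table -AutoSize

# The np folder is where the post says stolen NPKI certificates are staged.
# List its contents (again with -Force) so the owner knows which certificates
# to treat as exposed and reissue.
$np = [Environment]::ExpandEnvironmentVariables('%SystemRoot%\Drivers\TPP\DirectX\Dinput\np')
if (Test-Path -LiteralPath $np) {
    Get-ChildItem -LiteralPath $np -Recurse -Force | Select-Object FullName, Length, LastWriteTime
}
```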


 
This malicious file also has other functions, such as sending e-mail, using FTP, checking the IP address, collecting system information, P2P, changing Windows Firewall settings, hiding the browser, masquerading as an nProtect security module, and interfering with anti-virus software.

Since we identified that our nProtect Netizen was being blocked, we updated it for this variant on May 25, 2011.
The following image shows the test result of nProtect Netizen against that malicious file.
Netizen can scan and remove the malicious file flawlessly.



3. How to prevent

These financial security threats must be stopped. One of the methods we recommend is to change the sign-in form regularly.
To use online banking safely despite these malicious behaviors, we recommend the following “Online banking security management tips” for general users.

※ Online banking security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use the security components offered for online banking (keyboard security, anti-virus, and so on).
3. Use anti-virus software from a trusted security company, keep its engine updated, and keep real-time detection enabled.
4. Be careful when clicking shortened URLs.
5. Save NPKI certificates on a removable disk.

INCA Internet (Security Response Center / Emergency Response Team) provides detection and removal and runs a response system against various security threats.

[Warning] Fake anti-virus software (Mac Defender, Mac Security, Mac Protector) detected on Mac OS

1. Introduction

Various fake anti-virus programs have emerged on Mac OS.
These programs have spread all over the world, and at the same time Apple products are a big trend in Korea these days.
Therefore, users of devices running Mac OS need to pay special attention to avoid these fake anti-virus programs.

[MacDefender fake AV security software tops Apple Mac user woes]
http://www.computerweekly.com/Articles/2011/05/20/246730/MacDefender-fake-AV-security-software-tops-Apple-Mac-user.htm

[Mac users hit with fake anti-virus when using Google image search]
http://nakedsecurity.sophos.com/2011/05/02/mac-users-hit-with-fake-av-when-using-google-image-search/

A German community site, http://macdefender.org/, has the same name as this fake anti-virus software, so the site has posted a notice that it has no relationship with the malicious software.

2. Spreading path and symptoms of infection

This fake anti-virus software can be spread not only through search engine optimization techniques but also through attached files and shortened URLs on SNS or instant messengers. On Mac OS the package can be installed as soon as the download finishes.

After the download is completed, the package installation pages are shown, and the installer may ask for a password to obtain administrator permission.



After the installation is completed, the fake anti-virus software runs a scan like the following.



Clicking the “Cleanup” button brings up the registration page.


Clicking the “Register” button shows a payment form, just like other malicious applications of this kind.



Needless to say, the scan result is false.

* This fake anti-virus software may contain the following packages.

- macprotector.pkg
- macProtectorInstallerProgramPostflight.pkg
- macsecurity.pkg
- macSecurityInstallerPostflight.pkg
- MacDefender.mpkg
- macdefenderSetupPostflight.pkg

3. How to prevent

Even though anti-virus software for Mac OS is not yet widespread, installing it is necessary to keep Mac OS safe.

※ INCA Internet (Security Response Center / Emergency Response Team) provides detection and removal for malicious files such as the one described above and runs a response system against various security threats.

5/18/2011

[Warning] How to respond to ransomware

1. Introduction

Recently, ransomware, which demands money to “repair” the PC while showing false information, has been spreading widely.
Once infected, Windows is blocked by the ransomware.
To use Windows again, the user is told to pay for a key that unlocks it.
We hope this post helps you use Windows without the threat of this ransomware.

2. Spreading path and symptoms of infection

Ransomware can be spread via vulnerable web sites, e-mail attachments, instant messengers, and SNS (social network services).

Once infected, it “locks” Windows and does not allow the user to proceed without certain steps, as in the following figures.



You can see a form for entering a 10-digit key, which is supposedly received after paying a certain amount of money.
This lock screen is not removed by rebooting.

3. How to respond

Here is how to remove this ransomware.

◆ How to remove it

1) Press “F8” while booting and start Windows in “safe mode”.


2) In Windows, open "Start" -> "Run" -> "regedit".

3) Remove the registry value at the following path.

- Name : [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- Data : C:\Documents and Settings\(user account)\Application Data\Microsoft\explorer.exe

4) Go to the following path and remove the malicious file.

- Path : C:\Documents and Settings\%username%\Application Data\Microsoft
- File Name : explorer.exe

5) Reboot to complete the removal.
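As an added example (not INCA Internet's tool and not part of the original posts), the following PowerShell script audits the HKCU Run key for the persistence pattern shared by this ransomware and the DHL attachment case above: an executable launched from under the user's Application Data folder, or an explorer.exe that does not live in the Windows folder. It only reports unless -Remove is given, and, as the steps above say, it should be run from Safe Mode; PowerShell 3.0 or later is assumed.

```powershell
# Added example (not INCA Internet's tool): audit the current user's Run key
# for the persistence pattern described in the two posts above. Run as the
# affected user, from Safe Mode. Nothing is deleted unless -Remove is given.
param([switch]$Remove)

$runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$appData = [Environment]::GetFolderPath('ApplicationData')   # ...\Application Data or ...\AppData\Roaming
$windir  = $env:SystemRoot

function Get-ExePathFromCommand([string]$command) {
    # Run values may be quoted and may carry arguments; keep only the executable path.
    if ($command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($command -split '\s+')[0]
}

function Find-SuspiciousRunEntries {
    $findings = @()
    $key = Get-Item -Path $runKey -ErrorAction SilentlyContinue
    if (-not $key) { return $findings }
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)
        $exe  = Get-ExePathFromCommand $data
        $reasons = @()
        # Both posts: the dropped .exe sits under the user's Application Data folder.
        if ($exe.StartsWith($appData, [StringComparison]::OrdinalIgnoreCase)) {
            $reasons += 'executable under Application Data'
        }
        # Ransomware post: the file borrows the name explorer.exe but is not in %SystemRoot%.
        $leaf = [IO.Path]::GetFileName($exe)
        if ($leaf -ieq 'explorer.exe' -and -not $exe.StartsWith($windir, [StringComparison]::OrdinalIgnoreCase)) {
            $reasons += 'explorer.exe outside %SystemRoot%'
        }
        if ($reasons.Count -gt 0) {
            $findings += [pscustomobject]@{ Name = $name; Path = $exe; Reason = ($reasons -join '; ') }
        }
    }
    return $findings
}

$findings = Find-SuspiciousRunEntries
if ($findings.Count -eq 0) { Write-Host 'No suspicious Run entries found.'; return }
$findings | Format-Table -AutoSize

if ($Remove) {
    foreach ($f in $findings) {
        # Remove the autorun value first so the file cannot be restarted, then the file itself.
        Remove-ItemProperty -Path $runKey -Name $f.Name -ErrorAction SilentlyContinue
        if (Test-Path -LiteralPath $f.Path) { Remove-Item -LiteralPath $f.Path -Force -ErrorAction SilentlyContinue }
        Write-Host "Removed autorun '$($f.Name)' and file $($f.Path)"
    }
    Write-Host 'Reboot to complete the cleanup.'
}
```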
  
4. How to prevent

This kind of ransomware can cause not only data loss but also financial damage.
Since there is a high chance that various variants will emerge, users should protect themselves against this ransomware with the following “Security management tips”.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trusted security company, keep its engine updated, and keep real-time detection enabled.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious about links received through instant messengers and SNS.

INCA Internet (Security Response Center / Emergency Response Team) provides detection and removal for malicious files such as the one described above and runs a 24-hour response system against various security threats.

5/17/2011

[Warning] Malicious file stealing online game account information identified under a v3lite file name

1. Introduction

Recently, various types of malicious files created to steal online game account information have been spreading in Korea.
Among those files, variants of “lpk.dll” are quite prevalent. The file found here is named after the installer of a well-known Korean anti-virus product, so users who try to install “v3 anti-virus” need to pay special attention to this prevalent malicious file.

In this case it is hard to recognize whether the PC has been infected by the malicious file, so repeated infections can occur.
Since malicious files targeting online game accounts can cause financial damage, users need to be careful with this kind of malicious file.

2. Spreading path and symptoms of infection

This malicious file can have various spreading paths. One prevalent method is tampering with a web site so that it carries a download link exploiting a vulnerability. Of course, it can also be spread as an e-mail attachment, through instant messengers, shortened URLs, and so on.

The most common and prevalent file for stealing online game account information is malware that uses “lpk.dll”.

To lure users into spreading and becoming infected with the malicious file, developers usually try any method that might tempt the user.
The malicious file found here changed its name to that of a well-known Korean anti-virus product’s file in order to attract ordinary users.


In this case only the name was changed to that of a Korean anti-virus file, but the file name, icon and file properties can all be disguised. Users need to be careful when downloading from web sites.

As soon as this malicious file is executed, the PC is infected and online game account information can be leaked. The dropped file carries the same name as the normal file “lpk.dll”.

* Generated file

- C:\Program Files\%TOOYUAMER%\66621.exe (33,629,048 bytes)
- (Windows system folder)\lpk.dll (47,250 bytes)
- (Windows system folder)\lpk32.dll (22,016 bytes) -> normal “lpk.dll” file


* (Windows system folder) is generally C:\WINDOWS\SYSTEM in Windows 95, 98 and ME; C:\WINNT\SYSTEM32 in Windows 2000 and NT; and C:\WINDOWS\SYSTEM32 in Windows XP.

You can see that an lpk32.dll file has been created: it is the original file under a changed name.

When infected by this malicious file, the normal lpk.dll is renamed to lpk32.dll and the malicious file takes the name lpk.dll. The following figure illustrates this.



<Normal lpk.dll file>
<Malicious lpk.dll file>

3. How to prevent

In the case of malicious files related to “lpk.dll”, the malware can also make clones masquerading as usp10.dll and spread them to various folders. Finding and removing every folder containing a cloned file is difficult given how fast it spreads.
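As an added example (not INCA Internet's tool and not part of the original post), the following PowerShell script looks for the lpk.dll swap described above and for lpk.dll or usp10.dll copies planted outside the Windows system folders; the 47,250-byte size is the one the post gives for this variant, the default search roots are an assumption, and PowerShell 3.0 or later is assumed.

```powershell
# Added example (not INCA Internet's tool): look for the lpk.dll swap the post
# describes and for lpk.dll / usp10.dll copies planted outside the system folder.
# Windows searches an application's own folder before the system folder when
# loading these DLLs, which is why planted copies in program folders matter.
$sys32       = Join-Path $env:SystemRoot 'system32'
$hijackNames = @('lpk.dll', 'usp10.dll')
$variantSize = 47250   # size of the malicious lpk.dll in this post's variant; other variants differ

function Test-SystemLpk {
    # The genuine lpk.dll is a Microsoft file; the renamed original, lpk32.dll, should not exist at all.
    $lpk   = Join-Path $sys32 'lpk.dll'
    $lpk32 = Join-Path $sys32 'lpk32.dll'
    $item  = Get-Item -LiteralPath $lpk -Force
    $sig   = Get-AuthenticodeSignature -FilePath $lpk
    # On older Windows versions system files are signed only through catalogs and
    # may report NotSigned here, so CompanyName and size are kept as secondary checks.
    [pscustomobject]@{
        File            = $lpk
        SizeBytes       = $item.Length
        MatchesVariant  = ($item.Length -eq $variantSize)
        CompanyName     = $item.VersionInfo.CompanyName
        SignatureStatus = $sig.Status
        Lpk32Present    = (Test-Path -LiteralPath $lpk32)
    }
}

function Find-PlantedDlls {
    # Default roots are an assumption; pass e.g. -Roots 'C:\' for a full-drive sweep (slow).
    param([string[]]$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:USERPROFILE))
    # Any lpk.dll or usp10.dll outside the Windows system folders is suspect.
    $allowed = @($sys32, (Join-Path $env:SystemRoot 'SysWOW64'), (Join-Path $env:SystemRoot 'WinSxS'))
    foreach ($root in ($Roots | Where-Object { $_ })) {
        Get-ChildItem -Path $root -Recurse -Force -Include $hijackNames -ErrorAction SilentlyContinue |
            Where-Object {
                $dir = $_.DirectoryName
                -not ($allowed | Where-Object { $dir.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })
            } |
            ForEach-Object {
                $s = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{ Path = $_.FullName; SizeBytes = $_.Length; Signature = $s.Status }
            }
    }
}

Test-SystemLpk | Format-List
Find-PlantedDlls | Format-Table -AutoSize
```

Any lpk.dll or usp10.dll reported by Find-PlantedDlls, and any lpk32.dll in system32, should be submitted to an up-to-date scanner rather than deleted blindly, since a legitimate application can ship its own copy.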

As described above, using social engineering to distribute malicious files easily has become a big trend among malware developers, so we need to be careful while using the PC to avoid security threats.

Since malware developers are always devising more sophisticated methods than generally expected, we recommend the following “Security management tips” for general users.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trusted security company, keep its engine updated, and keep real-time detection enabled.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious about links received through instant messengers and SNS.

INCA Internet (Security Response Center / Emergency Response Team) provides detection and removal and runs a 24-hour response system against various security threats.

5/11/2011

[Warning] Malicious file identified on a fake YouTube site

1. Introduction

Recently, malicious files have been spread via a Java applet from a fake YouTube site.
We all watch videos on YouTube and elsewhere every day and have no reason to doubt such media.
Therefore, we need to be careful about these infections and learn how to avoid their symptoms.


2. Spreading path and symptoms of infection

Not only this site, disguised as a video sharing web site as in the following figure, but any commonly disguised site can mislead a user into downloading a malicious file.



If you visit this site, it serves “(~)youtube.com/YouTube.jar”, a Java applet, and executes it. Moreover, if a JDK is installed and configured, additional malicious files can be downloaded by “YouTube.class” inside “YouTube.jar”.

* Internal code of “YouTube.class”



* Generated file

  - (User temporary folder)\10058-1.exe (89,600 bytes)
  - The downloaded file is renamed: 10058-1.exe -> privzate.exe

* C:\Documents and Settings\(user account)\Local Settings\Temp is generally the user temporary folder.

Besides the fake YouTube site mentioned above, various other types of sites offering appealing content can be used in the same way.



The additional malicious file (10058-1.exe) is downloaded from a Romanian server, as shown in the following figure.



Furthermore, once infected by this “10058-1.exe”, the PC tries to access the following site and can sometimes act as a bot.



3. How to prevent

There is a high chance that various variants of this malicious file will emerge.
To use your PC safely despite the security threats posed by these malicious files, we recommend the following “Security management tips” for general users.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trusted security company, keep its engine updated, and keep real-time detection enabled.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious about links received through instant messengers and SNS.

INCA Internet (Security Response Center / Emergency Response Team) provides detection and removal for malicious files such as the one described above and runs a 24-hour response system against various security threats.

[Warning] Decrypted version of the Zeus source code spreading

1. Introduction

On May 11, 2011, the INCA Internet Emergency Response Team detected the source code of the final version of the Zeus malware builder, together with its password, on an Indian Twitter account. General users need to be careful when using the internet.
The Zeus builder source code found previously was a compressed, encrypted file on the internet, but without the decryption password it could not be used so far.
As of today, the sharing of a usable source has been officially confirmed.

The INCA Internet Emergency Response Team had already obtained the original Zeus source code on May 2, which began spreading on May 11, and started developing blocking techniques and a detailed analysis. When INCA Internet found the source code, fortunately, the password had not been shared yet.

Since the spread of the file that unlocks the encrypted source code lets anyone decode it easily, variants of Trojan horses targeting online banking will increase exponentially. In addition, the threat from botnets built from such malicious files is relatively high.

Therefore, a “comprehensive security review” is required to minimize the security threats to online banking posed by Zeus malware.

2. Disclosure of the decompressed Zeus source code

The following figure was captured by the INCA Internet Emergency Response Team. It shows that an Indian hacker uploaded the Zeus source code to his web site and posted a link, including the encryption password, on his Twitter account. Through Twitter’s retweet function, it is now also available via various routes, including SNS and hacking forums.


The following figure shows the Zeus source code on a certain web site.


The download is available through the shared domain we found, and the password spread on his Twitter account serves as the key to that compressed file.


Based on our analysis, comparing our copy of the source code with the one currently spreading, the recently found compressed file is almost identical, except that it lacks the Russian documentation file.

In addition, if you try to build the source code, you can see the Zeus Package Builder screen shown below, and the build succeeds.



3. Zeus variant malware is easy to make

Zeus malware can be detected and removed by the latest version of nProtect Anti-Virus under the diagnosis name Zbot. What is worse is that similar Zbot variants are emerging and spreading, and the spread of the builder source will multiply the variants countlessly.

Furthermore, various versions of the builder are used to make malicious files.


Because the source code lets anyone modify the builder tool to develop malicious files, a technique to block the threat at the source level is needed.

The following figure shows that the leaked source works. The malicious file’s configuration is in the Actions part, and it can target various online banking web sites.



4. How to respond

We tested a simple procedure using the latest malicious file built by this Zeus builder. nProtect KeyCrypt, INCA Internet’s keyboard security solution, protected the keys entered in a web page password input test.


General users can hardly notice anything happening on their PC while the malicious file spreads.
To use your PC safely despite the security threats posed by these malicious files, we recommend the following “Security management tips” for general users.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trusted security company, keep its engine updated, and keep real-time detection enabled.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious about links received through instant messengers and SNS.

INCA Internet (Security Response Center / Emergency Response Team) provides detection and removal for malicious files such as the one described above and runs a 24-hour response system against various security threats.

 

Microsoft Security Bulletin Summary for May 2011

1. Introduction

Microsoft (MS) released its regular security updates for May 2011.
Users are strongly recommended to install these updates to stay safe from the vulnerabilities they fix: the Windows WINS vulnerability and the Microsoft PowerPoint vulnerabilities.

Microsoft Security Bulletin Summary for May 2011
http://www.microsoft.com/technet/security/bulletin/ms11-may.mspx

2. Updates details

[Critical]
[MS11-035] Vulnerability in WINS Could Allow Remote Code Execution (2524426)

Vulnerability: WINS Service Failed Response Vulnerability - CVE-2011-1248

This security update resolves a privately reported vulnerability in the Windows Internet Name Service (WINS). The vulnerability could allow remote code execution if a user received a specially crafted WINS replication packet on an affected system running the WINS service. By default, WINS is not installed on any affected operating system. Only customers who manually installed this component are affected by this issue.
This security update is rated Critical for servers running supported editions of Windows Server 2003, Windows Server 2008 (except Itanium), and Windows Server 2008 R2 (except Itanium), on which WINS is installed. For more information, see the subsection, Affected and Non-Affected Software, in this section.

◈ Affected Software

- Windows Server 2003 SP2
- Windows Server 2003 x64 Edition SP2
- Windows Server 2003 with SP2 for Itanium-based Systems
- Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems SP2
- Windows Server 2008 for x64-based Systems and Windows Server 2008  for x64-based Systems SP2
- Windows Server 2008 R2 for x64-based Systems and Windows Server 2008 R2 for x64-based Systems SP1

- Reference site

http://www.microsoft.com/technet/security/bulletin/MS11-035.mspx



[Important]
[MS11-036] Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2545814)

Vulnerabilities:
- Presentation Memory Corruption RCE Vulnerability - CVE-2011-1269
- Presentation Buffer Overrun RCE Vulnerability - CVE-2011-1270

This security update resolves two privately reported vulnerabilities in Microsoft PowerPoint. The vulnerabilities could allow remote code execution if a user opens a specially crafted PowerPoint file. An attacker who successfully exploited either of these vulnerabilities could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Installing and configuring Office File Validation (OFV) to prevent the opening of suspicious files blocks the attack vectors for exploiting the vulnerabilities described in CVE-2011-1269 and CVE-2011-1270. See the section, Frequently Asked Questions (FAQ) Related to This Security Update, for more information about how the Office File Validation feature can be configured to block the attack vectors.

This security update is rated Important for all supported editions of Microsoft PowerPoint 2002, Microsoft PowerPoint 2003, Microsoft PowerPoint 2007, Microsoft Office 2004 for Mac, and Microsoft Office 2008 for Mac. The security update is also rated Important for all supported versions of Open XML File Format Converter for Mac and Microsoft Office Compatibility Pack. For more information, see the subsection, Affected and Non-Affected Software, in this section.

◈ Affected Software

- Microsoft Office XP SP3
- Microsoft Office 2003 SP3
- Microsoft Office 2007 SP2
- Microsoft Office 2004 for Mac
- Microsoft Office 2008 for Mac
- Open XML File Format Converter for Mac
- Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP 2

- Reference site

http://www.microsoft.com/technet/security/Bulletin/MS11-036.mspx